What does a security career look like? What qualifications should a security professional have? Those are legitimate questions at any time, but they’re especially relevant in the context of the recent Equifax data breach.
Several senior executives at the company resigned as the full extent of the breach entered the public domain. More than 145 million people in the US, 400,000 in the UK, and about 8,000 in Canada had their data compromised in attacks that took place between May and July this year. The intruders exploited a software vulnerability that was disclosed in March, but which Equifax failed to address.
Among those standing down from the company was the chief information security officer Susan Mauldin. Some commentators, combing through the ashes of the Equifax “dumpster fire” in search of a hot take, seized on her educational background. Mauldin holds a BA and master of fine arts degrees in music composition from the University of Georgia. Some tone-deaf commentary tried to infer a direct link between her background and Equifax’s poor approach to security. The gist of the argument went like this: what could a liberal arts graduate possibly know about information security?
Many others sprang to Mauldin’s defence. They pointed out that many long-established security pioneers have little formal training in the field, never mind degrees. The controversy sparked debate on Twitter under the hashtag #unqualifiedfortech, and on LinkedIn (search for ‘edumacation’). Troy Hunt, who runs the Have I Been Pwned website, subsequently wrote an excellent blog about qualifications and technology jobs. It’s a long read, but I recommend it for the fantastic perspective it lends to the issue.
There’s a bigger debate about security skills behind this particular story. Are specific cybersecurity qualifications the only legitimate route into working in the industry? By contrast, is the security skills shortage so acute that non-technical attributes are a valuable, welcome addition to the field?
Mikko Hypponen, chief research officer with F-Secure, told me: “Diplomas and titles don’t matter much to me in this field. Curiosity, willingness to learn and having the right mindset does.” BH Consulting is also doing its part to encourage talented people to enter the security field through its Masters Scholarship programme.
The conversation about careers in cybersecurity is spilling into other forums. It’s already shaping up as one of the main themes at next month’s Irisscon, the annual cybercrime conference taking place in Dublin. Industry figures like Javvad Malik, Dr Jessica Barker, Quentyn Taylor and Lee Munson will all discuss areas related to working, or getting started, in cybersecurity.
Also speaking is Chris Boyd, lead malware intelligence analyst with the security company Malwarebytes. Prompted by the Equifax story, Chris researched other large breaches to find out the qualifications of those companies’ security leaders. Some didn’t even employ a CISO or equivalent. Many of those that had a senior security leader employed a person who didn’t hold a technical degree. “I think a qualification is pretty irrelevant in terms of whether a company is going to be breached or not,” he told Security Watch.
Chris believes a CISO or head of information security should have a combination of technical skills and soft skills like communication. “Equifax’s CISO had been around the industry for two decades, and you have to question what use a computer degree from 20 years ago would have been to the threats that ultimately took down the network,” Chris said.
He describes some of the current security job specs as “unrealistic”. He said: “I think it’s just an easy way for some HR departments to make things easier for themselves. They just want to tick some boxes rather than delve into the history of the person and what they’ve achieved. Most people I know in tech, who built tools back in the day to combat threats the traditional AV tools couldn’t deal with, had backgrounds from professional photography to stockbroking.”
Expecting senior security people to spring from purely technical backgrounds is a “narrow view”, Chris believes. “In that sort of position, a lot of soft skills would be a benefit. I personally would be more comfortable with someone who can work across teams and pull them together. Most CISOs I know have all had very strong people skills. Some had tech qualifications, but some didn’t. It was irresponsible for some outlets to start berating people without those pieces of paper.”
Let’s leave the last word to Arrigo Sacchi. Best known for coaching AC Milan in the 80s and 90s, Sacchi revolutionised Italian football despite never having played the game professionally. He had a brilliant response for the barstool critics who held that against him, and for barstool critics everywhere: “I never realised that in order to become a jockey, you have to have been a horse first.”