With the increasing threats of data breaches and leaks in our interconnected world, it’s clear that cybersecurity is more important (and visible) than ever. But are you cut out for this career? Manju Mude, a cybersecurity expert and member of the Paranoids at Yahoo, answers our questions. She tells us why every technologist has the responsibility to build products safely and the steps you can take to become a cybersecurity professional. Plus, as a member of the advisory panel for Springboard’s new Cybersecurity Career Track, we ask Manju what’s missing in cybersecurity education today – see her thoughtful answer.
Manju, how did you start your career in cybersecurity?
I did my undergrad in Art History and my master’s in Information Systems. I started out caring about things like search engines, and big data, applications, and web logic in the mid-90s when the consumer web had just started. I started my career before cybersecurity was offered as a concentration at any school, but I've always been interested in the history of the military, warfare, physical, and cybersecurity, etc.
I worked for the government in cybersecurity through the early 2000s, including during 9/11. As you can imagine, security became top of mind in most industries after that and my career blossomed from there.
How have you seen the security field grow over the years? Is cybersecurity becoming more important or is it just in the news more often?
No matter what stage of history we’re in, I actually think security has always been equally important. Today, we’re more aware of security issues because of social media and the internet – things we didn't have pre-1990s.
We live in a very connected world. Almost everything you touch has an IP address. And if it has an IP address, it has a threat vector. Cybersecurity is growing because the threat vectors are growing.
Cybersecurity is definitely a very good field to get into. I am also thankful that it's been a progressive field, both for the industry and for myself professionally.
What do you mean by “progressive?”
In security, there is always new information, new data, new threat vectors. To be good at your job, you have to continue to learn about the way risks and threats operate and change. Some of that is very fundamental, but the field requires continuous learning. Threat vectors are always changing, which makes for a very exciting, non-monotonous career.
Should every developer or technologist have the responsibility to have some level of cybersecurity expertise?
Anybody who builds something should want to build things securely and safely, without introducing more threats. If you're building a house, your job is more than making the house look fine. If the door hinges are going to fall off or the pipes are going to burst, then you haven’t done your job.
Sticking with that analogy – in technology, your job is more than making an application act fine or look fine. The architecture of your code is vital to keeping your product intact and hardened. The reason that new risks are introduced into applications is that some developers and system administrators aren’t trained, or overlook risky behaviors in code and systems. One of the challenges that the industry has faced is the rise of breaches, compromises, and data leakage. Our problem is that we've historically only trained a very small set of people to think about security. In actuality, it's everybody's job – if you’re touching a computer, security is your job.
Anybody who works in technology should have some form of cybersecurity education. If you're building new applications, architecting, etc., then you should devote 10% to 20% of your career to cybersecurity at minimum.
So you’re saying that security is everyone’s responsibility – that sounds even more important in the age of short term education like coding bootcamps.
Knowing about cybersecurity as a developer actually gives you a competitive edge. When you're looking for a new job, you might be good or enthusiastic about a certain domain or programming language, but nowadays it is a selling point to be aware of security practices.
The more that we can equip everybody – regardless of their domain – to think about security, the more we can elevate our community and society as a whole to deal with risks and reduce threats….or try and keep up with the growth of threats.
Are there basic security principles that every tech company or tech professional should be adhering to?
There are several standards and publications in the industry. If you're going to be a developer or engineer or building anything, then I encourage you to look at the Open Web Application Security Project (OWASP). OWASP is a list of web and application security principles to harden your code and make sure that you're not introducing unintended risks into your applications. OWASP teaches you how to be a more hygienic, cleaner, more efficient programmer. The 2017 Top 10 Principles are:
Adhering to those principles is an easy way to know that you’re covered; if you’re training all of your developers to practice those basic 10 principles of OWASP, this helps organizations prepare for myriad next level threats which could be anything from introduction of a new architecture or even something as grand as malware attacks or a nation state attack.
One: Labs that Teach Beyond the Security Principles
One turn-off that I see in security education is this tactic called FUD – Fear, Uncertainty, and Doubt. Rather than just preaching the collapse of the system, we need to actually show why a principle is important, the reasons behind it, and the consequences of not adhering to it. We have to repackage FUD and start teaching people how to protect and why you do things in a certain way.
Today, we give people security principles and expect them to accept those. We don’t teach students to intentionally write bad code-behavior and execute on it, then teach them what good behavior looks like. In a Java class, we should be incorporating labs where you execute some bad behavior and actually see what it does to your application. Labs are absolutely critical to teaching security. When we study most of the big breaches or data leaks, we need to peel back the layers with students and also study the behavior in the tech community that contributed to that potential exposure.
Two: Tactical vs. Thoughtful Education
Bootcamps are clearly creating these compressed courses for a reason – preparing folks for the workforce – but it worries me that we’re training people to be tactical and not thoughtful. Part of what has led to breaches in the industry is that you train a bunch of developers to write code, but you're not really teaching them to think critically, to not click on phishing links, to not download weird software. And so the threat vectors keep growing. It’s the responsibility of training programs (bootcamps, universities, and companies) to teach these things.
Three: Specializations in Security
I think diversity of thought is really important to the security industry – people bring specializations in different tracks and make different contributions. In that way, diverse-skill teams are actually thinking about more threat vectors. If we only hire web developers onto a security team, then we'll only think about the threats that a developer would think of; we’d miss the threads that an HR or marketing professional would see. I want to encourage people to use their strengths. If you’re good at public speaking or at presenting, or if you’re a very detail-oriented person or great at project management, or you have an eye for math and accounting, then you can intersect the skills that you’re passionate about with cybersecurity.
This is a shift that we're seeing in the cybersecurity industry and I predict that it will take off in the coming years – we need to teach security to people who specialize in other industries and fold them into the cybersecurity world.
What does it take to get into cybersecurity? Do you need certain qualities or a certain background?
Security is a mindset. If you look at “non-technical” fields – whether it's psychology or the arts – there are now applications of computer science in any field. I actually think you can pivot from almost any field into computer science or information security.
When you work in security, you view threat vectors differently than the average person or even a computer scientist. You put on your security lens for everything you do – whether you’re interacting with a web application or online shopping. That's what makes a passionate security professional. Security encompasses your career and how you live (and share data in) your personal life.
Do I need to know a programming language before I can get into cybersecurity?
One thing that cybersecurity education and the media tend to do is glamorize the hackers, but there are so many careers in cybersecurity outside of being a “hacker.” That is a component of security at big companies (often referred to as a Red Team).
For every five people who are hacking and breaking things, there are 100 people fixing, project managing, building/managing security services (encryption, authentication, etc.), finding the budget to tackle issues, ticketing bugs, and making security issues visible to executives.
Not everybody is built to be a coder and not everybody has to be a professional developer. In fact, for the cybersecurity jobs of tomorrow you'll need to understand coding fundamentals, but you really don't have to be a coder to be successful in cybersecurity.
The answer to this question also depends on your industry of interest. If you only want to work for a Google or Twitter, then they might have different expectations than a bank or the government would have for their security professionals. Regardless, utilize your strengths and your inner born talent and capitalize on those strengths; then intersect that with security.
It sounds like there is a path into security for people from all different types of background.
The only prerequisite for cybersecurity is that you think and understand risks and threats. You don't have to know coding, you don't have to know programming or architecture, and you don't have to be a senior engineer in your field. You just have to understand the concept of risks and threats, and accountability for those risks and threats.
One common way to get into cybersecurity is being a part of a compliance team in the legal department. A compliance team is made up of project manager and risk managers and risk documenters – it is a basic and well-rounded introduction into cybersecurity, allowing for visibility into the way security controls and threats are managed.
As an advisor to Springboard, why is it important for you to be a part of creating good education around security?
Educating the future workforce on security principals is foundational to creating a well rounded community. Being in security is exciting, complicated, and takes strong, well-rounded individuals. There is a lot of opportunity and I want to help shape programs from many years of hands-on experience.
Are there intro classes or conferences that you would suggest for a beginner who wants to learn more about cybersecurity?
There are plenty of good conferences to attend that aren’t too expensive. If you're enrolled in any type of training or university or curriculums, you might even get a discount. I would encourage people to go to active security conferences to learn. In most big cities, you’ll find security conferences and meetup. Several cities have BSides, which are information/security conferences; there are big conferences like DEF CON and Black Hat.
If you don't find the meetup you like, then create one! Create a club of security enthusiasts who want to talk about security – there's nothing stopping us from creating the conference we want.
YouTube is also a really good resource! And my advice is to follow the news. Read about what’s going on because those are the very risks that you'll be discovering once you’re in this field. If there are certain things about the security world that appeal to you, then you're already on the right track. If you want to fight malware or cybercrime or innovate data privacy, then you’ll be really excited to get into cybersecurity as a career.
If you're a beginner in cybersecurity, check out Springboard’s Introduction to Cybersecurity. If you already have some experience in security or in related technical fields like Engineering and IT, check out Springboard’s Cybersecurity Career Track. You’ll prepare for a role as Software Security Analyst and receive career support to help you land your next role.
Learn to code this summer (updated for 2019)!
Is learning to code on your New Year’s Resolutions List? Find coding bootcamp course dates for 2019!