With security breaches and hacks in the news and on TV (Mr. Robot, anyone?) cyber security is more important than ever. Bootcamps like Evolve Security Academy are now helping to train the next generation of Cyber Security Professionals. We caught up with Brian Liceaga, the Lead Instructor at Evolve Security Academy in Chicago, to learn about the types of roles graduates get in security, the curriculum at a security bootcamp, and the best meetups, conferences, and podcasts for aspiring security professionals.
Brian, tell us about your background and your experience in the Security industry.
I went to Loyola University, which actually offered a B.S. degree in Communication Networks and Security. The degree was heavily focused on theory and computer networks, which meant that I had to do a lot of discovery and fiddling outside of the classroom to really get up to speed. That happened through corporate internships, hobby projects, finding any IT consulting opportunities I could get my hands on, and even some part-time gigs doing security operations.
One of my internships lead to a full time job on the security team at a major insurance company, where I focused on application security, security operations, vulnerability management, and participated on their Computer Security Incident Response team.
Switching gears from insurance, I went to work at an e-commerce startup that was experiencing hyper growth. I joined as their first security engineer and was tasked with building the security team and establishing a security program.
What types of jobs does Evolve Security Academy prepare graduates for?
Security is a big field, and consists of many domains: Application Security, Network Security, Identity and Access Management, and the list goes on. A really great role for an Evolve grad would be a Security Operations Center (SOC) Analyst and Information Security Analysts. SOC Analysts are the folks who monitor the environment and its systems for any anomalies and investigate alerts.
Do those security roles require coding skills? Is a Security Analyst working in a code base each day?
Not necessarily - it definitely depends on the expectations of the company. I think that a lot of companies who are hiring for security don't even know what the role should be.
Some roles may require some scripting knowledge, or some basic Python; others may require really advanced Python. A job title requiring scripting skills is usually listed as a security engineer compared to a security analyst.
Did you think having your undergraduate degree has been necessary to your career as a security engineer?
My degree really helped me out on the networking side of my career. The best security teachers I had were part-time or adjunct instructors, because they were real industry professionals. It was good to have that foundation, especially in the theory side of things. I did have to do a fair amount of tinkering and reading on my own due to the lack of hands on experience in the classroom. That's what attracted me to the bootcamp model and what Evolve Security Academy is doing
I landed a job in security directly out of undergrad, but that’s definitely rare for most security professionals and wasn’t the case for the majority of my classmates. With Evolve, I'm hoping to make the experience streamlined and provide more direction to individuals getting into the security field.
How did you get connected with Evolve Security Academy?
I was hosting the “Chicago Security Meetups” at my office, and noticed that Evolve had started a new meetup called the “Chicago Cyber Security Meetup”. Their meetup was geared more towards people that are newer to the industry. They had a great speaker who did a nice job of breaking things down when the topics became more technical. After discovering what Evolve was, I reached out to the co-founder, Andrew, asking if they needed help teaching and building the curriculum. The Evolve co-founders invited me to do some adjunct lectures for the first cohort, and then I eventually came on as the lead instructor of our current cohort.
After your own journey into security, did you have to be convinced of the efficacy of the bootcamp model?
At first, the idea of a bootcamp was a bit shocking to me, and I didn't fully understand how this model could replace the traditional experience. However, I soon learned first hand that the bootcamp model worked because at my current company, we have a few graduates from Dev Bootcamp working as full-time engineers and are high contributors. I've seen it work, and it just goes to show this model really can give you the necessary foundation and streamline your path towards a career. I also believe that success depends on how hard you are willing to work, and how much time you are willing to dedicate to making yourself successful.
You’re the Lead Instructor at Evolve Security Academy, but you also work full time- do you think that's important to keep working as a real security engineer?
Instructors need to stay involved with the industry in some way or another. Despite not directly working in the industry, my favorite computer science instructors in college were constantly reading, teaching, programming, organizing meetups, and sponsoring other students to do research under them. Most of those guys even wrote their own textbooks! It’s all about engaging yourself, whether that is working as an engineer, writing a security blog, conducting research, or attending conferences. Technology is always going to change, so you have to stay sharp and put yourself in the mindset of, "What would an attacker do?"
That's what I feel like what we're doing with Evolve. We're essentially writing our own security playbook.
Have you help develop the curriculum? What goes into a security bootcamp curriculum?
I’ve partnered with Paul on the curriculum. He has a profound pentesting and security management background. I’ve started to influence our curriculum by leveraging my experiences from both traditional/conservative environments and bleeding edge/fast paced environments with high automation and orchestration. We’re improving on the Evolve curriculum every day; adding new material and lab exercises and receiving feedback from students based on their interests.
In order to deliver a strong foundation, we have broken up the major domains of security into modules:
- Security Program Creation / Administration
- Physical / People (Social Engineering)
- Defense, Detection and Architecture
- Hardening Systems (OS/Network/Application)
- Cryptography (Encryption of Data)
- Vulnerability Detection / Management
- Forensics and Incident Response
- Leadership Training / Interview Preparation / Job Placement Process
Do you think Prep Work is important to a successful 12-week bootcamp?
Yes. We do a month of prep work, in which we go over the application stack fundamentals and networking fundamentals to get an understanding of the technology behind the scenes. Security professionals need to understand a breath of technologies in order to protect systems, applications, data, networks, and the privacy of individuals. The networking piece is critical to troubleshooting and investigating issues in the real world. Then we move into some the theory with the CIA triad.
Wait- what is the CIA triad?
CIA stands for Confidentiality, Integrity, and Availability. If a vulnerability can be exploited, it impacts one of those elements.
Is there an ideal applicant for Evolve Security? Are you looking for applicants with some programming experience, or complete beginners?
There is not an ideal candidate; students need to have the desire to learn, and we have to understand what they are looking for, so that we can make sure to deliver. It’s important to make sure that we're successful in giving the students what they expect from the program.
There's an online application, then an in-person interview process. If you ask anybody in security about their career long journey, you’ll get a different answer about how they got where they are. In our current cohort, we have a web developer, business analysts, helpdesk and IT support managers, and an administrative assistant.
What’s the ideal student:teacher ratio?
We had seven students in the first cohort. Right now we probably want to keep it at 8 to 10, at least for these first couple. We keep it that small and more intimate so people can ask questions and feel comfortable. We keep it casual and treat one another as a team. We don't want to go too formal on anybody.
Do you have a lot of teaching experience? What’s the most important part of teaching security at a bootcamp?
I haven’t taught in an environment like this, but one thing I’m used to- and this is really important in security- is giving presentations. As a security professional, part of your job should constantly teaching others and serving as a security evangelist by presenting on topics like social engineering and security awareness.
Have you noticed that companies are starting to get more proactive about security over the last few years?
NIST is a government program that started developing security best practices in the 90s; a lot of those fundamental ideas are still at the core of what we strive for today. However, all the news around large, well known companies suffering hacks and data breaches has served as a wakeup call. Think about it, the Target breach impacted tons of people and open their eyes to why security is important.
There’s a huge educational element to this job because most companies know that they need security, but they don’t necessarily know what how to implement it or how to assess their current security posture. You may think all security relies on you as an individual or as the security team, but that's actually false. Security has to be everybody's responsibility.
Tell us about the types of projects your students are doing at Evolve Security?
Our capstone project is a real world security engagement with an actual not-for-profit company. First, we define the scope of work, this is where all security projects must start. Then, we perform the security assessment on the target. The scope of the assessment may cover physical security, best practices for secure business processes, web app pentesting, network pentesting, and/or reconnaissance. At the end of the assessment, we deliver a report of the findings and recommended mitigations to the client.
Will students be working with an actual company?
As of now, we are focusing on not-for-profits and start-up companies.
It sounds like you actually need interpersonal communication skills to be a good security analyst!
Yeah, that is an important life skill and will open doors of opportunity. Truthfully, it all depends on what role you want to fill now and in the future. You could be a highly technical individual contributor, advise company boards, move into middle management, etc. These roles require different levels of interpersonal communication.
You just graduated your first Evolve cohort. Are people getting jobs after graduating from Evolve? Can you tell us your biggest success story with the students?
Yes. I know one student actually had a job before they graduated the program, which is huge.
How do you assess student progress? Are you giving tests at Evolve?
We have a competency based learning environment here at Evolve. If we ever identify a problem, we make sure to tackle it and address it right away. We don't want to let anything linger, so we talk to students individually. We ask questions that gauge how they're doing. As an instructor, I want my students to genuinely understand the material and be able to show it, not just say they understand.
At Evolve, we do hands on labs in the course, and then we provide constructive criticism. For example, one exercise involves breaking up into groups and drawing an architectural diagram of a secure network. Once the groups complete their diagrams, everyone gets a chance to explain their work while others can ask questions. This collaborative dynamic is essential for the cohort.
What is the job market like in Chicago for security roles? Is there a reason that Evolve started in Chicago?
Andrew, Paul and I are all Chicago natives. The security industry is really strong and growing in Chicago. I'm a part of a peer-to-peer security group and participate in numerous meetups, in which people are always announcing job openings and sharing ideas. The meetups are a great way to for new-comers to emerge out of their shells. Despite being a large city, the security industry here is a tight enough community that you tend to know one another.
What meetups or groups do you recommend for aspiring security engineers in Chicago?
- Meetups are huge, like the Cyber Security Meetup we host at Evolve. You can find them in your city on Meetup.com- make sure you find one that's active, such that they are doing meetups at least once a month. Be a part of the meetup, talk to people, hang out, grab a beer, and eventually present.
- Local conferences such as THOTCON in Chicago, which is run by one of our advisors, Nick Percoco.
- Websites include Krebs on Security, Bruce Schneier’s blog, and the /r/netsec sub-reddit
- Podcasts as such Security Now by Steve Gibson. This one is my favorite!
Anything else you want to share with us about Evolve Security?
I’m excited to be a part of this bootcamp and help streamline the path for new-comers into security. Everybody has a unique background, and the formal education system still isn’t mature in the security space. Joining Evolve Security or any bootcamp demonstrates a significant dedication to enabling your new career and is one of the best ways for people to align their focus.