New job in Cybersecurity. Problem: no background
August 26, 2019 6:40 AM

I just was hired for a managerial role in cybersecurity. I have a background as a good manager (good at developing teams, improving morale, impacting performance/job satisfaction with unhappy folks, producing targets) and have been told I was hired explicitly for this, and they know I have no background. I'd like to learn more about cybersecurity. Where do I (good at technology but in my late 30s) start?

Obviously I intend to get out of the way of my team and support them in doing awesome stuff, but I'd like to develop a basic understanding for the vital work they do. I have about 2 months before I start, and I plan to be up front with them - both about my lack of background and my good faith desire to get to know what they do. Once I'm working with them, I'll ask them this same question, but I'd like to start preparing now. My background is in emergency responder management, which I think will have some parallels, but other than generally being the person in the office that fixes tech stuff that stops working, I have no other background. Where should I start? Books, online courses, even graduate programs all gratefully solicited. As a learner, I learn better through stories and dry manuals are hard (impossible) for me to digest. This will be working in the US, for a very old-school organization that has a poor track record with cybersecurity.
posted by anonymous to Computers & Internet (16 answers total) 11 users marked this as a favorite
 
There are a lot of free online course sites with great cybersecurity courses. I started taking this one a while back and never finished, but it was great, and focused on personal security. Then, I might move on to something like this that looks at cybersecurity on a larger scale.
posted by beyond_pink at 6:47 AM on August 26, 2019 [2 favorites]


I think you should dive right in and go to an event like DEF CON / BSides / RSA or whatever fits with your own cybersecurity focus and immerse yourself. It's such a big field and there are so many different cultural influences at play that it is not easy to get a sense of what a cybersecurity team might be working with or thinking about. If you learn better through stories, go to where the stories are.

With that said, if you are inheriting a legacy team from an org that has a poor track record with cybersecurity, you may need to do a lot more than get out of their way and support them. A lot of old-school orgs are bad at this because they have an ineffective security posture and a manager that doesn't know enough about the topic to feel confident making strategic decisions and/or rebuilding the team. You may need to spend some time around other teams and other people working in the field to get a sense of what a well-functioning and effective cybersecurity team does and doesn't look like.
posted by Jairus at 7:02 AM on August 26, 2019 [1 favorite]


Read Bruce Schneier.

Get his books, read his blog. He's good at discussing security.
posted by weed donkey at 7:11 AM on August 26, 2019 [7 favorites]


I can imagine a couple of different jobs fitting your description. For one of them, the GIAC GSLC cert’s topic list may give you an idea about what you’ll be doing. You might browse their other certs for related roles. Note: I don’t think you should actually worry about any certs, but they’re decent topic lists, offering ideas about what to google.
posted by Wobbuffet at 7:28 AM on August 26, 2019


Check out a few episodes of the Darknet Diaries podcast. It focuses on telling stories about people, and while it's aimed at a general audience, it's not afraid to get into the details.

A lot of the episodes are about corporate cybersecurity and penetration testing - like this or this or this.
posted by theodolite at 7:35 AM on August 26, 2019 [4 favorites]


Get familiar with cybrary and get a basic cert like security+.
posted by gregjunior at 7:45 AM on August 26, 2019


Bruce Schneier and Brian Krebs are great, accessible cybersecurity authors with well-read newsletters. It's a bit dated now, but I'd also recommend The Art of Deception as a useful way to get into the right mindset.
posted by matrixclown at 8:53 AM on August 26, 2019 [2 favorites]


SANS offers a range of classes for managers; have you looked at these?

https://www.sans.org/curricula/management

It's good stuff. (ObDisc: years ago, I did proof-reading of some of their courses, and of a book. I'm a past customer, too, but never an employee.) If I was in your position -- i.e., good manager/weak infosec -- I would figure out which one of those courses is the most difficult that you can still follow, and sign up. The self-study is cheaper and you can start immediately, but you might benefit from being able to ask questions of a live instructor if you have the time & money.

In the meantime, start listening to the Risky Business podcast (http://risky.biz) to get current on the news and the names of the players. Listen to several recent episodes, too.

Take whatever technical area you're strongest in -- sysadmin, network, dev -- and find a couple of good web sites/podcasts/books on infosec in that area (so you'll have the most points of reference) and listen while you commute and exercise and wash the dishes.

Remember: you have a lot of catching up to do, but they hired you to be a manager and not an individual contributor -- so you have to understand the issues without solving them.
posted by wenestvedt at 8:57 AM on August 26, 2019 [3 favorites]


Cybersecurity (like any professional/technical field) is a broad and wide topic. I often see people in a similar situation - especially internal lateral hires within companies moving into cyber with limited experience but being strong managers. Part of my role is helping these folks understand where they need to focus.

My answer is less focused on where to get learning (all of the above are good resources BTW - I run a 500K+ SANS spend every year for my team and it's great etc) and more on how to be successful in learning on the job appropriate to your role.

1. Remember there is no one person who knows everything (e.g. someone deep in Identity and Access Management may not have a clue about cloud security in Azure, etc.). You will not learn everything. Get to know your team (and other cyber teams) well and what their interests and strengths are and leverage them - you'll learn more by bringing the right people to the table on issues and listening than you will from a book. And some of the *best* people I work with on clients are "business folks coming into cyber" because they will pick up the phone and ask other teams, don't get siloed, and focus on the business - not the academically interesting but unnecessary to know (at your level) technology details.

2. Read anything you can get your hands on relative to your role (prior cybersecurity assessments/audits/reports for your team/product/department whatever). Knowing the types of issues your team has been dealing with/had to resolve etc will help you focus on where to start in your learning (and often the same issues come back to bite you again and again - so being able to ask "isn't this analogous to problem X I read we solved 6 months back, why can't we do something similar" can often be the right answer (or at least get people thinking)).

3. If your company has trusted business partners (either internally like Internal Audit teams) or external (third party assessors), ask them (appropriately of course) for their perspective on what is good/bad/ugly and where more work is required or they would focus.

4. Consider upskilling to where the cyber ball may be in 6-12 months. Get hold of a technology/business roadmap for the organization - are they cloud first and you need to go sharpen up on GCP/Azure/AWS? Or are they a product company where SSDLC issues are a huge headache and that's going to be a focus? Are they highly regulated and knowing a little about PCI/HIPAA/GDPR etc may be an advantage? As part of this think about what the risks for your company are now and how they may change.

5. Ask questions. A lot of questions. You can keep them basic. But don't assume the answers you get are right. Google or the search engine of your choice are incredibly helpful.

6. Don't assume the way the team works now is the way it should or could work. Consider thinking about learning about associated topics that may help (if your team is heavily manual processes based - are there automation and technology that could improve that - should you go talk to vendors and ask them what others are doing and learn from that?)

7. Don't panic when you feel out of depth - again that's an opportunity to bring others to the table - and often you'll find a lot of people are but were afraid to say it.

8. Remember cybersecurity is a rapidly changing field. You could be a 20-year veteran and still be totally out of depth or not know the answer / get blindsided that a new technology/regulation/exploit renders something you thought was correct 30 seconds ago woefully inaccurate.
posted by inflatablekiwi at 10:14 AM on August 26, 2019 [4 favorites]


It partially depends on what type of team you're managing. Offensive? (Aka red team/pen testing) Defensive? (Aka blue team/SOC/vulnerability management) A mix?

"get a basic cert like security+."

Do not spend time on the Security+, it will not teach you anything important and is generally disrespected by most professionals. Same with the CEH.

I've never done any of the SANS management track courses, but they're probably decent, though expensive.

Seconding reading Schneier, perhaps starting with Beyond Fear. A big part of security is understanding that it is about risk measurement and analysis and finding the correct balance between security and usability.

Find your local hacker groups (assuming you're in an area large enough to have them). They're the ones running the local BSides, DEF CON franchise, etc. The ISSA might also be useful to you - they tend to be managerial and non-technical but you'll probably be able to make some good connections to experienced managers through it.

Read /r/netsec - they also have links to beginner subreddits you should check out.

Read the MITRE SOC book (out of print but available for free online). Read up on the ATT&CK framework.

Check out the Pauldotcom.com series of podcasts.
posted by Candleman at 10:17 AM on August 26, 2019 [2 favorites]


Lots of good suggestions here (outside of the security+ -- I'm hesitant to recommend that for entry level folks. ISC2's SSCP is a better cert in the same-ish space). Let me also suggest that you find a mentor that is a cybersecurity specialist. You need to make some friends that run effective programs and start stealing from them wholesale until you get a better feel for what makes sense for your specific org.
posted by bfranklin at 10:30 AM on August 26, 2019


Seconding Schneier - subscribe to his Crypto-Gram monthly newsletter. For books, Ross Anderson's Security Engineering is free online, very accessible, and interesting. Check theregister.co.uk for security news; beware of the snarky writing style, though.
posted by meijusa at 10:40 AM on August 26, 2019


If you are a veteran or government-affiliated you can also take free courses at FedVTE.
posted by Hal Mumkin at 12:58 PM on August 26, 2019


Interestingly, the current Humble Book Bundle may be relevant to your interests as well (20 days left as of today).
posted by Hal Mumkin at 2:26 PM on August 26, 2019


+1 for Darknet Diaries. I've only listened to one episode, but always heard good things; as soon as you said you like stories, that's the first thing I thought of.

+1 in bold for the Risky Business podcast, it will get you up to speed on general news stories, and also - in the best possible way - introduce you to the combination of snark and weariness infosec people tend to have.

And with all due respect to everyone else, +1 to everything inflatablekiwi wrote - print or save that somewhere and re-read it every three months or so. What makes cyber security so interesting is that it's so wide, yet so deep, and moves so quickly - but that does mean you're always out of date, and there will be entire areas you'll have the barest understanding of. So being able to research or learn or ask, and being willing to say "I don't know, I'll get back to you", will stand you in good stead - especially if followed by "I know where to look" or "I know who to ask".
posted by DancingYear at 10:59 AM on August 27, 2019 [1 favorite]


One thing that often gets glossed over in fields like this is learning to think about security in a more effective way. That is far more important (for a manager!) than getting into the weeds regarding specific implementations. That's what your team is for. Your job is (probably) risk management, not turning knobs.

You need to know what various components do, a basic notion of how they work, and how those components fit together into an overall system. Assuming you have a competent team, you can bring the most value by looking out for the risks that arise from the interactions between the individual components of your infrastructure, which is where many otherwise successful organizations end up getting bitten.
posted by wierdo at 1:04 AM on August 28, 2019 [1 favorite]


This thread is closed to new comments.