
Build a stronger cybersecurity team through diversity and training

The security community is constantly evolving, growing and learning from each other to better position the world against cyber threats. In the latest post in our Voice of the Community blog series, Microsoft Security Product Marketing Manager Natalia Godyla speaks with Heath Adams, Chief Executive Officer (CEO) at TCM Security, about mentoring, hiring new security talent, certifications, development, the future of cybersecurity training, and much more.

Natalia: What would you recommend to security managers concerned about the lack of talent?

Heath: There needs to be more openness and moving away from control. In this industry, there’s a lot of “I went this way, so you have to go this way.” Or “I did these certifications, so you need to do these certifications.” Everyone wants that perfect candidate, someone with 10 years of experience, even if they don’t necessarily need it. We need to be able to take someone younger, whom we can help train. Or take someone with a clean slate.

As a manager, be open to more than what’s in the HR job description. And be open to new people from different backgrounds. People come from all walks of life and all age groups. So if you put those biases aside and only consider the person in front of you, it will help fill the job gap and fill the talent gap.

Natalia: And how have the pandemic and shift to hybrid working changed cybersecurity skills?

Heath: I think it was positive. In our field, the possibility of working remotely has always been there. But the pandemic has changed things, so more and more companies are starting to realize this fact. I worked as a penetration tester where I had to relocate, even though I worked away from home 95% of the time. Today, more and more companies are opening their eyes to talent that is not local. You no longer need to search in large markets; you can look at someone across the country who is studying cybersecurity, and they can be an asset to your team.

I was streaming Twitch a lot during the shutdown, and noticed that our streams were way bigger than before. We had more people watching, more people interested. There are a lot of people who took advantage of the shutdown to say, “Hey, it’s time for me to focus. I want a new career. There are high-paying jobs and there is remote work.” And as I mentioned, you don’t need any specific training or degree to get into this field. People can come from all walks of life. I think the pandemic has helped bring that to light.

Natalia: You are well known as The Cyber Mentor™. What impact has mentoring had on your career?

Heath: It keeps me on top of my game. I need to be able to give direction to people and I don’t want to give bad information, so I make sure to stay on top of changes in the industry, direction jobs and how to interview properly – all of which seem to change from year to year. It helps me keep in touch with the next generation that is also coming into the security field.

Natalia: Do you have your own mentors who help you progress in your career?

Heath: I offered what I call “community mentoring”. I have a Discord community, and we use it to encourage others to give back. You want to be able to help people when they need it or get help when you need it while learning from each other. When it’s time to network or need a job, that’s a lot. For me, it’s more about being where there are groups of like-minded people. I have a lot of friends who own penetration testing companies, and we’ll meet, have lunch, talk strategies. What are you doing? What am I doing? That’s the kind of mentorship we have with each other; just making sure we check on each other, thinking about new things.

Natalia: What are the biggest challenges for early career mentees trying to develop their skills? And how can leaders meet these challenges?

Heath: For someone looking to get a role, there are a few things to remember. The first is to make sure you crawl before you walk, walk before you run. I will use hacking as an example. Many people are excited about the hack and think it looks awesome. “Can you get paid to hack something? I want to do this!” And they try to get started without learning basic skills, learning the components of a computer, or learning how to do basic computer networking or troubleshooting. What I tell people is to break and fix computers. Understand basic hardware, basic computer networks, what IP addresses are, what a subnet is. Understand some coding, like Python. You don’t need a computer background, but having these basic skills will help you a lot.

If you don’t put a foundation under a house, it will collapse. So you have to think about your career the same way. You need to make sure that you build a foundation. People don’t realize the amount of effort it takes to get into the field. Do your due diligence beforehand.

There is also a lot of impostor syndrome in cybersecurity. I tell people not to worry about other people, especially on social media. They say comparison is the thief of joy, and I really believe it. You have to make sure you run your own race. Even if you run the same kilometer as someone else, they finish it in 5 minutes and you finish it in 10; you always finish the same mile. What matters is that you got there. As long as you try to be better than yesterday, you are going to get much further than you think.

Finally, cybersecurity is an ever-evolving field. For someone who is complacent – who wants to get a degree, get a job, and then is set – cybersecurity is not the way to go. Cybersecurity is for someone who constantly wants to learn because there are always new vulnerabilities. It was only the Log4J vulnerability that worried everyone. I had a meeting today with a client, and if I’m not prepared, I let him down. I also drop their security. I spent the weekend studying because I had to. This is the business we are in.

You also need to stay on top of the employer side, be able to train people and keep them up to date. TCM Security has a grassroots base where we want our employees to be, then we encourage them to gain knowledge where they are most interested. I was sent to a training I had no interest in and wanted to pull my hair out. As a manager, I ask, “What do you want to learn?” When I send an employee to a cybersecurity training course that interests them, they will retain that information much better. They can then report that information back to us, and we can use it in real-world scenarios.

Natalia: How can security managers better recruit security professionals into their teams? What should they pay attention to? For example, how important are certifications?

Heath: For an entry-level position, certifications are important. Their importance diminishes once you enter the field. But I’m an advocate for them; they help prove certain knowledge – just like having a blog, attending a conference, building a home lab, speaking at a conference, talking to a local community group – everything which says, “I’m passionate about safety.”

I’ve seen entry-level roles where investigators make you code something, or have you fix broken code, just to make sure you understand logically what’s going on. You don’t need to be a developer or know how to code, but you do need to be able to understand what’s in front of you. Having coding challenges during the hiring process can be beneficial, but it should be open book. For a security professional, research use is 90% of our work, honestly. If you prevent someone from doing research online, you are setting false expectations.

I go back and re-watch videos and re-read blogs all the time, because there are so many different commands, and there’s no way to memorize them all. But you have to understand the concepts. If you understand the tool they might need to run or the concept of it, you can research it, find the tool, and run it. It’s more important.

Natalia: We’ve all read the statistics on burnout in the security industry. What do you recommend to leaders who want to better retain their talent?

Heath: You have to be pro-mental health. Make sure there is enough paid time off (PTO) and encourage employees to use it. Also, make sure your employees can take time off beyond the PTO. If they are sick, they should not feel like they are letting others down. That’s why we have flexible hours; we operate on a 32-hour work week. We try to give people back as much time and have a work-life balance. We also pay for training, so people can focus on the topics that interest them. We make sure to invest in our employees. It’s so much more expensive to rehire and retrain. I prefer to invest in an employee and keep their sanity high, and make sure I give them all the tools and training they need to be successful.

Natalia: What trends have you seen in cybersecurity skills? What do you think will happen next in terms of training, recruiting and retaining security professionals?

Heath: There are more people interested in the field, and that’s great. We are starting to see a lot more training providers and training options. Back when I started, it was largely about reading blog posts, and there were maybe one or two training providers. Now there are 10 or 15.

Wrong or outdated information may exist. If you search online for certification companies, or even check an online publication from a year ago, this information might be out of date. So, again, it comes down to due diligence and making sure you’re doing your research, and not just relying on one source. If I was looking for certifications to get into this field, I would look at 20 or 30 different resources, get consensus on the highest polls, and then do my own research on those organizations. It’s a great job skills practice to research and make sure you understand where you need to go.

Learn more

To learn more about Microsoft security solutions, visit our website. Bookmark the Security Blog to follow our expert coverage on security issues. Also, follow us on @MSFTSecurity for the latest cybersecurity news and updates.

Disclaimer: The opinions expressed herein are solely those of the author and do not represent the views of Microsoft Corporation.
