Breaking Into Cybersecurity

We recently sat down with Jeff Groman, CISSP, to discuss cybersecurity careers and his EmergingEd courses. With over 20 years of experience in the field, Jeff is certified in forensic analysis and application security and previously worked with Mandiant Security Consulting Services and FireEye, providing strategic and incident response consulting to security teams and educating executives through the delivery of SOC assessments. Jeff has presented at Information Systems Security Association (ISSA) International, NetSecure and Infragard conferences, briefed boards of directors, conducted tabletop exercises and workshops, and helped clients build security processes to properly prepare for the inevitable.

EmergingEd: Jeff, thanks for taking the time to chat with us today! A lot of our readers come from non-technical backgrounds and aren’t sure how to enter the cybersecurity field. Can you tell us about how you first got started?

Jeff: It's an interesting question because when I got started in cybersecurity 20 years ago, it was a different world. There really wasn't a separation between the security teams and the technology teams. They were married together, and security was almost like a second job. I worked at a company and was on the network side, managing networks and systems. There were not a lot of security tools in those days— there were firewalls and some nascent intrusion-detection systems. That was really it, so people ended up generally owning that and doing some other technology stuff daily. In those days, it was a little bit easier to move back and forth and jump into a security role, but there were also fewer roles. So, as I was doing the network role, I did some cybersecurity work and my career in cyber sort of started from there. 

EmergingEd: That’s very interesting to hear. I bet a lot of people do not realize how different cybersecurity functions and roles looked back then. What kind of advice would you offer those looking to make a career switch into cybersecurity now?

Jeff: I think the more obvious route today is starting with a strong technology background because that's really what cybersecurity layers over. You must really understand how the operating system works, how applications work under the hood and what's driving these systems. We live in an era where technology is much more complex and gets more so every year. We can do much more with technology today than we were able to do a decade ago—and cybersecurity layers on top of all that. So, if you want to get into cybersecurity, you also need an understanding of technology systems and applications.

EmergingEd: But what if somebody doesn’t have that technical background? What kind of work can they do? 

Jeff: If you don't have that, I don't think it means the doors are closed. I believe what it means is that you're probably going to be looking at specific areas of security that are less technical. So for instance, the policy side of security, the security-awareness training side—these areas have less technical roles. The other area that we see people in who aren't necessarily hands-on technical is when you get into a manager role because your responsibilities are a little bit different. You manage the people who do the technical work and keep them focused and aligned with strategic initiatives. But it’s always important to try and continue to learn, even if you don’t have a technical background.

EmergingEd: Can you speak a little more about the different types of roles that one can pursue in cybersecurity? I’d imagine it’s a very broad field.

Jeff: Yeah, that's a great question because cybersecurity has blossomed into a lot of specialties. Let's talk a little bit about those roles within a company, especially when talking about larger companies. Generally, companies employ people that are managing security policies and the governance side of security. That's usually going to be somebody in-house, but you might outsource certain pieces of that cybersecurity team. Those outsourced pieces are probably more of the technical roles. So, for somebody who's coming in with a technical background and really wants to get into cybersecurity, there are certain specialties that are more common, like pen-testing and red-teaming. 

For some smaller companies, they may hire those roles out. So, you might be working for an outside firm, providing those types of services. There's also the flip side to the red team, which are the folks who are trying to detect somebody trying to break in. We call that the “blue team.” There are also breach-investigation roles or roles that monitor for anything that looks like an outside intrusion into your system. There are also a variety of other roles within cybersecurity today that you can search for online.

EmergingEd: It sounds like there's a lot of breadth and depth to this field. What are some of the skills people need to develop to obtain a career in cybersecurity?

Jeff: I think there are really two different skill sets that are important in cybersecurity today. One is the technical side we've been talking about—really having deep technology skills. The other side of it is what we've always called “soft skills.” I think communication is a big part of this. One of the challenges cybersecurity has is that it is always full of jargon. Nobody else understands when we start talking about nation-state actors hacking infrastructure systems and whatnot. I think that's a huge thing. We have to learn how to communicate well, so our stakeholders and leaders can understand what is happening and make the best possible decision.

EmergingEd: That makes a lot of sense. Let’s talk about the cybersecurity courses you developed with EmergingEd. How can that help professionals who are either interested in making a career switch or wanting to learn more about cybersecurity? 

Jeff: I think the top specific skills you'll learn when you take our EmergingEd cybersecurity courses is a true understanding of cybersecurity concepts so that you can really talk intelligently, both with security folks and those outside of security. We designed the courses so you can understand how to apply core concepts to different scenarios, whether at work or in your personal life. 

As I’ve said before, what's really important today is to be able to communicate about cybersecurity as a cyber risk, which is just another form of business risk. The only way to do that is to be able to bridge that gap between the security and business folks. I think that’s a huge piece that you get out of the EmergingEd cybersecurity courses. 

Finally, you will gain the ability to understand cyber risks a little better. You learn how to gauge the severity of cyber risk and the impact it can have on your company. Business leaders are always looking for guidance on this subject, and our EmergingEd courses can help you become fluent enough to have that conversation.

EmergingEd: I definitely agree with what you said about the value of communication and understanding cybersecurity concepts. That wraps up our interview for today. Thanks so much for taking the time to chat with us and give us your insights, Jeff. It’s been very informative and helpful.

Jeff: My pleasure, thanks for setting this up!