If you haven't read Tribe of Hackers, you absolutely should. Marcus Carey’s take on Tim Ferriss’s Tribe of Mentors is brilliant. It is an incredible deep dive into some of the best minds in cybersecurity. I found the questions insightful and wanted to add my own answers to the public record.
1. If there is one myth that you could debunk in cybersecurity, what would it be?
Mac versus PC. Apple versus Android. It doesn't matter. They are all so close to each other at this point that it is personal preference, and what really matters most is that they are kept up to date.
2. What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?
Asset management. I can't tell you how many organizations I have walked into that have big-money cybersecurity appliances and certifications without a functional asset management system. You can't protect yourself if you don't know where anything is.
3. How is it that cybersecurity spending is increasing but breaches are still happening?
A lack of focus on the fundamentals. Again, these companies are spending thousands of dollars and man-hours implementing these fancy new tools with a bunch of buzzwords (Next Gen, AI, Blockchain, etc.) that aren't going to provide any ROI because they don't have asset management or regular patching down.
4. Do you need a college degree or certification to be a cybersecurity professional?
Nope! This is a field where you can succeed without a formal education. Certifications and degrees are great to pass the HR check but I have met people with no degree that have forgotten more about security than I will ever know. I have also met people with a degree that don't know a thing about working in security. It is not about being able to take a test. It is about being able to learn, make mistakes, and apply what you learned from those mistakes.
5. How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I got my start in cybersecurity when my Dad told me I couldn't have the internet in my room. I went on to Frankenstein a laptop together, found a way to download Whoppix, a now defunct precursor to Kali, and booted up my laptop with it. I used money I saved working summer jobs to buy a compatible wireless card that would allow me to crack the wireless password and get on the internet. I was eventually caught and my Dad was furious, but from then on a fire had been lit and I needed to know more and more.
As far as pursuing a career in infosec? The best advice I can give is show up and network. There are plenty of cybersecurity-related conferences, both local and remote, as well as online communities (check out http://infosecjobs.world/!). Get out there and meet the people in the community. By showing up and showing you're interested, you are almost guaranteed to run into someone who will recognize your passion and give you a shot.
6. What is your specialty in cybersecurity? How can others gain expertise in your specialty?
I would have to say my specialty is understanding cyber risk and being able to explain that to the business. There are a lot of news stories about breaches and zero days and most companies don't know what to do with that information. So they are very reactionary. And when some new vulnerability makes the news, and the snake oil salesmen come out of the woodwork, I am there to separate the wheat from the chaff. Should you try and patch Meltdown and Spectre vulnerabilities? Yes. Are you going to be compromised by an attacker using those? Probably not. Are you going to get compromised by a Flash or Java vulnerability you didn't patch? Absolutely.
As far as how to obtain this triage expertise, the best advice I can give is to try and work in as many different environments as possible. MSPs and MSSPs are great for this. They give you a great chance to touch a lot of different environments and different lines of business to really understand what they need to function as well as what their risks are.
7. What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Be yourself and be honest. There are a lot of people in this industry who feel the need to never be wrong. To shift blame off of themselves. To be rockstar/ninja/pirate whatever. These people are eventually found out. If you are yourself and you are honest about what you do and own the mistakes you've made, you will go far, not only in this industry, but in life.
8. What qualities do you believe all highly successful cybersecurity professionals share?
It is cliché, but a passion for what they do. This field is not one where you can get a certificate or degree and never expand beyond that. You need to have passion to keep learning to keep up with this industry. The other quality I see is the ability to do quality self-care. This industry can burn you out fast, and if you don't stop and take a step back once in a while, you are guaranteed to burn out.
9. What is the best book or movie that can be used to illustrate cybersecurity challenges?
Star Wars: Rogue One. Stay with me. The Empire, a massive and wealthy organization, lost its most critical asset to a foreign adversary that was familiar with their operating procedures using their own tech against them (K-2SO).
10. What is your favorite hacker movie?
Hackers (1995). I can quote it word for word. That and the Swedish Girl with the Dragon Tattoo series. It does not get nearly enough credit and is closer to the books than anything.
11. What are your favorite books for motivation, personal development, or enjoyment?
I love Extreme Ownership by Jocko Willink. It really shows how you can lead from anywhere inside an organization. As far as enjoyment is concerned, I love anything by Clive Cussler. They are formulaic and there is something comforting about that.
12. What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
This is something I am wildly passionate about and can expound on for hours. But if I had to sum it up in one golden rule it would be: Limit your exposure. Is your personal information worth 50 cents off at the grocery store? The less information you give to companies about you, the better.
13. What is a life hack that you’d like to share?
A.B.K. Always be Knolling. It is a process of arranging like objects at 90-degree angles. It's the reason Apple stores look so nice and I use it to organize my desk. It has made my desk, and by extension my mind, much less cluttered.
14. What is the biggest mistake you’ve ever made, and how did you recover from it?
I have made a lot of mistakes. No one stands out as worthy of inclusion. What I will say is that every mistake is an opportunity to learn. Making mistakes is not a bad thing. Repeating them is.