Working in Cyber Security: “Security is a mindset, not a series of courses or a test you passed”
What is it like to work in cyber security? We ask some of the members of the team in Symantec. Today, we hear from Aleatha Parker-Wood, Senior Principal Machine Learning Research Engineer and Manager.
How long have you been in this role?
I’ve been a manager at Symantec for over two years, and a research engineer for more than four years.
How did you come to work in the field of cyber security?
I got started in security during my undergraduate studies. I studied security during my undergraduate operating systems course, and I also linked up with a DEFCON CTF team, and played in the CTF qualifiers for a couple of years. Then in graduate school, I took a class on security research and worked on research projects in forensics and file systems security. After my post-doc, I took a position with Symantec Research Labs, and the rest is history.
What advice would you give to someone who wants a job like yours?
My job, in particular, is research focused, and if you want to work in an industry research lab, I’d advise you to get engaged in research and the scientific process as early as you can, either as an undergraduate or a grad student. Hang around professors’ labs and bug the students there to give you projects. Read research papers and stay abreast of the state of the art.
However, to get into cybersecurity in general, just get curious! Find a CTF group to play with, or work your way through CMU’s pico-CTF on your own. Find an aspect of computing that interests you, and learn about the ways it’s vulnerable. Study operating systems, or SQL, or how a cross-site scripting attack works. The more deeply you understand all the different layers of computers and systems, the better a security person you can be.
If you want to go from there to being a manager, start thinking about the bigger picture around your work. An engineer builds systems out of code. An engineering or research manager builds systems out of people. How does your company organize itself? Where is information flowing smoothly, or not at all? Where are the performance bottlenecks? How do you put the right resources on a project to make it successful? What is the reason we’re doing this project at all, and how does it benefit our customers? Ask the big questions needed to make your team or company work better.
“A credential might make it easier to get through the door, but it won’t make you a good security person”
Is the course you studied at university relevant to the job you have now?
I’m unusual in my group, in that I have a background in security research as well as machine learning. Many people in my group don’t have a traditional background in security, but they do have the necessary intellectual curiosity about systems (How does this work? How do I break it?) and a background in rigorous scientific thought. In the broader industry, I know great security people who have degrees in English, or no degree at all. A credential might make it easier to get through the door, but it won’t make you a good security person. Security is a mindset, not a series of courses or a test you passed. Study the material, but don’t stop there, get passionate about the problems.
What do you think are three qualities someone who wants to work in a role like yours needs to have?
· Intellectual honesty. When you’re working in science, you often have an outcome you’re rooting for, but if we already knew all the answers, it wouldn’t be science. Learn how to recognize when your initial assumptions are wrong and you need to try something different.
· The ability to self-teach. Security and machine learning are both fast moving fields, and what you learned in school isn’t going to be enough five years down the road. Learn how to learn, how to read and synthesize information, and how to recognize good credible work versus self-promotion or bad science.
· Learn to communicate. Whether you’re a manager or a researcher, clear concise communication is your ticket to successful, effective projects. Very few projects are solo efforts in industry, and if you can’t get your ideas across to your peers or a software engineering manager, then they will never see adoption. Take every opportunity to accept constructive criticism on your writing and speaking, and read other people’s writing as often as possible with an eye on technique.
Any other tips, advice or anecdotes you would like to add?
A lot of people love to look for highly technical attacks, because they’re intellectually challenging, but if you really want to understand security as a whole, I’d advise taking a look at recent attacks in the wild. Some of the most destructive attacks in recent history relied on known vulnerabilities in unpatched systems, or on human error. Also, most modern attacks are motivated by profit, information, or nation-state warfare. If you really want to make a difference and protect people, focus on where those biggest weaknesses and rewards are. Hacking your neighbor’s smart light bulb to turn it on and off is neat, but protecting an unpatched web server for a high-profile politician is how you make a difference. I truly believe security is one of the most exciting fields you can work in. You’re pitting your skills against the smartest criminals in the world, and helping to keep real people safe every day. It’s as close as you can get to being a superhero with a computer science degree.
Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.
Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.
