
Beyond the Hacker Stereotype: Exploring Cybersecurity Careers You Didn't Know Existed

BSides PDX · 2024 · 24:02 · Published 2024-11
Speaker: Brian Myers
Category: Career
Style: Talk
About this talk
Brian Myers

Cybersecurity is often portrayed as a world dominated by hackers and pen testers—but there’s so much more to it than that. From legal advice and privacy compliance to product support and partner integration, the cybersecurity workforce offers a wide variety of roles suited to many different skills and interests. In this 20-minute talk, we’ll use the NIST NICE Framework to explore the range of cybersecurity opportunities. Whether you’re technical or not, cybersecurity has a place for you. Discover how you can contribute to cybersecurity and learn about the career paths that might lie ahead.

Brian Myers (PhD, CISSP, CCSK) has worked in software for over thirty years for such companies as Borland, Netscape, and WebMD. He’s been a technical writer, a software developer, a product manager, a program manager, a development manager, a security architect, and a HIPAA security officer. He wrote three of the first books on Windows programming. He started the first application security team at WorkBoard, a hypergrowth Silicon Valley startup, and then joined Leviathan Security Group as a Senior Security Advisor. Currently Brian works independently under the name SafetyLight LLC helping software businesses establish effective and compliant information security programs. He’s also on the leadership committee for the Portland chapter of OWASP and has helped produce the annual OWASP AppSec Days Pacific Northwest conference since its inception four years ago.

---

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org

Transcript [en]

[Music]

Hello everybody. I hear a lull; I'm going to grab it. Let's start. Welcome to Beyond the Hacker Stereotype. Here's a little bit about myself. I won't go over the details; it's just to establish that I do know a little bit about security. I have not been on the red team side, I've not done much hacking. I love going to DEF CON all the same; I always learn great stuff. Since this is a talk about careers, I'll just give you briefly a little sketch of mine, because it wasn't entirely predictable. I started thinking I was going to be an English professor. That's like the first 10 years of my adult life. But I didn't. I ended up going into software development, and so that's another 20 years there in various software team tasks, after which I got tired of that and finally shifted into security. I call this slide "move laterally and escalate privileges."

I have, over the last couple of years in particular, through connections I have at Western Oregon University, at the local OWASP chapter, at some regional conferences and events, had the privilege of talking increasingly to people who are early in a cybersecurity career. Whatever their age is, they are starting off into that career. And it frustrates me a little bit, just irks me a little, that they're not interested in what I do. I do blue team stuff, and they all come to the talks if we're having talks about how to do penetration testing; then we have a lot of people attending. And that's perfectly fine. It's interesting work, it's hard to do, and it is a lot of fun. But there are other things in the world. So it seems to me like this is what they think the security world looks like, and this is what I think the security world looks like.

So the point of this talk is really to cover two things. One is to list what some of those other hats you can wear are, and I'll describe them briefly and put up some facts about some of those roles. The other thing I'm going to do, to get that data, is rely on a tool the federal government made that tries to categorize and describe in a transparent and consistent way the kinds of work that happen in the cybersecurity industry. So that gives my spiel a little authority, a little systematic approach here; there's some data behind this. Just briefly, because I'm going to use these acronyms: the framework I'm going to rely on was created by a sub-branch of the Department of Homeland Security. It is the National Initiative for Cybersecurity Careers and Studies, NICCS, and they created this framework that I'm going to draw data from, called the NICE Framework. And that's an acronym too, but when you hear me say "the NICE Framework," that's what I mean. It's freely available on the web; I have the URL for it on the last slide. You can get to it and look at it all yourself.

One of the core concepts is a work role, which is close to what a job is, and the difference is so small it doesn't matter much. It says there are 58 work roles in the cybersecurity industry (and I'm not sure they hit all of them), and it divides those 58, categorizes those 58, groups them into seven categories here. And since the categories themselves give you a sense of the breadth, I am going to spend a little time on this slide and say, first of all, they code everything. All the roles that are in Oversight and Governance begin OG and an ID number. It's like a little database; they have IDs for all these things. So the first section up there is about leadership, management, and advocacy within an organization, to be sure that all the right security things are happening. What is our vision, what do we need, have we hired the right people? That's the leadership side of it. The second row is Design and Development, and that's building and testing secure technology systems. So that's like building software and making a new product. Implementation and Operation is running, maintaining, configuring, setting up, and using an information technology system. It's a typical IT department. The next one is identifying and analyzing risks to organizational infrastructure and information systems. Responding to attacks: this is a focus on digital evidence, so that fifth bar, Investigation, that fifth row, gets invoked when something actually goes wrong, or preparing for the fact that something might go wrong. The last two shift more into stuff that more often happens in military or government organizations, but sometimes in very large companies like Microsoft too, or big consulting companies: gathering information from many sources, analyzing it, and producing information about threat actors' cyberspace intentions and capabilities. That is the penultimate row. And then finally is executing operations aimed at defending or projecting force through cyberspace, so that's like attacks and defense. So there's a range of things that are not by any means all hacking, although it includes hacking.

So the core concept in this NICE Framework is a long list of work roles. I've said there are 58. 640 different knowledge areas that some of those work roles need to know, 556 skills that are spread out across those work areas, and 1,084 separate tasks that people do. So there's really a great deal of detailed information that somebody in the government, with a lot of consulting with industry, has put together to try and come up with a transparent way, a systematic way, that we can code work opportunities and be transparent about what's required, to describe it the same way in different organizations. One of the goals in this is to make it easier to bring people in. A lot of this tool is written by HR people for HR people, solving their problems, not mine, and I found that that was sometimes a hindrance for answering the kinds of questions I wanted to get out of it. But they are thinking of us too, and there are ways you can use this to find things you're interested in.

I began with a task, imagining myself as a fresh college grad. I was an English major, so this is an English major example, and I probably picked not the best way to start with this framework, but I'm going to drag you through the steps that I went through, because it does reveal something about how the framework works and what's in it, and then I'll go more quickly through the other ones. I opened up the spreadsheet that has all those hundreds of items in it, with each one on a different tab, and I skimmed through the skills thing. I thought, I know what skills I have, or at least I think I do. I don't know what jobs I want. I want to start with the skills: here are skills I have, what could I do with them? That is the question I wanted to answer. And I stared at, read all these hundreds of skills for a while, and then I began to notice some that were interesting. And so I filtered the Excel spreadsheet to show me only the skills that have the word "communication" in them, and then I said, as an English major, there are two in particular that attract me. I'm interested in communicating complex concepts and doing it in writing. Those are things I could handle.

So then my next question is, what job roles need those skills? So I go over to the other tab, the one with all the job roles, and there's a column of the skills listed by number, which isn't terribly friendly, but I remember the two numbers from the other page, and I've highlighted them where I found them here. And I sorted this, did the filtering in the Excel spreadsheet, and came up with three roles that need those two skills, and a lot of other skills too, I admit, but still, that's a good start. And the first one attracted me: Cybersecurity Instructor. I wanted to be an English professor; I could have imagined myself as an instructor. This is a win.

So then, let's see, I have this on the next slide. Yeah, there, that's the role I got interested in. So now for a while I'm going to think about what I can find in this framework about that Cybersecurity Instructor role. What other information is there? This is the UI they probably mean you to start with, not the spreadsheet where I started, but it doesn't let you browse by skills, which is how I dove back into the spreadsheet. So now in the upper left, I know you can't see it, in a minute I'll blow up part of this, but I have put Cybersecurity Instruction in the top left. There's a drop-down list; I found that role, and you can see it's pulled up information about that role. The next slide blows up the right-hand half of that picture to show just what some of those details are. Notice the Details tab is highlighted; there are other tabs we'll go to in a minute. Some of the details offered about the role include functional job titles. Ah, this is what I look for on a job board. If I want to be a cybersecurity instructor, I don't look for "cybersecurity instruction"; that's just the framework's word for this role. These are the job titles where they might need someone who can do that role. There might be other job titles as well, but that's a good start; it gives me an idea for the kind of thing I might be looking for.

I've switched down to the task statements, still looking at the same Cybersecurity Instruction role, and now you can probably recognize these are tasks that were in that spreadsheet, but now it's showing them to me on a web page. And there are a lot of tasks, more than you see here, way more than you see here, but still the top ones are interesting. It confirms I'm in the right place. This is a job about evaluating training programs, preparing and delivering briefings. Yeah, that's the kind of thing I thought would be here. Good, I'm in the right place.

Another tab: Common Relationships. There are, at the bottom on the right here, four other roles from the framework, and there are the codes, their names, and then a percentage on the right. That percentage is telling me how many of those tasks and skills and knowledge areas are shared between the role I picked and these other roles. So although I'm looking at Cybersecurity Instructor, that's 87% overlap with Curriculum Development. Well, that makes sense, but I might not have known there was a Curriculum Development role I could look for. And there's a significant amount of overlap, less than 80% but still a significant amount, with some other roles. So that might give me another area to look in and say, well, maybe I should be considering those too; maybe I could find my way into one of those.

Another one of these tabs is Capability Indicators, and I'm going to go there next, except that when I click it you get so much information it doesn't fit on a slide. So I have abstracted it off the website and just made kind of a sketch. There's way more information in there, but just to give you an idea what these capability indicators are like: it shows you a little bit about what you're expected to have in that job in the way of qualifications at different stages in your career. And since I'm imagining myself as a just-graduated English major, I care about the first column, and the first column says an associate's or a bachelor's degree will get you in. Maybe I didn't need that bachelor's degree I just got; I could have got in with an associate's. This is a way to find that out. And that doesn't mean it's a hard and fast rule that you have to have one of those degrees, but by and large, in general, that's what's expected. That's useful information. It also says what areas I might look for training in. Maybe I can find a course, or maybe I already have a job and there's professional training there, or maybe I can find some books. Those would be good areas to focus on. And it tells me if I need credentials or certifications, if that's a common requirement for that job. Those are things I get asked, so I thought it was useful to see that they're here in the framework.

Finally, and this is not part of the framework, I went on to LinkedIn to see if I could find an actual person who had a Cybersecurity Instruction role, because I wanted this to seem kind of concrete, like people in the real world actually do this. And here's somebody I found. And of course there were people with normal instructor roles, but I really liked his role; it sounded really interesting, so that's why I picked it. His role, if you can't read it, is Engagement Coordinator and Speaker at Microsoft's Cybercrime Center. That sounded like fun. He probably doesn't have to be the person who does all the technology stuff; he just has to understand it well enough to explain it to different kinds of audiences, probably with different degrees of technology familiarity, and make it sound interesting and exciting and important to them. I'd like that job even now; that sounds like fun to me. So anyway, I've finished there. We got to one role. There is one role, one hat other than hacker, that you could look for.

And I'm not going to drag you through all the framework steps in all the others, but I'm going to go more quickly through some of the other things you could find in this framework. So the first role I'll take, or second role I'll take: Cybersecurity Legal Advice. And here are the tasks, the skills, and the knowledge that the framework says you need if you want to consider this as your work role. This is a work role you might like if you like the idea of being the expert who guides the company through legal and regulatory issues related to cybersecurity. Again, this is not someone who programs, typically; they may have written a few scripts somewhere. I mean, part of my message is there's a variety of roles that take a variety of qualifications, and it isn't all about being a deep hacker in order to provide deeply needed services. There are some job titles associated with the Legal Advice role, and here is a person who actually has that role. And again, not someone I know. I don't even know exactly for sure what Molly does, but I liked her. I picked her out in particular because she's not the contract lawyer for a corporation, which is kind of what I expected most of the lawyers to be. And I worked with them, and they do important stuff; I depend on them a lot. But she is a lobbyist. She works for EFF, the Electronic Freedom Foundation, of which I am a proud member, and she is working to influence public policy, which needs legal input and advice for regulatory decisions. So that's another angle you can go, definitely public sector, people with legal advice.

And here is another thing you can find, not for all the jobs of this kind in the framework, but this did come from the framework; it's a screenshot. It gives you an idea of the median salary, I think for starting positions in this role, not for senior positions. I know senior lawyers make way more than that, but still, you want to know what you might be aiming for if you start down this road. You might start somewhere around there. And it confirms that yes, indeed, you do need a law degree to consider this.

All right, here is a third role: Knowledge Management as a role. There are the tasks, skills, and knowledge areas needed to work in Knowledge Management. This is a role to consider if you like the idea of organizing information, ensuring teams have the right data at their fingertips, and making an organization better by improving how knowledge is shared. Imagine, for example, you work at a big consulting company like Deloitte or Accenture, and they have lots of people doing lots of things, and they definitely, like, if I'm a consultant, I get assigned to a new client who has a problem I haven't seen before. I want to go to the company knowledge base and see how have we dealt with other customers who had this problem. I want that to be easy to find and current. That's just an example of what a Knowledge Management person might help provide. Here are the job titles associated with it, and there is someone who has a documentation-focused specialist job working for 1Password, which is, you probably know, a password management program. And there are the starting salaries. This is a job you can conceivably get without a degree; certifications are encouraged. You know, useful information. And each of these colorful sheets also emphasizes soft skills that are needed. It isn't enough, in some cases not even necessary, to be a deep technology person; there are other skills needed in these jobs as well.

Oh, a bonus feature. Stepping away from the roles, another thing that you can get out of the framework that I find really useful are these things called on-ramps. When you're in that view where there are all those tabs, and I was clicking around on certain of those tabs, you can see this On-Ramps button, and if you click it you get a display like this. And Knowledge Management is the role we're looking at. The other circles are also work roles; they're work roles that you commonly step into Knowledge Management from. So if I don't see a Knowledge Management entry-level position out there and I'm determined I want to go that way, I might look for a data analysis role instead and use that as a step towards Knowledge Management. That's what on-ramps are. Took me a while to figure that out. Technical support can also be an on-ramp to Knowledge Management.

All right, back to our list of roles. Threat Analysis is a role, and those are some of the, and again, just some of the tasks, skills, and knowledge for that. I just pulled out some representative ones; there are many more in the framework. This is a job to consider if you like understanding the way hackers think, attackers think, and enjoy researching emerging threats, and you like anticipating the moves of your cyber adversaries. It's this kind of work. People in this role are responsible for collecting, processing, analyzing, and disseminating cybersecurity threat assessments. And here's someone who does that for Microsoft. There's a starting salary. That is a little more technical than some, so I'm not surprised to see the starting salary a little higher. More technical than some of the other roles I've featured in this so far. Yeah.

All right, Cybercrime Investigation, and we've had some talks today that bear on this. There are the tasks, skills, and knowledge. You have to do things like navigating the dark web, processing digital evidence. You might like this if you have a knack for tracking down digital evidence, you enjoy solving crimes, and you want to bring people to justice, like bike thieves, for example. You are responsible in this role for investigating intrusion incidents and crimes. You use a full range of investigative tools and processes, and you balance the benefits of prosecution against the benefits of intelligence gathering. That's a kind of judgment call you have to make. And here's somebody who does this. He is a cybercrime specialist, also a probation officer, somewhere on the East Coast; I forget where he was. But anyway, a concrete job people can really get. Cybercrime, oh yeah, more details about that. Notice this one has no degree requirement, although certifications are encouraged. Again, you don't have to go to college to find your way into cybersecurity. I've shown two examples, and there are others in the framework; I'm only sampling.

Another bonus feature from the framework, another thing you can see, as you will see as you're browsing through that UI I showed, the Career Pathways UI, and clicking those tabs: sometimes you'll encounter this button, and it jumps you into another website called USAJobs that will show you job listings keyed to that work role. So they are starting to use this work role in the industry, this framework and its coding, and the more you find that, the more you'll find the framework will help you understand what people are asking you for. But it also is a direct job lead, and you can see what organization it's at, what the salary would be, what they're requiring in an actual job-specific opening.

All right, I think this was my last role to cover. Multi-Disciplined Language Analysis is the role, and it starts, you know, with knowledge of language and dialects, and that of course has intelligence uses. You might like this role if you're skilled in more languages than English, and you enjoy interpreting foreign communications and cultures, and you want to help uncover cyber threats from global sources. That's what this work is about. And this guy, his particular language area of expertise is Korean; he's been working for the military for a while. This kind of role combines language and cultural expertise with knowledge of targets, threats, and technology, and there's the little scratch sheet with some basic outline about that role.

All right, hacker found its way in. Yeah, there is a role for hackers too; we acknowledge that. That is one of the 58 work roles. They call it Exploitation Analysis. It goes under those job titles. "Vigilante hacker by night" is Elliot's own particular job title.

All right, I have a couple of slides to finish up, just to review. I've introduced you to the NICE Framework, and I've talked about six different cybersecurity roles that require different starting qualifications than you might have expected. I'm trying to extend our imagination of ways you could engage with this field. There is one other tool I want to introduce you to. It's called cyber.org, and it takes the data from the NICE Framework, that is, its little database of jobs and roles, and it ties that in with actual job statistics from around the country by region. And from that site I was able to see, for example, that in our region, in the Portland metro area, there has quite recently been an uptick in hiring in the cybersecurity workforce. That's interesting. You can get that kind of information for many different areas around the country. The same site will also let you see the data broken down by work roles, by those categories that we began with, and you can click into each category and see which work roles there are the most of. This will help you understand supply and demand around those work roles in different regional areas, which could be useful in your job hunt.

Finally, I'm going to close with, well, nearly close, one more slide I think, with this remark from the NICCS website. That's the people who put out the NICE Framework. Kind of the general message from them and me for this talk is: we need people in government, in the military, in intelligence; we need people with cybersecurity skills at all levels of every organization in all industries, from finance and healthcare to entertainment. There's a wide range of roles. Even the same role in different companies can give you very different kinds of satisfaction. There are the three main, oh, there's a third one I was going to mention. At the TAO Summit earlier this month I discovered there's a new, or well, new to me, or I think it's new in town, new organization called Northwest Cyber, NW Cyber. Their website was not up yesterday, but it's coming up any minute, I'm told. And their focus is helping people in our area get connected to resources and key opportunities in cybersecurity, and they know a lot about this framework. They were excited to discover I already knew about it and was going to give a talk based on it. Kika, are you here? I met someone at the conference. Okay, not, I thought we might actually have a representative. Anyway, keep your eye out on that. They do have a Facebook page that's running now, so you can connect with them if you want to.

That's it, I'm done, but I would be happy to take questions. I think we have a little time. I'm certainly going to be around today and tomorrow, and would be happy to have further conversations with anyone if it would be useful. Thank you.

[Applause]

Do I have ideas for job things for people who are retiring and want to do part-time stuff? I don't have specific leads. What occurs to me, it probably already occurred to you too: nonprofits need a lot of help. They typically don't have IT-experienced people, and so if you go to your favorite nonprofit and say "I'd be happy to help," that might work. I don't know; there's a thought.

So the question is, how do we get errors in that framework fixed, that not all the data they have is accurate? Now, I don't know that. I assume that you would go through the NICCS website and there would be a way to report that. I do know they went through, they didn't, I don't know what process they followed to get this. They didn't make it up; I don't know where it came from. And I also don't know, and they've revised it once. It came out in 2017 and they've shifted the role definitions since then. There is definitely an ongoing effort to keep it accurate, so I'm sure someone is interested in that feedback. And yes, I wouldn't take any of that as gospel or written in stone just because it said that. It usually said, "usually a degree is required"; that doesn't mean you might not get the job without, or the other way around. It's averages.