It has been slightly over a year since I leaped, head-first, into the world of information/cyber security. It has been a very wild and strange trip!
Along the way I have been amazed, appalled, confused, and confounded more times than I can count. I have met some wonderful people, some of whom I hope will be lifelong friends. And I have come to see the world of information technology in a very different way than I did before. Not better, nor worse. Just different.
Cybersecurity people think about things differently than other people do. Differently than other people in information technology, even. We (and yes, I include myself in this) look at the IT world in terms of vulnerabilities and worst-case scenarios. We have to. When the worst-case scenario happens, our normal response is, “Oh sh*t… That didn’t go according to plan…”
Then, like paramedics rushing to a car crash, it’s all about solving the problem in steps, logical steps, from figuring out who can be helped and who can’t, to taking those first steps toward restoring normalcy. Unlike paramedics, however, we stay with the patient(s) all the way through to surgery, recovery, and all the aftercare that is needed to restore the patient(s) back to “normal,” and beyond.
Our “patients,” however, are computers, networks, databases, and workstations. The people who use them often are not the focus of our attentions. They are peripherals, attachments, rather than the center of where our interest lies. Unless you’re a pen-tester or educator. Then social engineering is a big part of what we do.
It’s difficult to put into words all the little ways my thinking has changed over the past year. I understand a whole lot more technobabble terms and acronyms than I did before. I’ve learned to use some awesome (and occasionally scary!) toys. I’ve realized that I will never be able to buy a typical “consumer” computer system again. I have a deeper understanding and respect for these complex machines and systems we use every day for work and play.
But more than anything else, this past year has reaffirmed and strengthened my resolve to protect as many people from cyber-creeps as possible.
You know, the soulless cretins who write ransomware and send socially engineered spam to little old ladies so they can steal their pensions. Or the Russian Twitter-bot makers who have assaulted democratic processes around the world, fostering and fomenting FUD (fear, uncertainty and doubt). And leave us not forget the cyberstalkers, cyberbullies, and cyberperves who terrify and terrorize innocents for fun. I already knew they were there – I have worked professionally in Internet tech for a long time – but what I see is that the tools we have now have made it easier than ever for these bottom-feeders to get their kicks by ruining the lives of other people.
Something else has changed for me this year. I have gotten over my aversion to certification. You see, I’ve been doing the Internet thing since the early 1990s. Back then there weren’t any web design or development certifications, degree programs or bootcamps. We just drank from the firehose every day as new technologies were being invented and sent out into the cyberverse. I got used to ramping up on whatever tool, language, or protocol I needed at the moment without going through any sort of formal educational process. Back then, this tactic served me well, and over the years I have learned and forgotten more stuff about computers than most people ever learn in a lifetime. But, over time, the world has changed, and so must I.
As of this writing, I currently possess three GIAC certifications related to information security. I have the SANS CyberTalent program to thank for that, and I am determined to do what I can to “pay it forward” by helping SANS and new CyberTalent applicants to achieve as much as they are able. I also plan to add a whole lot more alphabet soup after my name, both in terms of certifications and in terms of more academic accolades.
All this said, I’m still an infosec newbie, and I know it. But I have eaten from the apple of knowledge, and I want more. Where this path will take me, I have no clue. What I do know is that this is where I want to be, and that’s a very good feeling, indeed.