As the scope of cybersecurity continues to evolve, so, too, do the demands facing those entering the field. This has prompted many in higher education to revisit the question: What’s the best way to prepare students to enter the field? And for those interested in pursuing a career in cybersecurity to ask: What do I need to know?
During a roundtable Tuesday morning, a panel of five experts in different sectors—including finance, healthcare, and higher education—discussed the complex nature of cybersecurity and the “soft skills” required to succeed in the ever-changing cyber landscape.
Titled “Creating Aligned and Relevant Pathways for Students” the event was co-hosted by Northeastern’s Lowell Institute School and the Business-Higher Education Forum.
The Lowell Institute School offers science, technology, and engineering bachelor’s degree completion programs for students who already have some college credit. It also offers post-graduate students and professionals the opportunity to pursue new or related careers in those growing industries.
Here are five tips for those looking to break into the cybersecurity field, with insight from the roundtable experts.
Be a good communicator
All five of the experts said they had interviewed a candidate for a cybersecurity position who possessed a strong technical understanding of running a cybersecurity operation but who struggled to explain how it worked to someone without a technology background.
This posed a grave problem for someone like Jim Graham, sales engineering manager at the cybersecurity company Imperva, whose business relies on employees’ ability to explain to other companies what his can offer.
Or, for someone like Ari Seitelman, information assurance engineer at Raytheon, a U.S. defense contractor, who needs people within his team to be able to effectively communicate with each other.
“Those communication skills are important,” Seitelman said. “The larger part is being able to translate these technical solutions to your audience. You have to make sure that you can not only communicate what you’re doing, but articulate these technical solutions in a way that people who aren’t in that field can understand.”
Craig Bennett, director of corporate compliance at Deaconess Medical Center, recalled joining the team at Deaconess in 2004, when the hospital was in the midst of converting from paper medical files to digital files.
“Some of the best people I dealt with from an IT perspective were those who came from different disciplines,” he said, such as sociology or psychology. “They brought to the table that critical thinking, which was really important in healthcare.”
Understand that cybersecurity is “not just a technical issue; it’s a human issue”
Cybersecurity is more than just a nebulous concept tucked into the deep web, the experts argued Tuesday.
Kemi Jona, founding director of the Lowell Institute School and associate dean for undergraduate education in the College of Professional Studies, said, “Cybersecurity is not just a technical issue; it’s a human issue, a systems issue, an ethical issue—it impacts everything.”
In fact, Mark Nardone, chief information security officer at Northeastern, posited that cybersecurity is hardly a technology problem at all.
“If you look at the new aspects of cybercrime, they’re just digitized versions of the oldest con in the book: the confidence game,” he said. “That is, tricking someone using social engineering, just now through a digital format.”
Discern why people get conned
Graham said that the largest-scale cyberattacks tend to stem from phishing—a tactic whereby a hacker scams an account holder into releasing important information by posing as a legitimate company.
If that’s the case, and if, like Nardone said, cybersecurity is just the latest version of the oldest trick in the book, then why do people keep falling for it? That’s what cybersecurity teams have to figure out, said Michael Woodson, information systems security director at State Street Corp., a financial services company.
“It’s a matter of saying, ‘Let’s peel back the onion and consider, what were they thinking? What did they do?’ It’s about taking a human approach to cybersecurity,” Woodson said.
Maintain a strong moral compass
There’s an ethical component to cybersecurity as well, particularly when it comes to teaching, Nardone argued.
“We’re basically talking about teaching people how to compromise accounts, how to compromise systems, and if we’re going to be teaching those skills, we need to be teaching it in a way that makes students understand the ethics of it,” he said. “Just because you can do something, doesn’t necessarily mean you should.”
Find the right balance between security and usability
It’s also important to strike a balance between incorporating too many security measures and leaving a system open to attack, Graham said.
“Security is a balancing act. You can make things so hard on the end user that they start writing things down on sticky notes and putting them under their keyboard or on their desk,” he said. “You don’t want to crack down so hard that people can’t remember their passwords.”