Cybersecurity is one of those odd sectors: Ask a subject matter expert how they got into the field, and listeners will be privy to a circuitous tale of their journey to the world of information security, filled with twists and serendipitous skills inadvertently acquired throughout their career.
While the technology industry has praised cybersecurity as a leading and lucrative sector for a number of years, it is a relatively new field, becoming top of mind for businesses with the rise of large-scale cyberattacks.
Though security education is becoming more formalized, with four-year universities starting to offer courses and minors dedicated to infosec, many experts find themselves in cybersecurity by chance. Those who spent their careers working in cybersecurity before the field became fashionable have unique paths, often learning in the trenches.
At RSA Conference 2018, we spoke to experts about their origin stories. Here is how five experts got into the field of cybersecurity:
Tammy Moskites, managing director at Accenture Security:
Starting as an executive assistant, Moskites' first role relating, in part, to security was working in actuarial as a senior trends analyst. There, it was her job to understand the likelihood of an event occurring and other risk factors.
In her move to becoming a technology professional, Moskites looked through the lens of "what's the average likelihood of an event to occur." With a risk lens in mind, Moskites took up identity and access management, building programs to understand how organizations knew what employees were accessing.
"I started really focusing on building out secure organizations that had specific controls and roles and responsibilities," she said. "It was a very early stage security leadership."
In 1998, Moskites joined Nationwide to help build out its identity program. It was her first role building out programs at large organizations, and she went on to serve as the CISO of The Home Depot and Time Warner Cable.
"The CISO role has morphed into many different things and because I had the business background and the ability to work with the business, [I] always focused the security controls around the impact of the business," Moskites said.
Alexander Heid, chief research and development officer at SecurityScorecard:
Heid's foray into the computer world began when he was a kid, he said. Running a Linux machine and experimenting with video games, Heid eventually began to meet people who knew how to make computers with "any type of software or hardware do what [they're] not intended to do."
Save for a typing class to learn how to type fast, a lot of Heid's experience was self-taught. "Once you're in the industry you're thrown into the deep end of the pool."
After dropping out of college, Heid began hacking for a bank, tasked with finding and disclosing vulnerabilities on their websites and potential routes for payment compromise. The bank, in turn, introduced him to the more underground world of cybercrime, which he now researches.
Jenny Menna, SVP of Security Intelligence, Engagement and Awareness at U.S. Bank:
Graduating with a degree in international relations and a bachelor's in Russian studies, Menna moved to Washington, D.C., to work in international development consulting before joining SRA International.
Working on a series of contracts, Menna was eventually assigned to support the Department of Homeland Security. One of the ways the agency staffed up was by flipping contractors to become government employees, and she joined DHS in 2005.
During her time at SRA, Menna developed a background in information assurance for federal systems, which allowed her to join a "nascent" cybersecurity group at DHS, she said.
While she did work on US-CERT and industrial control system security, "I was primarily the person who dealt with the private sector on cybersecurity, everything from incident response, developing tools and getting the NIST framework built and rolling that out."
Marc Spitler, sr. manager of Verizon Security Research at Verizon Enterprise Solutions:
Though Spitler came out of college without a background in IT or computer science, in the late 1990s people could get into the field just by showing a "go getter" attitude, and a willingness and ability to learn, he said.
Spitler began his career as a system administrator, learning TCP/IP and Unix and managing firewalls for a company that would eventually become part of Verizon. His background pivoted into general security consulting, focusing less on the network and more on peer mission security.
Juan Pablo Perez-Etchegoyen, CTO of Onapsis:
Perez-Etchegoyen's path into cybersecurity stems from curiosity. Experimenting with computers, he was interested in IT security, investigating malware and working to understand how things operated.
Once he became a penetration tester, he was able to start developing his skills and experience. As a pen tester, Perez-Etchegoyen would go into an organization for a couple of days or weeks to investigate flaws and vulnerabilities, reporting to the business the holes in their security posture.