Chapter 1
Introduction and Motivation

I am an imposter.

Many people consider me an expert in cybersecurity, particularly software/application security. Yet, I have no degree in cybersecurity. I have zero security industry certifications. I have never been a cybersecurity practitioner for an enterprise or government agency. So I'm a phony, right? A fraud.

Wrong! Like many of us in this industry, I am mostly self-taught. I leveraged the education and experience I had to build the body of knowledge that has become my own-vast and broad and uniquely "Ed." Nobody has the experience and education that I do. I have proven myself time and time again. I am a trusted advisor to my clients, I am a speaker at industry conferences, I am a cybersecurity talk show host, and I am a sought-after expert for that very knowledge and experience only I have. I belong.

Many of us in cybersecurity feel conflicted. We feel as if we don't belong because we haven't "earned our stripes" or we lack some technical degree, certification, or hands-on experience. Imposter syndrome is real. But I'm writing this to let you know that you don't need a technical degree or any particular certification or prior hands-on experience before starting your career in cybersecurity. Cybersecurity has hundreds of different types of jobs, both technical and nontechnical. I have many friends and colleagues in cyber (many holding C-level positions) who graduated with degrees in Spanish, finance, philosophy, and other nontechnical/engineering disciplines. I have undergraduate degrees in mechanical engineering and English literature, as well as a master's in business administration (MBA). Nothing in my education would lead one to think I'd become a cybersecurity "expert"-yet here I am writing this book after spending the past 20 years in the security field. And I love it. You can too.

As executives, hiring managers, HR professionals, and others who create cybersecurity job descriptions and hire practitioners, we need to be mindful that we reflect realistic requirements for job seekers. One of my good friends, who is a CISO, reminds me that she has seen far too many entry-level jobs that require Certified Information Systems Security Professional (CISSP) certification, for example. The CISSP certification requires five years of industry experience before you can even sit for the exam. These paradoxical blockades abound in the cybersecurity industry; it is our obligation and duty to correct them.

How This Book Is Organized

I've organized this book into two parts, covering the following main topics:

• In Chapters 2-5, we explore cybersecurity careers using the analogy of the color wheel: I first came across this concept when I saw April Wright deliver a brilliant talk at the 2017 BlackHat USA conference.1 Other folks, like Louis Cremen in 2020,2 expanded on Ms. Wright's talk, and I plan to do the same. I'll discuss cybersecurity via primary colors first (red, blue, and yellow) followed by the blended secondary colors (purple, orange, and green). I also spend time talking about the absence of color in cybersecurity: white jobs. For each of these, I reference what I consider to be the most comprehensive research published on cybersecurity jobs: The Workforce Framework for Cybersecurity, commonly referred to as the NICE Framework (see https://niccs.cisa.gov/workforce-development/nice-framework), published as part of the National Initiative for Cybersecurity Careers and Studies (NICSS) under the purview of the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). But the NICE Framework is flawed. It doesn't include many common jobs that relate to cybersecurity, and it doesn't address how to incorporate security into noncybersecurity jobs, a crucial necessity for defending our digital enterprises.
• In Chapter 6, we cover software: We can't operate today without the enablement of software, so I dedicate a chapter to it and highlight its importance. Regardless of which job you want in cybersecurity, it will be difficult to avoid dealing with software at some level. Most simply it is the fuel for our connected digital world. The vast majority of cybersecurity jobs do not require knowledge of how to code; however, a basic understanding of how software works, as well as how and where it enables technologies such as the Internet of Things (IoT), blockchain, and the cloud is essential. Say you take a job as a cyber audit or risk professional. Without the ability to assess how the software in scope complies with the standards against which you're measuring, you won't be able to do your job effectively.
• In Chapter 7, we cover diversity and inclusion: This is a passion of mine. My demographic, middle-aged white males, dominates the cybersecurity workforce in terms of percentage employed. This is a dangerous cybersecurity problem as much as it is a socioeconomic issue. More diverse teams make better decisions, operate more efficiently/profitably, and outperform homogeneous groups; this has been proven in numerous studies. Meanwhile, the cybersecurity industry has millions of unfilled job openings. We have an opportunity to address multiple challenges at once. This is discussed at length in Chapter 7.
• In Chapter 8, I include interviews and survey results from working cybersecurity practitioners: One lesson I've learned in my career, sometimes painfully, is that I often need help. Some of the smartest, most successful people I know are quick to point to others who have enabled them, supported them, and otherwise assisted them. I interviewed dozens of cybersecurity professionals and asked them the same set of questions about their origin, what they look for when hiring, and challenges they've faced. I share those insights in this chapter along with data collected from online surveys asking the same questions.

Who This Book Is For

This book has a twofold objective, discussed in the following sections.

For Managers, Directors, Executives, and Other Business Leaders

You'll learn to create a relatable framework for the dozens of cybersecurity jobs that exist. Complement the work done by others, for example, the National Initiative for Cybersecurity Education, with practical experience to help build an understanding of realistic expectations, job descriptions, and recruiting strategies. I also provide insights and views into the many different ways the people in your organization-inhabiting a variety of roles not traditionally associated with cybersecurity-can contribute to improving its cybersecurity backbone. You'll discover how developers, DevOps professionals, managers, and others can strengthen your cybersecurity. You'll also find out how improving your firm's diversity and inclusion can have dramatically positive effects on your team's talent. The book should also be valuable to policymakers, regulators, and compliance professionals who want to better understand the roles, responsibilities, tasks, and contributions various job functions provide to cybersecurity hygiene.

For Individuals Interested in Entering the Industry or Furthering Their Cybersecurity Career

You'll learn to create a similarly relatable framework for cybersecurity jobs, particularly those you might not be aware of. Cybersecurity is popularized by the hackers and defenders. Imagery of black hoodies or massive war rooms with ceiling-high screens showing threat intelligence are commonplace when people imagine cyber. But the reality of the industry can be far more mundane-and far more interesting to those not drawn to hacking and war rooms. If you have a background in finance, legal, psychology, law enforcement, or economics (just as a few examples), you can build a lucrative career in cybersecurity. I also want to paint several pictures for you about the world of cybersecurity that might help broaden your perspective and pique your interest further than where it is now.

About the NICE Framework

The National Institute of Standards and Technology (NIST) developed The Workforce Framework for Cybersecurity, also known as the NICE Framework (see https://niccs.cisa.gov/workforce-development/nice-framework). It attempts to be a comprehensive guide to identify and categorize various work roles within the realm of cybersecurity. Its structured approach can help organizations define cybersecurity-related tasks, skills, and competencies required for a successful workforce. It doesn't perfectly reflect job titles that exist in the industry, but I attempt to augment them with actual work roles in each of the color slices covered in this book.

The NICE Framework has three major components:

• Seven categories that provide a high-level grouping of common cybersecurity functions
• Thirty-three specialty areas meant to define distinct areas of cybersecurity work
• Fifty-two work roles, a detailed grouping of cybersecurity jobs comprised of specific knowledge, skills, and abilities (KSAs) required to perform the work

The work roles and related KSAs are valuable resources for any cybersecurity or human resources leader when contemplating job descriptions, performance evaluation, and career pathing. It is also...