1
Marcus J. Carey
"Even if an organization is compromised by a zero-day attack, the lateral movement, registry manipulation, network communications, and so on, will be apparent to a mature cybersecurity practitioner and program."
Twitter: @marcusjcarey
Website: https://www.linkedin.com/in/marcuscarey/
Marcus J. Carey is a cybersecurity community advocate and startup founder with more than 25 years of protecting government and commercial sensitive data. He started his cybersecurity career in U.S. Navy cryptology with further service in the National Security Agency (NSA).
If there is one myth that you could debunk in cybersecurity, what would it be?
The biggest myth that I hear is how attackers are always changing up their tactics. While it is true that new exploits come out over time, the initial exploit is just the tip of the iceberg when it comes to attacker movement on a system or network.
Even if an organization is compromised by a zero-day attack, the lateral movement, registry manipulation, network communications, and so on, will be apparent to a mature cybersecurity practitioner and program. So, their tactics don't really change a lot.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
The easiest thing an organization can do to prevent massive compromise is to limit administrative accounts on systems. In the military, we obeyed the "least privilege principle" when it came to information access. Organizations should do the same when it comes to their own administrative access. If attackers are able to compromise a user with administrative credentials, it's essentially game-over; they now have all the keys to the castle.
How is it that cybersecurity spending is increasing but breaches are still happening?
Unfortunately, I believe that we are spending too much money on cybersecurity products that bill themselves as silver bullets. Another thing is that there will always be breaches. Anything connected to a network can be compromised and the information pilfered. What really matters is can an organization detect and defend the attacks?
I recommend that organizations get the basics down really well before they blow money on a lot of products. Instead, organizations should hire and train people to defend their networks. In most cases, I've found that there isn't enough investment in the personnel responsible for securing networks.
Do you need a college degree or certification to be a cybersecurity professional?
Years ago, the answer would certainly have been "Yes, you need a college degree." When I was growing up, I was told that I needed to go to college. All of the "successful people" I knew had some form of higher education. Luckily, I went to the military and was able to eventually earn a master's in network security. I still believe I needed it back then and surely do not regret anything.
However, this is 2019, and I do not feel this way anymore. My son has been working as a software developer for a cybersecurity company since he was 16 years old. In technology, especially software development, you can prove your knowledge through blogging, podcasting, and working on open source projects. GitHub is the new résumé for software developers.
I understand that college degrees or certifications are still valid because they show minimal mastery of a subject matter. But nowadays, there are so many more ways to show actual experience. So, in short, my answer to this question is yes, no, maybe, and it depends.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I remember being fascinated by computers ever since I saw the movie WarGames. I never had a computer growing up, but I did take a few classes on coding in middle school and high school. Since I couldn't afford to go to college and really wanted to, I joined the U.S. Navy for the Montgomery G.I. Bill.
I scored pretty well on my ASVAB (military aptitude test). At the military processing center, I told them that I didn't care what job I got as long as it had to do with computers. I was told I would be training at a school for cryptologic technical communications. It ended up being awesome. It allowed me to work for the Naval Security Group and the National Security Agency for the first eight years of my adulthood. I learned a lot about cryptography, telecommunications, system administration, basic programming, and internetworking.
The military isn't for everyone, but it definitely helped me. I always tell anyone considering the military route to demand from their recruiter a career field and skills that are applicable to the civilian world.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I'd say my specialty is understanding internetworking really well. I gained these skills while working in the Navy and at the NSA. A big part of gaining expertise in that subject was reading a lot of books and taking several Cisco Systems certifications. After getting the certifications, I was in a better position to practice related skills and gain even more experience.
My advice is to try as hard as you can to validate your knowledge so that others will give you a chance. This is extremely important. Every time I acquired a certification, I was given so many more opportunities. Eventually, I was the first military service member to become part of the NSA's global network engineering team. That was a big deal, and I learned a lot from my time there.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
I'll take a swing at a couple of these. First, my advice for getting hired is to look at job postings and reverse engineer them. Create a résumé that mirrors what they are asking for if you already have the skills. If you don't have the skills, I recommend using your free time to learn those missing skills by reading, using open source software, and consuming any free training you can find. I've found that even if you don't have the necessary degree, years of experience, or certifications, there is still hope. Don't limit yourself and think that you aren't good enough for a job based solely on those requirements. If you believe that you have the skills to do a job, you should always apply.
Starting a company in cybersecurity has been one of the most grueling processes I have ever been through. There are typically two types of companies: those that sell products and those that sell services. On the products side, many of us see opportunities for solutions in our day-to-day lives. Your product must be able to save people time or money and ultimately make them more secure. Once you create that amazing product, you have to be able to sell it.
On the services side, you'll find companies that make money by charging people for their time. Once you have a certain expertise, people may be willing to pay you for your services. The hardest thing about any business is getting sales. The best thing you can do for your company is to partner with an experienced salesperson early on.
I am convinced that sales is the most important part of our professional lives. We have to be able to sell ourselves to get jobs. We have to be able to sell our services or products to build a successful business. In short, learn how to sell, and sell well.
What qualities do you believe all highly successful cybersecurity professionals share?
The most successful people I know in cybersecurity are extremely curious and passionate about sharing information. In my life, I've learned that the people who are most willing to help others are the most knowledgeable. I also think that you can't be afraid to look dumb. Remember, there is no such thing as a stupid question. The most successful people ask the most questions.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
My favorite movie that reminds me of cybersecurity challenges is U-571. Although the movie is fictitious, it does have an encryption angle in it because the heroes are trying to steal an Enigma machine from the Germans. There is incident after incident, but despite all the obstacles and everything that happens, the small team of experts is able to overcome each challenge. And that is exactly like cybersecurity.
A really good book I always recommend is How to Stop Worrying and Start Living by...