Senior security and privacy executive for Amazon and Microsoft told the Cyber students how to become experts
Jeff Williams met with the Cyber master's students during the Cybersecurity Leaders Seminar Series
Name two lessons you would like the students to have taken with them after your talk.
Cyber security has many sub-disciplines (e.g. AppSec, SecOps, Vulnerability & Lifecycle Management, Compliance, Anti-Fraud, Exploit research…). Find one that appeals to you most and focus on that area until you build your expertise. Branch out to adjacent areas and continually repeat this process to add breadth to your depth. No one can be an expert in all these sub-disciplines. Even people with decades of experience often feel imposter syndrome since there is so much interaction between disciplines that you’re likely always surrounded by team members with more depth in their focus area than you have—that’s OK. Try to ignore that and focus on the work.
Learn to learn. If there is one thing that will always be true about security, it is that it is constantly changing. Technology moves quickly with new product cycles every 12-18 months. This rapid pace of change makes security more difficult because you must constantly evolve your skills and knowledge. The flip side of this is that you can jump ahead to any area that you see as emerging and build your expertise before it is a critical need. This puts you in the position of being the expert when the expert is first needed. It can also help you see around corners to predict problem areas before the problems manifest.
How did you decide to become a Cyber professional, and why?
I started my career before security was a discipline unto itself, so I came into it differently than people do today. I started in a helpdesk role dealing with technology, fixing those things which didn’t work correctly. As I learned how to address the basic problems, I also worked to learn from those around me to tackle the harder ones. I learned basic principles of troubleshooting, like binary tree models, to rule in or out a hypothesized cause and to drill toward the root cause in my analysis. This often required reading documentation to understand the design and feature sets more completely. Later, this evolved to working at the network layer, analyzing network traffic to see why computers were not communicating successfully. It was a simple transition from these fundamental skills to handling security issues. Security issues are often caused by intentional misuse of features or network protocols. Troubleshooting skills that I learned earlier in my career were critical in adapting to this more focused area. One thread that ties these together is that these issues are, at their base level, puzzles, and I enjoy solving puzzling situations through applied empirical analysis. I also enjoy learning how things work (and how they don’t work as expected).
What was more important to you for becoming who you are today?
My approach to constant learning has put me in a position to be in the right place at the right time for my career multiple times. I understood firewalls because of my network engineering and troubleshooting, I understood weak defaults and configurations from application support, I understood the value of privacy from working in the financial sector, and I understood malware from having seen its impact across large groups of computers near simultaneously (which, in turn, helped me to understand the importance of compliance requirements as a minimum bar). By constantly learning how things work and continually increasing the depth and breadth of my knowledge areas, I could be positioned as an expert in subject matters that became more critical to the business. I was the “go-to” person in these areas as they emerged because I was always building on my areas of knowledge.
Can you name 1-2 significant challenges in cybersecurity today and how an executive program like this can help overcome them?
The scale and pace of innovation create numerous security challenges. Businesses are developing new capabilities rapidly, and we must continually evolve our approaches to keep up and support them. As a security practitioner, it’s important to remember that you are there to support and enable the business, not constrain it. The best security is the security that lets the business manage the risk of their new endeavors; it should never be seen as “the department of ‘no.’” Find ways to master the basic principles of security across the whole of the organization—least privileged access, minimized and segmented connectivity, defense in depth, multifactor authentication, secure development practices, stay up to date on patching and versions using full CI/CD where possible, and prevent systems from reaching the end of the support lifecycle through these updates. These basics form the foundation of everything the business will do. If you can master these, you make the rest of the work easier and focus your time on enabling the business to do new things.
From there, try to understand deeply what “normal” looks like. Build mechanisms to take log data to understand if current behavior is expected and continuously investigate and resolve anomalous conditions. As often as you can do so safely, remove humans from the equation by automating a deep and complete understanding of your systems. Iterate continuously to improve. Look around corners to anticipate the next set of challenges and opportunities and learn those deeply before you need them.