Careers, Security Education, Security Management

Security Trial & Error

“Never give in, never give in, never; never; never; never – in nothing, great or small, large or petty – never give in except to convictions of honor and good sense.” – Sir Winston Churchill, Speech, 1941, Harrow School

Perseverance is one of the better traits for security professionals, or anybody, to have. Rarely do things work out the first time you try them. It often takes multiple attempts using multiple techniques to accomplish the goal. The key is to never give up (or never give in, as Sir Winston Churchill says in the quote above).

While I’m sure I had this trait beforehand, I really developed it in college. This was back in the late ’80s, when all they had was Computer Science and they mostly taught C programming. Some people are born to program, but I’m not. Most assignments were a battle. I’d try one thing, test it, figure out what I did wrong, and then try again. It was totally trial and error. Although I don’t remember very much C, I do maintain the trait of perseverance.

This is also important in computer security, where you often need to try multiple approaches to reach your goal. It can be seen in vulnerability assessments or penetration tests, forensic investigations, or configuring an application. Fortunately, with most systems there are multiple ways to do things, so if one way doesn’t work, try another. When you begin to get frustrated, take a break. It’s okay to ask for help, but make sure you’ve done your homework and tried everything you can think of first. You may even want to write down what you’ve done to track your progress; a record of what you tried and what happened is also what a colleague will ask for when you do seek help. Don’t take the easy way out and quit trying. A good part of the learning is not in reaching your goal, but in the lessons you learn along the way.

I’ll finish with a quote from one of the best philosophers of our time, Yoda: “Do or do not… There is no try.”

Careers, Concepts, Security Education, Security Management

Why Aim for the Ground? Teaching our kids the right computer skills

We’re in a national crisis. Many kids know how to point and click, but they don’t know how the underlying technology works or, worse yet, the basics of how to keep themselves and their information safe online. This leads to bad choices. To make it worse, most teachers lack the resources to teach technology to teenagers. In a talk at DerbyCon 2014, Professor Phil Fitzpatrick explains why our kids need to learn fundamental computer skills in a fun and ethical way, through education and competitions like CyberPatriot. It’s a discussion of why high school students should learn more than just simple computer applications and what security professionals can do to help.

Below are the problems as we see them:

–  The general public understands that most jobs out of high school are based on knowing and having IT skills. Yet most parents hand off their kids starting in 6th grade, assuming all areas of education are covered, especially technology.
–  High schools are trying to answer the call for more IT workers by adding technology classes to their curriculum. However, they don’t have a lot of room for a variety of courses because of the school year length, teaching expertise and availability, and the nature of the school environment.
–  Kids need only one technology course to graduate, and they look for the easy “A” rather than what will help them with their careers.
–  Schools are challenged with keeping the curriculum and technology up to date to meet current needs.
–  High schools are more concerned with getting students ready for college or work by teaching necessary life skills.

There are solutions available:

–  Establish technology academies in schools that teach a variety of cyber skills, not just what’s on the Computer Science AP test.
–  Provide courses in application development, systems and network administration, database management, and cybersecurity.
–  Encourage teachers to build their knowledge base in the different computer skills needed by industry.
–  Use grants to ensure technology is up to date.
–  Promote competitions and clinics like US CyberPatriot.
–  If you’re an IT or cybersecurity professional, become a mentor. These kids need someone with experience to help guide them on the journey. They’re not looking for an expert, just someone who cares. AND it’s very rewarding for the mentor.

Lastly, educate yourself. Here are some links to get you started:

–  Cybersecurity’s hiring crisis: A troubling trajectory
–  Developing the Next Generation of Cyber Leaders
–  DoE: Science, Technology, Engineering, and Math: Education for Global Leadership
–  Cyber-Security, IAS and the Cyber Warrior
–  High School 12-Week Cybersecurity eLearning Pilot
–  Secure Coding Education: Are We Making Progress?
–  Where are the STEM Students?
–  ACM: Toward Curricular Guidelines for Cybersecurity

Also see the previous post, “Hacker High – Why we *need* to teach hacking in school.”

Please help be part of the solution by promoting cyber education in your community.

Careers, Concepts, Security Education, Security Management

Breaking into Security

One of the common questions I am asked is, “How do I get a job in information security?” Infosec continues to be a hot career field with many job opportunities. Therefore, we continue to see people who are interested but don’t know the steps it takes to gain employment in information security. This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security. It all started as a computer science major at Michigan State University. I was also in Air Force ROTC. This combination allowed me to start developing my security mindset. As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator, where I learned how to apply technical controls to protect the systems and their data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s generally not an entry-level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity. The security community has a vast number of articles on breaking into the security career field.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago, and things really haven’t changed over the years. The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3½-minute TED Talk from Richard St. John: 8 secrets of success (watch for his explanation of CRAP). It’s great, general information on how to succeed in any career.

Careers, Security Education

Cybersecurity Degree vs. Certification

What’s best for your career – a Cybersecurity certification or a degree in Information Technology (IT) security?
[Guest Author: Laura Linhart]

A few years ago, this question would not have been as relevant as it is today. The CISSP® (Certified Information Systems Security Professional), sponsored by the International Information Systems Security Certification Consortium (ISC2) and first offered as a security certification in 1994, was the first information security certification to meet ISO standards.[1] Since then, the number and types of information or cybersecurity certifications, and of the professional organizations that offer them, have proliferated.

The growth and evolution of information or cybersecurity as a degree unto itself has also been significant in recent years. Today, many colleges and universities offer it as a field or major in its own right, at both the undergraduate and graduate levels. In previous years it was only available as a subset of another major such as data processing, computer networking, or computer science.

From a career or professional perspective, information security appears to be a stable and growing profession.[2] As the profession continues to grow and evolve, the question of which is more relevant, a degree or certifications, is now a real consideration. As with most things in life, the best answer is “it depends”. Where you are in your career, where you are in life’s journey (i.e., age), and your own ambitions are things to consider.

Degree – to expand or gain knowledge. On the positive side, a degree is forever and does not require any upkeep. It will get you through the HR screening door if an IT degree is a particular job requirement. It indicates that you have the work ethic to complete something.

Certification – to establish your credibility. Certifications require continuing care and feeding (continuing certification requirements). Most also require years of experience in the specific area of certification. A certification indicates that you have the subject matter expertise.

Another variable to consider is practical experience. In some situations, practical experience means the most. It indicates that you have the ability, and that you can apply and expand on what you know.

The bottom line is that there is no one answer that fits all.  It depends on your particular circumstances.

In reality, you will probably need both a degree and certification(s).


Careers, Security Education

Bellevue University Cybersecurity Skill Valuation Survey

A request for your help:

I would like to ask you for your advice as we develop a new academic program in Cybersecurity. Here at Bellevue University and the College of Information Technology, we periodically review whether our academic programs are meeting the expectations of students and employers. Because you are a leader in your business area, we value your views on the skills you would expect of an employee with a Bachelor of Science degree in Cybersecurity. Conceptually, this would be an employee with a current (or future) role in your organization who would be responsible for various operational aspects of securing your information systems. Below is a link to a short survey which will record your views about the skills you would expect of such a graduate / employee.

It will be most beneficial if you could complete the survey by Feb 14, 2012. I sincerely appreciate you taking a few moments to complete the survey and provide us with your valuable advice on this matter as we strive to improve our programs for the benefit of both students and employers.

We will publish a summary of the results of this survey after its completion.