
Wednesday, 07 June 2023 13:25

The things I wish I knew when I started out in the cybersecurity industry

By Eric Pinkerton

Recently I was honoured to be asked to speak to a cohort of AWSN Explorers, an outreach program run by the Australian Women in Security Network (AWSN) that connects, supports and inspires women and those who identify as women, tertiary students, early career professionals and career switchers.


I was given just 10 minutes to impart as much value as I could, which got me thinking about all of the lessons I have learnt over the past 20-odd years, and specifically those things that I wish someone had told me back then that are still relevant today.

Here is what I came up with. 

1. Cybersecurity is all about people

It probably took me way too long to work out that contrary to expectations, Cybersecurity is all about people.

You will see regular posts on LinkedIn that assert cyber breaches are about 90% attributable to human factors, but in my view anything less than 99.9% is just another example of human error.

I saw a great example a while back that concluded 88% of cybersecurity was about human factors, and I read it purely out of fascination to learn what the other 12% was. As I expected, all of the things they said were not human were still human, just one step removed. For example, one of them was ‘Procurement buying the wrong product’, but procurement is people, and if they bought the wrong product it’s because they are human. Another was poor process, but guess who creates process? You get the picture.

Allow me to present my magnum opus, the PAE PAL PFU Triangle!

People are Evil, People are Lazy and People ‘Make Mistakes’.

It’s explained in more detail here, but the TL;DR is that we tend to put most of our eggs into trying to solve the ‘people are evil’ equation, when the best yield is in designing technology and process to embrace the fact that people are predictably inconsistent, chaotic, error prone and with a propensity for indolence. A secure system is one that can not only accommodate that, but expects it.

2. Not everyone in this industry needs to be a Hacker.

I wasted many years trying to be good enough at hacking to be a Penetration Tester. Being a hacker is great, and if that’s the way you are wired then I really envy you, but if that’s not your jam please do not be disheartened, and definitely do not listen to the pervasive gatekeeping myths about how you will never make it in this industry unless you can code.

This industry is a very broad church, and you just need to find your little niche in order to thrive, and there are plenty of those where you do not need to be able to write code.

Don’t get me wrong, if you want to learn to code then please do, it certainly will not hinder your career. But understand that a massive part of the problem set that is cybersecurity is arguably a direct result of forcing people who did not want to learn to code to do just that, which predictably produced sub-optimal coders, who went on to write sloppy code, and, well, we know where that leads.

3. Neurodiversity can be a superpower

A lot of the people in this industry are what we call neurodiverse: ADHD, dyslexia, autism spectrum disorder, you name it.

This is because these amazing individuals have taken the so-called disorder that life has dealt them, ignored a bunch of people telling them that they are abnormal or stupid, or destined for nothing, and reframed what was once widely considered a disability as their own personal superpower.

I truly believe my success in this field is not in spite of, but because of, the things about me that made me really struggle in school. My brain just works differently to most people’s and I get lost easily, but I excel at troubleshooting, I’m a natural at adversarial thinking and can be super creative and innovative at times. I also suffer from turbo procrastination, and can sometimes hyper-focus on things to the exclusion of everything else, which can be a blessing and a curse. Put plainly, if you feel like you are wired a little bit differently, then you might just find your tribe here.

4. This industry is tiny!

Forget Kevin Bacon, there are seemingly no more than 2 degrees of separation between everyone in this industry, and that is a double-edged sword.

What I mean by that is that if you consistently work hard, play nicely, exhibit signs of integrity and demonstrate that you really give a crap, you will quickly build a great reputation for yourself, the community will support you and fantastic opportunities will appear as if by magic.

Conversely, if you try to fake it till you make it, generate unnecessary drama, engage in dishonest or disreputable behaviour, then it quickly gets around and you will end up having to work at one of the big 4.

Just kidding, but there are certainly a few notable characters who go from role to role, before having to set up on their own, which can be symptomatic of them not getting the opportunities that they desire because their reputation has caught up with them.

So curate your network carefully, surround yourself with positive people, and don’t be afraid to ask people you trust “what do you think of this person/company/product”. Always take gossip with a pinch of salt and never rely on a single source. Most of all, trust your gut.

5. Almost everybody great here has Imposter Syndrome

I have imposter syndrome a lot, especially when I put up my hand to give talks at conferences.  After a while I started to realise that everyone I respected in this industry suffers from the same thing.

Imposter Syndrome is a bit of a politically charged concept at the moment, so I’ll be clear that what I’m talking about here is the phenomenon of ‘the more you know, the more you become aware of how much you don’t know’. That leads you down a path of assuming that everyone else must be ahead of you, and you start to question whether you belong.

The good news is that feeling like this is actually a good thing, because if you don’t feel like this, there is a very slim chance it’s because you actually do know everything, and a much larger chance that my next point is for you.

6. If you don’t have imposter syndrome, you may have Dunning-Kruger

The skills shortage is typically framed as a simplistic ‘We have more jobs than people who can do those jobs’. But actually it’s more nuanced than that. The lack of highly skilled candidates pushes up the median remuneration, which attracts more and more entry level candidates, and everyone else gets promoted to fill the shortfall, resulting in the perfect conditions for an accelerated version of the ‘Peter principle’ to thrive. This is a management concept developed by Laurence Peter, who noticed that people tend to rise to their own ‘level of respective incompetence’.

So now we have enough people, but an increasing number of those people are, to put it nicely, punching above their weight.

Remember when I said that cybersecurity was a people problem, right?

As a consultant that’s great news, because we are often engaged to either fill or supplement that skills gap, or to step in and help clean up in the aftermath of some catastrophic failure that has resulted from ‘people punching above their weight’.

For new starters in the industry however, you will be subjected to an awful lot of ‘thought leadership’ on LinkedIn that looks legit, but is actually complete nonsense, and it can be really hard to tell it apart because it sounds so plausible.

This is further compounded by the fact that we are all out here saying ‘don’t worry, everyone has imposter syndrome’, without acknowledging the fact that there may actually be some genuine imposters.

7. Ain’t nothin’ gonna grow in your comfort zone!

This is a nice cliché that underlines the importance of putting yourself out there because that’s really where the magic happens.

We are all a bit lazy, and we make mistakes, and we have a propensity to use fear of failure as an excuse not to even try, but scars are where the light enters our body, and some of my biggest mistakes have been the best learning experiences of my career.

For me that means submitting papers for conferences about topics that I am fascinated by, but know little about, so that if my paper gets accepted, it lights a fire under me to start researching whatever it is my talk is about. My talk then becomes not about how I am an expert on a given topic, but about the journey I went on to try and discover as much as I could about it.

8. Be super sceptical about simple solutions for complex problems

A few years back, the story goes, a Dutch bike company called VanMoof were fed up with their bikes getting damaged in transport, so they printed the boxes to resemble flat screen TVs in order to convince the delivery guys to treat them with more reverence.

It’s a wonderful tale of a simple solution to a complex problem, but I have always considered their claim of an 82% drop in damaged bikes to be a complete and utter fairytale.

Cyber security is full of people claiming to offer simple solutions to complex problems; just check out the comments section on any cybersecurity blog post. Your best line of defence from these ‘silver bullets’ is to remain sceptical until you can be convinced otherwise, because really elegant, simple solutions to very complex problems are very rare, but Dunning-Kruger-generated BS abounds.

9. People’s world view is shaped by their experience

So this is a pic of Mark Zuckerberg, and as someone noticed he has a piece of electrical tape over his webcam, and this was all the encouragement people needed to start aping this completely irrational behaviour, and so now webcam covers are built right into laptops and are even offered as a selling point!

My experience is that cyber people are some of the most paranoid people you will meet, and many of them have these things, and a bunch of other silly habits that generally make their lives more inconvenient than they should be.

When you watch them type a 28 character password every time they unlock their phone, it’s easy to look at them and think ‘well that person really understands cyber I should follow their lead’…

But the reality is, our world view has been skewed by our experience, and the best analogy I have for this is to ask a policeman what the best alarm system is.

He will show you the best burglar alarm money can buy and will talk to you about how great window locks are, etc. Now ask that same question of a fireman.

He will show you a smoke alarm and give you a very different talk about putting locks on your windows.

Neither is wrong, but their view on the likelihood of a given threat has been skewed by sample bias: one sees a lot of burglaries, the other sees a lot of fires.

10. Complexity is the enemy of security

This is a quote by Bruce Schneier, a well-known American cryptographer, computer security professional, and writer. Bruce did a lot of foundational work on cryptography that goes way above my head, but this is a really good rule of thumb: whether you are designing a cryptography algorithm, writing some code, designing a network architecture, or writing a policy… keep it simple, stupid!

People are wont to overengineer fantastical Rube Goldberg style solutions, and in doing so they lose sight of the fact that if nobody else really understands how it all works, nobody else can review it, support it, fix it, etc. Remember, people are lazy and error prone, so let’s make their job as easy as possible.

Always question complexity when it starts to creep in, even in troubleshooting. Remember Occam’s razor: ‘The simplest explanation is almost always the correct one’.

11. Your journey is your own, don’t let anyone tell you that you are doing it wrong

Final point, and what I mean by that is that everyone in this industry has come from a different path. That’s largely because back when I came to this industry there were no cyber security courses you could sign up for, and when that finally changed, you didn’t want to sign up for them because the early courses were simply awful.

That’s changed now and there are some fantastic cyber security courses and resources out there, but they are by no means the only route into this field, and whether your background is as a children's entertainer, a plumber, or a secret assassin, odds are you have some skills that will be of use in this industry.

Regardless, you will undoubtedly encounter people who have come from another path, and you will be tempted to assume that because your path is different to their path, you are on the wrong path. But don’t worry, all roads lead to Rome, and cyber security is a journey not a destination.

If you have enjoyed these let me know, or if you have other pearls of wisdom feel free to add them to the comments below, this was only a 10 minute talk on something I could probably have waffled on about for hours!
