Welcome to CyberInfoVeritas (The Truth About Cybersecurity). I started in the IT field during the 1990s and later transitioned into cybersecurity. I spent most of my working years in management positions at Fortune 500 companies and running my own businesses. Now, I share on this blog all the tips I’ve learned during my time in the IT and cybersecurity fields.
In July 2017, one of the most devastating incidents in the history of cyber attacks took place when a group of elite hackers broke into Equifax, one of the largest credit bureaus in the world, and stole private data, including social security numbers and credit card numbers, of around 145 million people.
Such information in the wrong hands can be used for fraud or identity theft. This example therefore shows why cybersecurity must be taken seriously: a cyber attack can badly damage an organization’s reputation and even lower the quality of the service or product it offers. That spills over to the financial side as revenues dwindle and losses are incurred.
Cybersecurity: A Business Strategic Risk
For many organizations, cybersecurity is a long way from being a core competency. Most IT specialists, board directors, and C-suite executives are not very familiar with information security, which means that if an attack took place, their attempts to protect crucial data from being stolen would be helpless. This lack of adequate information breeds evasion or indecision about cybersecurity and, in the worst case, a resigned acknowledgment that cyber attacks are inevitable.
In the past, the security of a company’s information was delegated to the IT department and seldom came up in board meetings. That was when the internet was still in its infancy. It no longer happens that way because, over the years, cybercrime has become more and more rampant.
In board meetings nowadays, cybersecurity is one of the agenda items given the highest priority. Why? Board directors and CEOs want, now more than ever, to understand how the threats posed by cybercrime can affect their line of business.
More and more businesses are elevating cybersecurity from a mere IT issue to a strategic business risk. This growing interest in securing information has created demand for the newest member of the executive suite: the CISO (Chief Information Security Officer), a senior-level executive whose job is to establish and maintain the enterprise program, strategy and vision that ensure all information technologies and assets are sufficiently protected from hackers and crackers.
This development will go a long way toward raising the business profile of information security operations. In addition, the mindset among stakeholders and employees that information security is purely an IT issue is slowly dying off.
Practices That Should Be Implemented In Organizations To Ensure Effective Cyber Risk Management
The following guidelines are meant to reinforce an organization’s security programs, in the form of a business continuity plan (BCP), a disaster recovery plan (DRP) and an employee awareness program, by pointing out the core cybersecurity competencies and assigning each to the proper management level. As a C-suite executive, it is up to you to include all of the following:
Assume that your company’s information system will be breached at some point. With that in mind, assess your ability to identify and react to threats inside the network. The security initiatives you put in place must focus on decreasing the time it takes to detect, contain and remediate suspicious activity on the information system. To do this, companies have to consider new and additional threat detection methods. For instance, cybercriminals often establish command and control (C2) channels before they initiate attacks. If you find those channels early enough, it becomes easy to identify and stop such attacks before they even begin.
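As an added example, not code from the original post, here is a small detector for the kind of scheduled C2 check-in ("beaconing") the paragraph refers to. It assumes outbound-connection records in a constructed "<epoch_seconds> <src_ip> <dst_host>" format, such as a proxy or firewall export, and flags source/destination pairs whose connections are numerous and evenly spaced; all hosts, addresses and timestamps below are made up.

```python
"""Beacon (C2 check-in) detection over constructed outbound-connection logs.

Added example, not code from the original post. Assumes one record per
line, "<epoch_seconds> <src_ip> <dst_host>", e.g. exported from a proxy
or firewall. Host names, addresses and timestamps are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_700_000_040  # constructed start time (a multiple of 60)

# Constructed sample: 10.0.0.5 contacts c2.example every 60 s with +-1 s of
# jitter (a scheduled check-in); 10.0.0.7 browses news.example irregularly.
_beacon_lines = [f"{BASE + 60 * i + (i % 2)} 10.0.0.5 c2.example" for i in range(13)]
_browsing_offsets = [0, 33, 300, 301, 302, 900, 950, 3000, 3005]
_browsing_lines = [f"{BASE + off} 10.0.0.7 news.example" for off in _browsing_offsets]
SAMPLE_LOG = "\n".join(_beacon_lines + _browsing_lines)


def parse(log_text):
    """Group connection timestamps by (src, dst); malformed lines are skipped."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        ts, src, dst = parts
        by_pair[(src, dst)].append(int(ts))
    return by_pair


def interval_stats(timestamps):
    """Mean and coefficient of variation of the gaps between connections.

    Returns None when there are too few gaps to say anything.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return {"count": len(ts), "mean_interval": avg, "cv": pstdev(gaps) / avg}


def find_beacons(log_text, min_connections=8, max_cv=0.1):
    """Return (src, dst) pairs with many connections at near-constant intervals.

    A low coefficient of variation (stdev / mean of the gaps) means the
    connections are evenly spaced, which ordinary browsing rarely is.
    """
    flagged = {}
    for pair, timestamps in parse(log_text).items():
        stats = interval_stats(timestamps)
        if stats and stats["count"] >= min_connections and stats["cv"] <= max_cv:
            flagged[pair] = stats
    return flagged


if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {s['count']} connections, "
              f"every {s['mean_interval']:.1f} s (cv={s['cv']:.3f})")
```

The thresholds are deliberately conservative: a pair has to show at least eight connections before the regularity of its gaps is judged, so a handful of coincidentally spaced requests does not raise an alert, and real beacons that add large random jitter will need a looser `max_cv` or a longer observation window.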
A ransomware attack is a form of cyber attack that encrypts the data on a computer and then demands a ransom payment, usually in cryptocurrency. Such attacks are increasingly common, and the WannaCry attack of May 2017 is a classic example. To counter ransomware, IT specialists must have a proper backup strategy that takes the edge off the impact of such attacks: if valuable data is lost, the backups restore it without paying the criminals any ransom. Backup data should be stored in a secure location, usually outside the physical premises, and kept out of reach of the production systems so that it is not encrypted along with them in a ransomware attack. The backup strategy therefore has to be part of the company’s Incident Response Plan and has to describe in detail what should be done to “arrest” the data and then recover from a ransomware attack.
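One concrete piece of such a plan is proving that a backup set is still what you wrote before anyone restores from it. The following is an added example, not the post’s own code: it records a SHA-256 manifest of a backup directory and later verifies the directory against that manifest, reporting files that were rewritten, removed or added. The directory layout and file contents in demo() are constructed.

```python
"""Backup integrity manifest: detect a backup set whose files were altered.

Added example, not code from the original post. It hashes every file under
a backup directory into a manifest, and later verifies the directory
against that manifest, so a copy that ransomware (or anything else) has
rewritten is caught before anyone relies on it for a restore. Paths and
file contents in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the directory with a manifest; three empty lists mean it is intact."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def save_manifest(manifest, path):
    """Write the manifest as JSON (store it where the backup host cannot overwrite it)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def demo():
    """Construct a tiny backup set, record it, alter it, and verify both states."""
    with tempfile.TemporaryDirectory() as backup:
        os.makedirs(os.path.join(backup, "db"))
        files = {  # constructed contents
            "db/customers.sql": b"INSERT INTO customers VALUES (1, 'example');",
            "notes.txt": b"quarterly notes",
            "config.ini": b"[app]\nmode=prod\n",
        }
        for rel, data in files.items():
            with open(os.path.join(backup, rel), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        # What a damaged copy looks like: one file overwritten with unrelated
        # bytes, one deleted, one file that was never part of the backup.
        with open(os.path.join(backup, "db", "customers.sql"), "wb") as fh:
            fh.write(b"\x00garbage\xff")
        os.remove(os.path.join(backup, "notes.txt"))
        with open(os.path.join(backup, "README_RESTORE.txt"), "wb") as fh:
            fh.write(b"unexpected file")
        tampered = verify_backup(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup:", clean)
    print("tampered backup:", tampered)
```

Keep the manifest, like the backup itself, somewhere the production hosts cannot rewrite: a manifest stored next to the backup on the same writable share can be replaced together with the data it is supposed to vouch for, and the check then proves nothing.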
Automation is another strategy that lets security teams get the most out of the resources at their disposal in operational processes. Security professionals need as much context as possible to determine whether a threat is genuine. That context can be internal or external data; a good example is threat intelligence, which provides a broader picture of an attack group’s tactics, procedures and tools.
Organizations must take a strategic approach to building a cyber defense that can deal with the possibility of cyber attacks. The strategy should strike the right balance between processes, people and tools; there is no simple solution when it comes to shielding important assets. It is fine to have the latest and best technology, but your information system will still be vulnerable if you do not have people with the skills to operate it. You also have to clearly define and communicate the operating procedures that get the most out of that technology. Security professionals, in particular, must have enough bandwidth to tune alert thresholds and investigate the alerts that result.
Educate IT professionals, members of the C-suite and all employees on why they should understand their company’s cyber exposure and how cybercriminals use data collected during reconnaissance to plan targeted attacks. Make the exercise as practical as possible rather than purely theoretical. Use real-life examples, such as the account information and credentials behind a customer sign-in: this is exactly the kind of information cybercriminals leverage to forge identity cards and/or system credentials for use in cyber crimes. Read “How to Create a Culture of Cybersecurity Awareness” for more information and a real example of how I implemented an awareness program for all levels of employees.
All members of the C-suite should take part in incident response tabletop exercises so that each of them fully learns their role and the likely cost of a cyber attack. Experiencing what an attack feels like, even in simulation, makes the C-suite aware of the grave consequences and leaves them no choice but to instill a top-down, security-driven culture. Instilling that culture in any organization is crucial to putting cybersecurity into effect over time. It is the board’s job to make sure that C-suite executives encourage and exemplify this culture; if the top leaders set a good precedent, it will no doubt seep into the rest of the organization.
In addition, boards should not only make the incentives for cybersecurity compliance clear but also promote them: retaining and recruiting high-performing staff, entering new markets, enhancing service quality, reducing operating costs, increasing top-line revenue and so on.
Colleges and universities offering major MBA (Master of Business Administration) programs ought to include cybersecurity in their curriculum. Freshly graduated C-suite executives would then spend less time mastering the technical details of cybersecurity as they begin their careers in marketing or sales. Currently, very few MBA programs include a cybersecurity curriculum, which is partly why many attempts to implement proper IT practices in organizations have failed miserably.
Governance is a critical component in any organization; its task is to set the parameters the organization needs to stay compliant and secure. Those parameters should be prioritized, measurable, consistent and clearly stated, and they should be defined so as to guard what the organization regards as its most sensitive assets. It is up to the C-suite executives to define them so that the board can evaluate and approve them.
Keep bringing cybersecurity recommendations and conversations into the boardroom, and make them role-based, risk-focused and relevant to each board member; this makes cybersecurity management relatively easy because the top executives are involved in the process. In my experience, it also helps to remember that C-suite executives respond well to case studies: whenever you advise them on any matter, contextualize the information you present with relevant case studies and news stories. The guidelines above have also touched on the responsibilities of the board and management to give the company the foundation for a strong, security-centric organization.
The term VPS stands for Virtual Private Server. IT professionals pioneered the use of VPS mostly for running corporate applications. Basically, a VPS requires one physical server. You install a virtual machine manager (hypervisor) on this server and begin creating one or more VPS instances in it. You can create as many VPS instances as you wish, but that depends entirely on the resources of the physical server.
A good example in the corporate world is running an application installed in a VPS. You can increase the resources based on the number of users that will access the VPS. If, for any reason, the number of users grows and the VPS needs more memory, then instead of purchasing physical memory you simply go to the VPS settings and increase the number of GB allocated to it, without spending a cent. You can increase the CPU allocation of the VPS the same way.
As VPS use became more popular, businesses emerged to provide what today is known as cloud services. Because one physical server can host multiple virtual servers, businesses can offer hosting services to companies and individuals looking to host applications and services in the cloud.
The most popular service hosted in the world today is websites.
There are several applications that can be used to create a VPS, but the one I used during my time as a manager and still use in my cybersecurity labs is VMware (click to check the current price). The beauty of VMware is that it is scalable: because each VPS is assigned a number of CPUs and a memory size, you can increase the resources a particular VPS requires according to your demand.
There are companies that specialize in hosting servers and provide you a hosted VPS in exchange for a monthly fee. The fee depends on the number and capacity of the resources you need to run in the VPS.
For example, if you need to run a website, you can have it hosted, as most people and companies do, and pay a fee for the hosting service.
Most hosting companies offer three main types of hosting service: shared hosting, VPS hosting and dedicated hosting.
Shared hosted service
Shared hosting is the one I recommend for those of you looking to start a website or to practice with some content or development. It is good for starting a website because you have no web traffic yet and it can handle up to 5k to 10k monthly pageviews, depending on how the hosting company configured the service. It is also the cheapest option to start a website.
This is also good for those like me who like to have a website to practice bug bounty skills or to create an on-demand page to practice social engineering or pentesting methods.
The difference between shared hosting and VPS hosting is that with shared hosting you are literally sharing your resources with other website owners on the same server. On a VPS-hosted website the resources are all yours; they are not shared with other VPS owners, even those on the same physical server.
On a shared hosting service, if your website suddenly has a spike of users, the system, because you share resources with other website owners, is designed to give priority to whoever needs the resources most, which in this example is you. Allocating the resources to you means the other website owners could notice a slowdown when accessing their websites.
Again, this only happens once a website is already receiving traffic, which is why shared hosting is good only when starting a website or for development purposes, not when you are already generating over 30k monthly pageviews.
VPS hosted website
After your website starts growing and your monthly pageviews go above 10k, it is time to consider moving to a VPS-hosted server. Because a VPS is scalable, you can keep upgrading it by allocating more memory or CPU power as needed. This is something you can handle through customer service: if you select the managed service, they take care of the upgrades for you.
You don’t need to worry about updating your VPS server if you think you can’t do it on your own. This is where you need to consider a managed versus an unmanaged VPS hosting service. With a managed service the hosting company basically takes care of the server for you: you only take care of your website, and they take care of the server.
With an unmanaged VPS you do all the work: server updates, operating system updates, backups, and your website or any other service running on the VPS. You own the root account.
Technically, you can start your brand new website on a hosted VPS, but you need to weigh the cost against shared hosting. You never know whether your website will pick up enough traffic to justify a VPS from the very beginning, so you could be paying more for nothing.
For a website, a VPS hosted server usually can manage up to 100k monthly pageviews.
Dedicated hosted server
This is the most expensive of the three hosting services, and there is a reason for that. It is recommended for those who require a system with high capacity and maximum resources for their hosted services, such as a website with high traffic. If your website receives over 100k monthly pageviews, it is time to consider moving to dedicated hosting.
It is called dedicated because no virtual environment is involved: the dedicated server is a 100% physical server dedicated to you only. Again, you can choose a managed or an unmanaged service. Of course, if you are hosting on a dedicated server, it makes more sense to pay for a managed service unless you want to physically travel to the site to perform the maintenance the server requires.
The hosting company I prefer and currently use is a2hosting (click to check the current price). Their packages offer what they call a WordPress-optimized system for your website. Unlike other hosting companies, a2hosting offers a semi-customized WordPress application, included in the shared hosting package, that comes tuned with the speed and basic settings your server requires to avoid speed issues with your website. It also means you don’t have to worry about the details of installing WordPress on your server: with just a couple of clicks you can install your website and have it up and running within minutes!
As our use of computers and the internet increases, so do cyber threats. Most cyber-attacks are instigated by humans and often ride on factors such as system vulnerabilities and human error, but as artificial intelligence (AI), machine learning, and the Internet of Things (IoT) advance at a fast pace, some people worry about a Skynet (a Terminator reference) type of future. Others, however, are more optimistic about what artificial intelligence means for the effectiveness of cybersecurity.
Understanding how artificial intelligence is changing cybersecurity will help you determine the changes to implement in your cybersecurity program as technology develops and improves:
How We Are Presently Applying AI And Machine Learning To Cybersecurity
In its simplest form, artificial intelligence refers to a computer’s ability to complete complex tasks that demand some form of intelligence. Machine learning, on the other hand, is the process through which these machines learn new information and how to apply it to solve problems.
Machine learning is at the heart of present-day cybersecurity: because it helps machines learn and apply what they learn, many companies are using AI to recognize data breach patterns and how users normally use systems, so that the machines can quickly recognize attack patterns and learn from previous ones.
Thanks to the development of computing power, enterprise businesses such as Google, Amazon, and Facebook are using machine learning and artificial intelligence to gather invaluable behavioral data that is helping shape cybersecurity in many ways. For instance, by collecting this behavioral data, Facebook, Amazon, and Google can offer their users tips and strategies on how to keep their data safe.
Moreover, as these organizations analyze the consumer data they get from teaching machines to recognize patterns, they can build big data frameworks and open-source applications that help other businesses recognize the same patterns, so the benefits of big data collection trickle down.
Moreover, since intelligent machines are quick to recognize patterns they have learned, and some are so complex that they teach themselves from experience and the patterns they have inferred, AI is developing so fast that machines are now able to protect systems from enhanced cyber threats. As AI develops further and becomes more sophisticated, and as machines learn more, they will only bolster cybersecurity.
One example of AI enhancing cybersecurity is machines that have learned to detect deceptive sites and automatically defend users from cyber-attacks. Google is a great example: when you visit an “unsafe” website, Google, having gathered information from users, is likely to warn you of the deceptive nature of the site.
Presently, cybersecurity experts are creating and deploying machine models that gather past cybersecurity data, learn from it to protect the system, and continually gather information about new cyber threats the system must be protected from.
The other aspect is that by using machines (artificial intelligence) to gather and make sense of big data, the machines can surface patterns that enterprise businesses then use to build strong cybersecurity infrastructure and security products. The risk-prone patterns these machines recognize act as a kind of early warning system that cybersecurity experts use to secure the system.
Machine Learning And AI: How AI Is Helping Us Fight Spam
Machine learning, the most important subset of artificial intelligence, is proving an invaluable and effective tool against spam and phishing attacks. Google is a great example: Gmail uses machine learning to decide which emails to filter, based on the messages users have flagged as spam or phishing. Google has been using this system for more than 18 years, and over that time it has learned a lot and become intuitive even as spam and phishing attacks on email change and develop.
Today, Google uses artificial intelligence in almost all areas of its business. It especially uses deep learning, which allows machines to recognize patterns in big data and adjust themselves periodically as they gather new reams of data.
With deep learning, cybersecurity analysts do not have to worry about the size of their data. All they have to do is program the machine to recognize certain parameters and then let it learn from there. This has massive implications for cybersecurity: deep learning allows machines to detect malware, phishing attacks and even fraudulent payments. Google in particular uses the technology to protect its Play Store and cloud.
Machine Learning And Security Training
One of the most significant relationships between AI and cybersecurity is that today it is very easy to teach an adaptively designed and programmed server to tell normal requests from unusual ones, by learning what we call a baseline.
This relationship is central to cybersecurity because, by teaching machines to learn this baseline and then flag whatever does not fit its parameters, cybersecurity analysts can more easily determine which threats to guard against.
That said, most researchers and analysts are quick to point out that although it is easy to teach computers to recognize threat patterns, if we stop teaching them, the machine, however adaptive, will eventually become redundant as new, sophisticated threats emerge. It therefore stands to reason that even today, because artificial intelligence has yet to come of age, AI plays an additive role in the toolbox of any professional cybersecurity analyst.
This is currently being applied in tools such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). These are tools that cybersecurity professionals on the “Blue Team” side of the fence (the professionals who protect a company’s systems) use every day to detect anomalies that could turn into a threat for the company.
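As an added example, not from the original post, the following learns a per-client request-rate baseline from a window of constructed access-log lines and then flags minutes in a later window that deviate from it, the same “normal versus unusual” idea an IDS applies. The log format ("<epoch_seconds> <client_ip> <path>"), addresses and request counts are all constructed; a client not seen during the baseline window falls back to the overall baseline.

```python
"""Per-client request-rate baseline with anomaly flagging.

Added example, not from the original post. Learns, from a window of
constructed access-log lines ("<epoch_seconds> <client_ip> <path>"), how
many requests each client normally makes per minute, then flags minutes in
a later window that deviate from that baseline by more than z_threshold
standard deviations. Clients never seen during training fall back to the
global baseline.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

BASE = 1_700_000_040  # constructed start time (a multiple of 60)
GLOBAL = "__global__"


def make_lines(client, per_minute_counts, start=BASE):
    """Constructed log lines: `count` requests in each successive minute."""
    lines = []
    for minute, count in enumerate(per_minute_counts):
        for k in range(count):
            lines.append(f"{start + 60 * minute + k} {client} /index")
    return lines


# Training window: two clients with their usual, slightly varying rates.
TRAINING_LOG = "\n".join(
    make_lines("10.0.0.5", [5, 4, 6, 5, 5, 4, 6, 5, 5, 5])
    + make_lines("10.0.0.6", [3, 2, 4, 3, 3, 2, 4, 3, 3, 3])
)
# Later window: the known clients behave as usual; a never-seen client
# makes 30 requests in a single minute.
OBSERVED_LOG = "\n".join(
    make_lines("10.0.0.5", [6], start=BASE + 3600)
    + make_lines("10.0.0.6", [3], start=BASE + 3600)
    + make_lines("10.0.0.9", [30], start=BASE + 3600)
)


def requests_per_minute(log_text):
    """Counter of (client, minute_bucket) -> number of requests; bad lines skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        ts, client, _path = parts
        counts[(client, int(ts) // 60)] += 1
    return counts


def learn_baseline(log_text):
    """Mean and stdev of per-minute request counts, per client and overall.

    Minutes with zero requests do not appear, so the baseline describes
    active minutes only.
    """
    per_client = defaultdict(list)
    for (client, _minute), n in requests_per_minute(log_text).items():
        per_client[client].append(n)
    baseline = {}
    all_counts = []
    for client, counts in per_client.items():
        baseline[client] = (mean(counts), pstdev(counts))
        all_counts.extend(counts)
    baseline[GLOBAL] = (mean(all_counts), pstdev(all_counts))
    return baseline


def detect_anomalies(log_text, baseline, z_threshold=3.0, min_stdev=1.0):
    """Flag (client, minute, count, z) where the count sits far outside the baseline.

    min_stdev stops a client with a perfectly regular history from being
    flagged on a change of a single request.
    """
    flagged = []
    for (client, minute), n in sorted(requests_per_minute(log_text).items()):
        avg, sd = baseline.get(client, baseline[GLOBAL])
        z = (n - avg) / max(sd, min_stdev)
        if abs(z) > z_threshold:
            flagged.append({"client": client, "minute": minute, "count": n, "z": round(z, 2)})
    return flagged


if __name__ == "__main__":
    baseline = learn_baseline(TRAINING_LOG)
    for hit in detect_anomalies(OBSERVED_LOG, baseline):
        print(f"{hit['client']}: {hit['count']} requests in one minute (z={hit['z']})")
```

Rate alone is a crude feature, and a real IDS would combine several (paths never requested before, response codes, request sizes), but the shape is the same: learn what normal looks like from a quiet window, then score new traffic against it and let the analyst judge the flagged minutes. Re-learning the baseline on a schedule is what keeps it from going stale as usage changes.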
How Hackers Are Using AI And Machine Learning
Just as cybersecurity experts use machine learning to guard against many cyber threats and create effective defenses against some of the most advanced ones, hackers, being talented and innovative, are also using machine learning in their attacks. For instance, some hacking groups use machine vision to defeat defenses (which, coincidentally, are themselves based on machine learning) such as CAPTCHAs.
Hackers are also going as far as poisoning big data. Using traditional hacking methods (human negligence and error are the most exploited), they look for ways to learn how a security algorithm is set up and where the machine gathers its information from.
Once they know that, they “poison” the data by introducing defective or misleading data, with the intent of degrading the machine to the point where, in the case of DoS attacks for instance, it cannot tell legitimate requests from illegitimate ones.
AI As a Cybersecurity Tool
Now that we have established the various ways cybersecurity and artificial intelligence relate, we cannot fail to mention that as AI develops and becomes more intuitive, it is becoming a very effective tool in the cybersecurity expert’s toolbox.
As threats increase, cybersecurity experts can teach machines to recognize threat patterns and adaptively guard against them. Analysts can teach machines which baseline parameters to look for as they read big data and, once alerted to data that does not meet the baseline, how to handle that data or threat. The effect is that as machines learn to analyze information and resolve the non-baseline data, they learn and adapt.
By teaching machines which threats, weaknesses and exploits to guard against, cybersecurity analysts and experts are gaining the ability to deploy solutions fast, which helps mitigate future attacks.
Because of their ability to sift through large amounts of data, machines are easing the pressure on the backs of cybersecurity experts to some degree: once a machine knows which threats to look for, the analyst’s work becomes mostly passive. In fact, by employing machine learning and big data, all a cybersecurity expert has to do is teach the machine which other intrusions to note, and respond when the machine alerts on something outside its normal parameters.
Yes, there is a real and definite relationship between cybersecurity and machine learning (AI). As you have seen, thousands of enterprise organizations and even medium-sized businesses use AI and machine learning to teach machines to read patterns within big data and guard against potential threats.
As we go forth into the future, the relationship between AI and cybersecurity is only going to grow as big data becomes an integral part of our lives and as countries around the world work towards standardization of data laws, formats, and communication modes. Once this happens and we achieve semantic uniformity of data flow and formats, AI will become the most effective guard against system intrusions and cyber hacks.
The cybersecurity community must work toward a balance between adaptive machine learning and supervised learning. That will ensure that even as machines dig through reams of big data in moments to read patterns and draw analyses, cybersecurity experts can also teach them which threat patterns to look for and how to handle them once noticed in their data.
Ever since the internet became a mainstay, something the layperson uses for connection, online shopping and even online business, hacking has been on the rise, which in itself creates the need for cybersecurity on both a personal and a professional level.
Phishing, Trojans, ransomware, penetration attacks, over-Wi-Fi attacks and worms are some of the most common strategies hackers use to gain access to your information or to get you to give them access to your private information.
On a professional level, the need for cybersecurity is even greater: as businesses evolve and adopt technology in every area of operation, and as the need to maintain and protect user databases grows, cyber threats keep increasing as black hat hackers try to gain access to this invaluable information.
Despite the internet being a staple of our lives, many businesses constantly overlook the need to hire well-trained cybersecurity professionals and, in doing so, compromise their business and data.
You should consider hiring a cybersecurity expert—especially if your business has an online presence or a database of any sort—because:
1- The proof is in the numbers: cybercrime is very costly
If you have been following the news, you know that because of the Facebook-Cambridge Analytica data breach, which compromised the personal information of over 87 million users, governments across the world are re-examining regulation on how companies store and use user data once they have it.
Although this breach became well known only because of its role in the United States presidential election, such breaches are not new.
Data shows that the healthcare industry, specifically healthcare data centers, suffered over 112 million breaches. Further, Cisco, a worldwide leader in IT and networking, states that DDoS attacks, a type of attack that drives (more like floods) junk traffic at a database or website to overwhelm it and leave the system vulnerable, have been rising rapidly (by about 172%). The company further projects that the attacks will grow by 430% (to about 3.1 million attacks per year).
This fact, together with how costly cybercrime is, is one of the main reasons why you (and every business with an online presence) need to hire IT management professionals.
The FBI’s cybercrime division shows that in the first 3 months of 2016, ransomware payments extorted by unethical hackers cost small and medium-sized businesses more than $209 million.
In comparison, and to show the true threat of cybercrime and why we need to hire cybersecurity professionals, in 2017 this number rose to about $4 billion, with hacks such as the WannaCry outbreak, a ransomware attack, affecting computers in more than 150 countries around the world.
Cybersecurity experts, who are very talented hackers themselves, test all the vulnerabilities in your system the same way a black hat hacker would, the only difference being that this time you are paying them to do so and to fix the loopholes. With a professional IT manager on your team, you can guard your systems against exploits that unethical hackers would otherwise use to compromise your system and data.
2- The Human Error Factor
If you know anything about computer hacks, especially hacks that exploit vulnerabilities on your system (computer or server) to gain valuable information, you know that in part, hackers cannot gain access to this information without some form of participation on your end.
Take the example of malware, Trojan horse, or worms. For unethical hackers to gain access to your information, they will ask you to download something off the internet or your email inbox, perhaps a document or a piece of software.
Some of them will go as far as trying phishing attacks where they send you an email pretending to be a legitimate company such as PayPal with the intent being to get you to go to a fraudulent site where you can reset your password—these types of attacks are very common.
Now, the human error aspect of cybercrime, and the very reason why we need more cybersecurity experts, comes into play because unethical hackers rely on human errors and mistakes to access sensitive and private information. For instance, opening and downloading a document from an email that your email client has flagged as spam is a mistake; so is falling into the phishing email scam.
Bo Yuan, a Computing professor, did an analysis of threats faced by organization and businesses. His analysis revealed that most businesses are vulnerable to cyberattacks because of the human error and interaction.
For example, human error was the cause of the data breach at Equifax, a breach that gave hackers access to the private and sensitive information of more than 147 million customers and that the CEO of the company estimates will cost upwards of $600 million.
This in itself shows the need for more cybersecurity experts or at the very least, basic cybersecurity knowledge such as making sure the websites you are visiting are safe and genuine (sometimes, even looking for https encryption and other signals aren’t enough).
Cybersecurity professionals know which errors lead to data breaches and what to do to protect your systems against them. With such a professional on your team, or as a key player in your IT department, human errors and their effects on your data can be kept to a minimum, though never eliminated entirely.
In addition, we need more IT security professionals because hackers often target users outside the IT department, including staff who use their personal devices for work (BYOD). Such users are usually less trained to spot an attack, although IT administrators are prime targets too, because of the privileges their accounts carry.
By having a cybersecurity professional on the team, you can ensure that every department in the organization knows what to do with the files they download and, at the very least, which small mistakes can compromise the business and lead to losses, sometimes even the loss of jobs.
Now that cyberattacks are growing more sophisticated and harder to spot, having an IT security professional ensures that every department in your business gets the training it needs to keep the company safe.
3- Evolution of Cybercrime and Security
When we think of cybersecurity and cybercrime, we think of computers. Computers are indeed the main tools and targets of cybercrime, but cybersecurity has evolved and now has a far wider scope: phones, network equipment and the connected devices in homes and factories are all targets as well.
Since the first known cyberattack in 1903, a simple one in which Nevil Maskelyne sent insulting Morse code to disrupt a demonstration of wireless telegraphy by Ambrose Fleming, hacking has evolved to the point where, thanks to faster computers and automation, attackers can find and exploit vulnerable systems within hours of a vulnerability being disclosed, and crack weak passwords in seconds.
The tools have improved as well. Thanks to free and open-source software hosted on platforms such as GitHub, powerful scanning and exploitation tools are freely available, and ready-made "exploit kits" are sold on criminal markets. As a result, even unskilled attackers, the so-called "script kiddies", can run pre-built exploits against servers and PCs from the comfort of their bedrooms.
Having a professionally trained cybersecurity expert on your team is the first step to ensuring that your systems are protected not only from human error but also from the most common exploits. Such an expert will configure your firewalls properly, keep your servers and website patched, and harden their configuration, making it far harder for hackers to get in. A firewall alone is not enough, since phishing and attacks on a public web application travel over traffic the firewall has to allow.
4- The Need for Specialized Skills
Although the line between the security services offered by IT professionals and cybersecurity proper is thin, managing cybersecurity requires specialized skills that go well beyond the security work traditionally delivered by IT generalists, especially in light of the ever-changing threat landscape and the rapid development of complex hacking tools.
As described above, the work of a cybersecurity expert is to keep your systems safe from cyber attacks. Defending against such threats requires skills that only a qualified professional with the requisite foundational knowledge has.
Without a professional cybersecurity expert on your team, your systems remain exposed to the risks that come with emerging technologies, new threat vectors and other changing facets of cybersecurity, leaving your business open to attacks, and to heavy fines where your handling of user data fails to meet regulatory requirements.
Having an in-house cybersecurity expert with the specialized skills needed to ensure compliance with regulations such as the EU's General Data Protection Regulation (GDPR) keeps data safe and reduces your exposure to fines if a breach does occur, since regulators weigh the safeguards you had in place and how quickly you detected and reported the incident. Essentially, a cybersecurity professional is the guard who keeps your data safe and ensures that, in case of a breach, you can show you did your due diligence.
We need more cybersecurity professionals because inasmuch as the internet has become an integral part of our lives, it has also brought with it many risks and vulnerabilities; cybersecurity experts help companies guard against these vulnerabilities and by so doing, keep sensitive information and systems safe from unethical hackers.
Working in IT and cybersecurity gives me exposure to any business I work with that no other field or profession gets. In fact, I have access to the most important part of any business: its information.
Businesses and governments need us to protect their information. Something you need to understand is that our job is not only to protect this information but also to have processes and procedures for how to protect it.
In order to protect this information, we need access to it one way or another. How you decide to gain that access could decide your path as a professional, because how you approach access matters more than which tools you use for it.
What I mean by access to information
When you think with a technical mindset, you think in terms of software and hardware tools, which system to use for access controls, or which server to buy and configure to provide that access.
That’s not what I mean.
What I mean is that approaching the people in the business and learning how the business works gives you a different way of accessing the information.
For example, from my experience working in highly regulated industries, I know that having processes and procedures in place saves a company when there is a business interruption. As a manager, my approach was more than just knowing which backup software to use to restore a system, or which servers to restore first according to the business requirements to keep operating. My job was to understand how the business operated and how to put all the pieces together so that business recovery went as seamlessly as possible.
I suggest that, even if you are not a manager, you approach your job the same way I did, and here is why.
Your approach to business will equal your approach to people
When you approach your job from a purely technical perspective, you are limited to the experience and knowledge that mindset provides. Yes, you will learn more about your area of expertise, but you won't necessarily grow in your career, because you are limiting yourself to interacting with systems and processes while excluding other humans, and that is not going to work for you in the long term.
Hiding behind a computer screen won’t work forever if you intend to keep a job and grow in your career.
Face-to-face interaction with other humans while working is important for many reasons. It gives you the opportunity to learn what other people do in their jobs and what their responsibilities are. Understanding what other people do, and piecing together their jobs and responsibilities department by department, will help you understand the business you work for.
Why you should understand the business you work for
The process of understanding the business you work for lets you use a skill many underestimate: listening. Interacting with other people and listening to them more than you talk will shift your mindset toward growth and let you see things you never thought were there.
An example could be a specific problem that other employees tell you about, which you could turn into an opportunity to fix something and contribute to a business solution. It could be a specific business process, or a challenge someone is facing, that you could contribute to. Opportunities like these expose you to business processes you enjoy and help you grow in your career.
How to use this to your advantage for a salary increase
By doing what I just described, you will start to see things others are missing that could improve a business process, and if you play your cards right, you can use this to increase your own salary. Here is how.
Use your performance appraisals to your advantage
Every year, managers evaluate their employees using a system known as a performance appraisal (a.k.a. employee evaluation). Every company has its own scoring system, but they all work basically the same way. They all establish goals, which the company classifies by how they impact certain areas of the business. Every goal is measured against a pre-established scoring system that every employee is aware of. For this example, let's use a scale from 1 to 5, where 5 is the best score and 1 is the worst.
In most companies, simply completing a goal earns you a 3. A score of 1 or 2 means you did not complete the goal through your own inaction. A score of 4 or 5 means you exceeded expectations.
Salaries enter the corporate budget by department: what the company currently pays, plus a percentage for increases that is distributed among departments based on how all the employees in each department performed the previous year.
Every score from 3 to 5 means a salary increase, but the percentage increase for a 5 is greater than that for a 4, which in turn is greater than that for a 3. The key is to do your job striving for a 5.
Learn how to negotiate your goals with your boss
The time to negotiate your goals is when your manager meets with you to discuss the goals for next year; that is when you determine which ones will be included in your performance appraisal. Make sure they are realistic and attainable. If you have doubts about how to attain one of them, ask how it would be achievable.
Don't leave anything to chance, and never sign an agreement without having this clear. It is your career that's on the line, not the manager's.
Usually, this is not the place for goals that have to do with career development; companies usually provide a separate development plan for that purpose. Check whether this is the case where you work.
A performance appraisal measures your performance against the performance of the business and how much you contributed to it. The closer your goal is to the business's goal, the more direct the impact on your score.
The good thing is that if the business did not achieve its goal but you did, you are assured an above-average score; if it was the other way around, it could hurt you. You have to understand these things to be prepared for negotiating your goals. Speak up and learn how to negotiate your way into career growth.
As a manager, I always spoke with my employees candidly and even asked them for feedback on the established goals. Only then did they sign their agreement.
How to use this to your advantage for Social Engineering
Prior to being a manager at the pharmaceutical company, I was a consultant IT project manager for several companies and industries, and an IT auditor. As an IT auditor, I was sometimes hired to "social engineer" my way into a company with the goal of getting access to the company's systems.
I really love this part of the job. After my clients signed the contract agreement allowing me to do this, I always found a way to gain access to a system, most of the time without any computers. People are the best way to gain access to a system. I did this even before the term cybersecurity existed, and I did it periodically, mostly for the financial industry.
Because of my background in social sciences, I knew how to press the right buttons on people to get what I wanted in terms of securing my access into a company (…and still do). Sometimes I got paid a bonus if I did breach the company's servers. I even got arrested once after I gained access to a computer room, until my client, who was the CEO at the time, cleared me of everything. That's how "deep undercover" I was when doing my job. I took it seriously.
My point here is that people skills really work when you want to specialize in social engineering and OSINT, which happen to be my favorite cybersecurity specialties.
In summary, by knowing and understanding the business and the people you work with, you help others by contributing to a business process. By the same token, you learn new skills that will help you grow your mindset in a world where everything is getting more and more abstract.