TechRepublic’s Karen Roby spoke to Ning Wang, CEO of Offensive Security, about what it takes to become a cybersecurity professional. The following is an edited transcript of their conversation.

Karen Roby: Ning, let’s just start with the state of cybersecurity; where we are in terms of the number of professionals to fill these roles that are needed to keep companies safe?

SEE: Security incident response policy (TechRepublic Premium)

Ning Wang: I think that we’re in a pretty bad state. No matter which source you look at, there are a lot more job openings for cybersecurity than there are qualified people to fill it. And I have worked at other security companies before Offensive Security, and I know firsthand, it is really hard to hire those people. And that’s the fact that we’re facing, and there are many companies that are trying to address it, organizations and governments, and I think that we’re going to see progress, but it’s not going to be overnight. And I think the problem is going to get worse before it gets better.

Karen Roby: The unfortunate reality, Ning, and I know you’ve been in the tech world for a long time now, and have worked with so many different kinds of people, and I think that’s the interesting thing is that you don’t have to have a tech background in order to be successful in cybersecurity. So, what type of person do you look for? What type of person and skillset do people need in order to get into the field and be successful?

Ning Wang: That’s a really good question. You may think that you have to have so much technology background to go into security. And again, I know firsthand that is not the case. What does it take to be a great cybersecurity professional? And I think from my observation and working with people and interacting with people, they need a creative mind, a curious mind, you have to be curious about things. You have to have the perseverance to go through. You can’t just give up easily. We call it try harder, but you have to have that. You have to have the attention to detail because you are reading a lot of the scripts and the codes; we’re writing them. So, if you don’t have attention to detail it would take you so much longer and it has to be your passion. You cannot do this just for a job, unfortunately. You can’t just follow a playbook and then think that you will be able to do that.

Those are some of the key skills or the traits of a person. And then even if you have all of that, there’s no shortcuts. If you look at all the great people in cybersecurity, just like all the other fields, that 10,000-hour rule applies here as well, OK. You have to do the hard work and it does take that to become really good at it. And so, for example, we know at our company, we have somebody who studied philosophy. No IT background whatsoever, taught karate, and then became interested in cybersecurity. And that’s the background he started at and he is so good today and still works at OffSec. And we have another employee who is one of our top security experts in the company. He worked in the mail room for many years and he said, I don’t want to do it for the rest of my life, and I want to figure out what is the thing I want to do, and then heard about cybersecurity, and went his way just steady and going one thing at a time, and now he’s very much an expert.

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

It’s not that you need all the IT background, but what you do need, you need to have a curious mind. You need to be willing to put in the hours, you have to persevere, got to have attention to detail. And over time you learn, you develop the wisdom, the pattern recognition, and that’s how you become really good at cybersecurity.

Karen Roby: Yeah. You can’t escape that 10,000-hour rule, no way to skirt around it, Ning. You know, we’re always trying to stay one step ahead of the criminals, the hackers that can do a lot of harm to businesses and their systems. So, what do companies do? I mean, they’re desperate to fill these positions. They’re competing with other companies to get this talent.

Ning Wang: I think that’s another sort of unfortunate fact. I don’t believe there’s a silver bullet to fix the security posture, security problem of an organization or a government. Security, to be good at it, it really takes everyone who has access to your systems and networks. You need to start with creating general education and awareness with everyone in your organization that has access. And then to think that somehow you are lucky, you will never be hit. I think that’s wishful thinking, it can happen to anyone. So general awareness and education, but in order to do that, I think I need to start from the top. That means the board members, the CEOs need to know: today, doing security is no longer a nice to have, or side project, afterthought, it needs to be what it takes to do business today. So, they need to give the focus, the priority and the resources and the investment.

And from there, it’s everyone that’s doing the job, that their main job may not be security, whether it’s a developer, system admin, network engineers, but they all have a hand in security. In fact, everyone that’s doing the job, they have to think about how to have that security mindset awareness. And then you need the security experts that monitor, that checks, that does the proactive hacking so that the offense side is so you can try to catch your weakness before the bad guys take advantage of it. I always say, a company or a government or organization, your security is as good as the weakest link in your organization. You have to know that, be aware of that. And then you have to do all these things that are not sexy, but they are what it takes. It’s the patching of all the systems that you use, the operating system, or all the tools; you have to make sure you are patching them timely, especially your critical systems.

And then the other thing is that I think a lot of the systems are old and they were designed without the security in mind to really be better. You have to assume somehow the bad guys will get in, but how do you make it harder? So, even if they get in, they cannot get into your sensitive area easily to get to the data. So that requires a design with the security in mind. And so it takes all of those, the security people who know, who are monitoring on the defense side, on the offense side, they’re checking proactively to everyone else, having the awareness, and people do the job and for security to be part of it, to improve the security posture.

Karen Roby: Wrapping up here, Ning. I think I’ll go back to what you said at the very beginning, that unfortunately things are going to get worse before they get better.

Ning Wang: I think that that is the case. I think if you think about the cyber criminals, they are incredibly creative. Security is a people problem, it’s not a system problem. It’s how people do the system, follow the processes or not, and that’s where the cyber criminals are taking advantage of it, and then get access to things that we don’t want them to. So, I think we need to keep at it and we need to increase the awareness, especially the senior leadership level. And then no, it’s not going to be overnight and know we need to do our best, but even when we do our best, that things can still happen that we didn’t want to. So we need to think about how to mitigate the risk so that in the event they do get in, they can’t get to the most sensitive area of your system and then your network.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Sign up today

Also see