Cybersecurity Career Options Use Hacking Skills for More than Hacking
Hacking skills seem like they would be pretty easy to leverage into a career in cybersecurity. But what about a career in management or as a C-level executive? There are more cybersecurity career options than many people realize. And there are more ways to use hacking skills than just behind a computer.
See Hacker to CISO with Alyssa Miller for a complete transcript of the Easy Prey podcast episode.
Alyssa Miller is a lifelong hacker and a cybersecurity leader. Currently, she is the Chief Information Security Officer (CISO) for Epiq Global. She has sixteen years of experience in security and is an internationally-recognized speaker, author, and researcher. She has also been a hacker her entire life. Hacking is just part of who she is, and that hasn’t changed just because she’s an executive. She’s still a hacker, just a hacker who also happens to be a CISO. It just happened to be quite the journey to get there.
Hacker Beginnings as a Curious Four-Year-Old
Even as young as four years old, Alyssa was curious about technology. But what can you really do to learn about tech as a four-year-old? Alyssa took things apart. She disassembled her toys to find out how they worked. She also took apart her parents’ VCR, as well as other things. Her parents didn’t appreciate it at the time, but when she put them back together again, they usually worked.
It’s that kind of energy that drives the hacker identity – that curiosity, passion, and willingness to play with things, take them apart, and figure out how they work. Not everyone has that.Alyssa Miller
That curiosity has always been a fundamental part of her identity. The willingness to take things apart and find out why they do what they do is a large part of what makes her a good hacker today. This kind of curiosity is not something everyone has. She has had conversations with people who have told her that they don’t care how it works inside as long as it does what it’s supposed to. While there’s nothing wrong with that, it’s not the kind of attitude that will make a hacker.
A Twelve-Year-Old with a Computer
When Alyssa was twelve, she saved up about $1,000 to buy a computer. This was in the era of the late 1980s and early 1990s, before home computers were everywhere. She went to Best Buy, bought a computer, brought it home, and immediately screwed it up.
She didn’t know back then that operating systems and apps came pre-loaded on the computer. The computer came with a manual, but only for the disc operating system (DOS). Alyssa opened up the DOS manual, and it said that step one was to run fdisk. She ran fdisk. It wiped all of the partitions, and she couldn’t figure out how to create a partition again.
Alyssa called Best Buy and explained the situation to the guy who answered. His response was, in essence, “You did what?” Hardly anyone reads the manual, but Alyssa, it seems, was the exception. He offered to take the computer back and see if they could solve the problem, but Alyssa declined. Through trial and error, she figured out just enough to create a new bootable partition. From there, it was easy.
Going Down an Internet Rabbit Hole
Originally, Alyssa’s computer didn’t have a mouse or a modem, and the internet wasn’t a thing. But she started getting discs in the mail from Prodigy, America Online, and CompuServe. So she did what any technology-curious twelve-year-old would do: Got a modem, booted up Prodigy, and started playing.
At that time, you only got twenty-three hours of being online before they wanted a credit card. Alyssa was twelve – she didn’t have a credit card, and she wasn’t going to do that anyway. So she went digging through library books on UART, serial comm, asynchronous modem communications, and other things. She found a way through the software and broke into Prodigy without having to pay. Being twelve years old at the time, she used it to play games.
The internet came along years later. She discovered internet relay chat and eventually hacker rooms online. That’s when she started to associate with the term “hacker.” It was something she did because she enjoyed it, not as a career move. In the early internet age, “hacker” wasn’t a career option. And nobody at that time thought that a cybersecurity career might become an option.
Studying Computers in College
Alyssa started college as a pre-med student. But three semesters of college chemistry will help you figure out quickly if you want to be a pre-med or not, and it turned out she did not. So she had to find a new major. At that point, she had been writing some code – mostly in Basic, but she was learning C as well. When she saw her school had a computer science program, she thought it would be easy. She already knew how to program, after all.
So Alyssa switched to studying computer science. This was the dot-com era now. Everybody wanted programmers. At age nineteen and still in school, Alyssa got a full-time “grown-up” job as a software developer for a financial services company. All they did was write and host software. Today, it would be called Software as a Service (SaaS).
From Programming to a Cybersecurity Career
Alyssa worked in programming for nine years. Eventually, she was approached by someone on the security team at her company. She wanted to know if Alyssa would join her security testing. Alyssa said she didn’t know how to do it, and the woman from the security team said, “You’re smart, you’ll figure it out.” When she got there, she figured it was just hacking. That, she knew how to do.
That was the start of her cybersecurity career. She ended up leading a team that was responsible for vulnerability management and security testing for a 6,000-employee Fortune 500 financial services company. That company got bought out, and she ended up in charge of the same department for a 35,000-employee Fortune 200 company. By the time she was thirty years old, she was going to board meetings and talking to the executive team.
After fifteen years at the company, she was tired of financial services and wanted to see other industries. She got into consulting. Along with financial services, she also got to work in healthcare and energy, among other industries. As her consulting grew, she ended up working with CISOs and senior leadership teams and doing presentations for them.
Moving Towards CISO
As Alyssa continued her career, new opportunities just kept popping up. She ended up as a Business Information Security Officer for a historic Wall Street firm. That role included leading cybersecurity as, essentially, a CISO for one business division.
When she got that job, she decided it was a stepping stone. Her goal was to take her cybersecurity career all the way to Chief Information Security Officer. She may have started off as a hacker, but she discovered along the way that she loved management. In addition, she had the skill set for managerial roles.
She was only in the BISO role for eighteen months when another job came looking for her. It came from a colleague who was currently in the position but leaving to take a bigger role. Alyssa went through the process and got an offer. It put her as a CISO leading cyberseucrity at a multi-billion-dollar company.
Cybersecurity Career Skills in Management
Most people think leading is a fundamentally different skill set than doing. They assume that it’s a big transition from taking things apart to see how they work to leading people. In some ways it is, but in many ways, Alyssa has found that it isn’t. Being in a true management position is a different skill set because it’s not as much hands-on with tech. The farther you advance through the management ranks, the farther away you get from the hands-on work. But this isn’t necessarily a bad thing.
What you have to embrace [in transitioning to management] is that you’re going to be responsible for different things.Alyssa Miller
When Alyssa was a programmer, she had a manager who called her “the translator.” In meetings with the board, they would have to describe technological things. There were many more senior programmers who could explain things well in tech terms. But Alyssa was the one who emerged as the person who could translate so the vice president understood. It was a useful skill set to have as an engineer, but a necessary one for a manager.
Too many people see management as the next career step. But it doesn’t have to be. In fact, if the management skill set is not one that you have or want to use, it shouldn’t be.
Management by Hacking
Fundamentally, Alyssa’s hacking skills are just as useful in her management positions. She has given conference talks previously about a concept she calls “hacking the board.” A lot of the tools that she used to hack a system are the same things, metaphorically, as what she does when she presents to the board. This includes tools like social engineering in a practical sense. But on a higher level, the goals are the same.
I’m trying to help others to look at it through that lens … take some of the lessons from what we do as hackers and apply that.Alyssa Miller
Alyssa’s interest in becoming a CISO came from the same curiosity that led her to hacking. She wanted to see how stuff works. People are out there in executive leadership team meetings and board meetings. Then they come from her meetings and tell her she has to do her job in a certain way or manage her budget differently. She wanted to understand how it works. At its heart, her whole cybersecurity career was driven by the core desire to understand the inner workings of something, how it works the way it does, and if she can make it work differently.
The Role of the CISO in an Organization
The role of a CISO within the business organization is changing. The United States Securities and Exchange Commission (SEC) is now mandating that company boards have to discuss cybersecurity risks. Alyssa is happy about that. People who work with technology have been clamoring to talk about cybersecurity and get CISOs in the boardroom for as long as Alyssa can remember. They’re getting their place at the table now. But a lot of CISOs aren’t ready for it.
Part of that is that cybersecurity career options are relatively new. The Chief Information Security Officer role has only existed for around thirty years. Compared to other C-level executive positions, it’s very young. In addition, many of the people in CISO roles are people deeply experienced with technology. They are often not prepared to talk to non-techies about technology. Alyssa has been in meetings where the tech-savvy people start talking and using terms the board doesn’t understand. The board members tune out and start looking at their phones.
Because of these factors, many organizations look at the role as a junior one. A large percentage of CISOs fall into different job categories, like director or senior director. Almost all of them report to another C-level executive, and most of them are not part of the official executive leadership team. It’s hard for CISOs to actually do their jobs effectively if the board doesn’t trust them to take on an executive leadership role. But it’s also important for security leaders to be ready for the challenge.
Future Risks of Internet Security
Anyone in a cybersecurity career is able to see what risks exist right now. What is harder is predicting which risks are going to become even bigger problems in the future. These are the problems that Alyssa things are going to become the major internet security issues in the near future.
For a while, it looked like deepfakes were going to become a huge problem. A few years ago, it had some real promise. But we got a lot of awareness out that they exist. People spread deepfakes that were easy enough to prove fake, and the general public understood that their capabilities.
The core tenant of phishing is the spreading of misinformation on a very micro level.Alyssa Miller
But deepfakes aren’t the only way of spreading misinformation, and Alyssa thinks we’re going to see more of it. There’s the discourse around misinformation campaigns in politics, but it’s not limited to the political. Organizations will need to include misinformation as part of their incident response plan. It doesn’t necessarily fall under the umbrella of cybersecurity, but it can be leveraged for the purpose of cyberattacks, so it’s still important to consider.
Online privacy concerns are already a big issue. Alyssa thinks we’re going to see them spill over into a cybersecurity concern. We’re doing more things now to try and protect privacy. On the policy and practices side, cybersecurity will be a part of it. As Alyssa’s colleague Amber Welch has pointed out, you can perform a DdoS attack on a company in the physical realm by initiating a bunch of subject access requests under the GDPR regulations.
Someone in a cybersecurity career has to become more aware of things that don’t include technology and have previously not been their problem. For example, if technology is used to secure a physical space, who is responsible for that? Cybersecurity will have to extend beyond technology.
The line between physical and digital keeps getting blurred more and more.Alyssa Miller
Education for Kids
Cybersecurity education for children is already happening. Alyssa herself has been involved in two different programs teaching kids to be safe online. It may sound like a very 90s thing to say, but it’s reality. Kids need to learn how to deal with the digital world. Even helping kids understand the implications of social media from a privacy perspective can be very helpful.
The main problem is on the instructional side. Instructors who grew up in a world of landline phones are trying to catch up and learn how to communicate the risks to kids. Many of us are still trying to wrap our head around it, making it hard to educate children.
The response for most of us who don’t understand the risks is to abandon it. If we don’t understand the risks of social media, we don’t do social media. That’s not a reasonable option for Gen Z. We have to embrace it because it’s part of our world, but we also have to learn how to be safe with it.
We can’t say no to it, so how do we learn and put the controls on our own lives to protect us to a level that we’re comfortable with?Alyssa Miller
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
You’ve probably seen them somewhere. A sign by the road, an ad on a billboard, or even…[Read More]
Student loans came out of their forbearance period and payments resumed towards the end of last year….[Read More]
A virtual kidnapping call can be terrifying - that's why it's important to be prepared in advance.[Read More]
If someone asked you if you want the messages you send and receive to be private, you’d…[Read More]