This blog can further supplement the explanation and/or clarify what it means to be a DevSecOps Engineer - a post I wrote a while ago. There has been recent enlightenment.
So, I was very honoured to be able to share my career experience in cybersecurity at a mentorship programme hosted by SCS to a bunch of young people who are currently pursuing their cybersecurity education in various tertiary academies.
This was a question I was trying to answer. I realized that my role as a software engineer - armed with the knowledge and capabilities of a hacker, equipped with the DevSecOps mindset, and the attitude of a servant - is to make my organization more secure using my abilities. I don't just want to operate from the ivory tower, I want to help and be able to walk the talk. DevSecOps is not about making policies, it is about making your business more secure by eliminating those low hanging fruits. Thus, I help to build the pipelines, scan the code, etc. Long story short: if you want it done well, do it yourself or at least be a part of the team building it.
With that said, I also gave them the good-o slides and explained everything from The Phoenix Project, to DevOps, to DevSecOps, etc. I had no idea if they understood what I was saying because I wouldn't understand myself if I were still in school too. But I hope it was a teaser for them into the real world.
After my half-hour of talking to them using meme infested slides, there was a much more intimate breakout session where we get into small groups and have a chat with each other regarding anything cybersecurity. There were about 2 mentors and 8 mentees in a group.
This was the question I asked them. What is it that excites you? I had a long and personal answer - some of them had some interesting reasons behind their answers while some of them are still looking for that fire to light up their passion within. I found myself in the same shoes a few years ago while I was still in CMU and studying for an information security degree. Confused and unsure of what lies ahead. But the other mentor and I had similar advice: that is to explore the whole spectrum of cybersecurity.
For those who want to know more about the different domains of cybersecurity, I'm sure there are a lot of resources out there. To name a few, they broadly include Secure Coding, Policy and Compliance, Penetration Testing, Anti-malware, Reverse Engineering, Encryption, Network Security, Logging, Detection and Monitoring, Incident Response, Forensics, and more.
My number one advice is to use your internship opportunities to explore and find out if you like a specific domain or job scope in cybersecurity. For me, I had a few internships. One particular internship experience made me realize that policymaking was uninteresting to me. I was a security risk and policy analyst. I had used all the available academic frameworks - from DREAD to STRIDE to NIST (you name it) - to come up with the papers that I think will define and measure the security risk posture of the organization. After 3 months, I cannot stand what I was doing. However, my buddy, who was in another security team, was doing some amazing security work in AWS at that time and the operations seem exciting to me. I decided to seek a full-time job with THAT security team and that was how I started my career in the Red Team at Intuit. Lucky for me, it is what I am passionate about and I love what I do even until today.
After the session, I also felt that there was a lack of understanding among the students about what the industry is doing, much less the movement of DevSecOps. The academies are preparing them with the foundations and I just hope that cybersecurity will not be a disconnected silo in organizations like it used to be. I am glad that the students take the time to understand how the software industry is advancing and how it is eating the world so quickly. Cybersecurity specialists should always be in touch and in pace with software development in order to understand and defend our virtual world.
Fun fact: With an increasing demand for cybersecurity specialists, Singapore's push to produce cybersecurity specialists is now at an all-time high. During my time, an average of B grade was all it took to enter my school but now it requires an A grade.
I had a great time at the sharing session. If you have any questions, whether you were at the session or not, please feel free to reach out to me. I'm more than happy to chat. Cheers.
This article was first published on Fabian's blog here, on 25 August 2019. Information is correct at the time of publication.