There is a dearth of talent in the cybersecurity industry, and the talent that does exist tends to be very specific, with some skill sets being rarer than others. An IT guy with 15 years of experience in network engineering is not interchangeable with a skilled penetration tester (pentester), though both skill sets are certainly needed in a cybersecurity program. For many companies, the lack of pentesters is a significant problem. And while there are a lot of pentesters working in the industry, there is still a shortage of exceptionally good ones. What separates a mediocre pentester from a good or a great one is not the number of tools or scripts memorized, nor how many certifications are listed on the resume. No, it is how cunning he or she is, and how shrewdly he or she thinks. But even the really great pentesters still fall short in the expertise and mindset that a company needs when defending itself.
What companies need is access to people with real-world expertise, people who have a bit of a malicious mindset, and who have had the opportunity to perfect it, legally of course. People whose skills and talent have been honed through extensive experience of planning and executing cyber attacks. Essentially, these are people who have been advanced actors working for the U.S. government against our nation’s adversaries. In government parlance, these would be people with computer network operations (CNO) experience, people with computer network exploitation (CNE) experience, and operations officers (aka case officers). The NSA and CIA are the premier proving grounds for this kind of experience, although there are a few other agencies that have a smaller portion of resources with similar experiences.
The intelligence community (IC) conducts offensive cyber operations to exploit the networks of our adversaries; just look up the job vacancy descriptions for cyber positions within the IC. This exploitation can be done through technical means, it can be human-enabled, or it can be a combination of the two. If you consider the methods of the nation-state actors attacking U.S. corporations, then you can see a similar advanced methodology of human manipulation and technical means to access and exploit networks.
When an advanced actor is tasked with exploiting a network to collect intelligence or for some other actionable result, the actor looks at the project holistically and does so without being limited by “rules of engagement.” These rules or limitations are always used in commercial penetration tests or with red teams. Advanced cyber actors have to have a malicious mindset to do their jobs well. They have to consider all possible avenues of attack. If you take a ‘kid gloves’ approach, you will most likely fail, and failure in the real world of national security has serious consequences.
Cybersecurity professionals without this mindset and expertise are more likely to underestimate the tactics an advanced actor is willing to use. They are less likely to understand their adversaries and to predict their potential actions. Cybersecurity professionals today tend to look for a technological solution. They tend to look at the problem in parts (e.g., we need better antivirus software on our endpoints since that is how the advanced actors are gaining access) instead of designing a holistic security program. A cybersecurity professional with offensive experience will look at a company’s organization, its people, its sensitive information, and its network in a different way.
However, it would be difficult to cultivate this mindset and expertise in cybersecurity professionals who do not come from the IC. Can you be a combat veteran without having served in actual combat? No. While training is great and serves a vital purpose, it cannot replace the experience of actual combat. It means something significant when we say a combat unit is battle hardened. For difficult missions, you would rather have experienced combat veterans than soldiers fresh out of boot camp and infantry school. Veterans anticipate issues, have a greater appreciation and understanding of their enemy’s tactics, and are far more likely to design and implement an effective defense with limited resources than someone right out of training or someone who has simply studied combat strategy.
The expertise that is honed from the training and the operational experiences gained in the intelligence community cannot be replicated outside of that environment. At the end of the day, a person with this mindset and background should be able to provide a company with greater insight into its current security posture, provide strategic thought leadership on designing a holistic cybersecurity program, and anticipate a threat actor’s actions more effectively. That’s not to say these professionals have all the answers or are the smartest in the group, but they do have insight, perspective, and knowledge that is undeniably beneficial to a corporation that wants to effectively defend itself.