"The World rewards specialization but it comes at a cost. You learn more and more about less and less, until you know everything about nothing." -Dr. Nathan Myhrvold
I was recently watching a documentary about creativity and the characteristics very creative people all share. The main characteristic is having interests and passions in multiple different fields, not becoming too specialized or an expert in just one area . Some of the fields relate to each other and some are completely different.
What hobbies/interests/passions help you stay creative within the field of Cyber? Or inversely, has learning Cybersecurity helped creativity in other areas of your life?
One of the career detours that helped me most in cyber security was auto mechanics. Back in high school I was a real big geek. I had teachers asking me how to do things on the computers. Then I went to college and had a jerk of a professor who turned me away from my passion (IT). When trying to figure out what to do next I enrolled in auto mechanics because I didn't know how to change the oil in my car. Going this route helped me figure out how to troubleshoot things and to understand that by knowing how things work, you can figure out how to fix them. In IT/cybersecurity, if you know how things work, you can figure out how to break them.
Having the ability to figure out how to fix things has also given me the confidence to figure out innovative solutions to problems that other people can't or haven't found solutions for. One example I can give is this:
I worked at a big industrial complex as the Cyber Director. We had a department come to us for help. They had these huge multi-million dollar lathe milling machines that they needed to get connected to the Internet so the company that built them could remote in and fix them, on occasion. Problem was this, they were made in a foreign country. The plant I worked at was the government military complex. It was a big no-no to allow foreign companies on the government network. So that Internet option was out. We had a Science and Technology network that they could go on but, since our Information Security Officer (ISO) was such a jerk, they wouldn't allow us on their network either. Our ISO told that department they were out of luck and no options existed for them. I said hold on a minute. We were in a huge industrial plant that covered 11 acres. The "customer" only needed temporary access to the Internet on the rare occasion they needed a repair. We had telephone lines running all throughout the plant. I said why don't we just put up a DSL router and give them temporary Internet access when they need it and then take it down when they are done? The ISO said "HQ will never go along with that!" I said "Why not?" He said "Because we are not allowed to have outside Internet connections in the plant. All Internet connections have to be approved. They always say no."
So I prepared my brief for HQ and asked to get put on their next Change Control Board (CCB) Meeting to present my request. We also had several other "temporary Internet" needs that this solution would fix as well. We had some laptops for security scanning purposes that were stuck in a Catch-22 situation. We couldn't put them on the government network until they had been patched and updated, but in order to patch and update them they had to be connected to a network with Internet access. Was I supposed to tell my people to take them home and put them on their home networks to patch them? As the cyber division we also had a need to perform Internet searches on hacking tools and techniques that were blocked on our normal network so we needed a temporary Internet solution for that as well. I presented my solution and concerns in the meeting, discussed all of my security planning and reasons for this "temporary Internet portal" and stated that we already had the equipment that was not being used so it wouldn't cost us anything other than the DSL contract, which we were paying for but not using anyways. So it wasn't going to cost us anymore than we were already paying. The CCB board asked a few questions, for which I had sufficient answers, and they approved the request.
My ISO was shocked. "I can't believe they approved it." he kept saying.
The lessons here are this:
1) Don't assume a "No." People that use absolutes (never, always, etc.) have closed their mind off from looking for a solution.
2) Search for a solution and think outside the box.
3) Prepare well for your approvals.
3) Consider what questions others might ask you and be prepared to answer them.
4) Don't be an information security jerk. If you can't get along with people in this field, then you may be in the wrong field.
5) Enjoy your successes and learn from your defeats.