While enterprises fight to stave off relentless attacks, 57% of them are hamstrung by the ever-worsening global cybersecurity skills shortage. An estimated 4.07 million industry positions remain unfilled at a time when the world needs skilled defenders the most.
Week three of Cybersecurity Awareness Month is dedicated to addressing this pervasive challenge through the exploration of cybersecurity careers. Led by the National Initiative for Cybersecurity Education (NICE), this “Explore. Experience. Share” initiative aims to energize and promote a robust ecosystem of cybersecurity education, training and workforce development.
We spoke with Lavi Lazarovitz, head of CyberArk Labs, and Andy Thompson, CyberArk technical evangelist, about their own cybersecurity careers and how collaboration is key to both personal career fulfillment and overall industry advancement. They also gave us the scoop on INTENT — a virtual research summit for cybersecurity researchers, by researchers, happening November 16, 2021. Founded by CyberArk and Checkmarx and partner organizations Claroty, F5, Imperva, Intezer and SentinelOne, it’s a one-of-a-kind event you won’t want to miss. Here’s what they had to say:
Blog Team: Whether it’s students, veterans or those seeking a career change, cybersecurity is rapidly evolving and has something for everyone. Do you remember what specifically sparked your interest in a cyber career path?
Lavi: “One of the things that pushed my curiosity and ultimately led me to the field of cybersecurity research is the fact that it’s so accessible — you can see and experience everything firsthand. For example, when a big vulnerability is discovered on a user application or popular protocol (like Heartbleed that shook the world in 2014), you can dig into the research others have done, and do your own testing and discover how to adopt a process, such as fuzzing, to find new bugs and security loopholes. When you’re experiencing a vulnerability for yourself, it’s easy to imagine the impact it could have on the services and applications people use on a daily basis — along with the role you can play in mitigating risk and making the digital world a safer place.”
Blog Team: Can you highlight some of the intrinsic characteristics and personality traits that make a great cybersecurity researcher?
Lavi: “Cybersecurity research is all about trying stuff — having that ‘hacker’ mindset of breaking and re-constructing things in new, unique ways. There isn’t always a right way to do it; instead, it’s about being curious and creative and exploring why and how things work. Along with strong technical skills, cybersecurity researchers are typically highly driven individuals who thrive on learning from one another and often have a bit of a competitive streak.”
Blog Team: Can you describe how the CyberArk Labs team approaches their cybersecurity research projects — and how it’s helping drive greater industry awareness around emerging threats?
Lavi: “The research team is the foundation of CyberArk Labs. What started out as four researchers has grown into an elite team of dozens of white-hat hackers, intelligence experts and world-renowned cybersecurity practitioners, many of whom served in the Israeli Defense Force. Working side by side, they examine emerging attack techniques and post-exploit methods to understand the attack chain and how attackers operate. Their work puts us in a strong position to not only ensure CyberArk customers are more secure, but also to benefit the entire cybersecurity community. We believe security is a team game; it’s all about collaboration. That’s what you see within CyberArk Labs and that’s why we’re putting on the security research summit, INTENT, on November 16.”
Blog Team: Tell us more about INTENT and why cybersecurity practitioners and researchers should plan to attend next month.
Andy: “We’re excited about the format of this virtual event, being led out of Israel, where attendees will learn from acclaimed security researchers from around the world, such as Benjamin Delpy (aka gentilkiwi, the developer behind Mimikatz).”
“Beyond exploring findings of some major new research projects, we’re pulling the curtain back to reveal the process itself: how to deconstruct the attack cycle and adopt an attacker’s mindset to discover critical security holes that can be exploited. And we’re giving it to you straight: sometimes things don’t go as planned. We’ll show what happens when security research goes wrong and what you can learn from it.”
Blog Team: We understand the INTENT team has been hard at work reviewing speaking submissions and finalizing the agenda. Could you give us a sneak peek at some sessions you’re particularly excited about?
Andy: “We’ve got a jam-packed agenda — it’s hard to choose favorites — but here are three sessions that attendees won’t want to miss:
- An elite hardware white-hat hacker’s real-world account of reverse-engineering a major city’s smart meter system to determine electrical uptimes during the worst winter storm in decades and to help keep citizens safe;
- How a security research group teamed up to uncover vulnerabilities in one of the world’s top collaboration software tools — and landed a major prize in the process; and
- A deep dive into VSCode extension vulnerabilities and their far-reaching implications.”
Blog Team: INTENT is a great example of the industry’s push for deeper collaboration and information sharing — what many believe are keys to improving the overall security posture of organizations and governments everywhere. Why is this so important?
Lavi: “As security researchers, we’re focused on unearthing vulnerabilities everywhere. We regularly share our research findings with other industry organizations, along with government and law enforcement agencies that can use our findings to deepen real-world vulnerability investigations. For instance, CyberArk is part of the Institute for Security and Technology (IST) Ransomware Task Force — a coalition of public and private sector organizations that have joined forces to provide clear recommendations on ransomware mitigation. We all bring unique experiences and perspectives to the table and are united by a common mission to make systems safer.”
Blog Team: In closing, what would you say to those considering a career in cybersecurity research today?
Andy: “Whether you’re on the offensive or defensive side, you’re on the good team, fighting the good fight. The work you do every day truly matters — and it makes our society, and our world, a better place.”
Have a passion for collaborative problem-solving and hands-on security research? Register for INTENT today to save your spot. And if you’re considering a career in cybersecurity or looking for advancement opportunities this Cybersecurity Awareness Month, check out CISA’s Cyber Career Pathways Tool, aligned to the NICE Cybersecurity Workforce Framework, and our own CyberArk training and certification offerings to get started.