There is a certain reductionist fallacy running wild within the technology world of late. This idea informs a lot of policy not only within the economy, but also within the economic world. We wouldn’t have STEM without this philosophy. This fallacy has allowed the proliferation of Coding Boot Camps, the latest panacea for anyone desperate for a job, many of which are merely scams that are outrageously expensive and of dubious quality. This dangerous fallacy is that technology is merely a synonym for software programming (coding).
Obviously software programming and coding exist within the field of technology. But technology as a whole is not just coding. You can’t code if you don’t have a device to code on. If you don’t have a networked infrastructure of some kind for the device to run on. If you don’t have an internet backbone to connect to. Keeping the technology infrastructure running requires much more than coding. The danger in this kind of reductionist thinking is that without knowing how the infrastructure that allows you to code works, you have a huge blind spot that can stop you dead in your tracks.
The same kind of reductionist philosophy also exists within the realm of Cybersecurity. In the cybersecurity context, the idea is that in order to work within the cybersecurity field, you must by definition be a hacker. If you don’t know how to hack into networks, the thinking goes, you don’t fit within the cybersecurity space. Everything in cybersecurity is about firewalls and monitoring logs and preventing malware attacks, and there is no room for anyone who doesn’t have a hard technology background.
This is dangerous for the same reason the first technology fallacy is: There is a lot more to cybersecurity than simply protecting a network from malware or hacking. Those are key aspects of any cybersecurity program, but developing a comprehensive program involves a lot more than just firewalls and encryption.
There is so much more to cybersecurity that doesn’t require coding skills or degrees in network infrastructure. Governance should be a HUGE part of any cybersecurity program in business, and that means you need legal experts and auditing experts to help you identify and classify all of the threats to your network, as well as evaluate your performance for compliance in a landscape that is undergoing huge shifts (hello GDPR!) If you are going to implement new programs to address threats to your organization, you need change management experts and project managers who can help you craft the projects that will make you more secure and help you implement them across your organization. And as a general rule, the Cybersecurity industry in general should include experts in ethics and policy analysis to determine what is working, what isn’t and what the implications are of decisions that are made in the name of security.
All of these experts need to be familiar with the technical side of cybersecurity. But they don’t need to be hackers or technical SME’s.
I have had an interest in Cybersecurity for almost a decade now, and I find it an endlessly fascinating area of study, particularly where the technical and non-technical meet. The legal ramifications of decisions to “hack back” for example. Or how to protect an organization from social engineering. These are things that don’t require technical knowledge…but they are vital to any cybersecurity program. That is one reason I am pursuing the CompTIA Security+ certification.
Another reason I am pursuing it is simply because I feel like it should be baseline for anyone working within technology. Most technology companies deal with proprietary information or intellectual property that needs to be protected. I feel like all employees of companies like that should have a baseline understanding of the threats that are facing them, and how to respond. That way they can work hand in hand with the tech experts to make sure their organization is secure.
I have studied for this exam in the past, but CompTIA recently released version SYO-501. This is the latest and greatest version of the exam and includes not only the tech side, but also significant focus on Risk Management and Threat Identification. I will be using the Security+ Certification SYS 501: The Total Course from Mike Meyers via Udemy to help me prepare, along with labs on our home network. I have already purchased my test voucher and my goal is to have the Security+ Certification by the end of 2018.
As I study for and take the exam, I’ll be sharing things that I have learned, tips, tricks and insights that I think might be helpful for anyone else studying to take the exam.
Onward to Certification!!