The last time the Farmer School of Business Department of Information Systems and Analytics held a panel on cybersecurity, it brought in speakers who have worked in the field for many years. “This semester, we decided to bring in some more recent graduates to talk about their journey, how they got into cybersecurity, and what they're doing for a living these days,” department chair Skip Benamati told the crowd.
Taryn Fisher, EY technology consulting manager, didn’t start out in cybersecurity, but in information technology. “I leveraged a lot of the information and background that I gained through IT audit experience. It's super applicable and it really helps you bridge the gap of explaining the technical side to the business folks and really helping them understand and digest the more technical background and the specific things that they need to understand,” she said. “‘How will this impact my business? What's the risk to me? How do I address this?’”
Andrew Opare, US Bank cloud security engineer, started out in banking software engineering at one of Miami’s regional campuses, but found himself drawn elsewhere. “Halfway in, I found out I had a passion for cybersecurity, but at that time, Miami didn't have a full-time cybersecurity program, so I picked up the minor and it was great. So, I started as a security operations center analyst at US Bank, triaging alerts from phishing,” he said. “I worked my way up to a senior analyst, and now I'm a cloud security engineer. So I basically build the infrastructure for our purple team to do security testing on the cloud.”
Sarah Armstrong, senior cyber intelligence analyst at GE Aerospace, started at GE soon after she graduated from Miami in 2019. “We're the eyes and ears of the organization, figuring out who the big threat actors, cyber attackers in the world, what they're after, how they're conducting their attacks, and sharing that information with the stakeholders in the business who can take action,” she said.
Armstrong noted that her team generally breaks down the threat actors into four categories:
- Nation states
- Company employees/contractors
“Those four groups do things very differently. They're after very different things and they have different ways of attacking and getting into the organization,” Armstrong said. “So we have to adapt to each organization and have a strategy for each different type of threat actor.”
“Most of the attacks that we see daily are phishing. Once you can get in with phishing, you can basically exploit the whole company. We see a lot of ransomware attacks,” Opare said. “One of the biggest alerts that I’ve been seeing and dealing with is people clicking malicious links or downloading something that they weren't supposed to do.”
Fisher told the students that one area of concern might be surprising to them: the aging workforce at some companies. “One of the biggest things that we're seeing clients struggle with right now is end of life,” she said. “We see issues with staffing and people literally not knowing or having a staff member who knows how to fix things any longer. Computers and systems that can't be patched because they're just literally not supported anymore, but the company can't get rid of them. And that creates a huge opportunity for people to exploit those kind of devices.”
Taking questions from FSB Director of Cybersecurity Initiatives Joseph Nwankpa and attendees, the trio talked about artificial intelligence, and how it can be used for good or evil in cybersecurity, whether helping to detect threats or helping to make the attacks more potent. “AI is constantly advancing, and I think threat actors know that. So they use it to the absolute most of its capabilities, right? Now you can use AI to write phishing prompts, you can use it to write malware, you can use it to social engineer,” Opare said. “Organizations have to find a way they can keep up with it.”
“What are the things that we're doing that don't require a lot of critical thinking on a human's behalf? What can we ask AI to do to alleviate time and give more resources or energy back to the individuals to do the things that require that critical thinking?” Armstrong said.
“AI has the ability to help us detect threats. It can take a huge amount of data and review it and identify potential patterns that we might not see ourselves. So I think there's some really good potential uses there from a threat detection and monitoring perspective,” Fisher said. “I think it's just a matter of continuing to develop it and continuing to educate our people about how to use it.”
They told the students that having a career in cybersecurity doesn’t necessarily mean they have to be experts immediately.
“One of the things we were talking about is how it's a myth that you have to be super technical or you have to be a hacker to be in cyber. That is not the case. Look at all three of us, none of us are really doing that,” Armstrong said. “There's a variety of different ways you can be in cybersecurity. The two skills that come to mind for me are communication skills and influencing skills. You need to effectively communicate what's at risk to people in finance and supply chain and engineering who don't look at malware all day long. And a big part of the cyber job is making sure that the business helps us stay secure, keeps their vigilance high, being able to influence groups to change priorities based on cyber risks.”
“Having the passion, the willingness to learn. Because people come from all diverse places. And cybersecurity is one of those domains where you don't need to be an ethical hacker. You don't need to have all the technical skills, but passion cannot be taught,” Opare said. “Having the passion to learn and communicating effectively will help you go far in this field.”
“I would say the only other thing is being open-minded. Especially in consulting, you're going to pivot to a bunch of different projects probably in the first couple of years,” Fisher said. “I think just being willing to accept that maybe you're not the most technical, but you're willing to learn, and you're willing to take on those new challenges.”