In a fast developing world, the need for security in the cyberspace becomes ever more crucial at personal and systemic level. Challenges keep changing as new technologies emerge. Effective counteractions require skilled teams of professionals, who are able to stay up to date with the challenges – and who can, possibly, see one step ahead.
Cybersecurity teams comprise diverse profiles and competences. While a holistic approach to security is key to the successful implementation of a secure system, the human aspect is no less important. Working under pressure, in a crisis situation or emergency response require impeccable preparation and coordination.
Cyberwayfinder (CWF) is a training program in cybersecurity that includes a career transition program to helps professionals – such as business, data, IT, application and enterprise architects – as well as senior business professionals advance their career or enable a career transition into security.
The program first started in 2016, with the mission to bring diverse profiles into cybersecurity. Based in Brussels, Belgium, Cyberwayfinder recently expanded into Luxembourg. With 2020 and the COVID crisis, the training moved to a virtual environment, adapting to the new situation with modules that allow students to create their own program depending on their career path.
Rosanna Kurrer and Patrick Wheeler are the initiators of the Cyberwayfinder program. As a trained architect and civil engineer, Kurrer and Wheeler highlight the importance of bringing cognitive diversity into the cybersecurity domain. “Cybersecurity is a domain that is resource constrained,” – says Wheeler – “but it also needs new ways of approaching the evolving challenges placed by new technologies, our opponents and the needs to assist our changing corporate clients. Cognitive diversity increases our ability to create new cybersecurity solutions faster, to more closely align with our business and IT partners while, ideally, working smarter and faster and cheaper to protect us.” Diversity in general as well as in leadership, IT and technology firms is credited with increasing performance teams and Cyberwayfinder wishes to include these benefits in our cyber defences.
How is cognitive diversity achieved? “We search out atypical profiles,” — continues Wheeler – “be it gender or professional life experience which coupled with motivation, opportunity and training can lead to a successful career transition or significant growth acceleration.”
Diversity in cybersecurity
When Cyberwayfinder was started, women were in single-digit percentages in cyber teams worldwide. The core program at Cyberwayfinder has evolved from focusing exclusively on women to including all types of backgrounds and genders. Gender is still a fast-track indicator, but by far not the only one of success or diversity. “We have found particular success in mid-career and in-house work-learn professional pivots.” – says Wheeler – “Ideally our training program, conducted evenings and weekends, is coincidental to a transition into in-house cyber teams. This on-the-job training while reinforced by academic classes combined with a support network and community of practitioners in our teaching cohort and public events and partners creates an environment we credit with significantly accelerated success. Mature learners with organizational knowledge can become amazingly effective in a very short period of time.”
Profile of a security architect
The newest program from Cyberwayfinder focuses on developing security architecture professional profiles. Security architecture can be defined as a set of security principles, methods and models designed to align to your objectives and help keep your organization safe from cyber threats. Sometimes it is said that new systems are developed so fast that security is an after-thought. Not at Cyberwayfinder. An important aspect of security is planning, and that’s where the security architect plays an important role. But who is a security architect?
There are personal attributes that make a good architect. Creativity, foresight, ambition, collaboration, communication, resourcefulness, pragmatism, idealism, design, visualization, influence, leadership, problem solving, passion, prioritization, technical / domain knowledge
comfortable at all layers of abstraction and context. Wheeler points out that “You have to be a good influencer: it’s not enough to have a brilliant vision, you have to be able to articulate it, to influence people to agree with it, and then you have to show that leadership and that passion to drive it through to a positive result.”
Besides personal attributes, security architects naturally have to master their technical / domain knowledge. This does not necessarily mean pure IT knowledge, or knowing how to penetrate a firewall. A security architect acts as an urban planner for digital ecosystem defence. Working with and understanding the business goals and methods as much as the supporting IT, but with an outward view to the attacker and where these plans can be compromised to the attackers’ advantage. Whether examining a network design or building out a new client-facing e-commerce application, the ability to lay out a coherent risk statement can be useful in business planning processes.
A typical beginner career pivot training program via Cyberwayfinder lasts up to three years and less for more senior resources. The program modules are articulated in three tracks.
- Career transition tracks (CTT) including: foundation of security, business risk and cloud security, information security management, security architecture
- Professional growth models (PGM) including: GDPR and data privacy, ethical hacking and penetration testing, data science in cybersecurity, network defence fundamentals, secure software development, certification review
- Special sessions including: cybersecurity masterclass, hacking a cyber career, core skills
The security architecture track specifically comprises six modules: strategy and governance, cybersecurity architecture, threat modelling and risk management, secure (big) data, secure system architecture, secure software architecture.
Design vs. implementation vs. teamwork
How does security architecture differ from security engineering and implementation? And how does the mission of the security architect differ from that of a security engineer? Wheeler explains that “The line between these areas of expertise is somewhat fluid. But if you consider the layers of abstraction, security architecture tends to be the furthest removed from actual implementation, whether it is coding, networking and systems administration – whereas security engineering can fall between them. However,” – Wheeler continues – “we have very fluid job descriptions that can render differences more nuanced.
As with building and in-real-life architecture, engineering and building; we often in short-hand credit an architect with a vision (i.e., the why and what), the engineering with the how (structurally, tactically) and the implementation from the actual do-ers. In a well-functioning team, we can all predict each other and work in concert. And as with real-world examples, we often run the risk of large gulfs between “ivory tower theoreticians” and pragmatic on-the-ground must-get-it-into-production-today. Diversity and empathy and relatability are core skills in handling, predicting and resolving some of these inherent conflicts and we are continually pleasantly surprised at the outcomes we observe.”
To learn more about Cyberwayfinder and the training program, visit: http://cyberwayfinder.com