Cevn Vibert has spent 25 years working in specialities across the field of Cyber Security, from advisory boards, industrial cyber security, emergency management and situational awareness, to critical infrastructure protection. Company Connecting spoke to Cevn to see what insights he could provide for both those already working in Cyber Security and those considering a role in the field.
What type of education and training prepared you for this Cyber career field?
Well, I did Electrical and Electronic Engineering with Computing but started work on Electronics Design, Electrical Design and Computing, when Computing was in its infancy. Our Department of 10 Design Engineers had one shared computer with a single floppy disk (1.2Mb) and no hard drive. The desktop computer was closely guarded by the department manager. The work I did, and training I took on, through my career has ended with me having varying levels of expertise in Industrial Control Systems / SCADA, Manufacturing Middleware, Physical Security, Control Rooms, C4i, and Cyber Security. I have also worked across a wide range of industries for end-users, integrators, distributors and gov. This means I can happily help Power, Water, Nuclear, Transport, Shipping, Manufacturing Control Systems or many others to enhance their security. The most recent ability is understanding ICS Industrial Cyber Security threats which have many examples such as Stuxnet, Shamoon, NightDragon, Crouching Yeti, Petulant Penguin or the famous Ukraine Power Cyber Attack.
What types of soft skills are necessary for succeeding in a Cyber career?
The soft skills needed are around people interaction and empathy. This can be tricky as some of the best analysts have high levels of “Asperger focus” where empathy is not quite in the game! The soft skills are something the Cyber conferences are referencing more and more, together with the need for more women in the field. This requirement is related to the basic human nature of both attack vectors and methods, and defence analysis and remediation. Social Media based attacks, drive-bys, spear phishing, etc. together with plain old mistakes or work-arounds by well-meaning employees, all have ‘people’ in common. Another key soft skill I would also add, is that in the field of NOCs and SOCs, one of the things which differentiates good teams and average teams is communication.
What advice do you have for someone considering this career?
I would give the same advice I give to many people. Take a big sheet of paper and a pen. Give them to a good friend/family to write them down. Do a like and don’t like column. And start talking. Follow the things you are both good at and what you like doing best. Also, NEVER be afraid to try something new and fresh. What can you REALLY lose?
Technically, I would search and find some example people or job specs on the web. Look at their careers. Look at the job requirements. Check out the routes for the required qualifications. Jobs specs are most often a dream requirement rather than a practical scope. DO NOT GET DISHEARTENED! You can’t be the best at everything immediately. Be patient and never stop learning. People like people who ask questions, who make jumps of learning, who surprise them. A good model I have referenced in the past is “Radar” from the TV series Mash. He knew what people wanted before they asked him. Try that in your career, do it with a winning smile and people will help you move forward. The industry needs you if you want the industry. Go to events and meet people. Another tip.. everyone else is just as shy as you may feel at these events and conferences. Just say hi and ask them what most interests them at the event.
How has technology changed this career?
Technology is changing dramatically and almost weekly and at an accelerated rate. The Cyber Security field started with ye olde Linux/Unix boxes and know we have almost intuitive software and hardware security suites, costing millions. Geographically the biggest push for new stuff is the USA due to the litigation and regulation drives in recent years. The main sources of new software and hardware is from innovation at universities, Israel security forces, Russia, France, Netherlands, UK and US in my experience.
The other things which have changed most recently are regulations, standards and methodologies. An example in my field of Industrial Cyber Security is IEC 62443 which you can web search for its background and recent news. It is still being formulated. NIST, ISO 27001/2/3, ANSSI are all also relevant standards used by many.
These have changed my career as they have largely enabled it. I am not an analyst or hacker or deep programmer. I am a high level strategist, architect, manager, educator, evangelist and consultant. The creation of “packages” of software and hardware has enabled my high level career as I don’t need to know the deepest nuts-n-bolts of security. I just need to know what it does, how it does it and what is the risk, business and strategic benefits and the immediate mitigations to risks.
What do you like most and least about your job?
Most like… is about “finding the spark in the room” when giving talks, educating, advising or helping companies grow in the Industrial Cyber Field.
Least like.. is the inertia of most companies to do even the basic in cyber security. It’s a struggle.
How did you find out yourself you wanted to be in the cyber security field?
I actually just slid sideways into it. I built an Industrial Controls and Critical National Infrastructure protection demo suite, then integrated a Cyber demo suite, then finally a Trusted computing demo suite. The Industrial Controls Systems Security was my main strength as I was the Subject Matter Expert. I saw that individual Industrial Control Systems careers were becoming more of a commodity, and hardly anyone knew yet about both Industrial Controls AND Cyber security. This situation certainly helped a career pathway choice.
Is there something in particular that I have to keep in mind while pursuing this career in Cyber Security? I think I have touched on some of this above. Certainly look at knew technologies. Keep humanity. Work with computers as interconnected systems and think like the opponents. Try to find better ways of doing things better. Talk to others who have succeeded and those who have failed. Find some heros/heroines you can emulate. The Cyber Sec field lacks the softer skills. Join cyber clubs and keep networking. Think about what you are really protecting or the information or methods you are trying to find in reality… not just what someone has said is the goal.
Good luck although you almost certainly won’t need it.
Cevn Vibert LinkedIn: https://uk.linkedin.com/in/vibertprofile
Vibert website: www.vibert.co.uk