Teaching security – Interview with Jonathan Meyers, Head of Cybersecurity, Cybrary
Maintaining a strong line of defense requires security experts. Developers with adequate security skills and a passion for cybersecurity are the key to creating a security program that helps to protect data against external threats. As in our previous articles, we asked an expert about his experience and opinion regarding cybersecurity. Read our interview with Jonathan Meyers, head of IT and cybersecurity at Cybrary!
Tell us a bit about yourself.
I’m currently the principal infrastructure engineer and also the head of IT and cybersecurity at Cybrary. I design, maintain, and secure all corporate infrastructure, including a security enablement platform supporting more than 200 companies and 3 million users worldwide. I previously worked as a Senior DevOps and Senior Operations Engineer at Forcepoint (formerly RedOwl Analytics). I oversaw the operations and deployment of its hosted and on-premises user and entity behavior analytics e-surveillance product. I attended the U.S. Military Academy at West Point and served as an Army Officer for six years before joining the private workforce.
How did you get involved in cybersecurity?
I started with computers at a very young age and became fascinated with them and the internet in the late 1990s and early 2000s. I took computer programming in high school and then did an Information Technology degree at university with a strong focus on Information Assurance, which preceded the field/term of cybersecurity.
Cybrary has a wide range of content for professional development. What kind of value do you provide for individuals and teams?
It is difficult to always know the career paths one should take to get to a new skill level/pay level. Cybrary helps identify common pathways and equates specific certifications/skills with leveling up in salary and position. Without direct access to someone already in the industry for a decent amount of time, that knowledge would never reach the individual learner or even smaller teams at larger organizations because of the nature of how the cybersecurity field is constantly changing and evolving.
In your opinion/experience, what sort of threats are currently trending?
Malware is exploding at the moment. The way hackers have developed a SaaS model for using the malware pushes adoption to the lower levels of hackers that don’t necessarily understand the process but can click a few buttons, and it “just works.” With the sudden push to remote workers last year, many devices were operating on potentially unsecured home networks without all of the safety nets provided in the office and on corporate IT networks. We might see a spike in attack vectors into corporate networks from compromised devices on the home network.
What are the most important foundations of security education?
In my opinion, a general understanding of technology and IT/networking. This baseline enables you to tackle much more complex training/situations because, more likely than not, a network/IT device was crossed or used in the attack. And if you don’t understand how they did it there, you can’t take the more straightforward fix to stop it from happening again while you usually work on the more complex solution to stop the entirety of it.
What do you think are the best ways to teach IT security?
I think it has to be available across several different mediums and skill levels. We know not everyone learns the same way, so why do we force them all to take the same courses and the same skill level most of the time?
Hands-on labs and real-world experience are the best ways to advance skill sets rapidly.
You have been a leading security engineer for quite some time. In your experience, what most inspires developers to improve their security skills?
You need to give them insights into the process and tools. More data/metrics they can click around and see. Security was a black box for so long that no one knew what tools or techniques they used to evaluate. By driving the information and tools to the lowest of developers, they can understand the context around the reasons things are secure/not secure, allowing them to build that knowledge over time, which ultimately makes a more secure developer.
What is your advice to organizations that want to build a strong security culture? What are the essential steps to make it happen?
You can no longer put them all together in a room and isolate them from the people writing code and using the IT systems every day. They need tight integration with the entire organization to make the team effective in today’s fast-paced and ever-evolving threat landscape. “Teamwork makes the dream work” – John Maxwell.
In our upcoming post we’ll discuss the major differences between coding and secure coding. Stay tuned!