Transitioning from a career in law enforcement to one in cybersecurity was, on paper, a relatively short journey, lasting some 18 months of graduate school while pursuing a master’s degree in Cybersecurity Technology. However, this was merely getting acquainted with the nuances of the career field and learning how vast it actually was. In reality, my journey was much longer, as I learned vital lessons in law enforcement, along with skills and other parallels across both industries. But first, a little about myself. My journey into cybersecurity began with a desire to enter a new and challenging field. One that is better suited to a person with a growing family, and in a world still very much locked-down due to COVID-19. At the time, I was working as a detective in the Baltimore City Police Department, handling a wide range of cases from non-fatal shootings to robberies, assaults, and pretty much anything that wasn’t a homicide. I decided to pursue a master’s degree in Cybersecurity Technology while working full-time. After 18 straight months filled with six 6-credit online courses, I had achieved this goal. I had also recently accepted an offer from Fortreum as a Security Analyst with about a month to go until graduation. I found out that I would be working on Federal Risk and Authorization Management Program (FedRAMP) engagements using National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 controls to which I had some exposure during school. I was glad to know that I was not stepping into this role completely blind, since I had my schooling as a foundation. It was in my interview with Fortreum, though, that I was first asked how my skills and experience in law enforcement paralleled and could support success in cybersecurity. As I started thinking about that question, I realized that there were many commonalities that could help me on my way.
Interviewing was the first thing that came to mind and the first answer I gave. I can now say that after almost a year here, this skill is absolutely essential to assessment work, just as it is in detective work. When people think of interviewing from a police perspective, it is probably seen more as an interrogation. Fortunately, we are not required to interrogate our clients, as many prefer to be forthcoming and show/explain what we need to see and hear. I have watched senior assessors roll through interview sessions very smoothly, seamlessly capturing all the evidence needed without making the experience a boring Q&A session. This is something I could do in my sleep as a detective, but I am still finding my interviewing style when it comes assessment work.
This is a universal skill, and I have found that those people who can effectively communicate their thoughts verbally and in writing are extremely successful. Effective verbal communication can make or break an interaction with another person. When I was on the streets, they used to tell us that you can either be someone who can use words to make their job easier and diffuse situations, or you can literally fight your way through 20+ years on the job. In assessment work I have found that those who possess the “gift of gab” or who consider themselves a “people person” can often get the answer they want much faster and clearer than those who lack this skill. I have also noticed that during assessments there is inevitably always a time that can be considered “awkward silence.” I have definitely asked a question that drew an awkward silence, one where we all look at the screen and wonder if our sound cut out. It’s in these situations where the gift of gab can save the day and put things back on track. Hand-in-hand with verbal skills is the ability to effectively communicate through writing. This is absolutely essential to both police and assessment work. As a detective, I was required to prepare many documents that would be admitted into evidence in court. These documents had to be both current and accurately convey a message in a clear and concise way. This is the same with assessment work, with the prepared documents just going to the Joint Authorization Board (JAB) or the Program Management Office (PMO) instead of a judge. Effective writing skills is an absolute essential when it comes to writing to NIST 800-53 controls. Working through security requirements traceability matrices (SRTMs), where each control is broken into sub-controls and enhancements, requires an assessor to write to each portion of the control, and address how an implementation either passes or fails each portion.
Remember that awkward silence we mentioned earlier? Well, there are also times in both assessment work and police work where the awkward silence is beneficial. Clients may be thinking through their response and preparing to give a very detailed answer and demonstration, or realizing something is incorrectly implemented. The awkward silence in a formal police interview is often an indicator that a victim/witness has your full attention and are trying to find a way to best communicate their memory or needs. The awkward silence in an interrogation is likely something else entirely. I like to talk, and my old partner used to bruise my ankles by kicking me under the desk in the interview room, a clear sign to “shut up.” It was always best to let a suspect sit quietly and think, this meant the gravity of the situation was weighing on them and if you were lucky, they might be getting ready to tell you everything you want to know.
Being naturally curious about many things is what pushes us to keep asking who, what, when, where, why, and how. Any detective strives to answer these questions in any case and many times when I was working a case, just being curious about these things was often what pushed me forward and gave me the drive to continue the investigation, even if the case went cold and was forgotten by everyone else. In assessment work, curiosity is indispensable. In my opinion, it is what separates the good assessors from the great assessors. Anyone can ask prepared questions, but the ones who are curious as to how things are implemented, why they are done this way instead of that way, the ones who ask the questions that are not required but simply curious to know the answer are the ones who are moving things forward and providing the most value to clients.
Reviewing evidence and making solid determinations is paramount in both police work and assessment work. While working cases as a detective, most of my work involved acquiring plenty of evidence and spending countless hours reviewing everything to build an effective case on solid conclusions. Conclusions that could be replicated and verified by other detectives. Assessment work involves much of the same process. Oftentimes we interview and gather our evidence for a week (or more) before making a final determination whether to pass or fail a control. A key piece of this review in both industries is having good attention to detail. Just like detective work, this is far from being considered the “sexy” work of cybersecurity, but it is an essential part. What I have outlined above are some skills that I feel parallel police/detective work and assessor work. They are all essential to job performance and employer/client happiness. Aside from these, I have also found some other parallels between these industries. These are broader and relate to the industries, not necessarily to individuals within these roles.
Constantly Evolving Threat Landscape
This should go without saying for police work. You never know what you are going into and what is waiting for you once you get there. I would argue that cybersecurity is the same. New threats appear daily and are exploited simultaneously with old, unpatched vulnerabilities. The burden is on the cybersecurity professionals to be prepared for these threats. Obviously, this touches upon many diverse skills such as pen-testing, bug-bounty hunting, vulnerability scanning, etc. As assessors, we are here to supplement those skills on the front lines by ensuring that systems are as secure as they can be, and hopefully reducing the threat landscape through effective evaluation of security control implementations.
Opportunities to Specialize and Diversify
The number of opportunities that exist within cybersecurity are vast. I admittedly had no idea what I would be stepping into, or what type of job I should be looking for. In police work, the opportunities were also there for an individual to grow during their career. Every patrol officer can decide to specialize and go into investigations, traffic enforcement, drug enforcement, SWAT, homicide, etc. The same is true in cybersecurity. Professionals in this field can assume many roles from system architects to security operations center analysts, to pen-testers and bug-bounty hunters. The choices are only limited by each individuals’ unique aspirations.
Keeping Your Skills Current
Police train constantly, at least the serious ones do. This is both physical, mental, and educational. I was once told that you will get older, fatter, slower, and the criminal element will remain young, quick, and ready to challenge you. Staying current with laws and regulations was as necessary as staying as fit as you possibly could. We were required to attend yearly training involving legal updates and organizational directives. In addition to this, we had to keep our marksmanship current and pass handgun qualifications yearly. Does this sound like yearly security awareness training or role-based training to anyone yet? In cybersecurity, no matter the role one works in, training and certifications are encouraged if not required. I found out after the first few months that I was going to be required to obtain an American Association of Laboratory Accreditation (A2LA) approved certification in order to support FedRAMP assessments. I also found out that each year I had to meet a required amount of continuing education units to maintain my assessor status with A2LA, as well as document any and all outside learning towards my professional certifications to keep those current as well.
Due to the well-documented shortage of skilled workers within cybersecurity, many individuals are finding their way into this field after a career change. I am one of these people. I have found that although the subject matter is unique to this industry, many of the skills and experiences that we bring with us from prior jobs parallel those that are necessary for success within this industry. If you find yourself pursuing a cybersecurity career and aren’t sure if your experience is relevant, don’t get discouraged. You are most likely more suited to the role than you think, and with a little training, a desire to learn and continue to grow, you can make a positive impact in this field.