Cybersecurity Career Paths & Industry Trends: Q&A with Bryan McGowan, Security Practice Director
Week 2 of National Cybersecurity Awareness Month addresses ways to motivate parents, teachers, and counselors to learn more about the field and how to best inspire young people to seek highly fulfilling cybersecurity careers. We sat down with Bryan McGowan, who joined Burwood Group as Security Practice Director this year, to hear about his career path and which cybersecurity trends he anticipates for 2019.
Tell us about your new role at Burwood as Security Practice Director. What are your main priorities right now?
The role has been really exciting thus far. I’ve had the pleasure of working with a group of highly skilled and trusted consultants who are experts in network security and security program development.
My current priority is to shift client conversations around security from one focused on a single solution to one focused on strategic planning and development of their security programs. I want our clients to view security not as a project, or even a series of projects, but as a strategic initiative in their organizations. My goal is to help our clients identify and prioritize their most significant security risks, then implement technical and operational processes to reduce those risks.
I also want to help our clients shift from thinking about security as a defensive strategy and instead view security offensively. Organizations should assume breaches will happen, incidents will occur, and employee access will be compromised. The challenge in security is having the best risk mitigation strategy in place and having the visibility and data available to detect and respond to a security event quickly.
What led you to pursue a career in technology – specifically IT security? Was security always an area of IT that you were interested in?
Not at all. I started out my early days believing I wanted to be a civil engineer. However, I found out quickly that I did not possess a love for advanced calculus and physics, which it turned out was rather important. Instead, I was spending all of my time at the computer lab during college. I happened to land a part-time job working for a fledgling internet service provider (ISP) and worked my way up through network and firewall configuration into data center management. My passion for security came later from managing enterprise applications in the healthcare sector. In the healthcare space the IT teams I led struggled with so many concerns that security never seemed to get the attention it deserved. I transitioned from IT and DevOps into the security space to help those IT folks (like myself) who knew they wanted to be more secure, but just didn’t know where to begin. It’s been incredibly rewarding.
If there was one thing you wish technology leaders knew about cyber security, what would it be?
Risk should drive your security program. Imagine you only had $1 to spend on security next year. Would you know where to spend it? Would that $1 address your biggest security risk? Technology leaders are working with a limited and finite set of resources (both financial and personnel). They really need to be sure that the resources they do expend on security are indeed reducing real risks to their organizations.
Any advice for future consultants pursuing a career in cybersecurity?
I would advise future consultants to consider the world of DevSecOps. We are seeing a conversation around infrastructure and code with security following closely behind. In the future, security will be a software game and security teams will be integrated into the full lifecycle of development through production. I would also suggest becoming familiar with security solutions from the leading public cloud providers (Google Cloud Platform, AWS, and Azure) and to learn how orchestration products like ansible and terraform can be used to ensure that security tools are automatically deployed into public cloud environments.
What are the top cybersecurity trends you anticipate for 2019?
We’re moving away from protection as the foundation of security. The emerging market is in detection and response mode. No longer can organizations rely on building a strong wall to keep intruders and malicious users out and many security teams are embracing the concept that malicious actors may already be accessing your resources. The new game is centered on reducing the time it takes to find, identify, and stop a malicious user.
Advanced detection and response tools will continue to leverage AI and machine learning to better understand the normal and exceptional activities in organizations’ applications and networks. These systems will be extended to the cloud and SaaS applications forming a visibility layer that will allow smart users to hunt for threats faster and more efficiently than ever before.
In the end, security is becoming a data analytics challenge. Successful security teams (and products) will gain the most visibility, automate response whenever possible, and spend more time proactively hunting for anomalous behavior.