I often get approached by young, ambitious people looking to start a cybersecurity career. Some are studying cybersecurity in college, some are looking to jump from IT, and some believe that the field is synergistic with past experiences in law enforcement or the military.Regardless, all are looking for guidance as they struggle to find an entry-level cybersecurity job. I realize this seems counterintuitive given the ongoing (and often hyperbolized) cybersecurity skills shortage. According to a 2024 study from ISC2, there is a global need for nearly four million cybersecurity professionals to fill the cybersecurity workforce gap, a record high.Unfortunately for newbies, most of these positions require at least three to five years of experience. While it’s a seller’s market for cybersecurity veterans, entry-level positions can be very difficult to attain. So, what should entry-level candidates do? And how can a would-be mentor advise them to explore the possibilities in the field?I start by pointing them to advice from the cybersecurity professional community at large. And then I suggest leveraging the potential of generative AI to enhance their job search. As part of the 2024 research project from the Enterprise Strategy Group (my former employer) and the Information Systems Security Association ISSA, 369 cybersecurity professionals were asked the following question: If you were advising someone who wanted to get into the cybersecurity field, what is the primary piece of advice you would give them?Here are the top three responses (note: the entire eBook for 2024, Life and Times of Cybersecurity Professionals, is available for free download here):
- Nearly one-third (32%) of survey respondents said job hopefuls should seek an apprenticeship, internship, or mentor to guide them in developing skills and career plans where they can get hands-on experience.Just over one-quarter (26%) recommended getting a basic cybersecurity certification (such as CompTIA Security+, GIAC Information Security Fundamentals, or GISF)Twelve percent recommended networking online, at industry events such as RSAC or Black Hat, or via a professional industry organization such as ISACA or ISSA by attending local chapter events.Notice that the top response centered around getting hands-on experience, sound guidance but often difficult to achieve. In lieu or in addition to this, I have another suggestion: use generative AI for simulated real-world training as much as possible.
Generative AI can be used to simulate real-world cyber training
Note that I’m emphasizing simulated real-world training and not just fact-finding. For example, I could ask ChatGPT to tell me about cyber threats toward healthcare organizations, or I could create a more personal and realistic prompt such as: “I am a cyber threat intelligence analyst at a community hospital with 200 beds in the Boston area. What types of cyber threats should I be most concerned with?” The results will differ if you target your prompts in this way.For this particular query, ChatGPT gave me a comprehensive, though somewhat mainstream, list of threats including ransomware, insider threats, threats to medical devices, etc. I then asked it to give me a list of threat actor groups I should be concerned with. It came back with another list that included groups like Conti, LockBit, Charming Kitten, and others.In my exercise, I followed up by asking ChatGPT for more and more detail a la a threat intelligence analyst’s behavior. For example, I asked ChatGPT to map these threat actors to the MITRE ATT&CK framework. I asked it to provide me with a list of CVEs that would most likely be exploited. I asked it to tell me what the most effective countermeasures and tools might be.
An example of generative AI used to simulate threat intelligence reporting
Finally, I asked for a short summary of all the information that I could provide to executive management. It came up with the following:This report outlines the key cybersecurity threats facing [Hospital Name], including ransomware, phishing, insider threats, and vulnerabilities in medical devices. Healthcare organizations like ours are prime targets for cybercriminals, and an effective defense strategy is essential to safeguard patient data, medical equipment, and critical hospital operations. Key actors in these attacks may include financially motivated cybercriminals and state-sponsored groups, and the risks can significantly impact patient safety and the hospital’s reputation.To mitigate these threats, the report recommends a multi-layered cybersecurity approach, focusing on critical areas such as network protection, endpoint security, data encryption, and medical device management. Key measures include deploying firewalls, intrusion detection systems (IDS), and endpoint detection and response (EDR) tools; implementing multifactor authentication (MFA) and role-based access controls (RBAC) for sensitive data; ensuring regular backups and disaster recovery plans; and conducting ongoing employee security awareness training to combat phishing and social engineering attacks.The report also emphasizes the importance of ensuring HIPAA compliance and the adoption of advanced technologies, such as next-generation firewalls, SIEM systems, and automated patch management tools. Immediate action is needed to implement these recommendations, which will strengthen our defenses against cyber threats, protect critical infrastructure, and ensure the hospital’s ability to continue providing care without disruption.
Using AI to train for cybersecurity can be a starting point
Of course, the information ChatGPT provided is somewhat generic, but it got increasingly detailed as I dug in with further prompts. As a real threat-intelligence analyst, I wouldn’t treat ChatGPT output as gospel. Rather, I would do further research on everything it told me.I would also edit the summary report with details specific to the hospital, its specialized services, and its existing resources and programs. I suggest the same course of action for those using generative AI as a cybersecurity training tool.Cybersecurity wannabes should be creative and inclusive when using generative AI as a simulated training tool. Take on different roles (vulnerability manager, application security engineer, security analyst, red teamers, etc.). Assume roles in different industries and organizations of different sizes.Ask about specific tools or vendors, and how you could measure the effectiveness of each technology. Pretend to be highly technical engineers or non-technical business managers who need to understand risk so they can make the right risk mitigation decisions.I realize that these exercises won’t magically lead to lucrative job offers. Still, generative AI tools can (and should) be used effectively to simulate real-world experiences, personalize training, and even help a would-be cybersecurity pro figure out which area of the field is most appealing. To quote American author, Shirley Jackson, “Use all the tools at your disposal. The language is infinitely flexible, and your use of it should be completely deliberate.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3615592/want-to-be-a-cybersecurity-pro-use-generative-ai-to-get-some-simulated-training.html
