Cybersecurity careers are in high demand, but a closer look at the timeline of network technology and the Internet reveals that this has virtually always been the case. While cybercriminal attacks have become more sophisticated than phone scams and phishing emails, the occasional review of such tactics can shed light on valuable insights that today’s cybersecurity professionals can learn from—and that enterprises hiring for cybersecurity positions can use to inform their candidate selection processes.
At the turn of the century when distributed denial-of-service (DDoS) attacks first occurred, network carriers scrambled to train existing staff and recruit as many professionals as possible. The small number of network security professionals struggled to keep up with what was then an unexpected surge in illicit activity, at the worst of all times, just as reliance on network technology was growing exponentially with the promise of the Internet. Network providers had dreamed of the business value of the Internet for marketing and sales, research, and government work, and they were not alone. Criminals with a technical bent seized their own opportunities and cybercrime started a never-ending upward climb.
Activity that one would consider technology crime surfaced in the 90s, focusing on phone scams and initially prompting organizations to hire those versed in law enforcement. Consider this common 90s era story of phone scamming that was used as a teaching example for network business sales teams, (names and details are altered):
Jeff Dareme checked his presentation material as he gathered his belongings from his hotel room. It would be another interesting day on the traveling education road show to make sure ABC Network Provider’s sales teams were keeping their business customers informed about the surging number of phone scams that were impacting customers and the company alike. After 20 years with the New York (New York, USA) Police Department (NYPD), this job was a great shift away from the day-to-day stress on the beat. Sales teams always sat wide-eyed as Jeff retold stories of scammers at New York City’s Penn Station, preying on unsuspecting victims. They always marveled at his tape recording of someone’s feisty grandmother pushing back on the criminal caller, and they always looked heartbroken when the grandmother succumbed to the criminal ploy. He enjoyed setting the stage for those in the class who thought these crimes only happened to the old and unaware. Jeff would switch to his business stories of successful Private Branch eXchange (PBX) scams at major corporations where unsuspecting receptionists would connect phone hackers to international lines and open voice mailboxes. The scenarios laid out, Jeff would end the class with the critical message to educate customers about these schemes. Even though he used the same story at each road show stop, it was always an interesting day at work. Who knew he would leave the police force, join the phone company and still fight crime?
The reality of cybersecurity is that it is a multitude of disciplines with many potential career directions. The story of Jeff Dareme discusses the onset of technical crimes back when pay phones, phone banks, and PBXs were the enablers. New York City was a hotbed for tech scammers as were other cities around the world. Tech criminals would call unsuspecting victims, feign an emergency and steal credit card information. Still other tech criminals would stake out pay phone territories and “break” the network so they could charge people large sums of money to make international calls. These pay phone hackers worked in teams, with one person breaking the code and handing the phone over to the paying caller, while the other person would “run” the cash to an undisclosed spot so that the cash “on hand” was always less than the trigger point for a larceny conviction. Breaking these crime rings naturally fell to police departments, which would stake out phone banks and film crimes in progress as the money hand offs occurred over and over. It was a natural progression that the police, network providers, and the US Treasury Department, which was responsible for federal telecommunications law enforcement, would team together and build a base of knowledge among their ranks to close in on the criminal activity. Understanding criminal intent was critical, and the police departments knew the streets and those involved. The phone company understood the technology of its networks, including the weaknesses that allowed criminals to bypass controls and initiate phone fraud. The Treasury, a seemingly unlikely member of the triumvirate, was the only vehicle for prosecuting what was becoming a major financial loss for businesses.
The core competencies of investigative skills, technical know-how, and a healthy skepticism about human behavior are still at the heart of security career success today, a key reason why ISACA®-trained professionals do so well in the field. Despite the myriad technical methods for committing cybercrimes, all activity is based on behavioral drivers, whether they are the desire and need for money, or the desire to promote a political, religious or other ideology by shutting down the ideologies of others.
It is an interesting parallel to the risk assurance discipline where the abilities to recognize and assess inherent risk allows establishment of preventive controls, while IS auditing expertise leverages the ability to uncover issues and determine solutions that lead to sounder, more stable operating environments. Understanding criminal intent and reacting in the most effective manner has led to a boom in detective careers such as forensics analysis, while education and the need for awareness has caused a career surge regarding preventive disciplines such as cyber consultants and ethical hackers.
To learn more about the history of the cybersecurity profession, read the ISACA® Journal, vol. 5, 2021, article, “The Human Side of Cybersecurity—Careers.”
Cindy Baxter, CISA, ITIL Foundation
Is director at What’s the Risk, LLC. Her practice focuses on integrated risk control and process assessments for cybersecurity, privacy and business continuity/disaster recovery. She views risk management and control assessment as a chance to learn the nuts and bolts of a client’s business and help them worry less because gaps have been uncovered and a stronger operating model can be built. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles at State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not doing risk and audit work, she enjoys volunteering on climate and environmental issues that impact her community.