With over 23 years of IT experience, focused mainly on information security, Travis Niedens, Senior Security Solutions Engineer at Cerium Networks, has a passion and talent for aligning security architecture, plans, controls, processes, policies, and procedures with security standards and operational goals.
Over the years, Travis has honed his craft working for a number of prestigious high-tech organizations, including, IBM, Microsoft, CDW, and other Cisco Gold Partners. He has extensive experience developing, implementing, and testing secure IT infrastructures. Travis is also well-versed in compliance requirements including SOX, PCI, GLBA, HIPAA / HITECH and more recently GDPR. Travis is currently working toward his Doctorate in Information Technology from Walden University. He anticipates leveraging the knowledge he gains earning his Ph.D. and lessons learned from years of industry expertise, to provide holistic solutions to complex security issues and make organizations as secure as possible from the multitude of security risks.
With cybersecurity being such a hot topic these days we were excited to sit down with Travis to get his take on the current cybersecurity landscape and what it takes to be a cybersecurity expert.
You demonstrate a lot of passion for cybersecurity. What attracted you to the field?
It really started in high school in Greeley, Colorado. I belonged to a group of students tasked with keeping up the school’s computer infrastructure and the responsibility gave me a deep interest in security. Over time, we went from token ring to Ethernet, to several different versions of Novell NetWare, and I would write programs to circumvent the network defenses we installed to show my teacher how vulnerable it was. My teacher was both amazed and alarmed that a ninth-grade kid could get past the school district’s network security systems.
Another experience that drew me to cybersecurity was the book The Cuckoo’s Egg by Cliff Stoll, a true adventure story of how Cliff was able to track down a German hacker through a maze of computer espionage, and all of the intrigues he went through to catch him. To follow along with the action and see what it took to catch the hacker piqued my interest in hacking and how to catch hackers.
When I was growing up, I listened to a technical talk radio program about computers before going to sleep at night. A lot of the talk was about security and the viruses prevalent at the time (Michelangelo, Mellissa, and so forth). I also belonged to the Computer Users Group of Greeley, with members from my age, 14 at the time, all the way up to 70, where we discussed everything from digital photography to the internet and computer security. I gave a few security talks to the group that were well received, which gave me confidence in my abilities and encouraged me to pursue a career in computer and network security.
What advice would you offer to engineers/administrators considering a career as a cybersecurity specialist?
The first advice I would give is that this is a constantly changing field. The ability to adapt to change is key.
Second, do your research. Don’t rely on “industry pundits” to keep you informed. I’ve seen a lot of material that makes me shake my head because the author obviously hadn’t done their research. So, do your research if you want to be taken seriously.
Finally, Network with your peers. Cybersecurity experts are often thought of as engineers working alone in a dark room, sitting at a keyboard drinking epic amounts of coffee. But that image couldn’t be further from the truth. There is so much going on in the field that to be effective you need to network to understand the latest trends and threats. Additionally, to thwart social engineering threats you need to get into the mindset of users to understand how they behave. So, it’s not just about computers or certifications, or even research; you have to get out there to understand who you are up against, and who your allies are that you can network with. I network with a lot of engineers outside of work from different business sectors, such as healthcare, government agencies, and education. When we discuss security issues I get a better understanding of the different arenas and their specific challenges.
What technical skills and tool sets should they focus on learning and growing?
Computing; all of cybersecurity plays out in the compute platform. You need to understand hexadecimal vs binary vs decimal, the basics of what a computer can do, such as how it gets data from point a to point z. And, I recommend not just learning about computers but actually working on them. When I want to truly understand an issue I build a lab and simulate it. I’ve seen security flaws in certain environments, validated my findings in my lab, and demonstrated the Because I was able to reproduce the issue and show the results the issues were dealt with quickly and successfully. So, I not only gained a deeper understanding of the technology, I was able to demonstrate that knowledge to the community and contribute to improving security in general.
Other areas to focus on include mathematics, which is at the heart of computing, so strong math skills are also very helpful. Language skills are also very important. The ability to organize, articulate, and convey your thoughts coherently to others is also an essential skill set for cybersecurity experts. Speaking to the audience, no matter what their role is or field they are in is very important. For example; tailoring a message for a four-star general is obviously different than having a discussion with a school administrator, and getting a CIO to understand the bottom-line impact of a security issue often requires a different message than explaining the same issue to a network engineer.
Earning, at least, a bachelor’s degree in math or computer science is also highly recommended. Many “experts” in the field today rely on experience and certifications and don’t always see the value in getting a degree. However, I believe that a Master’s degree will probably be required for entry-level cybersecurity jobs in less than ten years. Earning a degree demonstrates to employers your commitment to the field and your drive to complete what you started. It also lets them know you received a well-rounded education, that included math, language, and other areas, not just the focused knowledge you get from IT certifications.
You hold a number of impressive networking and security certifications; not counting your degrees, which one are your most proud of?
To be honest, my CISSP, Certified Information Systems Security Professional, and here’s why. It’s not focused on one specific vendor’s technology and it covers the breadth of security a mile wide and an inch deep. To be eligible to take the exam you need at least five years of full-time work experience in a related field. So, you can’t just go in and take one test and magically become a CISSP. Also, maintaining a CISSP requires continuing education for renewal. You have to complete a certain amount of professional education credits every year so you can’t just pass the test once; you have to keep growing your knowledge and continuing your education.
The CISSP certification process also emphasizes a code of ethics, much like the security professional’s “Hippocratic Oath”, which is a component not traditionally stressed in other certifications. This is something I strictly adhere to and take very personally. Trust is a crucial component of security. There are people I’ve met that I wouldn’t trust with my home network, and there are others I would trust with my life because of their high ethical standards.
The CISSP is a well-respected in the security field. Experts with the certification know how difficult it is to earn and maintain. It has had a lasting impact on my life and it has proved to be very advantageous to my career.
What news sources do you consume to stay up on the latest cybersecurity news?
I try to read everything that’s relevant. I look at all of the major mainstream news sites to see how they are spinning the latest security news and get their perspective on the impact of vulnerabilities and how they are being exploited. The security-related sites I frequent include DarkReading.com, Slashdot.org, Digg.com, InformationSecurity-Magazine.com, and SecureWorldExpo.com. ACM and IEEE journals are great sources of information that provide a fresh perspective on security issues. I also spend a lot of time on our vendor partner sites reading about issues related their specific products and services.
This reading and research has paid huge dividends. For example, I’ve found outstanding quantitative research that has helped us refine and improve our security practice.
There are a lot of opportunities out there for a person with your skills and experience. Why did you choose Cerium?
Two reasons. The first is the people. I really enjoyed my interaction with people who interviewed me. I got a good vibe from them. They asked insightful questions, and we discussed some very interesting topics. I see this role as a great way to leverage my skill sets and my experience in a technical leadership role.