This Framework in Focus interview was featured in the Fall 2021 NICE eNewsletter.
Title/Organization: Chief Scientist, DoD Cyber Crime Center (DC3)
NICE Framework Categories: Protect & Defend; Analyze; Investigate
NICE Framework Work Roles: Cyber Defense Analyst; Cyber Defense Forensics Analyst; Cyber Defense Incident Responder; Counter-Intelligence Forensics Analyst; Threat/Warning Analyst
Academic Degrees: B.S., Mechanical Engineering, University of California, Berkeley; M.A., Educational Communication and Technology, New York University; Ph.D., Computer Science, University College Dublin
Karen Wetzel: Hello, my name is Karen Wetzel. I am manager of the NICE Framework at the National Initiative for Cybersecurity Education at NIST. The NICE Cybersecurity Workforce Framework, published as NIST Special Publication 800-181, establishes a taxonomy and common lexicon used to describe cybersecurity work. The NICE Framework is intended to be applied in the private, public, and academic sectors. In this edition of the NICE eNewsletter series, Framework in Focus, it is my pleasure to speak with Eoghan Casey. Eoghan, thank you so much for letting us learn more about your career pathway and understand the NICE Framework from your perspective.
Eoghan Casey: Thank you, Karen, for the opportunity.
Karen: Eoghan, could you start by explaining to us the work you do in digital forensics and incident response via your consultancy and your non-profit work?
Eoghan: I’ve come from a long experience in digital forensic work in both the criminal context and the cybersecurity context. My role has evolved to the point where I deal with very complex incidents, and it’s a matter of coordinating a number of specialists in different areas to determine the root causes, the extent of the damage, and follow-up actions that might be necessary—whether it’s to improve the cybersecurity weaknesses that were exploited or to pursue legal action involving law enforcement, for example.
It’s often not fully appreciated that digital forensics plays such a central role throughout the cybersecurity lifecycle to enable the detection of cyberattacks, further scope assessment, assessment of damage across an organization, the development of threat intelligence, and then being able to bring someone to justice as well. It’s very central and sometimes undervalued in the process.
Karen: I wonder if you could share a bit more about the people you work with and the kinds of roles that they fill?
Eoghan: I work with all phases of the cybersecurity work chain, from the system administrator or security analyst on the front line of defense through to front-level incident responders. I work with them to help get better visibility of the incident, learn what they’ve gathered and gleaned from their response activities, and provide guidance on what to do and what not to do in terms of evidence preservation and making decisions, which is often at the executive level. At that higher level, there is the need to translate all the technical detail into the big picture—describing the exposures and options for response, including technical and potential regulatory or legal responses—for decision makers in an organization. Ultimately, if an incident goes into the legal action phase or into law enforcement, there is a testifying role. Usually where I’m involved is at this point of coordination level and then also at the presentation and decision-making level or in court.
I also teach and research to try and bring new members of the community or of a team to a higher level of capability or to develop new methods or tools to help us analyze our information.
Karen: You are well known in this field and bring a lot of expertise and experience to bear in your work. My question is: How did you get to where you are now?
Eoghan: I started as an information security officer at Yale University, when cybersecurity was in the very early phases. I had a lot of work to do in implementing security mechanisms, intrusion detection systems, firewalls, and the like. But I also had a lot of work to do in responding to security breaches and misuse of the network. I got a lot of experience with quite a wide variety of misuse of computer systems, not all of it external. There were all sorts of issues, including cyber stalking and missing persons. In some cases, I had to be involved in criminal investigations that arose out of the community.
Once I had that experience, I worked for a time with EDUCAUSE to bring together other members of the higher education information security community to develop more consistent approaches to dealing with these types of problems. Then I moved to the private sector for a time to get broader experience. I was working as a director of a commercial forensic laboratory, Stroz Friedberg, dealing with very high-profile or complex matters, dealing with cybersecurity matters and civil matters.
I took that expertise to go into business for myself, but I found I wanted to help deal with some of the more international problems that were emerging then, around 2005. So I started working for the Department of Defense in the DoD Cyber Crimes Center to bring my digital forensic and incident response expertise to bear on state-sponsored attacks against industry and government. That was also a good, broadening experience, both technically and just in terms of understanding the international scope of a lot of these activities.
Ultimately, I decided to focus more on research and development to develop new capabilities in the field. I went most recently for a time into research and development, including as a professor at the University of Lausanne in Switzerland. Now I’m more at the policy level and research level.
Karen: Degree-based education isn’t always the best match for emerging technologies, approaches, and policies. What are your thoughts on the role of academic degrees and cybersecurity certifications and how they relate to the practical experience that you are describing?
Eoghan: There is more than one answer, depending on the career path that someone wants to take and on what opportunities are available for that particular person. It’s very important to have options for a diverse set of individuals to enter the cybersecurity workforce, including multiple career and education pathways for high school students coming through community colleges, higher education, or even sometimes directly to the workforce. The NICE Framework, in that context, really helps people entering this career to say, “Okay, I’ll focus in this one area to start with and understand what is necessary for that area,” instead of trying to cover everything that is structured in the NICE Framework.
When we’re talking about people with more opportunities—whether they are going into a college-level degree, already have some existing work experience, or are transitioning from one technical (or even non-technical) career into cybersecurity—having the same view of what capabilities are necessary can help with that transition significantly. Certifications can be very beneficial for people who are trying to get started. Degrees are useful for some of what I view as higher level or more specialized skill sets for some of the work we do.
It’s very important to give a map because it’s such a broad field. Cybersecurity is in the private sector, public sector, and also in research and development. It can be overwhelming for somebody to enter this field. Having the NICE Framework and steps that people can take to get into a career in cybersecurity is really valuable.
Karen: As you’ve said, there are a lot of different kinds of cybersecurity work out there. From your perspective, what roles do you think are the most difficult to fill? It might be, for example, an emerging area of need or a high-demand area.
Eoghan: The most difficult position to fill is somebody who has a combination of the digital forensic expertise—so there’s a technical aspect there—as well as programming skills and strong problem-solving or critical thinking abilities. This combination of competencies and skills that include reasoning is highly valued and is also what makes these jobs hard to fill, so they are some of the highest paid jobs in the field. It takes time and resources to find those people and bring them onto a team. But it also takes time for an individual to get to that level—the combination of education and experience is critical in this field.
Karen: It goes back to the concept of career path too. It’s understanding where someone might be now and being able to continually evolve and build those capabilities to get to these kinds of positions. I can imagine that’s both on the individual level as well as in the organization wanting to build those capabilities out.
Eoghan: That’s a key point. With my career pathway, I consciously looked for opportunities to get different practical experience and continuously sought opportunities to educate myself. Some organizations understand that value and will pay for education and training to help individuals advance, but what happens more frequently is people move from one organization to the next and in the process get broader experience and training.
Karen: How have you kept your skills sharp and current? You shared about how you’ve done a bit of this on your own via identifying where you want to go and what you need to learn, but can you share more?
Eoghan: One of the great benefits of the cybersecurity field is that there’s huge willingness to share in the community. Attending community conferences or participating in competitions where there’s an opportunity to interact with other knowledgeable members and develop or see new skill sets is what I’ve done for all of my career. Those events and the exchange of knowledge, either in person or online, have been my biggest source of keeping up my skills.
Another way I do so is through my teaching and research. It doesn’t have to be a full-time job. It’s sometimes nice to engage in a discrete training event and share your knowledge with others who are trying to advance in the field, whether in a high school or university or conference context. To teach something you must understand it well enough to explain it, so it’s a good learning process and also helps with career advancement.
For research, it doesn’t have to be high-level, academic research. A lot of practitioners do very focused and practical research with new technology or a certain type of data, studying it, pulling it apart, and publishing a blog. Sharing that kind of research with the community helps you gain knowledge, learn a new skill, and get feedback from the community.
Karen: This theme of reaching out to and engaging in the cybersecurity community has come up in previous conversations I’ve had. Certainly, at NICE we have a number of communities of interest ourselves, including a new NICE Framework Users Group that launched in January this year.
For my next question: I know you’re doing some work now that is helping to make our workforce more diverse. I wonder if you could share a little bit more about those efforts.
Eoghan: For the past four or five years, I’ve been working on a project that was initially funded by the National Science Foundation to educate high school students about cybersecurity and digital forensics. We have a non-profit umbrella organization now called Cyber Sleuth Science Lab where we create curriculum for mostly out-of-school programs, and we’ve started to do in-school activities and a hybrid of in-classroom and online. It’s specifically targeted to traditionally under-represented populations, particularly young women. We’ve benefited from involvement from partner schools in Baltimore, New Orleans, and Nevada that serve specifically Hispanic communities or African American communities and provide career pathways for those students to enter the field in some fashion.
I’ve also worked through my career with universities trying to bring more diversity into the cybersecurity and digital forensic fields. I came from a computer science background but had a lot of interaction with forensic science. Computer science does not have a lot of diversity in the workforce. Forensic science, on the other hand, does. Putting the two together has been very fulfilling. I’ve had the pleasure of being able to bring more individuals from diverse backgrounds into the digital forensic and cybersecurity domain because of their interest in forensic science.
Karen: It’s just so very important and not only, as you pointed out, because there’s a real pipeline issue here. There’s a need for the broader experience and perspectives that a more diverse workforce can bring to the work, to prepare us more effectively while making sure we are adequately staffed in areas of need. Just a couple of last questions. What do you enjoy most about the work you do?
Eoghan: I would say the most fulfilling part of my work is helping people. Whenever someone calls me it’s bad news for them, so to help them deal with the problem is fulfilling. I also really enjoy the variety of work—every engagement has unique challenges to solve. I like the challenge, and the diversity of experiences is really fulfilling.
Karen: It’s certainly an area that keeps you on your toes.
Eoghan: And provides job security! Unfortunately, we have to get better—instead of paying off the criminals we need to discourage them.
Karen: Getting ahead of it, yes. My last question is: What advice would you give to a young person considering a career in cybersecurity?
Eoghan: It goes back to the combination of education and practice. What is key is to try out different roles in different organizations to see if you actually like them or not. As you do this, you develop your skill sets and it becomes easier for you to take on new opportunities and new challenges. In the end, it’s about finding the right context or the right area to focus on.
Karen: You’ve given some great advice. Going back to what you mentioned about the importance of engaging in the community, I think it’s good to remind folks that, as they do move forward, the community is there to help support you and where you can provide support to others. Eoghan, your work is fascinating and I really appreciate that you took the time out of a busy schedule to speak with us and to share about your experience in this field. Thank you so much.
Eoghan: Thank you, Karen. It was an honor, and I appreciate the opportunity to encourage others or perhaps provide an example of what might work and encourage any future questions as we learn and as we develop the domain. I look forward to using and contributing to the NICE Workforce Framework for Cybersecurity.