So you want to work in cyber security?
By Sourya Biswas, Technical Director
Hindsight, as they say, is 20-20. When the internet was first being built out, few imagined that the very nature of the “information superhighway” – fast, open and frictionless – would make it the ideal mechanism for doing harm to many from far away. Even as the threat surface increased with the ubiquity of connected computers, so did the skills of the malicious players as evidenced by the increasing sophistication of malware. While smart TVs and smart watches are household items today, this trend of connected devices will continue to grow – at 22 billion today and expected to be 38.6 billion by 2025 and 50 billion by 2030. As the potential for new threat surfaces continues to expand, so does the number of threat actors and attack vectors.
However, not all hope is lost. Even as the ‘bad guys’ grow in sophistication, companies have realized the need to have a team of ‘good guys’ on board to counter them. In fact, such is the demand for cyber security professionals that it is far ahead of supply. As per a recently released report, this gap between supply and demand stands at 4.07 million professionals, up from 2.93 million a year before. This includes 561,000 in North America and quadruple that number in the Asia Pacific region. Therefore, if you want to work in cyber security, there’s no time like the present.
With that being said, where do you start? The answer depends on what you want to do in cyber security. Borrowing a page from successful programs, let’s explore your options through the lens of the Golden Triangle.
A role in cyber security can broadly align itself to at least one of the sides of the Golden Triangle with some overlap between them. In other words, there are specific cyber security roles that align more strongly with one of the three sides. At the same time, it’s important to understand that this mapping is not a line in the sand; there are no roles that deal exclusively with people, process, or technology. Also, change of roles is common in the course of a cyber security career. For example, you may start in a highly technical role in Incident Response working with specific forensic tools but over time, gain process expertise that allows you to take on a leadership role such as owning the Incident Response function.
With that caveat, below is a matrix that can help guide you. As a consulting firm specializing in cyber security, we have positions/services that map to most of the enumerated roles from a service provider's perspective, that is, helping clients. Of course, these roles are also applicable in industry.
People
| Role | Job Description | NCC Group Position/Service |
| --- | --- | --- |
| Sales | Selling cyber security products and services, including advisory, to prospective clients | Account Manager |
| Training | Conduct training on security topics, including general security awareness and more focused topics like secure coding | |
Process
| Role | Job Description | NCC Group Position/Service |
| --- | --- | --- |
| Strategy | Formulate security strategy that aligns with the organizational strategy leveraging frameworks like NIST CSF, CIS Top 20 etc | |
| Compliance | Ensure compliance with applicable business and regulatory requirements like ISO27001, PCI-DSS, FedRAMP etc | |
| Auditing | Independently confirm compliance with applicable business and regulatory requirements like ISO27001, PCI-DSS, FedRAMP etc | |
Technology
| Role | Job Description | NCC Group Position/Service |
| --- | --- | --- |
| Vulnerability Scanning | Scan for weaknesses in the information ecosystem, and once found, remediate them within established timelines | |
| Monitoring and Detection | Monitor the information ecosystem for issues that may be escalated to security incidents | |
| Incident Response | Once detected, respond to security incidents by containing the spread, eradicating the cause and recovering to business as usual. Detailed investigation and evidence collection may follow if criminal charges are to be filed. | |
| Penetration Testing | Simulate attackers by attempting to overcome existing protective measures and breach the information ecosystem | |
| Software Security | Ensure the security of software by reviewing and testing design and code | |
| Hardware Security | Ensure the security of hardware by reviewing and testing design and architecture | |
| Cloud Security | Ensure the security of cloud environments via traffic monitoring, encryption and appropriate provider (AWS, Azure, GCP) configurations | |
In terms of preparing for a career in cybersecurity, while a technical background has its advantages, it’s not a barrier to entry. What’s more important than a Master’s in cyber security is an innate sense of curiosity and desire to learn. After all, without those attributes, the lessons learned in class can soon be rendered obsolete by the furious march of technology.
One such example is automation and its impact on job security, and cyber security is not immune. In my opinion, the best way to future-proof ourselves is to not restrict ourselves to narrow areas and to continue learning. For example, don’t just specialize in operating a couple of security tools; understand how those tools were developed and the logic they use to operate.
The following industry bodies have a lot of free (and paid) resources to start your prep for a cyber security career:
- Information Systems Audit and Control Association (ISACA)
- International Information System Security Certification Consortium (ISC)²
- Computing Technology Industry Association (CompTIA)
Speaking from personal experience, I started my cyber security journey with a role in Risk Analytics, developed an interest in Cloud Computing while studying for my MBA (and wrote several hundred articles on the subject) before focusing on the security implications of moving to the cloud. Starting off in IT Strategy consulting in a Big 4 firm post MBA, the economic downturn led to more cyber security work versus strategy until the occasional foray turned into a full-time cybersecurity career. I supplemented my learning through certifications while continuing to learn in a challenging start-up environment before returning to consulting with NCC Group, a boutique firm focused on information risk and cyber security.
In my opinion, nothing beats on-the-job training. In an article on my certification experience, I wrote, “No certification can replace actual work experience and knowledge obtained from getting your hands dirty. At the same time, certification prep can certainly help in expanding your knowledge, and the certifications themselves don’t hurt your career prospects.”
If you’re new to cyber security, you may be asking yourself, “Should I be a generalist or a specialist?” or “Should I pursue a technical or management track?” I suggest starting off as a generalist and building a strong technical base, because to succeed as a specialist or a manager, you need to have those building blocks in place. In fact, I believe adding cyber security to high school curricula would go a long way in bridging the knowledge gap new cyber security professionals face at the start of their careers.
With constantly evolving threats, new regulations and innovative technologies, there’s nothing static about a career in cyber security. Of course, the demand for such skills that translates to high salaries doesn’t hurt either. Add to that the chance of clashing skills with some of the most intelligent criminal minds on the planet, and it’s not surprising that this challenging field is attracting the smartest minds out of college. Remember, hackers only need to get it right once; cyber security professionals need to get it right every time.