Blog post -

So you want to work in cyber security?

By Sourya Biswas, Technical Director

Hindsight, as they say, is 20-20. When the internet was first being built out, few imagined that the very nature of the “information superhighway” – fast, open and frictionless – would make it the ideal mechanism for doing harm to many from far away. Even as the threat surface increased with the ubiquity of connected computers, so did the skills of the malicious players as evidenced by the increasing sophistication of malware. While smart TVs and smart watches are household items today, this trend of connected devices will continue to grow – at 22 billion today and expected to be 38.6 billion by 2025 and 50 billion by 2030. As the potential for new threat surfaces continues to expand, so does the number of threat actors and attack vectors.

However, not all hope is lost. Even as the ‘bad guys’ grow in sophistication, companies have realized the need to have a team of ‘good guys’ on board to counter them. In fact, such is the demand for cyber security professionals that it is far ahead of supply. As per a recently released report, this gap between supply and demand stands at 4.07 million professionals, up from 2.93 million a year before. This includes 561,000 in North America and quadruple that number in the Asia Pacific region. Therefore, if you want to work in cyber security, there’s no time like the present.

With that being said, where do you start? The answer depends on what you want to do in cyber security. Borrowing a page from successful programs, let’s explore your options through the lens of the Golden Triangle.

A role in cyber security can broadly align itself to at least one of the sides of the Golden Triangle with some overlap between them. In other words, there are specific cyber security roles that align more strongly with one of the three sides. At the same time, it’s important to understand that this mapping is not a line in the sand; there are no roles that deal exclusively with people, process, or technology. Also, change of roles is common in the course of a cyber security career. For example, you may start in a highly technical role in Incident Response working with specific forensic tools but over time, gain process expertise that allows you to take on a leadership role such as owning the Incident Response function.

With that caveat, below is a matrix that can help guide you. As a consulting firm specializing in cyber security, we have positions / services that map to most of the enumerated roles from a service provider, as in helping clients, perspective. Of course, these are also applicable in industry.



Job Description

NCC Group Position/Service


Selling cyber security products and services, including advisory, to prospective clients

Account Manager


Conduct training on security topics, including general security awareness and more focused like secure coding

Security Training



Job Description

NCC Group Position/Service


Formulate security strategy that aligns with the organizational strategy leveraging frameworks like NIST CSF, CIS Top 20 etc

Risk Management & Governance


Ensure compliance with applicable business and regulatory requirements like ISO27001, PCI-DSS, FedRAMP etc

Risk Management & Governance


Independently confirm compliance with applicable business and regulatory requirements like ISO27001, PCI-DSS, FedRAMP etc

Risk Management & Governance



Job Description

NCC Group Position/Service

Vulnerability Scanning

Scan for weaknesses in the information ecosystem, and once found, remediate them within established timelines

Vulnerability Discovery & Management

Monitoring and Detection

Monitor the information ecosystem for issues that may be escalated to security incidents

Managed Detection and Response

Incident Response

Once detected, respond to security incidents by containing the spread, eradicating the cause and recovering to business as usual. Detailed investigation and evidence collection may follow if criminal charges are to be filed.

Digital Forensics and Incident Response

Penetration testing

Simulate attackers by attempting to overcome existing protective measures and breach the information ecosystem

Penetration Testing & Security Assessments

Software Security

Ensure the security of software by reviewing and testing design and code

Application/Software Security

Hardware Security

Ensure the security of hardware by reviewing and testing design and architecture

Hardware & Embedded Systems

Cloud Security

Ensure the security of cloud environments via traffic monitoring, encryption and appropriate provider (AWS, Axure, GCP) configurations

Products & Cloud Services

 - In terms of preparing for a career in cybersecurity, while a technical background has its advantages, it’s not a barrier to entry. What’s more important than a Master’s in cyber security is an innate sense of curiosity and desire to learn. After all, without those attributes, the lessons learned in class can soon be rendered obsolete by the furious march of technology.

One such example is automation and its impact on job security, and cyber security is not immune. In my opinion, the best way to future-proof ourselves is not to restrict ourselves to narrow areas and continue learning. For example, don’t just specialize in operating a couple of security tools, understand how those tools were developed and the logic they use to operate.

The following industry bodies have a lot of free (and paid) resources to start your prep for a cyber security career:

  1. Information Systems Audit and Control Association (ISACA)
  2. International Information System Security Certification Consortium (ISC)²
  3. Computing Technology Industry Association (CompTIA)

Speaking from personal experience, I started my cyber security journey with a role in Risk Analytics, developed an interest in Cloud Computing while studying for my MBA (and wrote several hundred articles on the subject) before focusing on the security implications of moving to the cloud. Starting off in IT Strategy consulting in a Big 4 firm post MBA, the economic downturn led to more cyber security work versus strategy until the occasional foray turned into a full-time cybersecurity career. I supplemented my learning through certifications while continuing to learn in a challenging start-up environment before returning to consulting with NCC Group, a boutique firm focused on information risk and cyber security.

In my opinion, nothing beats on the job training. In an article on my certification experience, I wrote, “No certification can replace actual work experience and knowledge obtained from getting your hands dirty. At the same time, certification prep can certainly help in expanding your knowledge, and the certifications themselves don’t hurt your career prospects.”

If you’re new to cyber security, you may be asking yourself, “Should I be a generalist or a specialist?” or “Should I pursue a technical or management track?” I suggest starting off as a generalist and building a strong technical base, because to succeed as a specialist or a manager, you need to have those building blocks in place. In fact, I believe adding cyber security to high school curricula would go a long way in bridging the knowledge gap new cyber security professionals face at the start of their careers.

With constantly evolving threats, new regulations and innovative technologies, there’s nothing static about a career in cyber security. Of course, the demand for such skills that translates to high salaries doesn’t hurt either. Add to that the chance of clashing skills with some of the most intelligent criminal minds on the planet, and it’s not surprising that this challenging field is attracting the smartest minds out of college. Remember, hackers only need to get it right once, cyber security professionals need to get it right every time.

Related links


  • Computer security


  • cyber security
  • talent and careers


NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content