How to Select the Right Cybersecurity Career Path
Wed 19 May 2021 | Raymond Pompon
Raymond Pompon, Director of F5 Labs, gives his tips on choosing the right cybersecurity career path
Twenty-five years ago, when cybersecurity was emerging as a specialty, most practitioners were transitioning from IT operational roles. As the Internet expanded and firewalls went up, security duties became increasingly demanding and businesses created dedicated security positions.
Those doing these early cybersecurity jobs ended up knowing a bit about everything and evolved into generalists. Since then, with so many new avenues of technology, most of these generalists either specialised or went into management.
New recruits don’t have time to acquire the historical knowledge of generalists. Instead they will choose from a wide variety of security specialisations to match their capabilities and interests.
Cybersecurity Offers a Diverse Range of Roles
The three primary cybersecurity job roles are engineering defenses, testing security, and responding to cyberattacks. In smaller organisations, all these roles may land on a single person or be tacked onto non-security work.
Foundational cybersecurity skills are necessary for all these roles including:
- Knowledge of common cyberattacks
- How to perform a risk analysis
- How to manage risk through using controls
- Knowledge of compliance regulations and how they work
- Knowing how to explain risk and compliance in business terms
Cybersecurity engineers, testers, and responders build specific skills on top of this foundation, many of which can be acquired in industry training classes and cybersecurity boot camps.
Many cybersecurity engineers come from traditional IT jobs, such as network engineers or system administrators. They use various tools, usually technical, and play a big part in engineering administrative controls.
Job titles include:
- Director of security
- Security architect
- Network security engineer
- Security software developer
- Security systems administrator
- Technical director
- Security analyst
Where You’ll Find Cybersecurity Engineers in an Organisation
Cybersecurity engineers are the most common roles in cybersecurity. Most are found within the IT organisation, so they report up through the IT chain of command to the head of technology. However, being embedded in IT can diminish the effectiveness of their security functions. The key problem is the divergent missions: IT is about implementation and maintenance, while security requirements can sometimes mean slowing down an implementation to lower risk. This contributes to the security team’s reputation as the “Department of No”. Since the head of IT is in charge, they have veto power over security, which can be a problem as well.
Key Skills for Cybersecurity Engineers
Because of the obscure nature of some cyberattacks, a cybersecurity engineer needs to understand the organisation’s technology and the technical infrastructure.
They also need a firm grasp on how the specific technical controls in their area function. For example, engineers working in networking should understand firewall features and limitations as well as the specifics of the implemented solution within their organisation.
And they should understand the business and cultural aspects of rolling out and maintaining controls, even simple ones.
Testers are one of the most glamorous jobs in security, as these are the folks who hack things or find the problems and look for the gaps and mistakes before an attacker does.
Job titles include:
- Penetration tester/Red teamer
- Vulnerability researcher
- Exploit developer
- Ethical hacker (sometimes known as “white hat” hacker)
- Security research engineer
- Internal, third-party, or external auditor
Where You’ll Find Cybersecurity Testers in an Organisation
Cybersecurity testers are often outsourced, often for their independence. Be warned that the healthy competition between engineers and testers can fester into an adversarial relationship, even more so if the tester is external.
When cybersecurity testers are full-time within an organisation, they can be attached to IT like cybersecurity engineers. Although, sometimes they can be part of a different department, such as legal or compliance. Application security testers are sometimes linked to quality assurance departments, under an organisation’s development arm.
Key Skills For Cybersecurity Testers
The role of a cybersecurity tester is to question everything, including assumptions. One way to help do this is to learn threat-modeling techniques such as STRIDE.
Testers may need to use their technical knowledge in unexpected ways, such as chaining together low-severity vulnerabilities to breach a system.
Testers often require specialised tools and techniques, which are sometimes self-developed, so, they should also have some programming skills (if hacking) or statistical knowledge (if auditing).
They will also need to communicate their findings, explain risks in business terms, and document the testing work they do, with detailed citations of evidence such as screenshots, source code, and compliance regulations.
Cybersecurity responders plan for and minimise security incidents. They sometimes detect attacks and stop them. And sometimes help clean up the messes and get systems back online. Many of them investigate what the attackers did, who they were, and help find the clues to go after them, and some even work on finding digital evidence from non-cybercrimes.
Job titles include:
- IT forensics technician
- Security operations center analyst
- Forensic, intrusion, or malware analyst
- Incident responder
- Disaster recovery or business continuity manager
Where You’ll Find Cybersecurity Responders in an Organisation
Responders are commonly outsourced in smaller organisations. When they are internal, they can be found in IT, if focused on recovery and repair, or in legal, if focused on forensics. Sometimes they are found within the general business continuity organisation under operational risk.
Key Skills For Cybersecurity Responders
Responders are often under acute stress, whether dealing with ransomware that’s shut down the entire organisation, gathering evidence that can affect someone’s future, or performing post-incident forensics in a potentially litigious situation.
Responders need to wrangle resources for cyber incidents, such as appropriate cyber insurance, intrusion detection tools, and forensic and malware analysis tools. They should also develop government, legal, and law enforcement contacts and resources to assist with incidents.
They may need to report on incidents in various settings, including boardrooms, conferences, and legal depositions. Therefore, presentation and writing skills are helpful.
Striking a Balance to Avoid Silos
Many different standards and practices in cybersecurity can contradict each other and some may find the categories overlap too much.
We began by saying that cybersecurity career entrants should specialise. But if they become too specialised, they may find it harder to communicate outside their silo, and the real world doesn’t always adhere to clearly delineated categories. Neither do actual career paths.