When contemplating a career in cyber security and deliberating whether a lateral move, or up-skilling in a certain area, would be worthwhile, there are two schools of thought. It ultimately rests on what led you to your chosen career to begin with. Assuming that you are passionate about cyber security but searching for a greater challenge and an outlet to further test your skills and capabilities, side-stepping into a slightly different area of cyber security would certainly be a positive decision.
For Tony Vizza, CISSP, CCSP, APAC Director of Cyber Security Advocacy at (ISC)², Inc., the tragedy would be in abandoning what you’re passionate about in pursuit of something different. “Unless there’s a significant reason to start over in a field you may only be slightly interested in, in my opinion, you would be doing yourself a huge disservice,” he says.
As for retraining, this can often be of benefit to the younger members of the cyber security industry who perhaps followed the crowd or an enticing paycheck into a role that over time proves itself to be the wrong fit. Fundamentally, if you’re not enjoying what you’re doing, it could be time to revisit your career direction, determine where your interests lie and obtain new skills commensurate to the desired role.
So what about those options? What are the hot cyber security jobs right now?
Vizza suggests that among the must-have cyber roles are cyber security architects and analysts. Security architects are responsible for designing, building and supervising the implementation of network and computer security for an organisation. Meanwhile, analysts are charged with scouring logs and devices in pursuit of miscreants in the network. Both these cyber roles comprise highly necessary and valuable skills in today’s business climate.
Individuals experienced in the governance, risk and compliance side of cyber security will also find their skills in high demand. Organisations need people who are adept at identifying risks, specifically those pertaining to their business, so the ability to think in a commercial context is very important. In a similar vein, it is becoming increasingly common for legal professionals to take a more cyber-focused role as they look to advise on cyber risk issues. The same applies to privacy in light of the GDPR and similar regulations, as companies require people who specialise in understanding what those data privacy issues mean for the organisation.
Vizza adds that Cloud Security Architects and Engineers are also among hot cyber roles in demand today. “Organisations are increasingly putting data in places they don’t have direct control over and therefore need people who understand how that can impact them,” says Vizza.
Besides job roles, it is equally important to be aware of the skills that are most in demand.
“A big growth area is in soft skills, people skills,” says Vizza. “Namely the ability to communicate effectively with the business. Most cyber security professionals are fantastic on the technical side but not so much on the business side.” Professionals who can understand the cyber risk to a business and translate that into a language that makes commercial sense to the organisation, particularly when financial investment is required, are invaluable. Vizza explains that there are often two ways of saying the same thing. For example, rather than suggesting an outdated firewall needs replacing due to age, it is more effective to explain that installing the most up-to-date technology will reduce operational risks, and to quantify that in dollar terms. “It’s about selling an idea and convincing people it’s in the best interest of the organisation.”
Cyber security professionals need to appreciate that while cyber is a piece of an organisation’s operations, a business needs to juggle multiple issues. It is incumbent on cyber professionals to communicate as effectively as possible, to capture as much of the business’ mindshare as they can and to ensure cyber security is prioritised.
Skills and expertise around governance, risk and compliance are also hugely important. Individuals should have an acute awareness of what the cyber security landscape looks like and aim to master a ‘vendor agnostic’ approach to cyber security concepts, technologies and controls.
As for routing your career path itself, the most common starting points include IT and risk management. “Coming from IT, a lot of the time those people will have applied some elements of cyber security without even being aware of it,” says Vizza. Other areas include law. “There are lawyers who are now training in cyber security in order to apply that knowledge of cyber risk to their legal role.”
Another area to acknowledge in the cyber security industry is the set of common stereotypes that exist, which often serve to hinder diversity in the industry. For example, the nerdy loner emerging from his parents’ basement to unleash his super coding prowess on the world is something of a fallacy. Certainly, there are roles in cyber security that are highly technical; however, there are also many roles requiring a governance, risk and compliance-based skillset for which the ‘hacker’ stereotype does not apply. In these roles, women are far more likely to be involved. And it’s because of the growth in these non-traditional roles that times are changing. In terms of gender diversity, the 2018 (ISC)² Cyber Security Workforce Study indicated that 21% of cyber workers today are women, with that number increasing every year.
Finally, it’s also important to know the area of cyber security you want to focus on. Almost all cyber security experts need to have a fundamental understanding of how a network operates and need to be familiar with the basic IT concepts to be successful working in cyber security. Speaking with experienced people in the industry who could become mentors and offer useful advice will be beneficial, as will getting involved with cyber security meetup groups, association branches and chapters, alongside engaging with key government and non-government agencies linked to cyber security such as the National Cyber Security Centre (NCSC), the UK Cyber Security Forum and the Cyber Security group within TechUK.