There was a time when, if you said you worked in cybersecurity, people would take you for a security guard at some unheard-of company. Not anymore! Today cybersecurity is in the mainstream. If you are in the business of protecting internet-connected systems, including hardware, software, and data, from adversaries, then you are already a cybersecurity practitioner.
The field of cybersecurity involves application security, information security, network security, disaster recovery or business continuity planning, operational security, and security awareness and training. These supplement physical security, the traditional field of security that protects physical locations and assets.
According to Forbes (Bradford, 2017), the average salary in cybersecurity was $116,000, or approximately $55.77 per hour, in 2017. Depending on the role, it could be higher or lower. Such positions include Security Analyst, Risk Manager, Security Architect, Security Engineer, and Security Tester, and, at a higher level, Chief Information Security Officer (CISO).
If you have a passion for writing code and building applications, a natural career move is application security: the use of software, hardware, and procedural methods to protect applications from external threats. The IBM System Science Institute (Dawson, Rahim, Burrell, & Brewster, 2010) estimates that the cost to fix a bug found in production is around six times that of one identified during design. Application security practitioners help to identify vulnerabilities in the design, code, and binaries early in the System Development Life Cycle (SDLC). The ideal candidate for this practice is someone with software development experience and training in methodologies such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and penetration testing. Certifications that would help to get into this field include Certified Secure Software Lifecycle Professional (CSSLP) and Certified Ethical Hacker (CEH).
Individuals whose experience includes project management and architecture would find information security exciting, where they would develop a set of strategies for managing the processes, tools, and policies necessary to prevent, detect, document, and counter threats to digital and non-digital information. As Risk Managers and Security Architects, their primary goals are to protect the confidentiality, integrity, and availability of information. Certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC) would help in getting into this practice.
Those who have been practicing network administration would be a good fit for network security, where they would engage in design activities to protect the usability and integrity of computer networks and the data that flows through them. They deal primarily with network access controls and segmentation to protect data from unauthorized access and maintain its integrity while keeping it available to those who need access. Having a Cisco or similar network certification along with the CISSP would help to get into the network security practice.
Disaster recovery or business continuity planning is the practice in which practitioners determine the essential functions of the business, identify which systems and processes must be sustained, and detail how to maintain them. The method involves anticipating natural and other disasters that could have a significant impact on the business, preparing a “Plan B” to sustain business operations, and continuously testing it. Certifications that help to get into this practice include Certification of the BCI (CBCI), ISO 22301 Certified Business Continuity Manager (CBCM), Certified Business Continuity Professional (CBCP), Certified Disaster Recovery Engineer (C/DRE), and EC-Council Disaster Recovery Professional (EDRP).
OPSEC (operational security) is an analytical process that classifies information assets and determines the controls required to protect them (Rouse & Cole, 2016). It describes strategies to prevent potential adversaries from discovering critical operations-related data. As information management and protection has become crucial to success in the private sector, OPSEC processes are now standard in business operations. OPSEC encourages managers to view operations or projects from the outside in, that is, from the perspective of competitors (or enemies), to identify weaknesses. Developing the art of threat modeling and risk management is essential in this practice. Holders of a CISSP with appropriate education and experience, usually in the military or the Department of Defense, would do well in this practice.
Have a passion for developing training materials and training people? Security awareness and training is looking for you. It involves educating employees about corporate policies and procedures for working with information technology (IT). Security awareness practitioners tell employees whom to contact if they discover a security threat and teach them that data is a valuable corporate asset. It always helps to have a CISSP when looking for a position in this area.
Today many reputable universities offer formal education in cybersecurity, information security, and information assurance. Some programs are geared toward the tech-savvy, while others are for mid-career professionals looking toward career growth on the management side of cybersecurity. I would recommend those recognized as a Center of Academic Excellence in Information Assurance Education by the National Security Agency (NSA) and the Department of Homeland Security (DHS).
Cybersecurity is here to stay. Professionals will always be required in cybersecurity as long as there are adversaries. With the right talent and skills, an individual should not have difficulty finding a career in cybersecurity. According to Forbes, there will be as many as 3.5 million unfilled positions in the industry by 2021 (NeSmith, 2018). So why wait?
– Bradford, L. (2017, February 27). How To Start A Lucrative Career In Cybersecurity. Retrieved from Forbes: https://www.forbes.com/sites/laurencebradford/2017/02/27/how-to-start-a-lucrative-career-in-cybersecurity/#14b17b1f1066
– Dawson, M., Rahim, E., Burrell, D. N., & Brewster, S. (2010). Integrating Software Assurance into the Software Development Life Cycle (SDLC). Journal of Information Systems Technology and Planning, 49-53.
– NeSmith, B. (2018, August 9). The Cybersecurity Talent Gap Is An Industry Crisis. Retrieved from Forbes: https://www.forbes.com/sites/forbestechcouncil/2018/08/09/the-cybersecurity-talent-gap-is-an-industry-crisis/#59005c36a6b3
– Rouse, M., & Cole, B. (2016, July). OPSEC (operational security). Retrieved from TechTarget: https://searchcompliance.techtarget.com/definition/OPSEC-operational-security