Careers in Cyber

Does this sound familiar?  You keep seeing headlines about cyber security, about information security, usually when there’s been a loss of passwords or data, sometimes about large fines being levied on companies for poor practice. You’ve heard that there are lots of vacancies in the world of cyber and would like to look at a career in security. But you don’t know what choices there are, you don’t have good IT skills and you don’t know what skills you need.

This article will answer some (though probably not all) of your questions.

Before looking at what roles there are, let’s get the first big concern out of the way shall we? Do you need to be an IT ninja to work in information security?  The answer is a resounding NO (though for some – not all – roles it helps). Read on to find out why…

Broadly speaking, cyber security is split into three main role groups:

  • governance, risk and compliance (GRC), which relates to policies, processes and, in some cases, training. These roles include consultants, analysts, auditors and trainers
  • offensive security, of which red teaming is the best-known form, with the aim of gaining unauthorised access to systems (with the owner’s permission) so that the weaknesses found can be fixed. Roles in this group include ethical hackers (penetration testers), social engineers etc
  • defensive security, often called blue teaming, with the aim of stopping, detecting and responding to those trying to get unauthorised access to systems. Roles in this group include digital forensics, incident response, Security Operations analysts etc

GRC roles

These roles typically require little to no technical skills, though an understanding of technology helps.

People in these roles will probably spend their time writing and reviewing policies and other documentation, carrying out audits to ensure the organisation is complying with policies and / or industry standards, working with other staff to help them understand and implement the policies. At a more senior level they also encompass consultancy, working with clients to help them understand and improve their security posture.

It’s likely that people in GRC roles will spend time looking at industry standards such as ISO 27001 and the NIST frameworks (the Cybersecurity Framework and the SP 800 series), regulations such as GDPR and industry specific requirements such as PCI DSS.

In terms of training, people in this group will be more likely to develop and perhaps deliver general security training rather than specific courses for highly technical staff.

In terms of your own training and certification, a good basis would be the BCS Certificate in Information Security Management Principles (CISMP), and if you’d like to add some technical knowledge, passing the CompTIA Net+ and Sec+ exams would be really good grounding. There are courses around data privacy which are becoming more common too. Ultimately you’d be aiming for something like the ISACA Certified Information Security Manager (CISM), (ISC)2 Certified Information Systems Security Professional (CISSP) or EC-Council Certified Chief Information Security Officer (C|CISO) qualifications, but they require at least 5 years of practical experience as well as an exam pass.

Red Team (Offensive Security)

This is where many people think the really exciting part of security sits, being paid to test other companies’ defences and helping them improve their security. This is the realm of the ethical hacker, more properly called a penetration (pen) tester.

Pen testers are, by necessity, quite technical. Typically they’ll be able to write scripts and code in several different languages, including Bash and Python. They’ll understand toolsets such as the Metasploit Framework, which is free and ships with Kali Linux. (Incidentally, the bad guys will use pretty much the same toolsets for much of their work, and both groups will probably learn a lot about how to use them from YouTube!) They’ll also be able to write exploits, perhaps for use in Metasploit or elsewhere. Oh, and they had better understand network protocols and how firewalls work too. Essentially, they need to know a lot about a lot of things in order to be very proficient, though it is possible to run a lot of these tools with very little knowledge.

There is a form of red teaming where people try to physically get access to premises and systems using social engineering techniques.  This typically involves carrying out research on the target company using OSINT techniques, before creating some kind of pretext (cover story) or getting in through open doors and windows.  The goal may be to try to access a data centre or other sensitive room in a building, or it may be to leave some kind of listening / communications device in a meeting room, or to see what documentation can be obtained. This is the sort of work that you may have seen in films like Sneakers, where teams of people are testing an organisation’s security capabilities. Skills needed for this type of role are more related to acting / improv, calmness under pressure and the ability to think quickly.  A good understanding of human psychology, empathy, body language and non-verbal communication is really helpful in this field.

Training for the red team can be very technical, or not technical at all. If technical, you probably need to look at something like CompTIA Net+ and Sec+ as a basic grounding, before then looking at something like the Offensive Security Certified Professional (OSCP) or CHECK Team Member (if in the UK). It’s worth saying that when it comes to the technical aspects, lots of practice with different packages, scripting languages and exploits is probably more beneficial than lots of certifications, though having at least one industry respected certification will be helpful.

It’s also worth noting that many red team members will have experience of operating as a blue team member (and vice versa), and the skills gained there will be useful for them in trying to defeat their opponents.

If you know the enemy and know yourself you need not fear the results of a hundred battles.
– Sun Tzu, The Art of War

If looking at the non-technical courses, then typically psychology and sociology are very useful. Experience of acting / talking to lots of different people is also helpful, and an understanding of verbal and non-verbal communications is also very useful.

Blue Team (Defensive Security)

The defensive teams are also likely to have some very technical people in them. They may not write exploits like some pen testers, but some do need to have a very deep and detailed understanding of how things work.

Digital forensics is a highly specialised field, and there are individual specialities within it. For example, someone may only deal with mobile devices, so will need to understand Android, iOS (for Apple devices) and Windows Mobile, amongst others. Some may look mainly at memory, or disk drives etc. They also need to know how to capture, store and examine data in a methodical way that can be defended, and where necessary repeated, in court, following the ACPO Good Practice Guide for Digital Evidence (in the UK; other countries have their own standards). In practice that means hashing evidence at acquisition, working only on verified copies and keeping a chain of custody record of every action taken.
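As an added example (not code from the original article), here is the integrity step of that methodical process in Python: hash an acquired image, record the hashes in a chain of custody log, and verify the working copy before and after examination so that any alteration, even a single byte, is caught. The “image” is constructed bytes standing in for a real disk capture, and the exhibit ID and examiner name are made up for the illustration.

```python
# Added example, not from the original article: evidence hashing and a minimal
# chain-of-custody record. The image bytes, exhibit id and examiner are constructed.
import hashlib
from datetime import datetime, timezone


def hash_evidence(data, chunk_size=1 << 20):
    """Return hex MD5 and SHA-256 digests of `data`.

    Two algorithms are recorded because forensic reports conventionally quote
    both; hashing is done in chunks so a multi-gigabyte image never has to be
    loaded into memory in one piece.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        chunk = view[offset:offset + chunk_size]
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


class CustodyLog:
    """Append-only record of who did what to an exhibit, with hashes per step."""

    def __init__(self, exhibit_id):
        self.exhibit_id = exhibit_id
        self.entries = []

    def record(self, action, examiner, digests, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {
            "exhibit": self.exhibit_id,
            "action": action,
            "examiner": examiner,
            "time": when.isoformat(),
            **digests,
        }
        self.entries.append(entry)  # never edit or delete earlier entries
        return entry

    def verify(self, data):
        """True if `data` still matches the hashes taken at acquisition."""
        if not self.entries:
            raise ValueError("no acquisition hashes recorded for this exhibit")
        baseline = self.entries[0]
        current = hash_evidence(data)
        return (current["md5"] == baseline["md5"]
                and current["sha256"] == baseline["sha256"])


# Usage with a constructed stand-in for an acquired image.
original_image = b"\x00" * 4096 + b"FAKE-BOOT-SECTOR" + b"\x00" * 4096
log = CustodyLog("EXH-001")
log.record("acquired via hardware write-blocker", "examiner A", hash_evidence(original_image))
assert log.verify(original_image)       # working copy matches acquisition hashes

# A one-byte change anywhere in the image is detected on re-verification.
tampered = original_image[:4100] + b"X" + original_image[4101:]
assert not log.verify(tampered)
```

The acquisition hashes are taken once, before any examination, and every later verification is compared back to that first entry rather than to the previous step; that is what lets an examiner show in court that what was analysed is what was seized.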

SOC (Security Operations Centre) Analysts look at information coming from a range of sources such as log files, and are skilled at looking at the big picture to identify attacks or other threats.  They need to understand networks, protocols and firewalls, how systems are configured and how the whole network interoperates.  They also need to understand patching and malware, to evaluate likely effects and the best methods of combating those threats.
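To make the SOC analyst’s work concrete, here is an added example (not code from the original article) of the kind of detection logic an analyst writes over log data: parse sshd authentication lines, flag any source address with a burst of failed logins, and escalate if that same address then logs in successfully, which usually means the password guessing worked. The log lines are constructed for the example, using documentation address ranges, and the hostname and usernames are made up.

```python
# Added example, not from the original article: SSH brute-force detection over
# constructed auth log lines (syslog/sshd format). Hostnames, users and IPs are made up.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 10:15:03 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:15:04 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:15:06 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:15:07 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  3 10:15:09 bastion sshd[2106]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:20:11 bastion sshd[2140]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Mar  3 10:20:40 bastion sshd[2141]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
Mar  3 11:02:00 bastion sshd[2200]: Failed password for bob from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2017):
    """Return (timestamp, result, user, src) tuples for recognised sshd lines.

    Syslog timestamps carry no year, so one is supplied; lines that do not
    match are skipped (a production parser would count them as unparsed).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_ssh_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag any source IP with >= threshold failed logins inside a sliding window.

    A later successful login from a flagged IP raises the severity to
    'compromised': a success straight after a burst of failures is the
    signature of a guessing attack that worked.
    """
    recent_failures = defaultdict(list)  # src -> failure timestamps still inside the window
    findings = {}
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            kept = [t for t in recent_failures[src] if ts - t <= window]
            kept.append(ts)
            recent_failures[src] = kept
            if len(kept) >= threshold and src not in findings:
                findings[src] = {
                    "severity": "bruteforce",
                    "failures": len(kept),
                    "first_failure": kept[0],
                    "last_failure": ts,
                }
        elif result == "Accepted" and src in findings:
            findings[src]["severity"] = "compromised"
            findings[src]["success_user"] = user
    return findings


if __name__ == "__main__":
    for src, f in detect_ssh_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {f['severity']}, {f['failures']} failures "
              f"between {f['first_failure']:%H:%M:%S} and {f['last_failure']:%H:%M:%S}")
```

Run against the sample, the single failure from alice’s address is correctly ignored, while 203.0.113.7 crosses the threshold and is escalated when the root login succeeds. The threshold and window are the knobs an analyst tunes against their own baseline of normal failed logins; the same sliding-window pattern carries over to VPN, RDP or web login logs once the parser is swapped.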

Training courses vary, though SANS are renowned for their very detailed courses, particularly in the forensics arena.  Again, CompTIA Net+ and Sec+ are good courses to start with before building up experience and looking at the more technical material available. Many courses will relate to the toolsets that the team member uses e.g. when using a Security Information and Event Management (SIEM) application, firewall apps etc. Blue team members may also take some of the same courses that the red team members do – remember Sun Tzu!

Summary

There is a lot of scope for people who are not technical – and have no desire to be technical – to work in Information Security.  In many cases, the key skills / attributes include patience, attention to detail, concentration, focus, diligence and curiosity, as well as people skills like empathy and communication.

As someone who has worked in the industry for over 30 years, since before it was even called security, I’d recommend it to anyone. There are so many opportunities, so many different roles, that there is bound to be something for everyone!

I should also mention that the company I work for, PGI, runs many of the courses mentioned above, or equivalents of them: I’m one of the instructors on the awareness courses…

Getting started in Cyber 

One of the most common questions I’m asked by non-cyber professionals is “How do I start a career in cyber?” and fortunately I think there’s a relatively easy answer. 

The British Computer Society (BCS) have an entry level qualification called the Certificate in Information Security Management Principles (CISMP). It’s typically a five day course and covers most aspects of information security at a high level, digging in to some in a bit more detail. It was the first security course I attended, many years ago, and I can thoroughly recommend it for beginners, even for those with limited IT knowledge. 

If you’re looking for a company that provides this course in fantastic surroundings with outstanding instructors, look no further than these guys below (it’s who I work for). This is one of the courses that I teach, but I don’t think I’m scheduled to teach this particular one. If you do book on it, let me know and I’ll make sure I come along and see you. 

Good exam technique explained

In my work as a consultant, and particularly when helping define training plans and strategies with clients, I’m often asked about learning styles and exam techniques. For example, what method of learning works best and gets best results? Is there a right way or a wrong way to prepare for exams? 

I’m not an expert in education techniques, but I do know what works well, and what doesn’t work, for me. That is, I know what learning style suits me best. 

Some people are very comfortable with self-study, with reading text books, watching online lessons etc. I’m not one of that group. I prefer a blend of learning in a classroom, with a mix of theory and hands on, practical work. I’m reasonably ok with reading notes afterwards, but only once I’ve got my hands dirty, so to speak. The best advice I can give on this topic is for you to find and attend courses which match your best learning style. If, like me, self study isn’t a good option, don’t sign up for a course which requires that. If you learn best working on your own and not in a classroom, look for options which allow you work that way. 

Exam technique is something which is a bit more nuanced I think. Since leaving college and starting work I’ve not failed an exam or test, so I think I must do something right. 

Multiple choice exams

Here are my top tips, starting with multiple choice exams:

  1. Read the first question.
  2. Read it again, slowly.
  3. Read the answers.
  4. Read the answers again, slowly.
  5. Read the question again.
  6. Read the answers, and if you know the right answer, mark it on your answer sheet and move on to the next question. 
  7. If you don’t know the answer, discount those you know to be wrong then remind yourself who sets the questions. If for example you’re doing an ISACA exam, bear in mind that they are mostly taken by (and set by) risk and audit professionals, so the answer is likely to be weighted towards risk or audit. You can then choose the best option based on those remaining, and move on to the next question.
  8. If you don’t know the right answer after the first few read throughs, it’s unlikely you will know it after staring at the screen for five minutes, so choose the answer which is the best fit for you, the least wrong, and move on.
  9. Repeat the above till the end of the exam.

Here’s the most important bit – don’t skip any questions, and don’t go back to reread them. In the majority of cases, your initial instinct will be correct. You can see this phenomenon in pub quizzes, on TV quiz shows etc – how many times does the first answer you thought of turn out to be right (or at least more right) than what you changed your answer to? I believe that going back, rereading and perhaps changing some answers actually loses you marks. The one time this isn’t the case is on the rare occasions when an answer turns up as the question later on.

For longer exams – CISSP and CISM are good examples – plan to take breaks regularly, every 15 or 20 questions. Stop, put your pen, pencil or keyboard down. Stretch your arms, legs, and shoulders, rotate your head on your neck, close your eyes and take 3 or 5 deep breaths. Relax. When you open your eyes, make sure you refocus them away from the paper or screen. Then start again. With CISSP I planned and took a fifteen minute coffee break half way through, had some food, walked around for a bit, got some fresh air, and felt the benefit when I got back in. 

When you’ve finished the test, double check that you have answered every question, complete the exit process and leave if allowed. There’s nothing to be gained from sitting rereading questions because as I mentioned earlier, you’ll only end up costing yourself marks if you do. 

Written exams

That’s all well and good for multiple choice, but what about written papers? Typically you’ll get a time limit, a number of questions to do and a particular number of marks per question. All of this is stuff your tutor should brief you on before you sit the exam, but if not, make sure you ask them. There are fewer tips for this type of exam, and here they are:

  1. Before starting, know how many marks per minute you need to score (allow 15 or 30 minutes at the end of the exam, because you will think of things as you go on) and make sure that you only write for the amount of time each question is worth. For example, if a question is worth 10 marks, and you know you need to score 1 mark a minute, allow yourself no more than 10 minutes on that question.
  2. Start each answer to each question on a fresh sheet of paper.
  3. You should finish writing (in this example) 15 or 30 minutes before the end.
  4. Use this buffer period at the end of the exam to add detail to any answers you feel need it.
  5. Reread your answers and make sure you add all the detail you can, even if it’s just a bulleted list of items.
  6. Only stop when time is up.

A last word

The one other tip I’d give is to do as many past papers as possible, so you’re familiar with the language used, the way questions are phrased, the subtle ways that you can get caught out. Who knows, maybe some of the past questions will come up in your assessment? It’s been known to happen! 

To certify or not

I published this article on LinkedIn on May 3rd 2017. Here it is in its entirety for you.

The age old question of whether certification is important or not reared its head again recently. I was talking to two prospective clients, and they held opposing views.

One wanted their staff to be well trained, but didn’t want them to complete any certifications. They were concerned that once the member of staff was trained they’d look elsewhere for [and get] a better paid job.

The other wanted their staff to be well trained, and saw the certification process as a way of validating that the learning on the course had stuck. They thought they would be able to market themselves better with certified staff, and make more money that way.

I can see both sides of the argument, as I’m sure you can. Perhaps the main differentiator is that in the first case, they may not be able to charge their clients as much, and will therefore have lower income / profit margins, which would mean they couldn’t pay their staff as well. In the second case, their ability to charge higher rates could be reflected in higher income and therefore they may be able to meet the wage demands of their teams.

To be honest though, neither of these scenarios floats my boat. I’d much rather employ someone with appropriate experience than just take someone who has passed a course and may have a piece of paper telling you that.

Many years ago – you’ll realise how long ago shortly – I received a salutary lesson in this very topic. I had a member of staff come to me to say that they had done a lot of self study and had not only passed their Microsoft MCSE but their Novell CNE (I told you it was a long time ago). As a result, they wanted a massive pay rise – something like 35% as I recall. Naturally I said I would have to think about it and, if appropriate, ask approval from my manager.

Fast forward to the following week. I was disinclined to award the rise as I had concerns about the person’s ability, but had yet to tell them that. They came to me (because at the time I was still relatively hands on technically) and asked how to bind an IP address to a network card. (Again a sign of how long ago this was, TCP/IP was only just starting to appear on Windows-based networks.) Naturally, my first question was whether this had been covered in either the Microsoft or Novell courses – it was – and I then suggested that the staff member in question focus on getting experience before thinking about pushing for a pay rise.

I recently had cause to consider the benefits of certification for, shall we say, more senior people (myself included). Some clients seem to not worry too much about the letters after your name and prefer to see the experience you can bring to bear on their needs.

It is very helpful being able to speak from first hand knowledge about the process for obtaining various certificates and accreditation, but I find that I don’t get to talk to prospective clients because I’ve done a few exams. They are more interested in what experience I’ve had, where, and whether any of it has relevance to their requirements / situation.

My advice is therefore this: make sure you gain experience in several sectors including SME, government, public sector, etc, and make sure you know how to apply that experience in a range of scenarios. Being flexible and adaptable in your approach to client requirements is what you should be aiming for. Having some experience of the certification process and perhaps even a degree is helpful, but it’s not what is really needed by the clients out there.

Choosing your certification

There is a wide range of different security courses available, and a mind-boggling array of certification and acronyms which go with them. This article focusses on three of the most common, highlights the differences between them and provides guidance on how you choose one over the other.  I hold all of these certifications, and I’ve linked to a couple of previous articles where I’ve described the learning experience in a bit more detail. 
CISMP has been developed by the British Computer Society (BCS), and is the Certificate in Information Security Management Principles. It is a well-known and common entry-level qualification, which is typically attained by people who are looking to start their careers in information or cyber security. It covers, at a very high level, a wide range of topics and provides a good foundation level of understanding. It can be viewed as a preparatory course which you then build on, perhaps specialising in one area or another.

It covers the following topics, and typically these subject areas are covered over five days on a course, with a one hour multiple choice exam at the end:

  • Information security principles
  • Information risk
  • Information security framework
  • Procedural and people security controls
  • Technical security controls
  • Software development and life cycle
  • Physical and environmental security
  • Disaster recovery and business continuity management
  • Other technical aspects

CISSP is the Certified Information Systems Security Professional from (ISC)2, and is one of the two most popular high level certifications (the other being CISM – more on that shortly). Of the two, CISSP is more focussed on technical skills and management, and is based on 8 domains:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communications and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

In order to achieve certification, you must pass a 6 hour exam consisting of 250 multiple choice questions, and be able to evidence at least 5 years’ experience in at least two of the domains listed above. You also need to have an existing CISSP verify your claims of experience. 

The Certified Information Security Manager (CISM) from ISACA is the other major certification which companies typically look for. It focusses more on governance and risk than technical skills, and is allied to the Certified Information Systems Auditor (CISA) certification, also from ISACA. There are only 4 domains, namely:

  • Information Security Governance
  • Information Risk Management
  • Information Security Program Development and Management
  • Information Security Incident Management

Those applying for CISM need to be able to demonstrate at least 5 years’ information security work experience, of which at least 3 years must be in information security management across 3 or more of these domains, and also have to pass a 250 question multiple choice exam which lasts up to 4 hours. This is currently a paper based exam which is only available twice a year (all exams globally run at exactly the same time), though it is understood that this is moving to a computer based test in the near future.

For both CISSP and CISM, certification is maintained by completing and evidencing a minimum of 20 hours Continuing Professional Development / Continuing Professional Education each year over 3 years, with a minimum of 120 hours CPD / CPE required in that time. Activities which qualify include attending seminars and conferences, contributing to papers, presenting on one of the domain topics etc.

Summary

CISMP is a good foundation to start a cyber or information security career. Candidates cover the basics of the topics involved, and will have a sound understanding of each area covered, which will in turn help them decide which they want to pursue in order to further their career. CISMP has no ongoing CPD requirement.

It can also be seen from above that there is little difference in terms of qualification requirements between the CISSP and CISM: the former is more suited to those with a technical, more hands on, background while the latter is better for those who have spent more time on the policy, process and governance side of things. They both require 5 years’ experience in the industry, and both require that experience to be independently verified: for CISSP by endorsement from an existing CISSP, for CISM by a supervisor or employer signing off the experience claimed. The exams can be lengthy, but the time allowed to complete them is plenty, and candidates should not find them too daunting.

(ISC)2 and ISACA are aiming to ensure that, because candidates must have experience as well as pass an exam, their qualifications have merit and are valuable for the individual and the company. The requirement for CPEs also helps to ensure that knowledge is being maintained and refreshed over the course of the certification.

Certified Information Security Manager

Back in 2010 I attended a three day course with Net Security training in Wembley, in preparation for a Certified Information Security Manager (CISM) exam a couple of weeks later. All of the work was theoretical, and it was assumed that you already had experience in most if not all of the domains covered.

The exam itself was paper based, with four hours given to complete 250 multiple choice questions. You then have to wait a few weeks before you get your results, at which point you can apply for the certification from ISACA. You need to be able to demonstrate at least five years’ worth of experience in three or more of the domains as part of the certification process.

The certification lasts for three years, and in that time you need to complete a minimum of 120 hours of Continuing Professional Education (CPE), with at least 20 hours in each of the three years. I have recertified in this way once, and have already reached my target for this recertification period.

Certified Ethical Hacker

In spring 2013 I attended a Certified Ethical Hacker (CEH) training course with Firebrand in Wyboston, England. It was a week long bootcamp, with classes starting on the Sunday evening, 12 hour days in the classroom and a 3 hour exam on the Friday morning.

The classes were made up of a mixture of theory and practical work. All attendees had a number of virtual environments to work in, and we were able to use a number of the tools we’d talked about in a safe environment. After class we had two to three hours reading every night, to read the courseware, so we spent roughly 15 hours a day on the topic.

As you can imagine, this kind of intense training crams a lot in and leaves you pretty drained at the end, but it was worth it. The course “only” gives the background, and it is then down to the individual to keep their education up by reading more on the topic, by trying the tools out and by carrying out this kind of work.

While I don’t currently do any kind of hacking as part of my job, the course gave a very good understanding of the techniques and methods used, and the risks and potential impact that each kind of attack could bring to an organisation. From that perspective, it meant I was well prepared for writing policies and standards to help counteract the threats from this angle.

Recertification takes place every three years, and in that time you have to be able to demonstrate completion of at least 120 hours of Continuing Professional Education (CPE) in related topics. I have recently completed my first recertification and am therefore entitled to use the CEH designation, approved by the EC-Council, until 2019.

Certified Information Systems Security Professional

In November 2015 I attended a week long bootcamp at Firebrand Training in Wyboston, England. From the Sunday to the Saturday thirty or more students sat in the classroom and tried to take in all of the course materials, ready for an exam on the Sunday.

The exam itself is computer based, 250 multiple choice questions, and you’re given six hours to complete it. You are permitted to take breaks, and the training centre laid on food and drink so you could freshen up a bit before getting back to the exam.

I have to say that if I hadn’t had years of experience to call on, and if I hadn’t done the Certified Ethical Hacker (CEH) qualification a few years before I would probably have struggled with some sections. As it was, I passed and then had to apply for my certification proper.  That involved completing a questionnaire and finding an existing Certified Information Systems Security Professional (CISSP) to vouch for me, then waiting for several weeks before being given the good news.

As with the CISM and CEH designations, recertification requires at least 120 hours of Continuing Professional Education (CPE) in related topics over three years. As I have only recently gained the accreditation, I don’t have to recertify until 2019.

In my opinion, the CISSP from (ISC)2 was the hardest certification for me to pass, though the course for CEH was much more intense.