Careers in Cyber

Does this sound familiar? You keep seeing headlines about cyber security, about information security, usually when there’s been a loss of passwords or data, sometimes about large fines being levied on companies for poor practice. You’ve heard that there are lots of vacancies in the world of cyber and would like to look at a career in security. But you don’t know what choices there are, you don’t have good IT skills and you don’t know what skills you need.

This article will answer some (though probably not all) of your questions.

Before looking at what roles there are, let’s get the first big concern out of the way, shall we? Do you need to be an IT ninja to work in information security? The answer is a resounding NO (though for some – not all – roles it helps). Read on to find out why…

Broadly speaking, cyber security is split into three main role groups:

  • governance, risk and compliance (GRC), which relates to policies, processes, and, in some cases, training. These roles include consultants, analysts, auditors and trainers
  • offensive security, also known as red teaming, with the aim of trying to get unauthorised access to systems. Roles in this group include ethical hackers (penetration testers), social engineers etc
  • defensive security, also known as blue teaming, with the aim of trying to stop those trying to get unauthorised access to systems. Roles in this group include digital forensics, incident response, Security Operations analysts etc

GRC roles

These roles typically require little to no technical skills, though an understanding of technology helps.

People in these roles will probably spend their time writing and reviewing policies and other documentation, carrying out audits to ensure the organisation is complying with policies and / or industry standards, working with other staff to help them understand and implement the policies. At a more senior level they also encompass consultancy, working with clients to help them understand and improve their security posture.

It’s likely that people in GRC roles will spend time looking at industry standards such as ISO 27001 and NIST, regulations such as GDPR and industry specific requirements such as PCI DSS.

When it comes to delivering training, people in this group will be more likely to develop and perhaps deliver general security awareness training rather than specific courses for highly technical staff.

In terms of training, a good basis would be the BCS Certificate in Information Security Management Principles (CISMP), and if you’d like to add some technical knowledge passing the CompTIA Net+ and Sec+ exams would be really good grounding. There are courses around data privacy which are becoming more common too. Ultimately you’d be aiming for something like the ISACA Certified Information Security Manager (CISM), (ISC)2 Certified Information Systems Security Professional (CISSP) or EC-Council Certified Chief Information Security Officer (C|CISO) qualifications, but they require at least 5 years of practical experience as well as an exam pass.

Red Team (Offensive Security)

This is where many people think the really exciting part of security sits, being paid to test other companies’ defences and helping them improve their security. This is the realm of the ethical hacker, more properly called a penetration (pen) tester.

Pen testers are, by necessity, quite technical. Typically they’ll be able to write scripts and code in several different languages, including Bash and Python. They’ll understand toolsets such as Metasploit, which is available for free on Kali Linux. (Incidentally, the bad guys will use pretty much the same toolsets for much of their work, and both groups will probably learn a lot about how to use them from YouTube!) They’ll also be able to write exploits, perhaps for use in Metasploit or elsewhere. Oh, and they had better understand network protocols and how firewalls work too. Essentially, they need to know a lot about a lot of things in order to be very proficient, though it is possible to run a lot of these tools with very little knowledge.

There is a form of red teaming where people try to physically get access to premises and systems using social engineering techniques. This typically involves carrying out research on the target company using OSINT techniques, before creating some kind of pretext (cover story) or getting in through open doors and windows. The goal may be to try to access a data centre or other sensitive room in a building, or it may be to leave some kind of listening / communications device in a meeting room, or to see what documentation can be obtained. This is the sort of work that you may have seen in films like Sneakers, where teams of people are testing an organisation’s security capabilities. Skills needed for this type of role are more related to acting / improv, calmness under pressure and the ability to think quickly. A good understanding of human psychology, empathy, body language and non-verbal communication is really helpful in this field.

Training for the red team can be very technical, or not technical at all. If technical, you probably need to look at something like CompTIA Net+ and Sec+ as a basic grounding, before then looking at something like the Offensive Security Certified Professional (OSCP) or CHECK Team Member (if in the UK). It’s worth saying that when it comes to the technical aspects, lots of practice with different packages, scripting languages and exploits is probably more beneficial than lots of certifications, though having at least one industry respected certification will be helpful.

It’s also worth noting that many red team members will have experience of operating as a blue team member (and vice versa), and the skills gained there will be useful for them in trying to defeat their opponents.

If you know the enemy and know yourself you need not fear the results of a hundred battles.
– Sun Tzu, The Art of War

If looking at the non-technical courses, then typically psychology and sociology are very useful. Experience of acting / talking to lots of different people is also helpful, and an understanding of verbal and non-verbal communications is also very useful.

Blue Team (Defensive Security)

The defensive teams are also likely to have some very technical people in them. They may not write exploits like some pen testers, but some do need to have a very deep and detailed understanding of how things work.

Digital forensics is a highly specialised field, and there are individual specialities within it. For example, someone may only deal with mobile devices, so will need to understand Android, iOS (for Apple devices) and Windows Mobile, amongst others. Some may look mainly at memory stores, or disk drives etc. They also need to know how to capture, store and examine data in a methodical way which can be replicated in court, using the ACPO Good Practice Guide for Digital Forensics (in the UK – other countries may have other standards).

SOC (Security Operations Centre) Analysts look at information coming from a range of sources such as log files, and are skilled at looking at the big picture to identify attacks or other threats. They need to understand networks, protocols and firewalls, how systems are configured and how the whole network interoperates. They also need to understand patching and malware, to evaluate likely effects and the best methods of combating those threats.

Training courses vary, though SANS are renowned for their very detailed courses, particularly in the forensics arena. Again, CompTIA Net+ and Sec+ are good courses to start with before building up experience and looking at the more technical material available. Many courses will relate to the toolsets that the team member uses, e.g. when using a Security Information and Event Management (SIEM) application, firewall apps etc. Blue team members may also take some of the same courses that the red team members do – remember Sun Tzu!

Summary

There is a lot of scope for people who are not technical – and have no desire to be technical – to work in Information Security. In many cases, the key skills / attributes include patience, attention to detail, concentration, focus, diligence and curiosity, as well as people skills like empathy and communication.

As someone who has worked in the industry for over 30 years, since before it was even called security, I’d recommend it to anyone. There are so many opportunities, so many different roles, that there is bound to be something for everyone!

I should also mention that the company I work for, PGI, runs many of the courses mentioned above, or equivalents of them: I’m one of the instructors on the awareness courses…

Choosing your certification

There is a wide range of different security courses available, and a mind-boggling array of certifications and acronyms which go with them. This article focusses on three of the most common, highlights the differences between them and provides guidance on how to choose one over the other. I hold all of these certifications, and I’ve linked to a couple of previous articles where I’ve described the learning experience in a bit more detail.

CISMP has been developed by the British Computer Society (BCS), and is the Certificate in Information Security Management Principles. It is a well-known and common entry-level qualification, which is typically attained by people who are looking to start their careers in information- or cyber- security. It covers, at a very high level, a wide range of topics and provides a good foundation level of understanding. It can be viewed as a preparatory course which you then build on, perhaps specialising in one area or another.

It covers the following topics, and typically these subject areas are covered over five days on a course, with a one hour multiple choice exam at the end:

  • Information security principles
  • Information risk
  • Information security framework
  • Procedural and people security controls
  • Technical security controls
  • Software development and life cycle
  • Physical and environmental security
  • Disaster recovery and business continuity management
  • Other technical aspects

CISSP is the Certified Information Systems Security Professional from (ISC)2, and is one of the two most popular high level certifications (the other being CISM – more on that shortly). Of the two, CISSP is more focussed on technical skills and management, and is based on 8 domains:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communications and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

In order to achieve certification, you must pass a 6-hour exam consisting of 250 multiple choice questions, and be able to evidence at least 5 years’ experience in at least two of the domains listed above. You also need to have an existing CISSP verify your claims of experience.

The Certified Information Security Manager (CISM) from ISACA is the other major certification which companies typically look for. It focusses more on governance and risk than technical skills, and is allied to the Certified Information Security Auditor (CISA) certification, also from ISACA. There are only 4 domains, namely:

  • Information Security Governance
  • Information Risk Management
  • Information Security Program Development and Management
  • Information Security Incident Management

Those applying for CISM need to be able to demonstrate at least 5 years’ experience in 3 or more of these domains, and also have to pass a 250-question multiple choice exam which lasts up to 4 hours. This is currently a paper-based exam which is only available twice a year (all exams globally run at exactly the same time), though it is understood that this is moving to a computer-based test in the near future.

For both CISSP and CISM, certification is maintained by completing and evidencing a minimum of 20 hours of Continuing Personal Development / Continuing Professional Education each year over 3 years, with a minimum of 120 hours of CPD / CPE required in that time. Activities which qualify include attending seminars and conferences, contributing to papers, presenting on one of the domain topics etc.

Summary

CISMP is a good foundation to start a cyber- or information- security career. Candidates cover the basics of the topics involved, and will have a sound understanding for each area covered, which will in turn help them decide which they want to pursue in order to further their career. CISMP has no ongoing CPD requirement.

It can also be seen from the above that there is little difference in terms of qualification requirements between the CISSP and CISM: the former is more suited to those with a technical, more hands-on, background while the latter is better for those who have spent more time on the policy, process and governance side of things. They both require 5 years’ experience in the industry and endorsement from an existing holder of the certification. The exams can be lengthy, but the time allowed to complete them is plenty, and candidates should not find them too daunting.

(ISC)2 and ISACA are aiming to ensure that, because candidates must have experience as well as pass an exam, their qualifications have merit and are valuable for the individual and the company. The requirement for CPEs also helps to ensure that knowledge is being maintained and refreshed over the course of the certification.

Certified Information Systems Security Professional

In November 2015 I attended a week-long bootcamp at Firebrand Training in Wyboston, England. From the Sunday to the Saturday thirty or more students sat in the classroom and tried to take in all of the course materials, ready for an exam on the Sunday.

The exam itself is computer based, 250 multiple choice questions, and you’re given six hours to complete it. You are permitted to take breaks, and the training centre laid on food and drink so you could freshen up a bit before getting back to the exam.

I have to say that if I hadn’t had years of experience to call on, and if I hadn’t done the Certified Ethical Hacker (CEH) qualification a few years before, I would probably have struggled with some sections. As it was, I passed and then had to apply for my certification proper. That involved completing a questionnaire and finding an existing Certified Information Systems Security Professional (CISSP) to vouch for me, then waiting for several weeks before being given the good news.

As with the CISM and CEH designations, recertification requires at least 120 hours of Continuing Professional Education (CPE) in related topics over three years. As I have only recently gained the accreditation, I don’t have to recertify until 2019.

In my opinion, the CISSP from (ISC)2 was the hardest certification for me to pass, though the course for CEH was much more intense.