learning infosec

Workin’ for a livin’

With information security job openings projected to reach the multimillions within the next few years, organizations are growing creative at finding and recruiting new security talent. On the flip side, more and more colleges and universities are offering dedicated cybersecurity courses and degrees, and mainstream media attention to cyber attacks and data breaches may pique interest among students looking for a first-time job or current employees contemplating the next step in their career paths.

“Cybersecurity,” though, is not one, tidy job description; many defined areas of focus exist within the larger umbrella term. While explaining, “I work in cybersecurity” during a cocktail party might be adequate, when it comes to the day-to-day role and responsibilities, practitioners and potential practitioners have more to consider when it comes to selecting a specialty.

Bus boy, bartender, ladies of the night

At the Stevens Institute of Technology School of Business, Associate Industry Professor Paul Rohmeyer meets students from across all walks of life—pre-employment students, career professionals buffing up on or acquiring new skills, individuals with or without degrees or certifications, and everything in between. Often these students look to Dr. Rohmeyer for career advice since he’s both a professor and a security consultant, but Rohmeyer says giving advice isn’t cut and dried. The topic of choosing a career, or dedicated direction within a career, is complex, he explains, and usually depends on a combination of technical skills, non-technical skills, and other interests. Despite the market need, Rohmeyer doesn’t believe that just anybody can be a security practitioner. “Not everyone can be in cyber. To be an effective practitioner, you really need to understand networks, routing, switching, how the internet functions, common attacker tactics, all the nuts and bolts,” he explains. He points out that within certain circles there is a push to take non-technical people and make them cyber experts, but Dr. Rohmeyer feels that it’s important for all security experts to be trained to “build and care for information systems.”

How one gains that knowledge, though, is as individual as each individual him- or herself. “We’re in an era unlike any other with respect to learning. We’re lucky to have so much rich, free material available online and even more behind paywalls,” he explains, knowing full well that working for a university yet pointing students towards (often un-vetted) outside information is a sticky wicket. He advises anyone examining a cybersecurity career to explore different educational options—and not just in a traditional classroom. For instance, students can build test beds or a home-grown lab, take a MOOC, or play with an open source security tool. All of these activities constitute ongoing learning and help students understand individual interests and proclivities.

Certifications, too, are a good way to gain broad-based understanding of security, though Rohmeyer warns that earning a certificate does not replace or even equal hands-on experience. Rohmeyer, like many in the security industry, worries that recruiters and HR departments often rely too heavily on paper-based qualifications, given the pressing need to fill open positions. However, textbook learning cannot substitute for the ability to spin up a server, configure SSL/TLS using appropriate cryptographic algorithms, or correctly deploy a firewall.

Grease monkey, ex-junkie, winner of the fight

Once a bit of educational exploration has occurred (inside or outside the classroom, or upon careful self-reflection), Rohmeyer says it’s time to correlate skills and interests to find the right career path. He asserts that being too much of a generalist doesn’t work well—today’s threat environment necessitates specialization. Fortunately for anyone in or considering cybersecurity as a career, manifold options exist.

Are you interested in offensive or defensive responsibilities? Prevention or response? Technical or policy work? Managing long-term programs or short-term projects? From operations to forensics, regulatory compliance to governance, these disciplines all require different skill sets and personality types but are equally important components in the cybersecurity drivetrain.

Students who possess deep technical knowledge, are conversant about today’s cyber threats and risks, and understand vulnerabilities and outcomes might be an excellent fit for operations careers, says Rohmeyer. Not everyone with these talents is suited for operations, though. The most important capability for being an effective ops practitioner, claims Rohmeyer, is “good diagnostic skill—someone who is good organizationally and knows how to quickly get the right resources aligned to work on problems. Rapid decision making and a ‘response personality’ are key.” He says that people who are very technical and function better autonomously might not be comfortable in the ops world; those individuals might prefer working in a lab environment, on technical research, reverse engineering malware or analyzing exploits. Both career options are critical to the field, but the former requires a “front-lines” and team mentality whereas the latter fits for those who enjoy focusing deeply on specific problems as an individual contributor.

On the other end of the spectrum are those who have a thorough interest in and knowledge of vertical industries and who are well-versed or trained in law and the accompanying regulatory landscape. These types of personalities make excellent governance officers and managers, a function Rohmeyer feels is currently underserved in the security industry. Often students Rohmeyer counsels hold the misconception that people working in governance are essentially clerical workers and need an audit-like mentality. Nothing could be farther from the truth, he offers. “Security governance is highly complex and requires someone who can effectively straddle the technical world and the legal/regulatory world. It’s a hard job because without the right technical skills you can’t apply policy in the right way, and without strong policies the security program doesn’t operate effectively.”

Walkin’ on the streets, it’s really all the same

Per a 2016 “Next-Generation Workforce” study conducted by Mike Saurbaugh and presented at InfoSec World, nearly 70% of students enrolled in higher education technical programs want to become a CISO or manager/director of security.

Source: Mike Saurbaugh

Though accomplishment in technical security has, to date, often led to appointment in a senior security role, leadership is not for everyone—nor does it make you a bad person or underachiever if this career choice is not of interest to you.

Individuals who excel at leadership have a solid combination of notable technical skills (to understand what the security team is working on and what’s possible technologically) plus formidable communication, collaboration, and trust-building skills (to navigate business responsibilities and relationships and lead the security organization). Leaders must have the ability to see the big picture and establish the long-term strategy rather than getting mired in the details of day-to-day log management or the like. In addition, if budget planning and resource management aren’t up your alley, steer clear of decision-maker roles, says Rohmeyer, as these tasks make up more and more of security leaders’ work hours. CISOs, too, are frequently asked to defend the security team/budget/choices/outcomes; people who are a good fit for these roles can therefore explain and defend decisions without becoming confrontational, understand industry benchmarks, and can deescalate situations when they turn heated.

Sellin’ souls, rock ‘n roll

A very common security career choice is owning or working for a consultancy. In many people’s view, this is where the action and money are! Consultants are the heroes who swoop in to identify, contain, eradicate, investigate, and recover from security incidents; they don’t have to deal with the monotonous tasks of setting up Active Directory or resetting passwords. All of this “star power” comes at a price, though, which many people don’t realize before they jump in with both feet. Consultants usually work long hours, travel more than they’re at home, and frequently must spring any time the phone rings. “Consulting is rapid fire and intellectually rewarding,” says Rohmeyer, but people who prefer a steady state and longer-term planning might be happiest choosing another career path.

Any other day

Infosec as a career choice is hugely rewarding. Whichever discipline you choose, security requires life-long learning and constant change—you’ll never grow bored. Security is not for the complacent or those who prefer book-based knowledge, and it’s certainly not for anyone who needs answers 100% of the time. Aside from those minor details, anyone who wants to (learn then) apply deep technology expertise and combine it with unique personal attributes can find a place working in security.

The industry needs more problem solvers and out-of-the-box thinkers. Fortunately, in security there’s room for diverse personalities and abilities everywhere you look. Don’t settle for what appears most rewarding to someone else; each role can be fulfilling for the right person. It just depends on what you want from your unique career.