Taking a good look into the Cyber Security Profession
By Candy Alexander, CISSP CISM, Information Systems Security Association
It’s just one of those things: if you are in “it,” you forget that others may not know what the heck you are talking about. That is exactly the case with Cyber Security, or, when I first started, what was called Information Security.
I have been fortunate enough to have grown up along with the profession and often forget that a lot of people have no idea what it is, exactly, that I do. Usually when I get the question “what do you do for a living” and I respond with “I’m a Cyber Security Professional,” I get a wide-eyed look along with “oh, that’s nice.” Some of those same responses have come from former bosses, which led me to the topic of this article.
My work with an international professional association of Information Security Professionals has allowed me to stay on top of hot trends in the profession and the industry as a whole. In the past 2-3 years, there has been a lot of media coverage of a gap of skilled and qualified cybersecurity professionals to fill upwards of 1 million+ open jobs, and that’s just here in the United States. Pretty amazing, since most businesses don’t even understand what the job entails, never mind needing someone to fill it. Many of those jobs exist because regulations (either legislative or industry) require companies to have a skilled and qualified individual identified to lead the “security” effort.
That, again, brings us back to the question, “what exactly is a Cyber Security Professional?” The simple answer is an individual who has been specifically trained to protect information in our cyber world. As you might imagine, there are different degrees of knowledge and different disciplines. I guess you could say that it’s one of the world’s best-kept secrets. And that’s been our problem in the profession.
The reason it’s a problem is that when it comes to protecting cyber environments, many believe that you just need to get the “IT guys/gals” to put in a firewall, or some other security technology. But if it were that easy, we wouldn’t have data breaches and hacking incidents like we’ve experienced in the past few years. Don’t get me wrong, the “IT guys/gals” do wonderful things with technology, but it does take more than that. There is an adage that a sound approach to cybersecurity is three-fold: “people, process, and technology.” And the “IT guys/gals” have one of them covered.
That is where the Cyber Security Pro comes in. Cyber Security Professionals are trained in all three areas, adding the dimension of the “CIA Model,” which is Confidentiality, Integrity, and Availability. When I first started, it was learned by trial and tribulation; now there are many colleges and universities offering undergraduate and graduate programs in Information Security and Information Assurance.
The topics that Cyber Security Professionals must understand go beyond technology to include human behavior and motivation, in order to understand why people hack; kind of like the saying – in order to catch a thief, you must think like a thief.
When you get to the “higher levels of the profession,” it is also important for Cyber Security Professionals to understand what organizational governance is and how to motivate people to change their habits – like not opening emails that promise fortunes from foreign princes. And the most important thing a good Cyber Security Professional needs to understand is how to work with all groups within the business. Like other core functions such as HR, Finance, and IT, it is necessary to work across the board in order to identify what is important and how best to protect it.
So, let me close with this. I hope you now understand that there is a lot more to this profession than you thought when you first started reading this. Understand that Cyber Security is a profession that is 30 years old and that there are different levels: entry, mid, and executive, believe it or not. There is more to Cyber Security than firewalls and penetration testing; there are many different disciplines within the profession, such as forensics, program management, analysis, and assessment.
If you need to hire a Cyber Security professional, understand exactly what it is you’re requiring them to do. Check to see what their qualifications are and whether they have any security-specific certifications. Certifications are a great way to tell if someone has a baseline of knowledge!
If you need to find out more about the profession, there are a lot of resources out there. The US Federal government has a great initiative (National Initiative for Cybersecurity Careers & Studies) that is a good starting point. The Information Systems Security Association can also provide you with some guidance, especially if you are interested in making a career change or are just starting out.