Career in Cybersecurity

There was a time when, if you said you worked in cybersecurity, people would take you for a security guard at some unheard-of company. Not anymore! Today cybersecurity is in the mainstream. If you are in the business of protecting internet-connected systems, including hardware, software, and data, from adversaries, then you are already a cybersecurity practitioner.

The field of cybersecurity involves application security, information security, network security, disaster recovery or business continuity planning, operational security, and security awareness and training. These supplement physical security, the traditional field of security that protects physical locations and assets.

According to Forbes (Bradford, 2017), the average salary in cybersecurity was $116,000, or approximately $55.77 per hour, in 2017. Depending on the role it could go up or down. Such positions include Security Analyst, Risk Manager, Security Architect, Security Engineer, Security Tester and, at the highest level, Chief Information Security Officer (CISO).

If you have a passion for writing code and building applications, a natural career move is into application security: the use of software, hardware, and procedural methods to protect applications from external threats. The IBM System Science Institute (Dawson, Rahim, Burrell, & Brewster, 2010) estimates that a bug found in production costs around six times more to fix than one identified during design. Application security practitioners help to identify vulnerabilities in the design, code, and binaries early in the System Development Life Cycle (SDLC). The ideal candidate for this practice is someone with software development experience and training in methodologies such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and penetration testing. Certifications that would help to get into this field include Certified Secure Software Lifecycle Professional (CSSLP) and Certified Ethical Hacker (CEH).

Individuals whose experience includes project management and architecture would find information security exciting: they come up with the set of strategies for managing the processes, tools, and policies necessary to prevent, detect, document and counter threats to digital and non-digital information. As Risk Managers and Security Architects, their primary goal is to protect the confidentiality, integrity, and availability of information. Certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC) would help in getting into this practice.

Those who have been practicing network administration would be a good fit for network security, where they engage in design activities to protect the usability and integrity of computer networks and the data that flows through them. They deal primarily with network access controls and segmentation to protect data from unauthorized access and maintain its integrity, while keeping it available to those who need access. Having a Cisco or similar network certification along with the CISSP would help to get into the network security practice.

Disaster recovery or business continuity planning is the practice in which practitioners determine the essential functions of the business, identify which systems and processes must be sustained, and detail how to maintain them. The method involves anticipating natural and other disasters that could have a significant impact on the business, preparing a "Plan B" to sustain business operations, and continuously testing it. Certifications that help to get into this practice include Certification of the BCI (CBCI), ISO 22301 Certified Business Continuity Manager (CBCM), Certified Business Continuity Professional (CBCP), Certified Disaster Recovery Engineer (C/DRE), and EC-Council Disaster Recovery Professional (EDRP).

OPSEC (operational security) is an analytical process that classifies information assets and determines the controls required to protect them (Rouse & Cole, 2016). It describes strategies to prevent potential adversaries from discovering critical operations-related data. As information management and protection have become crucial to success in the private sector, OPSEC processes are now standard in business operations. OPSEC encourages managers to view operations or projects from the outside in, that is, from the perspective of competitors (or enemies), to identify weaknesses. Developing the art of threat modeling and risk management is essential in this practice. A CISSP with appropriate education and experience, usually in the military or the Department of Defense, would be an asset in this practice.

Have a passion for developing training materials and training people? Security awareness and training is looking for you. It involves educating employees about corporate policies and procedures for working with information technology (IT). Security awareness practitioners tell employees whom to contact if they discover a security threat and educate them that data is a valuable corporate asset. It always helps to have a CISSP when looking for a position in this area.

Today many reputable universities offer formal education in cybersecurity, information security, and information assurance. Some of these programs are geared toward the tech-savvy, while others are for mid-career professionals looking for career growth on the management side of cybersecurity. I would recommend those recognized as a Center of Academic Excellence in Information Assurance Education by the National Security Agency (NSA) and the Department of Homeland Security (DHS).

Cybersecurity is here to stay. Professionals will always be required in cybersecurity as long as there are adversaries. With the right talent and skills, an individual should not have difficulty finding a career in cybersecurity. According to Forbes, there will be as many as 3.5 million unfilled positions in the industry by 2021 (NeSmith, 2018). So why wait?

References
– Bradford, L. (2017, February 27). How To Start A Lucrative Career In Cybersecurity. Retrieved from Forbes: https://www.forbes.com/sites/laurencebradford/2017/02/27/how-to-start-a-lucrative-career-in-cybersecurity/#14b17b1f1066
– Dawson, M., Rahim, E., Burrell, D. N., & Brewster, S. (2010). Integrating Software Assurance into the Software Development Life Cycle (SDLC). Journal of Information Systems Technology and Planning, 49-53.
– NeSmith, B. (2018, August 9). The Cybersecurity Talent Gap Is An Industry Crisis. Retrieved from Forbes: https://www.forbes.com/sites/forbestechcouncil/2018/08/09/the-cybersecurity-talent-gap-is-an-industry-crisis/#59005c36a6b3
– Rouse, M., & Cole, B. (2016, July). OPSEC (operational security). Retrieved from TechTarget: https://searchcompliance.techtarget.com/definition/OPSEC-operational-security

Official (ISC)2 Guide – Review

The book is highly rich in technical content and was reviewed by Hal Tipton, a very well-known and knowledgeable security professional. I got this book to familiarize myself with the syllabus and the concepts behind each common body of knowledge. Some of the chapters are easy to digest; however, some are really long and tough. I guess it all depends on the reader's domain knowledge. Since the book has three authors, it clearly shows three different styles of writing.

The reader will feel the difference while moving from one chapter to another, which makes for an unpleasant experience. This book is an excellent reference with a lot of definitions and explanations. I read this book completely and then started attempting questions. I used this book as the primary reference, with the "internet" as the secondary reference. I used all other books for more information or clarification. Try to attempt all the questions at the end of each chapter of any book. "CISSP Prep" and "Advanced CISSP Prep" by Ronald L. Krutz would be a last-minute refresher. It is better to understand the concept behind each topic than to memorize it. The exam tests your knowledge and experience, not your memory.

Authors: Susan Hansche, et al
Publisher: Auerbach Publications; Bk&CD-Rom edition (January 1, 2004)
Language: English
ISBN: 084931707X

CISSP Preparation Resources

Start your CISSP preparation with the (ISC)2 website, https://www.isc2.org. Understand what a CISSP is and the requirements for the exam. If you don't have the minimum work experience required for the CISSP, you can start with the Associate program after passing the exam. Don't wait!

The following resources helped me in preparing for the CISSP exam in 2004:

  1. Official (ISC)2 Guide to the CISSP Exam by Susan Hansche, John Berti, Chris Hare
  2. The CISSP Prep Guide: Gold Edition by Ronald L. Krutz, Russell Dean Vines
  3. Advanced CISSP Prep Guide: Exam Q&A by Ronald L. Krutz, Russell Dean Vines
  4. CISSP All-in-One Exam Guide, Second Edition (All-in-One) by Shon Harris
  5. CISSP Training Guide by Roberta Bragg
  6. Information Security Management Handbook by Harold F. Tipton

A Listmania! list by Shaheen N Abdul Jabbar of the above items is available at Amazon.com.