-By Barbara Kay
After a 5% increase in 2016, average IT Security permanent salary rates climbed another 1% in Q1 2017 to reach £58,725, according to the Experis Tech Cities Job Watch for Q1 2017. What with looming GPDR deadlines adding pressure on companies to hire capable cybersecurity talent, is now the time to consider a career in cybersecurity? As someone with 15 years’ experience in the industry, here’s what I think.
Cybersecurity is a complex profession, blending technical, business, and socio-political subjects. While there are definitely opportunities within core IT engineering tracks, such as network operations, systems administration, and database management, cybersecurity requires rising above the purely technical. Detecting and investigating an incident requires consideration of the context, motivations, and relationships of the attacker (or insider) and different events. It requires creativity, imagination, and dogged determination.
This diversity makes cybersecurity fun.
It also makes it possible for people to follow non-traditional degrees and career trajectories into success in cybersecurity. I work closely with a philosophy major who is training security operations analysts to write software for accelerating security processes. My own degree combines History with English, and yet I earned a Certified Information Systems Security Professional (CISSP) accreditation, which is recommended for anyone with “security” in their job title, and means I can technically become a Chief Information Security Officers (CISO) one day.
We welcome people with backgrounds in teaching, law, and accounting, not just people with software degrees. We need the people, and we need different skills to those that were important 15 years ago, when computer security was about updating antivirus or creating a firewall rule.
Technology is important, but not sufficient
I can’t lie to you -- you do need to have aptitude for and facility with technology. But that comfort is far more common for today’s millennials and thirty- and forty-somethings than it was in the dot-com era, before widespread mobile technology and ubiquitous Internet access changed everything. Frankly, as a consumer, and doubly so as an enterprise employee, you are involved already in cybersecurity. You deal with phishing, encryption, authentication, and privacy concerns every day. If you pursue a career in cybersecurity you can switch from being a victim to an activist.
The key requirement is having the ability to think outside the standard literal and serial processes that are the hallmark of many engineering functions.
- Can you see patterns and create associations?
- Can you extrapolate from regulatory direction to practical plans?
- Can you herd, coach, and nurture others through changes to systems, organisations, and daily processes?
- Can you work at a fast pace, and jump between topics and priorities?
- Do you have a wicked sense of humor and a healthy dose of skepticism?
In cybersecurity, you don’t need a posh outfit. We care what you can do and how you think, not what you wear.
Ready, set, think!
OK, you are eager. Now what? Can you walk in and be hired immediately? No. But you can get there relatively quickly through training, which is increasingly available from local colleges and institutions, fostered by public and private sector organisations who are desperate for the right skills.
I would start this process with a self assessment.
What are you already capable of, and where do you need to invest to build skills? Cybersecurity has two trifectas: its components (People, Process, and Technology) and its definition (Confidentiality, Integrity, and Availability). You must be good at understanding and implementing several of these things to have a chance in this space, and you need to grow into an understanding of the inter-relationships to succeed.
The people, process, and tools mantra is central to other areas of IT, as well as other functions in life (every fireman and nurse can describe incarnations). Well-defined processes help the people use the tools for maximum positive impact, both efficiency and efficacy. So it’s likely you may already be adept in managing these relationships. For example, in security operations, we have an intense interest right now in implementing automation that increases the contributions tools make in investigation and response processes, to lighten the burden on the people. Consultants, software engineers, teachers, and contractors all have skills that support getting the right things done the right way in the least time.
Confidentiality, integrity, and availability may each be valued separately in life (we sign confidentiality agreements; we get service level agreements that guarantee uptime). They represent an inter-related system for cybersecurity. Changing one may affect another, in disastrous ways. Since security crosses operational and business interests, you may find yourself educating marketing people on the importance of confidentiality to the appeal and success of their new business service. You may need to negotiate with a network engineer to schedule in software updates and establish privileges and segmentation to support integrity and confidentiality, not just the 5 nines availability traditionally measured. Understanding their priorities will help you achieve your own.
Cybersecurity is different from other jobs. The satisfaction can be intoxicating. The pace can be addictive. Are you ready to get out your trainers and get involved.
-Barbara Kay, is Senior Product Director at McAfee and works on McAfee’s threat intelligence and analytics solutions and McAfee’s security management platform.