Meera Rao, senior principal consultant at Synopsys, explains the requirements for in-demand cyber security jobs and how you can contribute
I was a software developer and continuous integration practitioner for over 20 years before I unintentionally found myself in the cybersecurity field. This was during the great recession of 2008—I remember the date even today: October 3rd. That was the day that I found out the company where I was working was closing.
I had no idea what my next move would be—or should be. I found myself interviewing at a security firm (which would actually later be acquired by Synopsys). They asked tons of questions about security. I kept repeating over and over “I have no security background.” Despite this, I must have said something that enticed them because they gave me an offer the following day. While I admittedly had zero security skills, I did have unmatched development skills.
At that point, I had no clue about anything related to security. I was quite nervous when talking to my own colleagues, let alone speaking to clients or at conferences. Initially my project reviews were bad. However, I vowed to be the best. I burned the midnight oil to learn—from scratch—everything about information security.
Learning to speak intelligently about the field, and sharing my knowledge at conferences, helped me a great deal to build my security career. Having a solid understanding of software development, end to end knowledge of the software development life cycle, and a deep understanding of software architectures was instrumental to my success in the field. And yes, these are the three key areas in which you need to make an effort to succeed within the software industry, and even more so in terms of an application security career.
A strong understanding of software development, a passion to learn, and a drive to prove myself in this field drove me day in and day out to excel. The passion, hard work, dedication, and willingness to learn helped me get up to speed, and to keep up with this ever-changing field. These are qualities I encourage you to embrace as well.
From data breaches and open source security issues to IoT device vulnerabilities and unsecured servers—we’ve seen it all and continue observing these security concerns every day. Wondering how you can be part of a fast-paced industry that has a severe talent deficit, while making a positive impact and growing your career? Let’s examine some of the newest, trendiest areas of specialization.
Cloud, DevSecOps, and shifting security left in the software development process are some of the latest buzzworthy topics in the cyber industry. As such, I’d like to walk you through the requirements for in-demand jobs, share how you can contribute, and join these emerging areas within the industry:
Cloud Security Practitioner
Cloud is the talk of the town. Every organization, big or small, wants to move to the cloud. A few reasons cloud technologies have become so popular are their flexibility, cost, ability to recover data, security methods, and ease of use.
To work as a cloud security practitioner, you’ll need to show that you have experience building, communicating, and managing cloud environments. Be able to explain how you have supported and/or managed migration to the cloud, delivered a cloud-native project, or delivered cloud automation.
Do you have working knowledge of Amazon Web Services, Microsoft Azure, and Google Cloud platforms? How about knowledge of RedHat / OpenStack? These skills are highly valuable. Does it mean that if you don’t have these skills right now, you can’t work as a cloud practitioner? Not at all. You can take baby steps to learn your way around one cloud provider, get to know the terms, and become proficient. Then, jump onto other cloud providers. It’s about the journey—building your skills over time.
DevOps, DevSecOps, SecDevOps—however you refer to the concept, this methodology is on the rise globally. If you are interested in being part of a great DevSecOps team as a DevSecOps engineer, you should gain experience in containerization technology, preferably Docker and Kubernetes.
It’s important to have written enterprise Java applications using the JEE technology stack. You should also have deep knowledge of build automation (using tools such as Jenkins and Bamboo) and release automation (using tools such as Jenkins and Puppet), and experience using scripting languages (e.g., Ruby and Python).
If you don’t yet hold these skills, you can learn them as long as you have access to a computer. There are free online resources to learn these languages. You may find yourself spending a few weekends learning these scripting languages, but I’m sure you’ll soon find that it’s time well spent.
Security champions are software developers. They allow for application security development and architecture to provide the first level of defense when it comes to providing application security guidance to development teams. Security champions serve primarily as developers, but also play a larger role ensuring their applications are secure.
Champions might spend all their time performing security reviews, providing remediation assistance, and training developers across a portfolio of applications. If you are part of a development team, have good communication skills, and are curious to know more about security, you’re an ideal candidate to become a security champion.
Threat Modeling SME
Threat modeling identifies the types of threat agents that cause harm. This method adopts the perspective of malicious hackers. If you are able to review a system’s major software components, security controls, assets, and trust boundaries, and then model those threats against existing countermeasures and evaluate the potential outcomes, this is the job you would apply for.
Understand that this role requires a solid understanding of application architectures, frameworks, and the threat landscape of an application. Threat modeling requires an experienced security architect with knowledge in three fundamental areas: architecture and design patterns, enterprise application technologies, and security controls and best practices.
Performing threat modeling is a difficult and expensive undertaking for most organizations (due to lack of resources, the time required to perform threat modeling, and the skillset), and finding skilled resources is always a challenge.
Do you like traveling? Are you looking to parachute in wherever software insecurity invades and to stomp out bugs and flaws wherever they hide? If so, you would enjoy life as a security consultant. In this role you can perform source code analysis, software penetration testing, secure software design and architecture, and will become an indispensable advisor to customers.
This role also requires an understanding of application architectures, frameworks, and application threat landscapes. There is a growing need across all areas of cybersecurity—this is an excellent starting point to build your security skills.
To sum things up, the key to being successful when it comes to a career in cyber security is the drive to constantly learn about new attack vectors, strategies, and threats. And above all, you’ll want to focus your drive on helping customers exterminate bugs and untangle the flaws that make their systems insecure. Join us in the fight—become part of the solution.