Careers in cyber security
There are numerous routes into a cyber security career and different paths to take within it. You may be new to the world of work and thinking that cyber security might be for you, but unsure what path to take or where to start. You may have years of experience in cyber security roles, but be unclear about what your next step, or even the end-goal for your career, is. You may even have years in other industries and be considering a complete career change.
In this blog we look at some of the roles within cyber security and some paths into the industry in general, covering the different scenarios above.
In a lot of cases, the skills needed for any job can be taught, so a fairly broad but less detailed knowledge of key areas will often stand you in good stead to start. As is true in most walks of life, attitude, a desire to learn and a willingness to work hard are what will make you stand out, more so than any qualification – but that is not to take away from the benefits of qualifications in making you a more rounded individual.
The main output of a pen tester is to run a simulated attack on an organisation to test their network strength and response and then present the findings back to the organisation. Programming and scripting (such as Bash, Python or C++) are an important part of a pen tester’s job, but a broad understanding of technology and how people use it is a good starting point. In addition, being able to articulate your findings to a range of people (not all technically minded) within the context of their organisation is an important element of a successful pen tester. Read more about the life of a Pen Tester and how to get started in Akimbo Core’s blog.
“Whilst it’s useful to know how to use common security testing tools, it’s better if you can understand what’s under the hood.” - Holly Grace Williams, Managing Director at Akimbo Core, on the important skills for a Junior Pen Tester.
Often more of a freelance role (at least initially), bug bounty hunting involves actively searching for unknown vulnerabilities that can be exploited and reporting them to software vendors before attackers can take advantage of them. At a basic level, bug bounty hunters will develop a hypothesis based on a piece of intelligence and then test it.
Important skills include curiosity, an analytical mindset and the ability to challenge accepted wisdom. Experience-based skills and knowledge, such as malware analysis and system and tech knowledge, can all be learnt on the job. Bug bounty hunting can be very lucrative, with major organisations paying huge sums of money to anyone who can find flaws in their security. As a result, it’s also competitive and challenging, and several years in cyber security may help give the edge, although there are, of course, individuals who have started with bug bounty hunting and been highly successful.
Security Analysts often work in a SOC (Security Operations Centre) and are commonly split into 1st, 2nd and 3rd line. A SOC Analyst role in general involves monitoring an organisation’s network for known threats, investigating alerts and following the assigned playbooks (processes) in order to analyse and investigate before coming to a conclusion about the next steps.
Useful skills for a SOC analyst include technical knowledge of networks (although this can be taught) alongside analytical skills and natural curiosity to spot anomalies. Like most roles, it’s not all about technically knowing what you’re doing – you’ll need to engage with customers, be they internal or external, to explain potential threats in a context they can understand, as well as advise on next steps.
At e2e, we have a Cyber Consultants team. Their main responsibilities are to develop security use cases and associated playbooks, both generic to the use case and tailored to the network and risk appetite of an organisation. They also engage with customers to help improve their security through running threat workshops and having a broad threat intelligence knowledge base. Useful skills for a consultant include the ability to see the bigger picture and to cut through the noise to identify the root cause of a problem.
A consultant is likely to have an established background in a cyber security role to gain a practical understanding of threats and how they develop. One often overlooked skillset in consultancy, and arguably in cyber more generally, is understanding how people work. The best processes based on the technical results of threat workshops and network mapping will only work in theory; understanding what they mean for individuals in an organisation and making them easy and desirable to follow will make them much more likely to succeed.
Broadly speaking, forensic roles centre around incident response, whether that be building a proactive Incident Response (IR) plan or getting involved during an active incident. This can involve jumping in during an incident and helping with the response to stop it in its tracks or reduce the impact (which can include negotiating ransoms, although often this is best left to the NCSC, police and/or regional cyber-crime units). In addition, the role involves investigating post-breach to understand exactly how the attackers got in, predict how they may get in again, should they try, and to identify lessons learned.
Incident response skills cover many of the requirements of other roles, as the incident responder needs to understand network architecture, operating systems and hardware to consider how attackers may have got in. They then need to translate this in a way that supports a defensive team’s ability to better defend (or to react if part of an active incident).
The Chief Information Security Officer is often the most senior cyber security professional in an organisation. Organisational structure varies greatly, with CISOs reporting into CTOs, CIOs, CEOs and/or sitting on the board. The challenges for a CISO change drastically with the organisational culture – in some, convincing the board of the importance of taking cyber security seriously (and not just paying lip service to it) will be a significant challenge. Showing return on your cyber investments (whether made by a predecessor or yourself) will be critical to your success as a CISO and can be challenging, whether the organisation has not been hit yet (and so why would you need to spend more?) or, if your organisation has suffered a successful attack, in evidencing the elements of your security posture that did their bit and others that may be underperforming.
Whatever the situation of an organisation, a CISO should focus on making cyber security an organisational problem – not just one for the cyber security/IT team to worry about. They will need to build out processes and the right people (whether internal or external) to get the best out of the technology at their disposal.
As a result, the skills of a CISO are broad, drawing on a good background and years of cyber security and/or IT experience. They will need to be able to manage upwards (and across to other senior leaders) to impart the importance of taking cyber seriously, as well as being able to manage teams of people, both directly and indirectly, to improve the security posture.
Sales & Marketing
Whilst there are a number of roles in cyber that could fit an ‘Other’ category, probably the major non-operational area of specialism is in sales and marketing. Neither is an easy job: the cyber security industry is growing rapidly, with many new entrants to the market, meaning that standing out becomes harder while the industry matures. In both roles, being able to understand the customer is critical – whilst trends can be understood with regards to ransomware, AI/ML and the cyber skills gap for example, the ability to translate these to specific customer needs is critical, especially within sales.
It can be beneficial to move into a sales or marketing role in cyber from an operational cyber security background, but it is by no means necessary. Broader experience or knowledge of IT, how people work and being articulate will go a long way in either discipline.
As with consulting and most roles within cyber security, understanding people is critical – especially in a sales role. Whilst general trends (e.g., ransomware and supply chain attacks) will be a good starting point, each organisation will have different challenges and concerns, and getting to the bottom of these and building solutions based on them will help you and your organisation stand out much more than repeating a piece of research or generalised assumption.
There are a range of routes into a cyber security career, whatever the discipline, and the best one will depend on your personality and previous experience. For some, a degree in IT-related subjects is a good starting point (including, though by no means necessarily, a Cyber Security degree*); for others it may be better to look at IT roles and learn on the job, planning a sideways move into cyber security. Often being on an IT help desk can be a great starting point in understanding customer challenges, learning more about networks and gaining that all-important experience in dealing with people and helping them fix issues, given a huge range in skillsets and context.
Whilst organisations shouldn’t hire just based on qualifications, the fact is that they will often expect a baseline to evidence knowledge and expertise in a subject. A common and well-respected set of qualifications comes from the SANS Institute for specific cyber qualifications. However, these can be very expensive for individuals and so it may be best to go down the route of getting IT experience/theory and look to work for an organisation that will support your studies. There is also a good range of free (or inexpensive) resources to explore, such as Udemy, Cybrary and Hackthebox.
One really exciting initiative designed to get around this problem, and aimed specifically at people who want to retrain into cyber security with little to no previous experience, is CAPSLOCK. The training takes the form of online courses and covers a broad range of cyber skills, but also, very importantly, career coaching and impact skills aimed at helping students get a job, not just a qualification. In addition, CAPSLOCK aim to remove as many barriers as possible and as such, learners don’t pay a thing until they get hired, and even then payment is a percentage of salary, making paying it back much more manageable than, say, a lump sum or regular set amount.
Clearly there are many more roles and routes into these (some of which won’t even exist yet), but we hope this guide provides useful tips to people unsure where to start and a glimpse of the range of options available.
If you’re interested in exploring roles at e2e, we’re hiring right now – check out our careers page or email careers(at)e2e-assure.com.
* Whilst an IT or cyber degree is the obvious academic starting point, not having one is not a blocker to a good career – for example, e2e have team members with Geology, Chemistry, Maths and History degrees. As with most careers, it’s the mindset and work ethic of an individual that really dictates their success – you can learn the technical and practical skills on the job at the right company.