II.

Cybersecurity as a profession

Cybersecurity has been part of many professions’ responsibilities, and it has also emerged as a profession in itself. Let’s take a closer look at some potential career options.

Cybersecurity professions today come in many forms, and most roles combine skills from neighbouring areas such as privacy, software development, physical security and auditing.

Corporate professions

In the past, high-security organisations (such as defence or intelligence) and high-value transaction processors (the financial services sector, stock exchanges and payment card processors) were the first to focus on securing their systems. In practice, this meant building internal controls inside the company to safeguard its information.

In the 1960s, the growing commercial use of computers (such as IBM mainframes) created a need for information technology controls and auditing. That led to a control and audit-focused profession, which still exists as a part of the daily work of many roles in modern organisations.

Note

In 1969, the Electronic Data Processing Auditors Association (EDPAA) was incorporated in Los Angeles, California, USA. The association is today known as ISACA, and is one of the organisations that provide cybersecurity training and certifications (such as CISA, CISM and CSX-P) for cybersecurity professionals.

Traditionally, corporate security (consisting of guards, fire drills and locks) considered cybersecurity to be a small part of its profession, if even that. Back then, IT security was considered to be linked only to internal IT services: the workstations, mainframes and networks.

Gradually, physical security systems themselves became network-connected, and physical controls (for example doors and locks) could no longer protect information that was reachable from outside via the internet.

Today, corporate security leaders pay attention to information security because digital processes are a much more significant part of a company’s operations. At the same time, IT security has broadened into information security: securing information regardless of whether it’s on paper or in a digital format.

IT security and information security (later dubbed cybersecurity) were at first seen as separate professions. With digital convergence, these professions began to change and merge, although the traditional roles of corporate security manager and IT security manager both continue to exist.

Note

With GDPR coming into force in 2018, many organisations (public authorities and those processing personal data at scale) were obligated to appoint a dedicated Data Protection Officer (DPO) to develop practices protecting the privacy of their employees and customers. Privacy requires security controls, which means security and privacy professionals work closely together, as they are working towards the same goal.

Although some titles (such as DPO) are very widely used, the roles differ in each organisation and industry. Also, each role, or some of its tasks, can be outsourced to a consultant from a professional services company, which has created a sizeable cybersecurity consulting industry.

People from different roles in cybersecurity

Common roles in cybersecurity in organizations

Chief Information Security Officer (CISO)

Typically, CISOs are responsible for developing security culture and processes and leading information security operations and functions. CISOs work as interpreters between business, leadership, vendors, authorities and technical cybersecurity professionals.

Information/Cyber/IT security manager or professional

These professionals take care of daily security processes, support security-related projects and coordinate security incidents. They also prepare training guidelines and policies for personnel. They convert policies and principles into actionable tasks in the organisation.

Security manager or professional

Security managers provide more traditional security services, such as physical access control, which increasingly run on networked digital systems. Security managers provide concrete safety to personnel while also having to ensure the cybersecurity of the access control service itself.

Information system auditor

An audit professional tests security controls (physical and digital) and provides recommendations for improving them. Sometimes they use special tools like scanners to test actual configurations. Auditors provide independent and objective views to help others develop practices.

Consultants

Consultants also take part in hiring, coaching, mentoring or otherwise supporting these roles. Consultants often have a background from one of the above positions.

From a hobby to a career in ethical hacking

As we learned in Chapter 1, hackers can have different hat colours. Unlike in the early years of the profession, white hats and other ethical cybersecurity “hobbyists” are nowadays able to turn their passion into a profession.

In a corporate role, days are busy, usually full of meetings with colleagues and internal or external clients. That leaves little room for exploring or testing creative ideas (hacks) unless they provide immediate value. Very few organisations can afford to hire full-time researchers unless they are government-sponsored research institutions.

However, as the cybersecurity market has grown and job opportunities are global, fully remote work and research has emerged as a niche where highly specialised hobbyists/researchers – so-called “ethical hackers” – can earn a living.

Bug bounties

Crowdsourcing platforms like HackerOne, YesWeHack, and Intigriti provide hackers a method to monetise their “hacks” or engage in “bug hunting”. Anyone can join these platforms more or less anonymously and seek organisations who have so-called “bug bounty” programmes. Through these programmes, organisations can offer their product, service, app or a snippet of code for testing. Should any of the hackers on the platform find a software vulnerability, they are paid a bounty depending on the quality and severity of the finding.

At its best, this career option has been presented as the ideal of future work: you can work from anywhere, whenever you want, and earn well. However, there has also been criticism. Firstly, very few ethical hackers earn well over a long period of time. Secondly, companies may wrongly assume they can replace systematic testing with the opportunistic and often random results of bug bounties.

Note

Every organisation should have a vulnerability disclosure program of its own. A bug bounty program is usually not necessary. A vulnerability disclosure program defines ways for researchers to securely communicate details of a vulnerability and how they are internally handled and fixed. A bug bounty program is something you might consider starting if the benefits of it seem to outweigh the possible monetary expenses and the time it takes to manage it.

Also, according to some reports, bug bounty platforms use NDAs to trade a bounty hunter’s silence for the possibility of a payout. This allows some corporations to silence bug bounty hackers about the most serious security vulnerabilities without fixing them, which leaves users of the software in question exposed to a breach.

As with many other platform businesses, there is also criticism around potential violation of labour laws, which in many countries would force employers to take care of their employees. As a bug bounty hacker, you are technically your own employer and thus it’s difficult to ensure workers’ rights through the platform.

Example

Read an interview with a bug bounty hacker.

Offensive and defensive security jobs

In offensive and defensive security tasks, the “red team” refers to being on the offensive to test controls, and the “blue team” refers to a defending team.

Penetration testing (in short “pentesting”) is a form of offense-related and explorative testing of a system, app, service, server, network, device or even a vehicle (like an airplane or a car). The red team targets larger entities, such as a corporation as a whole.

Unlike bug bounties, this form of testing has a target, a scope, a client, success criteria and an associated payment. Some organisations may have “pentesters” on their payroll, but more often such specialised tasks are outsourced to companies that have specialised in this area. The difference between opportunistic hacking and pentesting is that pentesters provide assurance and are systematic in their approach, trying to cover most potential attack methods.

Examples of roles of red / blue teams

Red and blue team members

Red: Technical pentester

Pentesters use offensive tools, both commercial ones and ones they have written themselves, to gather information about the target and to test it. They identify configuration weaknesses more often than new software vulnerabilities. They think like a black hat hacker but use hacking for good. Pentesters write recommendations for other technical cybersecurity professionals on how to fix the weaknesses found.

Red: Red teamer

Red teamers are testers with a wide range of skills, from traditional pentesting to circumventing physical controls and using social engineering. These professionals work in a team with a diverse set of skills. Red teamers creatively test combinations of defences to find new weaknesses.


Blue: IT/Cybersecurity architect

Security architects design and implement structures for IT services, much like their counterparts in the construction industry. Security architects plan the structure of networks and security-related services, and decide which services are bought from a vendor if they are not provided internally.

Security architects consider how each user and machine account is identified, authenticated and authorised (identity and access management, IAM), as well as how different events are logged. A security architect can focus on a certain area (like IAM, networks or cloud services) or consider the architecture of the entire enterprise.

Blue: SOC analyst / professional

The security operations centre (SOC) is a function where an organisation centrally monitors most of the logs and events from its IT environment. The SOC has specialised tools and services (often called SIEM, security information and event management) which collect and correlate huge volumes of log entries and raise an event when a set rule is triggered.

A SOC analyst is responsible for creating and developing the set of rules these tools use to identify suspicious events, and for starting the investigation process when needed. These "first responders” (so-called Tier 1) often operate 24/7/365. SOC analysts can escalate more challenging investigations to Tier 2, which may have more experienced professionals in digital forensics – the art of finding electronic evidence of a potential security breach.
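To make the "set of rules" concrete, here is an added example of the kind of detection logic a SOC analyst writes. It is not code from the original course; the log lines are constructed sshd-style samples, and the rule thresholds (five failures within 60 seconds) are assumptions chosen for illustration. The rule flags a source address that produces a burst of failed logins, and escalates the alert if that same source then logs in successfully, which is the pattern a Tier 1 analyst would want to see first.

```python
"""Toy SOC correlation rule: brute-force login detection with escalation.
Added example, not part of the original course material. Log lines below
are constructed samples in an assumed 'ISO timestamp sshd[...]' format."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (assumed format, not a real capture).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
2024-03-01T10:00:03 sshd[812]: Failed password for root from 203.0.113.5 port 51002 ssh2
2024-03-01T10:00:05 sshd[812]: Failed password for root from 203.0.113.5 port 51003 ssh2
2024-03-01T10:00:07 sshd[812]: Failed password for root from 203.0.113.5 port 51004 ssh2
2024-03-01T10:00:09 sshd[812]: Failed password for root from 203.0.113.5 port 51005 ssh2
2024-03-01T10:00:12 sshd[812]: Accepted password for root from 203.0.113.5 port 51006 ssh2
2024-03-01T10:05:00 sshd[812]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-03-01T10:05:30 sshd[812]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(log_text, threshold=5, window_seconds=60):
    """Return a list of alerts.

    'brute_force' fires once when a source reaches `threshold` failures
    inside a sliding window of `window_seconds`; 'brute_force_success'
    fires if that same source later logs in successfully (the case that
    needs immediate investigation, so it carries a higher severity)."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already alerted on
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue                # unparsable line: ignore, do not crash the rule
        q = failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that fell out of the time window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"rule": "brute_force", "src": ev["src"],
                               "count": len(q), "severity": "medium"})
        else:  # Accepted
            if ev["src"] in flagged:
                alerts.append({"rule": "brute_force_success", "src": ev["src"],
                               "user": ev["user"], "severity": "high"})
            q.clear()               # a success ends the current failure burst
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the rule produces two alerts for 203.0.113.5 (the burst, then the successful root login) and nothing for 198.51.100.7, whose single failure followed by a success is normal user behaviour. In a real SIEM the same logic is expressed as a correlation rule with a count and a time window; tuning those two numbers against the organisation's own traffic is a large part of a SOC analyst's day, because a threshold that is too low buries Tier 1 in false positives and one that is too high misses slow, patient attackers.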

Security in development

Developing cybersecurity is not just for dedicated cybersecurity professionals, but for everyone in IT too. Technically, everything runs based on code. Code is a set of human-readable instructions that is written (developed) and then compiled (or interpreted) into something the machine can execute. This executable is then tested by a developer. After testing, it is taken into an operational environment (ops), where it interacts with other programs, servers and services.

Any of these phases may introduce security flaws, by design or by error. This is why it’s important to ensure the security of the code itself, of its components and of their interactions from the beginning of the process. Unlike pentesting (which focusses on finding weaknesses after code is already in production), a growing number of the most effective security activities are performed before or during development.

Examples of security roles in development

Security developer

Security developers focus on the services which are critical for cybersecurity, such as authentication and authorisation services.

Security champion (in a development project)

Usually a senior developer, security champions focus on secure coding practices. They are mentors and coaches for other developers and other project team members. They ensure that security testing and other security-related activities (for example code reviews) take place as planned.

Cyber security: a career for the future

Now, more than ever before, the demand for cybersecurity professionals across industries is booming. The digital transformation of our daily lives and work is driving a need for these skills in all sectors and fields. The key concern for governments, businesses, and citizens, is that the spread of digitisation and emerging technologies is outpacing our ability to train the qualified cybersecurity professionals needed to secure our online world.

In their annual study for 2020, (ISC)², an international non-profit cybersecurity membership organisation, estimated that Europe has a workforce gap of over 168,000 positions that cannot be filled by qualified cybersecurity professionals. Globally, this number is over 3 million. Although the gap between demand and worker supply decreased compared with 2019, partly due to the general economic downturn caused by Covid-19, it still remained high and is expected to grow rapidly.

Despite over 500 universities and academic institutions across Europe granting certifications and degrees for cybersecurity professionals, the growing demand far outpaces the supply. One solution to help close this gap, is for employers and workers to find ways to reskill on the job or in continuing education. By completing this course, you have given yourself a great start on this path. For more information on where to gain further skills in cybersecurity, please visit the Digital SkillUp website.

Part summary

After completing chapter 5, you should be able to:

  • understand how emerging technologies can provide new opportunities, but also risks, in cybersecurity

  • discuss some of the near-future implications for cybersecurity

  • understand what kinds of jobs are available for cybersecurity professionals

You reached the end of the course!
