Closing the Cybersecurity Skills Gap, Part 3
In part one of our discussion on the cybersecurity skills gap, we discussed how organizations can develop their own cybersecurity professionals rather than trying to hire them. In part two, we explored where to begin in cybersecurity and the basic skills every cybersecurity professional needs. Now we’re going to explore the landscape of jobs and roles in the cybersecurity field. But first, let’s talk about how we got here.
The Evolution of Cybersecurity
Twenty-five years ago, when cybersecurity was still emerging as a specialty, most practitioners were transitioning from IT operational roles. As the Internet expanded and firewalls went up, the network team was given additional security duties. Eventually, these security duties became so burdensome that businesses created dedicated security positions. Now organizations had a catchall role for all their security work, including security policy writing, application security review, intrusion detection monitoring, vulnerability scanning, and security awareness training.
The people who did these early security jobs ended up knowing a bit about everything in cybersecurity because they had to. From here came the first cybersecurity generalists. Since then, the field has evolved along with so many new avenues of technology, and most of these generalists either specialized or went into management.
With so many new things to learn, an initiate simply doesn’t have enough time to catch up with the historical knowledge that generalists have. So, anyone entering the field now is faced with choosing a specialty. As cybersecurity guru Dan Geer said, “The core knowledge base has reached the point where new recruits can no longer hope to someday become competent generalists, serial specialization is the only broad option available to them.”1
The good news is that these new recruits now have a wide variety of security specializations to match both their capabilities and interests.
The Diversity of Cybersecurity Jobs
Many kinds of job roles are available within cybersecurity. An easy way to look at them is through the three primary cybersecurity functions: engineering defenses, testing security, and responding to cyberattacks. Some of these roles may not exist in every organization. In smaller organizations, all of these roles may land on a single person or be tacked onto other non-security work. But be wary of such situations, for in the land of toast, the butter is spread very thin.2
Within each of these functions, we’ll lay out specific job titles and duties, talk about where these roles fit into a typical organizational chart, and describe what kinds of skills are needed. But as part 2 discussed, foundational cybersecurity skills are necessary for all these roles. To recap, these skills include:
- Knowledge of common cyberattacks
- How to perform a risk analysis
- How to manage risk through using controls
- Knowledge of compliance regulations and how they work
- Knowing how to explain risk and compliance in business terms
The specific skill sets for cybersecurity engineers, testers, and responders will build upon this foundation. Because these skills are narrower and more specialized, many of them can be acquired in industry training classes and cybersecurity bootcamps.
Cybersecurity engineers—sometimes called SecOps or IT security—design, implement, operate, and maintain cybersecurity controls. From the chief security officer to the firewall administrator, the engineer makes sure sufficient cyberdefenses are in place. Many engineers come from traditional IT jobs, such as network engineers or system administrators. Their job is to predict the attacks, block them, and detect them if they get through the barriers. They use many tools, usually technical, but they also play a big part in engineering administrative controls, such as policies and procedures. Engineers can specialize in a particular type of control, like workstation endpoint solutions or software security, or they can go wide to perform analysis and design on a macro scale.
The kinds of job titles seen here include:
- Director of security
- Security architect
- Network security engineer
- Security software developer
- Security systems administrator
- Technical director
- Security analyst
How Cybersecurity Engineers Fit into the Organization
Cybersecurity engineers hold the traditional and most common roles in cybersecurity, so there are a lot of them. Most engineers are found within the IT organization, so they report up through the IT chain of command to the head of technology. However, being embedded in IT can diminish the effectiveness of their security functions. The key problem is the divergent missions: IT is about implementation and maintenance, while security requirements can sometimes mean slowing down an implementation to lower risk. This contributes to the security team’s reputation as the “Department of No”. Since the head of IT is in charge, they have veto power over security, which can be a problem as well. We explored this in detail in our earlier blog: Who Should the CISO Report To?
Cybersecurity Engineer Key Skills
One of the most important skills for a cybersecurity engineer is to understand the organization’s technology. Because of the obscure nature of some cyberattacks, cybersecurity engineers often need to know more about the technical infrastructure than the IT operational team. A good tool for examining the specific technical areas is the Cyber Defense Matrix, which has five classes of security technologies: devices, applications, networks, data, and users.3
Building on those technical skills, cybersecurity engineers also need a firm grasp on how the specific technical controls in their area function. For example, engineers working in networking should understand firewall features and limitations as well as the specifics of the implemented solution within their organization. Also, this role, more than any other, is heavily dominated by the security vendors who manufacture a majority of these technical controls. However, this also provides an avenue to training and certification in those technologies.
Lastly, cybersecurity engineers should understand the business and cultural aspects of rolling out and maintaining controls. For example, successfully rolling out multifactor authentication is more than just installing software and configuring VPNs—the users and their workflows must be properly addressed. Even simple controls, like effective security awareness training, require some forethought and consideration.
Testing is one of the most glamorous jobs in security, as testers are the folks who hack things or find the problems. From auditors to red teamers, cybersecurity testers look for the gaps and mistakes before an attacker does. Some organizations only need these roles some of the time, so the work is often outsourced. Furthermore, testers work well in healthy competition with cybersecurity engineers. Job titles include:
- Penetration tester / Red teamer
- Vulnerability researcher
- Exploit developer
- Ethical hacker (sometimes known as “white hat” hacker)
- Security research engineer
- Internal, third-party, or external auditor
How Cybersecurity Testers Fit into the Organization
When they are outsourced, cybersecurity testers are often part of the consulting services team. This means they are also the most customer- and revenue-focused of traditional security roles. This is a double-edged sword. On the upside, since they are revenue-driven, it is easier to justify their work and receive the necessary resources. The downside is that the healthy competition between engineers and testers can fester into an adversarial relationship. Not only are they outside of the organization, and therefore not part of the team, but their findings can be seen in a revenue-seeking glow and thus distrusted.
When cybersecurity testers are full-time within an organization, they can be attached to IT like cybersecurity engineers. Sometimes, however, because of that healthy competition or because of segregation of duties (as with internal auditors), they are part of a different department, such as legal or compliance. Application security testers are sometimes linked to quality assurance departments, which puts them under an organization’s development arm.
Cybersecurity Tester Key Skills
Most importantly, testers need a healthy skeptical attitude. The role of a cybersecurity tester is to question everything, even assumptions. One way to help do this is to learn threat modeling techniques such as STRIDE.4
Like engineers, testers need to be knowledgeable in their technical area. In order to subvert a control or process, it is often necessary to understand the hidden nuances of that technical area. In many cases, they need to use this technical knowledge in unexpected ways, such as chaining together low-severity vulnerabilities to breach a system.
Testers often require many specialized tools and techniques, from hacking tools like Metasploit to effectively wielding a deadly audit questionnaire. Sometimes these tools are self-developed, which means testers should also have some programming skills (if hacking) or statistical knowledge (if auditing).
Lastly, to communicate their findings in the most impactful way, cybersecurity testers need to double down on their skills in explaining risk in relevant business terms. Nearly all the testing work they do needs to be expressed in written documentation. This writing needs to include detailed citations of evidence, such as screenshots, source code, and compliance regulations.
We’ve talked about the importance of assume breach and planning for security controls to fail. This is where cybersecurity responders come in because their whole job is to plan for and minimize security incidents. Sometimes they detect attacks and try to stop them before they spread. Some responders help clean up the messes and get systems back online. Many in this role investigate what the attackers did, who they were, and help find the clues to go after them. Some responders even work on finding digital evidence from non-cybercrimes.5 Job titles include:
- IT forensics technician
- Security operations center analyst
- Forensic, intrusion, or malware analyst
- Incident responder
- Disaster recovery or business continuity manager
How Cybersecurity Responders Fit into the Organization
Similar to testers, responders are commonly outsourced in smaller organizations. Some responders are part of subscription service organizations that offer monitoring and response resources on-call as needed.
When they are internal, they can be found in IT, if focused on recovery and repair, or in legal, if focused on forensics. Sometimes they are found within the general business continuity organization under operational risk.
Cybersecurity Responder Key Skills
A key skill for responders is keeping cool under pressure. Responders are often under acute stress, whether dealing with ransomware that’s shut down the entire organization, gathering evidence that can directly affect someone’s future, or performing post-incident forensics in a potentially litigious situation.
Responders need to be able to wrangle the right resources for cyber incidents, such as appropriate cyber insurance, intrusion detection tools, and forensic and malware analysis tools. Responders should also develop government, legal, and law enforcement contacts and resources to assist in incidents.
Many responders may also find themselves called on to report on incidents in a wide variety of settings, including boardrooms, industry conferences, and even legal depositions. Therefore, presentation and clear writing skills are helpful in this role as well.
Three Final Thoughts About Cybersecurity Skills and Specializations
First, we should say that your mileage may vary. Many different standards and practices in cybersecurity contradict each other. Some may disagree with this list and some may find the categories overlap too much. Another way of categorizing cybersecurity roles and skills is NIST Special Publication 800-181, the NICE Framework.6 Such is the nature of our immature field.
Second, we began by saying that cybersecurity career entrants should specialize to make finding a job easier. There are downsides to this as well. As you become too specialized, you may find it harder to communicate outside your silo. We’ve heard many cybersecurity practitioners declare their discipline to be the most critical security area and listen no further. We’ve heard secure coding engineers say, “If everyone wrote secure applications, there would be no incidents.” Incident responders sometimes say, “It doesn’t matter if they get in, we’ll always find them and stop them.” Penetration testers promise they will find all the vulnerabilities first. We know that attackers will always find new ways to come at us. All three of these roles make up the legs on the stool of a sturdy cyber defense.
Third, the real world doesn’t always adhere to clean delineated categories. Neither do actual career paths. So again, your mileage may vary.