This feature first appeared in the Fall 2017 issue of Certification Magazine.
Cybersecurity professionals are used to managing crises, from the latest ransomware attack streaking across the Internet to a critical security vulnerability that requires patching hundreds or thousands of systems overnight. Cybersecurity experts step in to help organizations when things go wrong.
Today, the cybersecurity profession itself is facing a crisis that requires a different kind of management. There is a critical skills gap in the profession that will leave many crucial positions unfilled, jeopardizing the security of enterprises around the world.
The research firm Frost and Sullivan recently partnered with cybersecurity industry association (ISC)² on (ISC)²'s annual Global Information Security Workforce Study. The 2017 report of this study revealed an extremely significant finding: "Frost & Sullivan projections show that the gap between available qualified professionals and unfilled positions will widen to 1.8 million by 2022."
Think about that number for a moment. It's an astonishing number of cybersecurity employment positions. If every single adult in the state of Arizona quit their jobs today and trained to become an information security professional, the industry would still be short about 200,000 qualified individuals!
While this number represents a crisis for CISOs, hiring managers, and HR departments, there's a silver lining for cybersecurity professionals. Increased demand and reduced supply in the profession mean that there will be plenty of job opportunities over the next decade. It's a wonderful time to take stock of your current career path, set a target for your next step, and prepare yourself for a promotion.
A cybersecurity generalist with a Security+ or SSCP certification would do well to specialize in a security subdiscipline and add a few relevant credentials to his or her resume, in preparation for the looming staffing crisis. Let's take a look at some of the most common security specialties and the educational path that someone might follow to establish themselves in a new branch of their career.
Security Systems Engineer
Security systems engineers are the workhorses of the cybersecurity team. These skilled professionals operate the security infrastructure that forms the core of every organization's security program. Security engineers operate firewalls, intrusion prevention systems, encryption gear, VPN devices, data loss prevention solutions, cloud access security brokers, and just about every other security technology used throughout the enterprise.
They might perform firmware updates, modify access control lists, configure security application settings, or take on any number of other tasks related to security technology. In addition to gaining some hands-on experience, the best way to prepare yourself for a career as a security systems engineer is to gain specialized training in one or more security technologies.
Almost every vendor offers product-specific certification programs and those programs provide potential employers with the confidence that you'll be able to operate the technology that they've already installed and configured.
If you want to be a firewall engineer, go earn a certification in firewall technology from Cisco, CheckPoint, or Palo Alto. If security information and event management is your thing, go earn an AlienVault or Splunk certification. Vendors across the security product spectrum offer certification programs, as well as in-person and virtual training options that will prepare you for the exam.
Security Sales Engineer
Security sales engineers are closely related to security systems engineers in that they specialize in a specific technology. Instead of working for a single enterprise configuring and managing security solutions, however, they work for a vendor and assist in the security solution sales cycle.
Often paired with an account manager from a traditional sales background, the security sales engineer serves as the technical arm of the sales team. In a typical sales meeting, that means that the account manager will take the CISO to lunch, while the sales engineer stays back with the technical team and actually explains how the technology works.
Depending upon the company, sales engineers may support customers throughout the entire sales cycle, assisting with the design of a solution and initial configuration and operationalization. Preparing for a sales engineer role is similar to the career path for a systems engineer, but you'll typically receive all of the training that you need after you're hired by a security vendor.
Sure, it will help you get your foot in the door if you've already used your potential employer's product, but you'll certainly run through the training and certification process as part of your onboarding.
One thing that will help you stand out with potential employers is earning your Certified Information Systems Security Professional (CISSP) certification. While it's quite likely that you won't need that broad knowledge base in your new capacity, the fact of the matter is that sales organizations want the respected CISSP certification on the business cards of their engineers.
Security Analyst
Security analysts are the intelligence officers of the cybersecurity world. They're typically found staffing security operations centers (SOCs) and providing the expertise necessary to keep the cybersecurity team running. They analyze the output of many different security technologies and watch for patterns of activity that may indicate a compromise.
Security analysts are the eagle-eyed watchers who analyze vulnerability scans and recommend remediation activities. Security analysts also find themselves on the front lines of incident response and are often pressed into service to serve as first responders when the SOC detects a breach underway.
Until recently, there wasn't a fantastic training and certification path for those interested in the security analyst role. Last year, CompTIA addressed that open need by launching the Cybersecurity Analyst+ (CSA+) certification program.
The CSA+ curriculum focuses on four domains of cybersecurity: threat management, vulnerability management, cyber incident response, and security architecture and toolsets. There are now books, video training, and in-person training programs available to assist candidates preparing for this new certification program.
Penetration Tester
Penetration testing is one of the most highly demanded cybersecurity skills in today's market. Penetration testers use the same tools available to hackers to probe and assess an organization's security controls. Essentially, they try to hack into an organization to identify security weaknesses.
Penetration testers may be employed as third-party security consultants or, in larger organizations, they may be part of the internal cybersecurity team. Penetration testers must be deeply familiar with a wide variety of applications, operating systems, devices and hacking techniques and normally possess a strong background in several other areas of cybersecurity.
The Certified Ethical Hacker (CEH) credential is the must-have certification for aspiring penetration testers. The CEH program covers a very broad set of security concepts, attack techniques, and security testing tools. One important note for aspiring penetration testers: Unsanctioned "practice" against unwilling targets is not a way to land yourself a new job — it's an opportunity to land yourself in jail! Never conduct a penetration test unless you have clear, written permission to perform the test.
Forensic Analyst
Cybercrime is growing just as fast as (if not faster than!) the security profession. Forensic analysts are the experts who work both with law enforcement organizations and on internal teams to collect and analyze evidence in the wake of a security incident. They must follow meticulous procedures to preserve the integrity of the evidence and document a chain of custody that validates the evidence's collection and possession in court.
This work requires careful attention to detail as well as a skilled knowledge of operating systems, storage media, and cloud services. The modern forensic analyst must also be familiar with collecting evidence from the smartphones and tablets that make up a significant portion of today's computing infrastructure.
The SANS Institute offers the Global Information Assurance Certification (GIAC) Certified Forensic Analyst (GCFA) program for current and aspiring digital forensic technicians. This certification program covers incident response procedures, evidence collection and handling, and timeline processing, and has a particular focus on collecting evidence from Windows file systems, memory and backups.
Chief Information Security Officer
If you've set your eyes on the corner office, then you're probably considering serving as the Chief Information Security Officer (CISO) of an organization. These roles are quite rewarding, professionally and financially, but you'll find yourself worrying about the other side of that cybersecurity staffing crisis quite quickly!
Organizations seeking a CISO typically look at a pool of candidates consisting of sitting CISOs at comparable or smaller organizations, as well as those with some lower-level management experience in the cybersecurity function.
As a result, the most important thing that you can do to prepare yourself for a CISO role is to gain both a broad knowledge of cybersecurity and some management experience. You'll want to have stints in at least two disciplines of security and, ideally, have supervised staff for several years. If you don't have direct management experience, you may be able to earn your first CISO position based upon project management skills or other leadership experience, but that's definitely a handicap in your job search.
If you have a little time before you begin your job search, then you might want to ask your current employer whether any management opportunities exist within your current role. Taking on a team lead assignment may be just the boost you need to prepare yourself for a CISO position.
From a certification perspective, the CISSP credential is a must-have for a CISO role. Organizations want to see that CISOs possess this gold standard certification as a sign of broad security knowledge and commitment to the profession. They wouldn't hire someone to run their accounting department who doesn't have a CPA after their name, and they likely won't hire a CISSP-less CISO for similar reasons.
If you already have your CISSP, there are cybersecurity management certifications, such as the Certified Information Security Manager (CISM) certification, but those are much less important than the CISSP credential.
Start your preparations now
The job outlook is wonderful for cybersecurity experts. Cybersecurity teams around the world are short-staffed and there simply aren't enough people to fill the positions that exist. Salaries are on the increase and headhunters are reaching out to qualified professionals on a regular basis.
Cybersecurity professionals who specialize in high-demand subdomains of security will find themselves well-positioned to earn a promotion, or a new job, as employers struggle to recruit and retain talented employees. Now is the time to update your résumé, earn a new security certification, and prepare yourself for that next step in your career. You want to be ready to go when opportunity knocks.