Author: Jerry Brennan
A national intelligence assessment released earlier this year identified eight key areas that are an accepted road map within the Cybersecurity world. Find out which of these areas your peers either feel comfortable with or have experience in.
The field of Cybersecurity as its being addressed in the media today is painted with a very broad brush. A national intelligence assessment released earlier this year identified eight key areas have become an accepted roadmap in the cybersecurity world. There are multiple levels within each of the categories, and risks associated with them varies within organizations.
From a security job seeker’s perspective, you have to identify which of these areas you’re either experienced in, or require training for. Deciding to follow the money into cybersecurity is a very large bucket otherwise.
Key areas are:
- Threat Intelligence and Vulnerability Management
- Incident and Crisis Management
- Risk and Compliance Management
- Information and Privacy Protection
- Identity and Access Management
- Strategy, Governance and Management
- Security Architecture
- Emerging Technologies and Market Trends
Specialists in the areas mentioned above often evolved from their roles in an IT department, technical specialists by default. However, educational institutions are now stepping up to offer more structured paths into the practice by offering good, in-depth degrees and programs for training. Governments are also working to training employees, but there is still not enough qualified talent to meet the current – and future – demand.
As a result, private corporations sometimes look to government agencies to source cybersecurity talent. Any major government agency that has sensitive data and leverages technology on a huge scale is a target. Governments and corporations have the same issues; they are just seeking to protect different data that they’re utilizing or storing.
However, changing technology coupled with growth is outpacing the demand for cybersecurity professionals in both arenas, and that’s addressing only the issues of technical competencies without consideration for management skills.
SMR recently polled 1600 candidates who were applying for several of our recent recruitments, asking which of the above cybersecurity areas they felt very comfortable with or were experienced in:
- 40%: Threat Intelligence and Vulnerability Management
- 38%: Incident and Crisis Management
- 35%: Risk & Compliance management
- 30%: Information & Privacy Protection
- 24%: Identity and Access Management
- 22%: Strategy, Governance and Management
- 12%: Security Architecture
- 8.5%: Emerging Technologies
Within security programs, cybersecurity is the protection of the technologies that collects, stores and transmits information. While there’s crossover with information security, they key difference is the protection of technologies. Information security translates to intellectual property, and those issues may or may not involve technology. The fact that there’s so much interdependence in managing security risk in organizations blurs the organizational lines with some sitting under the CIO and the others nested in other security or legal functions.
The ongoing issue we’ve observed in our recruitment and consultancy engagements is that companies don’t necessarily have staff to address each of the eight key areas on an ongoing basis. The financial industry are light years ahead for obvious reasons. However, there’s still a significant shortage in many other industries. A high-profile incident will speed the process along for some corporations, but those reactive fixes are usually not the best long-term solution.
What’s important here for job seekers is that there’s very clearly a gap, and where there’s a gap, there are opportunities. Look at what each of these eight areas address and what the jobs within the areas entail. Factor in what you have aptitude for or an interest in, then acquire the education and experience you need in order to secure the job you want since there will be no shortage of opportunities in the operational area for the foreseeable future.
Qualifications for these positions depend on the level of the job and how it’s categorized organizationally. The two big certs are CISM and CISSP and they’re great starting points to ascertain if you have a solid base of knowledge. But, they may – or may not – be relevant to the job depending on how the company has it structured. It’s important to understand what the certifications are actually measuring and determine if they’re relevant to the job you either want or are already in.
For instance, asking for CISSP for all CISO positions may not make sense. CISO’s are executive level positions and are not meant to be individuals who can solve all of a company’s technical problems. Companies will continue to seek qualified, well rounded adaptable people with solid management skills and competencies who can function at an executive level while having a strategic understanding of the technology risks.
ISC2 have done a very good job in identifying a variety of technical skills sets and have constructed focused certifications for those sub areas relating to IT security. CISM from ISACA and was originally designed to be information security management, whereas CISSP has become a bit more technical. Both organizations have done a great job designing programs to address information security.
As it continues to evolve, the field of cybersecurity could end up looking a lot like the medical profession over time with a proliferation of specialists vs. generalists. The complexity of cybersecurity issues that need to be managed or addressed operationally will require a greater degree of specialization than currently exists.