Career Path options and framework to becoming a CyberSecurity professional

It is common knowledge in the global cybersecurity community that there is a multitude of unfilled cybersecurity jobs, and there will be even more in the coming years. Some statistics range from 1.8 million open jobs by 2020 to 3.5 million unfilled jobs by 2021. Both are very large numbers and, of course, the question remains, where will all these qualified candidates come from?

The question of how to fill these openings is its own matter, but there is a way to give cybersecurity candidates an opportunity to understand the cybersecurity profession and to help them get a sense of the different facets or realms of this vocation.

A professional framework can be an important tool for cybersecurity professional career development; for example, the National Institute of Standards and Technology's NICE Cybersecurity Workforce Framework describes and categorizes work within the cybersecurity profession.

Another map of the job landscape came into being almost 15 years ago, when two Seattle-based CISOs began to build a framework of the cybersecurity profession. The concept began on a paper napkin at a small café and ultimately progressed to a formal structure and skeleton.

At a high level, this framework is intended to show the reader -- whether an experienced CISO or cybersecurity professional, or a new person exploring the idea of becoming a cybersecurity professional -- that there is a semblance of hierarchy and flow in the profession. This model can show the individual perusing the key aspects of the profession that there are many opportunities, from the frontline to the back office, and that every job has its tactical and strategic importance.

The higher level facets of the framework can be seen in the image below.

Daily work in this area is important and should be focused on the bits and bytes, as well as the ports and services aspects of network and system defense. This would be an excellent area for someone with keen attention to detail and the ability to mentally visualize security problems and the necessary solutions.

There are excellent training resources for the new cybersecurity candidate to pursue as they enter this domain, including the CompTIA Security+, Network+ and Cloud+ certifications. Additionally, the basic SANS courses can provide an excellent foundation for new cybersecurity candidates entering the technology security area. Similarly, experience with elementary scripting/coding -- such as Ruby/Ruby on Rails, Java or Python -- is a great way to begin a technical cybersecurity career.

The second column of the model above includes the broader, programmatic aspects of cybersecurity. This domain is less focused on technology and more on data and information protection by means of programs, processes, policies, standards, procedures and guidelines. The predominant activities involved in this arena include risk management, governance, regulatory compliance, business continuity and disaster recovery, intellectual property, business/financial integrity, industrial espionage, privacy, forensics, and investigations.

These cybersecurity activities focus on protecting the business, protecting its data and ensuring the business is compliant with associated cybersecurity rules, regulations and guidance.

Generally, one can begin a career in this domain without knowledge or experience in the technology security pillar, but a strong start and knowledge of technology security will provide a cybersecurity professional with better tools to not only recognize weaknesses and vulnerabilities, but to have a better grasp on technical, as well as programmatic solutions to problems.

Certification in this area of expertise includes the Certified Information Systems Security Professional from ISC2 and the Certified Information Systems Manager from ISACA.

The last vertical of this model, strategic security, offers an excellent next step for cybersecurity professionals in their career progression.

The strategic security pillar is primarily an area of strategic importance to national cybersecurity interests, defense and warfare. The career players tend to be in the military, national intelligence agencies and strategic cyberthreat intelligence at a corporation or university. Each day involves solving strategic cybersecurity problems.

The areas of work within this pillar include cyberterrorism and physical terrorism, cybercrime, cyberwarfare, nation state and regional cyber interests, national and international cybersecurity doctrine and policy, threat intelligence and analysis, professional alliances, politics, strategies and tactics, and others.

Success in this domain requires strong skills and capabilities in strategic and big picture cybersecurity analysis. Understanding security and intelligence tradecraft is important, as is having a passion for geopolitics.

A great place to start building skills in strategic security is working with government intelligence agencies or the military.

Each day, as you read the news, you hear about the needs -- and products -- offered by security training providers and research entities. Both of these could be starting points for cybersecurity professionals. At a minimum, a cybersecurity professional should be exposed to appropriate training and education activities. Also, simple employee security awareness courses and videos are an important aspect of a cybersecurity professional's career.

Cyber research is for the deeply experienced professional who enjoys and understands reverse-engineering of code and malware. Most of these successful researchers come up through the technical security ranks, usually starting at a young age. They are always inverting the equation and looking at security challenges in totally different ways.

That said, research is critically important to our profession. No matter what level of cybersecurity professional you are, be sure to follow and study the results of researchers such as IOActive, Sophos, Symantec, McAfee, F-Secure, etc. Also, pay attention to US-CERT, ICS-CERT, Idaho National Laboratory, and key university cyber research programs, such as the Carnegie Mellon CyLab.

There are no tried and true ways to use this cybersecurity profession framework. Some ways to use the framework include:

Essentially, this is just a framework, and it is still subject to interpretation and modification as our technologies and methodologies -- as well as our threats and cyber enemies -- evolve.

Though these are all entry level certifications, but each have their own ways of testing your knowledge. Industry experts doesn't weight all the certifications at the same level. So get an expert advice on what's right for you depending on your career goals and aspirations.https://www.mytechlogy.com/IT-career-development-services/