on 04 September 19
It is common knowledge in the global cybersecurity community that there is a multitude of unfilled cybersecurity jobs, and there will be even more in the coming years. Some statistics range from 1.8 million open jobs by 2020 to 3.5 million unfilled jobs by 2021. Both are very large numbers and, of course, the question remains, where will all these qualified candidates come from?
The question of how to fill these openings is its own matter, but there is a way to give cybersecurity candidates an opportunity to understand the cybersecurity profession and to help them get a sense of the different facets or realms of this vocation.
The Cybersecurity Profession Framework
A professional framework can be an important tool for cybersecurity professional career development; for example, the National Institute of Standards and Technology's NICE Cybersecurity Workforce Framework describes and categorizes work within the cybersecurity profession.
Another map of the job landscape came into being almost 15 years ago, when two Seattle-based CISOs began to build a framework of the cybersecurity profession. The concept began on a paper napkin at a small café and ultimately progressed to a formal structure and skeleton.
At a high level, this framework is intended to show the reader -- whether an experienced CISO or cybersecurity professional, or a new person exploring the idea of becoming a cybersecurity professional -- that there is a semblance of hierarchy and flow in the profession. This model can show the individual perusing the key aspects of the profession that there are many opportunities, from the frontline to the back office, and that every job has its tactical and strategic importance.
The higher level facets of the framework can be seen in the image below.
Read: CyberSecurity certifications for Starters
Technology security tends to be the first area most individuals think of when considering a future in cybersecurity. Technology security normally includes such tools and devices as firewalls, intrusion detection systems, network security and architecture, antivirus/antimalware tools, system hardening techniques and processes, security engineering, encryption, and other cryptographic processes.
Daily work in this area is important and should be focused on the bits and bytes, as well as the ports and services aspects of network and system defense. This would be an excellent area for someone with keen attention to detail and the ability to mentally visualize security problems and the necessary solutions.
In summary, technology security includes the tactical, day-to-day, sword-and-shield aspects of being a cybersecurity professional.
There are excellent training resources for the new cybersecurity candidate to pursue as they enter this domain, including the CompTIA Security+, Network+ and Cloud+ certifications. Additionally, the basic SANS courses can provide an excellent foundation for new cybersecurity candidates entering the technology security area. Similarly, experience with elementary scripting/coding -- such as Ruby/Ruby on Rails, Java or Python -- is a great way to begin a technical cybersecurity career.
CompTIA Network+ Certification Online Courses
- CompTIA Network+ Cert.; N10-006. The Total Course.
- CompTIA Network+ N10 -- 006 2017 - The Complete Course
- CompTIA Network+ Exam (N10-006)
- Prepare for the CompTIA Network+ (N10-006) Exam
CompTIA Security+ Certification Online Courses
- CompTIA Security+ Certification; SY0-401. The Total Course
- CompTIA Security+ (SY0-401) : The Complete Course
- CompTIA Security+ Certification Preparation: CyberSecurity
- CompTIA Security+ (SY0-401)
- Become a CompTIA Security+ Certified Security Professional
The second column of the model above includes the broader, programmatic aspects of cybersecurity. This domain is less focused on technology and more on data and information protection by means of programs, processes, policies, standards, procedures and guidelines. The predominant activities involved in this arena include risk management, governance, regulatory compliance, business continuity and disaster recovery, intellectual property, business/financial integrity, industrial espionage, privacy, forensics, and investigations.
These cybersecurity activities focus on protecting the business, protecting its data and ensuring the business is compliant with associated cybersecurity rules, regulations and guidance.
Generally, one can begin a career in this domain without knowledge or experience in the technology security pillar, but a strong start and knowledge of technology security will provide a cybersecurity professional with better tools to not only recognize weaknesses and vulnerabilities, but to have a better grasp on technical, as well as programmatic solutions to problems.
Certification in this area of expertise includes the Certified Information Systems Security Professional from ISC2 and the Certified Information Systems Manager from ISACA.
The last vertical of this model, strategic security, offers an excellent next step for cybersecurity professionals in their career progression.
ISACA CSX Cybersecurity Fundamentals Online Courses
GIAC Information Security Fundamentals Online Courses
The strategic security pillar is primarily an area of strategic importance to national cybersecurity interests, defense and warfare. The career players tend to be in the military, national intelligence agencies and strategic cyberthreat intelligence at a corporation or university. Each day involves solving strategic cybersecurity problems.
The areas of work within this pillar include cyberterrorism and physical terrorism, cybercrime, cyberwarfare, nation state and regional cyber interests, national and international cybersecurity doctrine and policy, threat intelligence and analysis, professional alliances, politics, strategies and tactics, and others.
Success in this domain requires strong skills and capabilities in strategic and big picture cybersecurity analysis. Understanding security and intelligence tradecraft is important, as is having a passion for geopolitics.
A great place to start building skills in strategic security is working with government intelligence agencies or the military.
Foundations: Training, education and research
Each day, as you read the news, you hear about the needs -- and products -- offered by security training providers and research entities. Both of these could be starting points for cybersecurity professionals. At a minimum, a cybersecurity professional should be exposed to appropriate training and education activities. Also, simple employee security awareness courses and videos are an important aspect of a cybersecurity professional's career.
Cyber research is for the deeply experienced professional who enjoys and understands reverse-engineering of code and malware. Most of these successful researchers come up through the technical security ranks, usually starting at a young age. They are always inverting the equation and looking at security challenges in totally different ways.
That said, research is critically important to our profession. No matter what level of cybersecurity professional you are, be sure to follow and study the results of researchers such as IOActive, Sophos, Symantec, McAfee, F-Secure, etc. Also, pay attention to US-CERT, ICS-CERT, Idaho National Laboratory, and key university cyber research programs, such as the Carnegie Mellon CyLab.
Using the framework
There are no tried and true ways to use this cybersecurity profession framework. Some ways to use the framework include:
- Orienting students to understand the opportunities and possible career paths available for cybersecurity candidates.
- Giving cybersecurity professionals the sense that staying in a singular pillar -- such as the technology security column -- is an acceptable career path. The world needs strong and experienced firewall engineers, so there is no immediate need to simply get your qualification card checked before you move to another pillar.
- Providing an orientation of future management opportunities for each of the security pillars. Strong and knowledgeable managers and leaders are required for each pillar of the framework.
Essentially, this is just a framework, and it is still subject to interpretation and modification as our technologies and methodologies -- as well as our threats and cyber enemies -- evolve.
Which cybersecurity carer path in cybersecurity is the right one for your career progression?
Though these are all entry level certifications, but each have their own ways of testing your knowledge. Industry experts doesn't weight all the certifications at the same level. So get an expert advice on what's right for you depending on your career goals and aspirations.
Here are few experts in IT and Cyber Security, with whom you can schedule an appointment and discuss anything related to your career aspirations and goals.
- Max Boedder (Specialisation: CISO Cybersecurity) - You can book a FREE 30 Mins session with this coach.
- Urooj Burney (Specialisation: Cybersecurity)
- Boppin John (Specialisation: IT Security)
- Shamane Tan (Specialisation: Cybersecurity)
- Aqeel Bhutta (Specialisation: Information Security)
For more IT Experts & Career Coaches, please visit: