Information security is one of the hottest, most sought-after careers. Yet when I talk with college students, recent graduates, and even experienced professionals looking to move into cybersecurity, there is often a lot of confusion about where and how to begin. Interestingly, this conversation came up during a recent dinner with CSOs. The subject proved divisive even among this group, who regularly hire cybersecurity professionals.
During the dinner, some CSOs advised that those interested in a cybersecurity career should focus on cybersecurity-specific education, while others argued that it is better to concentrate one’s formal education in another area, such as computer science or even business, to better understand the nature of the business and the vertical market in which a security professional may work, and then minor in security. Perhaps the answer varies depending on the career path one chooses.
In addition to education and training, there’s the question of where the best jobs are in the field. While “best” is certainly subjective, it is important to give considerable thought to which specialty within the broad field of cybersecurity one wants to focus on. While many people speak of cybersecurity or information security as a career in itself, it’s actually a diverse field with many specialties, ranging from enterprise risk management to application security, forensics and investigations, infrastructure, malware analysis, and many other disciplines.
In fact, there are so many positions and disciplines in cybersecurity that choosing one may not be easy for newcomers. Fortunately, SANS has help for future (and current) cybersecurity professionals seeking an area of focus: the Top 20 Coolest Cybersecurity Careers list.
It’s both an interesting and a helpful list. For each career category, there are recommended courses. Here’s what they have to say about the CISO career, for instance:
#10 – CISO/ISO or Director of Security
“Seems like I can get a lot done with little to no pushback”
Today’s Chief Information Security Officers are no longer defined the way they used to be. While still technologists, today’s CISO/ISOs must have business acumen, communication skills, and process-oriented thinking. They need to connect legal, regulatory, and local organizational requirements with risk taking, financial constraints, and technological adoption.
SANS Courses Recommended
- MGT414: SANS® +S™ Training Program for the CISSP® Certification Exam (GISP)
- MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™ (GSLC)
- MGT525: Project Management and Effective Communications for Security Professionals and Managers (GCPM)
Why It’s Cool
- “Authority always wins.”
- “These people get to decide where to build the ‘watch towers,’ how many rangers are stationed in the park, where fires can be safely built, and the rules of engagement.”
How It Makes a Difference
- “You have the creative direction to influence and directly contribute to the overall security of an organization. You are the senior security player, the only one whom the CEO will trust.”
- “This position usually reports at a very high level, and gets to see and influence the big picture. You work with physical security, IT, the businesses, even the FBI and other law enforcement agencies.”
- “You are da Boss. You can pick and choose who does what, what gets done, and motivate and then share the credit with your people. You make a real impact on a daily basis.”
How to Be Successful
Organizations succeed by taking risks. But they frequently fail because they don’t manage the risk-taking very well. The risks are business risks, and the security team needs to see business constituencies as “customers.” The “this is how it’s always worked” approach must be thrown out. Data-driven decisions, devolving perimeter, any-device thinking, collaboration technologies, virtualization, and mobile data are diametrically opposed to prior thinking. Today’s solutions are tomorrow’s threat, and global and geopolitical landscape shifts are tightly coupled to intellectual and informational threats.
Experience is often the training ground; diverse thought and scenario planning are requirements for a good outcome. Focus on the business goals: Never forget that this is the basis for security thinking.
You should take the time to look at the other 19 job write-ups. As you’ll see, there are many paths to a cybersecurity career in the enterprise, so newcomers need not feel they are locking themselves into something. After writing about cybersecurity for more than 20 years, I can assure everyone that this field is indeed dynamic, and anyone who picks an area of interest today and carves out a niche will always be able to shift focus to another area, given training and additional experience.
The reality is that many cybersecurity jobs either didn’t exist or were very sparse 20 years ago, and the day-to-day duties of as little as 10 years ago certainly don’t resemble what they are today. No one knows what this field will look like in 10 or 20 years. So if a cybersecurity career interests you, it’s best to pick an area and run with it. You just don’t know where the path will lead over time.