The Internet and everything it comprises is expanding at a rate that is difficult to comprehend, much less manage and control. According to even conservative estimates, the number of people online globally has increased by a factor of more than 2,000 in the past two decades. Less than one percent of the world’s population was connected in 1995. Over twenty years later, that number is approaching 50%, with close to 90% penetration in the US alone. As early as 2008, tech analyst Mary Meeker was predicting that mobile Internet usage would overtake that of desktop computers by 2014. She was right: the U.S. reached the tipping point in 2014, when an estimated 60% of Internet use had migrated to mobile.
These numbers reflect monumental changes in the way we live, work, and navigate our world. They also raise critical questions about how we can best defend ourselves and secure the vital computer networks we now rely on. This includes maintaining the integrity of the platforms, applications, and devices they support, mitigating the impact of malicious attacks on these assets, and protecting the people who use them. The security of this essential infrastructure, or cybersecurity, is now a pressing concern at all levels of government, in every sector of the economy, and for every branch of the military. As Brookings Institute researchers P.W. Singer and Allan Friedman point out in their 2014 book Cybersecurity and Cyberwar: What Everyone Needs to Know, “97% of Fortune 500 companies have been hacked (and 3% likely have been too and just don’t know it), and more than one hundred governments are gearing up to fight battles in the online domain… These fears have coalesced into the massive booming business of cybersecurity, one of the fastest growing industries in the world.”
Cybersecurity is a relatively new professional designation that encompasses an array of activities, concerns, protocols, and technologies. It represents the convergence of computing power, data storage, and telecommunications with banking and commerce, healthcare and public policy, government and law enforcement, and countless other economic and social functions. As David Harley, a Senior Research Fellow at the cybersecurity and antivirus (AV) company ESET, noted in an interview with OnlineEducation.com, “Pretty much everyone who works with a computer is at the security front line, even if they’re simply using some sort of computing device at home.”
Maintaining open lines of communications, or access, while assuring the integrity and the confidentiality of sensitive data that is transmitted and stored, presents a strategic and technological challenge, one that is central to cybersecurity. Indeed, confidentiality-integrity-availability forms the basis of the C-I-A pyramid that is foundational in the theory and practice of cybersecurity.
It’s a model David Harley invoked in a definition of cybersecurity he offered to OnlineEducation.com. “IT security is the dimension of information technology that in a rational world would constantly be invoked to protect — as far as possible — the consumers and providers of that technology (and the data it contains and processes) from breaches of what we currently understand (or assume to be covered) by the term security. This starts from the classic tripod model (confidentiality/privacy, integrity, availability), but extends to areas that aren’t always seen as fitting into that model — for example, accountability, compliance, audit, civic responsibility and good citizenship, politics and politicization, critical thinking, social science, anthropology, and other things I may think of as I go along.”
In other words, cybersecurity is a multi-dimensional and multi-disciplinary pursuit. It encompasses a comprehensive mastery of computer hardware, software, and coding, a deep knowledge of how digital information is stored, encrypted, and transmitted, and a nuanced understanding of the social and economic functions of this technology.
Computing power has become easier to access, progressively complex, and increasingly difficult to secure. In response, cybersecurity and its related specializations — information assurance (IA), information governance (IG), and digital forensics — have risen in prominence. Cybersecurity is now a broadly trending news topic, an in-demand job description, and a pressing business imperative that requires dedicated teams of professionals and often an enterprise-wide security charter. High profile breaches like the hacks that targeted Target customer data in 2013, compromised Sony’s email servers in 2014, and penetrated the records of the healthcare insurance provider Anthem in 2015, have served to put a degree of exclamation on this point.
As a result, cybersecurity is emerging as a central area for academic research and professional training. “Cybersecurity for now basically remains a field of its own within IT and computer science (but unfortunately, not always an integral part of computer science undergraduate curricula),” explains Kelly Jackson Higgins, a veteran information security journalist and Executive Editor at the cybersecurity website Dark Reading. “You can have a career in cybersecurity today,” she pointed out in an interview with OnlineEducation.com, “but most every other technology that involves software and Internet connectivity should include and consider cybersecurity… Cybersecurity is one of the most wide open and hot career fields, and most likely it will be for some time to come.”
It would be hard to overestimate the critical nature of cybersecurity. Everything from the daily deposits and withdrawals at a local ATM, to annual stock market yields, to the overall functioning of the world monetary system is dependent upon digital networks. Even perceived threats to those networks can have dire economic consequences. As Kathryn Wilson, Director of Microsoft’s CityNext initiative, put it bluntly in a June of 2016 article on the Smart Cities Council website, “There is no security without cybersecurity.”
The true cost of cyber crime can be difficult to gauge. The estimates are quite large, and they still may not fully capture the full scope of the problem. The well-publicized breach of Target’s credit card data systems in 2013 affected more than 70 million customers and cost the company a reported $162 million. However, as the Wall Street Journal reported in the wake of the attack, “Costs associated with the recent security breach involving credit cards used at Target have topped $200 million for financial institutions.”
A 2015 Cost of Cyber Crime Study report by the Ponemon Institute, pegged the average cost of cyber criminal activity at $15 million annually for 58 benchmarked organizations in the US, and $7.7 million for companies on a global scale. That may be a conservative estimate. A 2014 study by McAfee and the Center for Strategic and International Studies suggested that cybercrime might be costing the US as much as $100 billion a year, and the global economy upwards of $575 billion.
In addition to the economic costs, cybercrime has a psychological component. If digital technologies are to function at peak efficiency and effectiveness, then people must be able to trust the integrity, reliability, and security of digital systems. The collateral damage of the Target breach amounted to tens of millions of customers whose credit card data was stolen and whose security was compromised. The Sony hack had direct financial costs, but it also crippled the company’s internal communications for several weeks, embarrassed public figures, and led to the resignation of Sony Pictures Co-Chairman Amy Pascal. And, when Anthem’s database was compromised, 80 million patients and employees had to contend with the psychological implications of their private information being accessed.
Martin Zinaich is a cybersecurity expert with degrees in Information Security and Business Administration, and numerous professional certifications. He has worked in the private and public sectors. As the Information Security Officer for the City of Tampa, he’s seen cybersecurity evolve into an organizational necessity. “When I started in this business,” he recalled in an interview with OnlineEducation.com, “and information security was just starting to be mentioned in IT shops (note: it still is rare to hear it at the board level) there was a term used to help sell information security — FUD (Fear, Uncertainty, and Doubt). I never liked that tactic, and I never used it. I know the boy who cried wolf story, so it seemed silly to base a program on FUD. However, you had a perfect storm brewing with the addition of personal computers and the Internet. Soon, FUD was not a tactic; it was a reality. Because business still kept information security contained to a corner of IT, the products they made, the business processes they ignored, and the lack of integration all combined to create the disorder we currently call business as usual. Until there is an integration of information security into the business proper, yes, we are going to live in a breach-a-day environment.”
Cyber criminals take advantage of the complexity of digital systems. They master the technology, and seek out the weaknesses in computer networks. Dark Reading’s Kelly Jackson Higgins summed up the dynamic this way: “There’s a saying in cybersecurity that the bad guy only has to be right once, but you have to be right (and protected) all the time. What that means is that there are so many potential security holes for cybercriminals and cyber espionage gangs to infiltrate — unpatched and outdated software versions, old and insecure technology still running (like Windows XP, which is no longer supported by Microsoft but found in some industrial systems and even ATM machines), and unknown or zero-day bugs in software that no one but the bad guys know about, for example. And in most cases, an attacker dupes a trusting human being, the end user, who falls for a convincing phishing email or scam, and opens an attachment or responds with his or her credentials, or unknowingly picks up malware on a website.”
Experts group these cyber attack strategies into three basic categories, based on what part of the system is targeted.
Physical Attacks: Computers and Network Infrastructure
Physical attacks aim to compromise the hardware, electronics, and communication lines of computer systems. Protecting the equipment itself, hardening vital infrastructure, and creating redundancies that limit the value of any one point of attack amount to an effective defense again these kinds of incursions.
Syntactic Attacks: Computer Viruses, Worms, and DDoS
More difficult to counter are syntactic attacks, which exploit vulnerabilities in the operating systems, software applications, and disrupt communications protocols that run on computer networks. Syntactic attacks include self-replicating viruses that infect exiting programs; self-sustaining worms that can corrupt an entire network; and Trojan horses, which look and act like legitimate software, but contain viruses or worms. Syntactic attacks can be delivered through email attachments, websites, software updates and installations, and other functions that involve one computer communicating with another.
Computer firewalls and anti-virus software are deterrents to these attacks, which often come in the form of malware (malicious software) and ransomware (malware that restricts access to a hard drive). But, it’s also important to raise awareness about these attack vectors. As information security researcher and consultant Robert Slade explains, “New forms of attack actually come very slowly. Ransomware, the current infosec bugbear, is actually almost 30 years old, and is easily dealt with via one of our most frequently repeated security suggestions. Everyone repeat after me: “Make a backup.” The advanced persistent threat (APT) furor of a few years back is really only common email-borne malware, with a slight touch of spear-phishing to make the social engineering more targeted.”
A different kind of cyber assault, one that is famously favored by the hacker collective Anonymous, is a distributed-denial-of-service, or DDoS attack. While it does not involve infecting a system with a virus or worm, it can be very effective at shutting down a Website or even an entire network by overwhelming it with requests. The classic DDoS attack involves co-opting large numbers of individual computers — often hundreds of thousands or more — to create a botnet that conducts a coordinated strike on a vulnerable target, overwhelming its capacity to respond. Because the target can’t discriminate legitimate traffic from botnets, it is difficult to thwart a DDoS attack without compromising some degree of access, so a typical defense involves building resiliency into a system.
Semantic Attacks and Social Engineering
The third cyber vulnerability classification, and in many ways the hardest one to control and eradicate, is the semantic attack. Semantic attacks use words and their representative meaning to create hoaxes, sow confusion, and illicitly gain access to computers, networks, and the data contained therein. Phishing, which covers a range of methods for acquiring passwords, usernames, and other vital data, including the certificate authorities that underpin common types of digital encryption, is a type of semantic attack that is considered “social engineering.” As Kelly Jackson Higgins explained, “Cybercriminals and cyber espionage hackers all go for the weakest link in the chain, and that’s typically the user.”
Defending against semantic attacks is a multi-tiered endeavor, one that can involve restricting access to particularly sensitive data and networks, raising the cyber awareness of non-technical members of an organization, and employing password protection and cryptography protocols more resistant to social engineering schemes.
In an ideal world we would expect every cybersecurity professional to be capable of defending against all kinds of attacks, and proficient in every aspect of IA and IG. But that’s not practical. “Security is a huge field,” explains Robert Slade, “You have to know everything about all fields of technology. And, of course, you can’t.”
In the real world of cybersecurity, various responsibilities are divided among professionals who have specific skills and training. As Richard Moulton, an Air Force intelligence veteran who is now a Subject Matter Expert in cybersecurity at Chiron Technologies, put it in an interview with OnlineEducation.com, “The first thing we need to teach the next generation is that cybersecurity is a team sport. No one knows everything, and you must not be afraid to ask questions when you don’t understand something. Every person has a different perspective and experience and will be in a unique position to solve certain problems.”
These problem solvers generally fall into one of the following broad areas of specialization:
In addition to these three formal classifications, there are several other key areas in which cybersecurity expertise is in high demand. Because so many companies require cybersecurity services they aren’t equipped to address, there are a growing number of consultants and auditors who fill these roles. Lachlan Turner, for example, is a cybersecurity consultant who founded Ark Infosec Labs, a company that specializes in testing IT products to insure they meet the Common Criteria Evaluation and Validation Scheme used by many businesses and government agencies as a security standard. Mr. Turner’s perspective reflects a paradigm shift toward a more synergistic conception of cybersecurity. In an interview with OnlineEducation.com, he explained: “To move towards something better we have to address security challenges at every layer of technology, starting with hardware and working up through the protocol stack and into applications.” He added, “The fundaments of good security, and plain old good IT management remain fairly constant. You need to know what you have deployed in terms of inventory. You need to keep your systems up to date, which is essentially patch management. You have to prioritize and minimize privileged access to vital systems. And you need to layer your controls in order to create depth in your defense.”
Coordinating cybersecurity goals and objectives also requires good thinkers, communicators, teachers, and researchers. Megan Garcia is a Senior Fellow at New America, where her policy expertise is focused on the think tank’s Cybersecurity Initiative. “We need to have a shared conversation about who owns our data (the user? an internet service provider? a third party?), and who’s responsibility it is to secure it,” she explained in an interview with OnlineEducation.com. “Because both the societal and policy conversations have lagged behind technical capacity, you see things like startups opting to avoid problems down the road by dumping data. That’s a symptom of a larger problem, not a solution that addresses either the need for policies to dictate how data should be handled or what happens if it’s stolen.”
Ms. Garcia also emphasized the need for better and broader cybersecurity education. “If we could bring computer science and cybersecurity education to a large number of American classrooms, there could be a huge change in both the way that people understand their own role in protecting their data, and a change in their perception of their ability to work in technical fields.”
There is now widespread recognition that cybersecurity must begin at the very first stages of hardware and software development, and continue on up through the process of system architecture design, and installation. Once a network is up and running, users must be trained in best security practices, software must be updated and patched, glitches must be diagnosed and addressed, access to critical data must be monitored and secured, backup systems and redundancies must be implemented, and potential breaches must be detected, diagnosed, and mitigated. It’s an ongoing and all-encompassing process.
The day-to-day work of cybersecurity is often situational. Martin Zinaich explains it this way: “The first item to understand about cybersecurity is there is not ‘typical’ day. Primarily this is because there is no prototypical information security officer… An emblematic day is actually based on a few factors, such as your industry vertical, your reporting structure, the size of your organization, and if your organization is pre-breach or post-breach.”
“In a pre-breach organization,” he explained, “a practitioner focuses more on the ‘A’ of the ‘CIA’ triad — availability. This may entail firewalls, proxy servers, certificate authorities, directory services, and providing a lot of third-tier troubleshooting. Everyone blames the firewall for availability issues. If you are of the ‘business enabling’ cybersecurity mindset, which I am, you often use your skills to help solve access and firewall problems, even if they are not in your purview. At the same time, you will be trying to ‘sell’ the information security program.”
“In a post-breach organization, a practitioner will be focused more on the ‘C’ and ‘I’ of the CIA triad — confidentiality and integrity. This may entail security incident and event management, threat intel feeds, pinpoint log reviews, and focusing on policy and business integration. The latter can now happen because the business is engaged at the proper level. You are also likely to have enough staff to employ dedicated tasking. No more ‘selling’ at this stage; the business is now asking the right questions.”
IA is the core of cybersecurity, and the two terms are often used interchangeably. Robert Slade summed it up this way: “Another name for information security is information assurance, which is also another name for cybersecurity,” Richard Moulton echoed this idea: “Information assurance is concerned with finding cybersecurity problems and mitigating them to the extent that is possible.”
Information Assurance and Cybersecurity Skills and Responsibilities
IA is the technical defense work of cybersecurity. It encompasses the day-to-day responsibilities associated with assuring confidentiality, integrity, and access. IA professionals keep network hardware and system software up to date and running properly; insure that users can safely navigate digital networks; maintain firewalls; troubleshoot glitches; and monitor databases, communication networks, and information systems for anomalies and signs of attack.
This work requires a range of technical skills, and it encompass just as many specific responsibilities. The National Initiative for Cybersecurity Education (NICE), which was created to help clarify training and employment in the field, details the key competencies and functions of cybersecurity professionals in its “National Cybersecurity Workforce Framework.” For those working in IA, these include:
The NICE Framework also acknowledges the crucial roles played by other specialists in a comprehensive approach to cybersecurity. These include:
Information Assurance and Cybersecurity Careers
Many large organizations now have dedicated cybersecurity positions with distinct responsibilities in the realm of IA. In addition, there are numerous consultants working in the field in various capacities. Some of the common job titles in IA include:
Information policy and governance specialists work at the strategic level, setting cybersecurity priorities, communicating these priorities to other members of the organization, allocating security resources, and coordinating cyber incident response plans. From the perspective of Martin Zinaich, an enterprise-wide cybersecurity plan is the key to a successful cyber defense strategy. “Security governance is having all the right players making business decisions that reach across an organization regarding technical risk,” he emphasized in an interview with OnlineEducation.com. “Understanding the organizational structure of IT and how cybersecurity fits into the larger picture is key to being successful. The Information Systems Audie and Control Association (ISACA) often emphasizes the ‘tone at the top’ and ‘risk appetite’ in an organization. The National Association of Corporate Directors (NACD) also talks about ‘risk appetite’ and the integration of cybersecurity into the business proper.”
Information Policy and Governance Skills and Responsibilities
The job of IG encompasses the policies and procedures, frameworks and structures, processes and controls implemented to secure sensitive data, protect valuable intellectual property, and insure compliance with and adherence to the best practices in cybersecurity. It begins with a clear understanding of IT systems, familiarity with the data and other assets in those systems, and a working knowledge of potential cyber threats. Cybersecurity policy professionals and IG officers may not have as many hands-on technical responsibilities, like coding and installing security software. But, the personnel management function of IG does require highly developed leadership and communication skills. These are some of the other skills and responsibilities associated with work in this area:
Information Policy and Governance Careers
While there are information policy and governance conferences, and professional organizations for IG like ARMA International and the Association for Information and Image Management do exist, it is not a common job title. It’s more of a job description, or a combination of skills and responsibilities. Some of the job titles relate to the skills and responsibilities of information policy and governance are:
Digital forensics is the most clearly defined specialization in cybersecurity. It concerns the investigative processes that follow in the wake of a cyber incident or attack, the tools and techniques deployed to pinpoint and contain a system breach, and the methods used to track the source or sources of an incident.
Digital Forensics Skills and Responsibilities
Digital forensic specialists are first and foremost investigators. Familiarity with computer coding and systems is crucial. They should also be familiar with different kinds of cyber attacks. Like other criminal investigators, they also need to understand the law as it pertains to cyber crime, hacking, and other activities that compromise the security of confidential information and proprietary data. Some of the specific skills and responsibilities in computer forensics include:
Digital Forensics Careers
Digital forensics has traditionally been a component of law enforcement and military intelligence, but that too is changing. Companies in healthcare, insurance, banking, finance, manufacturing, and other data-driven sectors of the economy have valuable digital assets to protect, and require investigative resources when those assets are threatened. The NICE framework includes several job titles that have brought digital forensics into the wider world of cybersecurity.
Cybersecurity is rightly regarded as a technical field, and much of the work does involve computer coding, network architecture, server management, and other engineering skills. But, the broad mandate of cybersecurity also requires technical writers, researchers, and public policy advocates — professionals with interpersonal skills, and the ability to explain advanced concepts to non-technical staff.
Cybersecurity policy expert Megan Garcia stressed this point in an interview with OnlineEducation.com. “One of the biggest lessons we try and share via New America’s Women in Cybersecurity Project is that there are so many different types of jobs in the cybersecurity and information security fields. There are lawyers, communications people, policy experts, marketing professionals, along with engineers and more technical roles.”
There are two additional areas of employment in cybersecurity emphasized in the NICE framework: the educators and trainers who teach technical and non-technical personnel the fundamentals of cybersecurity and keep them up to date on best practices and present threats; and the legal consultants who provide counsel and advice to organizational leadership on issues pertaining to cybersecurity and the law.
In 2008, the Commission on Cybersecurity for the 44th Presidency and the Center for Strategic & International Studies commissioned a study that yielded a 2010 white paper by Karen Evans and Franklin Reeder on the state of the cybersecurity workforce. “A Human Capital Crisis in Cybersecurity” singled out nine key areas of proficiency for cybersecurity professionals:
Evans and Reeder found that cybersecurity had become a central concern throughout IT, at every level of computer systems management, development, administration, and governance. They also noted that many of the skills and proficiencies needed in cybersecurity jobs overlap significantly with skills and proficiencies required in other areas of the IT workforce. What differs is the way cybersecurity professionals deploy a particular body of knowledge. For example, the day-to-day work of systems and network administration is thought of as an IT responsibility. However, these are also IA, IG, and cybersecurity concerns. So, cybersecurity professionals require many of the same skills used throughout the IT world, but they are trained to use these skills differently, in a framework that priorities defense and security risks.
Understanding the technological components of computer networks from the ground up is one of the keys to success in cybersecurity. Robert Slade, who has taught university courses and provided certification training in cybersecurity, explained this in an interview with OnlineEducation.com. “My concern, from my own teaching and discussion with students, is that large areas of basic technologies can to be lacking in the programs, with a major focus on recent, and superficial tech. For example, when teaching about communications and networking, most students no longer understand the physical layer. If they don’t know about signaling over RF, IR, twisted pair, coax, and fiber, they don’t know what the risks are. We tell them that quantum cryptography requires dedicated single mode fiber optic cable, but they don’t realize that if you have dedicated single mode fiber optic cable you probably don’t need any encryption. We also don’t teach them that quantum cryptography isn’t cryptography; it’s just key exchange.”
The specific skills and training required to work in cybersecurity vary depending on the needs of an organizational. The following list represents an aggregate of the knowledge and skill integral to cybersecurity:
There are dozens of blogs, user group forums, LinkedIn and Quora posts, and professional columns dedicated to the types of skills and knowledge areas that are vital to cybersecurity, including the core technical proficiencies mentioned in the section above. However, most experts in the field also allude to a particular cybersecurity mindset, which includes a number of “soft,” or non-technical skills, like the ability to clearly articulate the importance of security to other members of an organization. This is one example of a valuable “soft” skill that is often associated with success in the field of cybersecurity and with an overall cybersecurity mindset.
Critical and Creative Thinking
Richard Moulton offered this example of “divergent thinking,” and its value in a cybersecurity context. “To work in this field, you must understand that rules only apply so long as we choose to adhere to them. For example, a system manual may tell you that you need to supply a username and password to get access to the system. What the manual won’t tell you is that if you supply a username with a password consisting of 4096 capital letter As, the authentication mechanism will crash and grant you full administrative access to the system. So, you must understand that rules only apply within certain boundaries, and you need a personality with the courage and creativity to find where those boundaries exist.”
Martin Zinaich provided an anecdote that illustrates the importance of creative thinking and of communications skills. “One creative thing I did was to produce a one-hour video of myself doing white-hat hacking into the organization I was working for. It showed the system vulnerabilities and how I was able to exploit weaknesses and take control of critical systems. That was shown to the CIO, who then wanted the entire IT staff to watch it in an all staff meeting. That really changed the mindset of the IT staff. They quickly started taking security more seriously as a business imperative, not just an IT concern. Next I shared it with the internal auditor. He put it in an audit report, and requested that it be viewed by all senior staff. I edited it down to 15 minutes and we had our first ‘security at the table’ moment. I came away with our initial Information Security Charter and a direction from the business.”
Mr. Zinaich is one of several experts in the field OnlineEducation.com interviewed who emphasized the benefits of understanding the business side of cybersecurity. “It may seem strange to see an information security practitioner talk so much about business, however I feel that is where this profession is missing the mark. You cannot function from a small corner of the IT department and affect the kinds of change required to protect a business in this new digital age. Technology is ubiquitous to businesses. It’s an essential lifeblood. It should be treated as such.”
He went on to explain that, “Practitioners very much need to understand their environment and understand where and when gentle pushes might be made to get traction. They also need to understand the business goals and see how they might help enable those business goals. This is one reason I elected to get degrees in both business and IT versus one master’s in information security.”
Psychology and Behavior
Understanding how people think about and interact with digital technology is a growing area of focus in cybersecurity. Socially engineered hacks may seem primitive next to an elaborately written piece of malware, but they can be just as effective and costly. “We must understand people as well as we understand the systems we are trying to secure,” Richard Moulton explained. “First, we have to convince the developers and maintainers of these systems to consider the security aspects of their products as early as possible. Then, once we uncover the remaining weaknesses, we have to train the users of these systems to compensate for those weaknesses.”
Mr. Moulton also made this point: “All software is developed with certain assumptions in mind. Often, however, the way that end users employ or understand technology is inconsistent with the assumptions made by the developers. Cybersecurity professionals looking to prepare for the social aspect of the job need to first learn how each technology is intended to be used, then learn how it is actually used. Afterward, the cybersecurity pro will be in a position to help developers and end users create a shared understanding of the technology.”
There are no industry-wide requirements for licensing or education in cybersecurity. A bachelor’s degree and a background in computer science, coupled with experience in an IT field, may be enough to qualify for entry-level positions. But, there has been a big push to develop dedicated training programs, certification programs, and master’s degrees in cybersecurity.
Martin Zinaich began working in the field before the term “cybersecurity” was in common use. “If business years are dog years then cybersecurity is still a very young puppy,” he emphasized. After earning a BS in IT and a degree in Business Administration, he added these professional certifications to his resume: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Security Software Lifecycle Professional (CSSLP), and Certified Ethical Hacker (CEH). “When I sought my first and second certification in information security, higher education was not teaching this discipline. Certifications carried a lot of weight because they were one of the only formal ways to get educated in this career path.”
Cybersecurity certifications can carry a lot of weight in the field. Some target knowledge of particular operating systems and hardware, while others test for competency in broader skill areas. A survey of the cybersecurity job market in 2015 by the Boston-based analytics firm Burning Glass Technologies found that only 23% of overall advertised IT jobs request an industry certification, while 35% of the jobs posted in cybersecurity specify at least one the following certifications:
In a 2014 SANS Institute survey of “Cybersecurity Professional Trends,” 58% of the respondents reported that, “holding one or more certifications is critical to their career success.” The survey also noted that employers often pay for advanced training and certification programs.
Richard Moulton offered this view of certifications: “Employers frequently don’t know what to look for in cybersecurity candidates. Because they don’t understand the field themselves, they often rely on certifications or word-of-mouth to choose candidates. The certifications they often look for include Network+, Security+, CCENT, CCNA, CISSP, CEH, and other, similar certifications… This is not a great way of identifying candidates, but it is better than nothing. Change is in the wind here, but it is too early for me to say much about it. Right now, I think people should look at certification programs that require hands-on rather than knowledge-based testing.”
Robert Slade pointed out that, “One of the main benefits of the CISSP exam is that it tests for just enough knowledge of every field so that an InfoSec professional can speak to a specialist and understand the problem.”
The National Initiative for Cybersecurity Careers and Studies, which is part of the Department of Homeland Security’s larger cybersecurity mission, lists 24 degree programs associated with working in cybersecurity, including mathematics, engineering, and hard sciences. Of course, until very recently, there were no dedicated cybersecurity degree programs. New America’s Megan Garcia alluded to this when she highlighted the demand for cybersecurity specialists. “There is a gap of one and half million jobs projected in the next five years, and that is increasing demand for training for those jobs. The result is new degree programs at universities, coding camps, and other types of training programs. The U.S government has been supporting the creation of some the new university programs through things like the National Institute for Cybersecurity Education, through NSA grants to universities, and through other pockets of funding.”
OnlineEducation.com researched online master’s degrees in cybersecurity to create a comprehensive directory of schools, complete with detailed information about each program. Programs were categorized based on specific methodology that required researching the curriculum for each program in the directory. Learn more about master’s degrees in cybersecurity by visiting the following program pages:
Cybersecurity’s lineage traces back to underground networks of freelance programmers, tinkerers, and hackers who built their own computer labs, wrote their own code, and discovered the bugs and flaws in existing hardware and software products. A professionalized version of this culture still exists. The combination of skills and techniques that includes penetration testing, investigating unknown vulnerabilities, and learning what can happen when the normal rules are disregarded are often referred to as ethical or white-hack-hacking. There is even a credential for Certified Ethical Hacker.
Martin Zinaich emphasized the relevance of learning the art of ethical hacking through hands-on experience: “As to practical experience, one of the greatest options in IT and IT security is the ability to have your own lab. With the cheap cost of used routers, firewalls, and switches, and the ability to do a lot of this in a virtualized environment, having your own lab to experiment, test, validate, and learn is extremely helpful. The key to being effective in any career is truly understanding that basis of what and why, not just knowing the answers for a test. As a CISA, I believe the five most powerful words for an auditor are the same for any information security professional — ‘How do you know that?’ In information security, you are going to be presented with numerous challenges, everything from business integration to the ‘noise’ of telemetry data. In each case, you will need to be able to adjust to the environment and understand what you are looking at and how it relates to the end goal.”
Richard Moulton agreed. “Certifications and formal training are invaluable, of course, but the best thing you can do to prepare yourself is to get hands-on experience. I would suggest getting familiar with VMware, HyperV, or a similar virtualization technology and spinning up some virtual machines you can attack for practice. With technologies like Qemu, Kali Linux, MetaSploitable, PowerShell Empire, GCC, GDB, Nasm, Immunity Debugger/Olly Debug, Wanem, and GNS3, you can create a set of targets and attack platforms to practice on at little or no cost. This experience is something you can generally only get for free at home or for thousands of dollars at cybersecurity conferences or schools, and candidates with this type of experience will be the strongest candidates.”
systems, new devices, and the new vulnerabilities they give rise to is important in the field. Certification programs and master’s degree training provides a foundation of cybersecurity expertise. But, staying up-do-date on trends and technological developments can require additional networking among cybersecurity professionals through blogs and other online cybersecurity news publications like Dark Reading, cybersecurity organizations like NICE and ISACA, and conferences like Black Hat USA, DEF CON, and InfoSec World.
Research and training companies like SANS and Gartner also provide an array of resources, like “Cybersecurity Scenario 2020 Phase 2: Guardians for Big Change,” a 2015 Gartner paper by cybersecurity analysts Earl Perkins and F. Christian Byrnes that points to “profound changes” in business technologies that have “set the stage for the next iteration or evolution of cybersecurity.” Among the changes that top their list are the digitally networked automation and control technologies that have spread from automotive manufacturers and mass transport systems, to energy and utility companies, building and facilities management, healthcare, and “even smart home solutions.”
Martin Zinaich is a founding member of Wisegate, another trusted source for blogging on cybersecurity. He recommends getting “a good RSS aggregator and start looking for infosec feeds. Some of my favorites are SecurityNewsPortal, Securityintelligence, CSO Online, DarkNet, Dark Reading, Krebs on Security, US Cert, SC Magazine, Hak5, DatabreachToday, SANS Internet Storm Center… The list goes on and on, just like the risks.”
Until quite recently, most cybersecurity professionals got into the business by transitioning from another career path, often one in the broader realm of IT and computer science. The emergence of master’s degree programs in cybersecurity has simplified the process to some degree. Most of these programs are designed to train students who have completed an undergraduate degree and possesses computer literacy skills and/or an interest in digital technology. There are also positions in cybersecurity policy, management, and administration that may require less in terms of highly technical skills, and more in way of the communications, leadership, and organizational talents.
Still, most experts will say that the place to start a career in cybersecurity is on a computer, learning how to code, exploring the hardware and software architecture, becoming familiar with the language of technology. Richard Moulton provided a three-step guide for transitioning into the field.
“To get the on-the-ground experience you need in this field you need to do three things,” he explained. “First, use the technology. Generation Y and younger have a great head start on the rest of us because they are growing up using all these technologies from a young age. They are getting experience in how these systems are supposed to work, and learning very quickly where the shortcomings are in these technologies.”
“Second, learn how the technology works. This will take some time, but is much easier to do now than it was in days past. Because more people know how the underlying technologies work now, we have products on the market like Arduino, Raspberry Pi, Code Academy, and more that teach people how to use technology at low costs. Learn to program; build an app; learn to build a little robot that follows a line on the floor; learn to make a web page. All of this will help.”
“Finally, once you are comfortable with how the technology works, use all the failures in your experiences to understand the limits of the technology. Explore these limits. What happens when you give your robot 18 volts instead of 9 volts? What happens when you enter a password 1024 characters long? What happens when you connect to a web server in Python instead of a web browser? Just be sure that you only test these limits on things that you own or on things you have explicit, written permission to test on. This will guarantee you a long, rewarding career.”
He also offered this warning: “You must understand that there are certain lines you cannot cross. I believe that people in general are, rightly, deathly afraid of the havoc that imprudent cybersecurity practitioners and malicious hackers can wreak. As such, doing something as benign as ‘hacking a sign to read ‘Drive crazy, y’all” can mean an early end to your career and freedom. So, while searching for the boundaries where rules break down, you need to understand well the legal limits of what you can do.”
Cybersecurity is growing more robustly in some industries than in others. Burning Glass’s analysis of the labor market singled out finance, healthcare, and retail trade as the fastest growing sectors for cybersecurity employment from 2010-2014, with finance up 137%, healthcare up 121%, and retail trade up 89%. That data makes sense when you consider the sheer volume of sensitive and confidential consumer data financial institutions, healthcare providers, and large retailers have to manage and protect in their digital information systems, and the consequences of a potential breach. Here is a breakdown of these and other industries in which cybersecurity employment is growing.
Many policy experts and industry analysts are projecting a shortage of qualified cybersecurity professionals in the near-term, which means that employers are already looking for people with the skills and training to fill positions in IA and cybersecurity. This means people who can code, people who understand security protocols, and people who are familiar with typical cyber threats. Formal training, including bachelor’s and master’s degrees in cybersecurity fields and professional certifications, can count for a lot in this regard. Experience in the field can be important as well. In the SANS professional trends survey, 83% of the respondents reported having four or more years of experience in the field. At the same time, 60% of those who responded had 10 years or less of experience, an indication of just how new the field remains.
The cybersecurity experts interviewed by OnlineEducation.com stressed the need in the field for technical understanding of computer systems, and knowledge of specific coding languages, operating systems, and network hardware. Certain tools, like anti-virus malware detection software and encryption protocols, have particular relevance in the field of cybersecurity. However, the same experts noted that a comprehensive cyber defense strategy, and success in the field of cybersecurity, relies on the coordinated actions of professionals who have highly developed abilities in certain non-technical areas. Understanding human psychology, business planning, and organization structures can be major assets in a successful cybersecurity career. Interpersonal networking and communication skills can also be crucial. Employers may be looking for professionals with coding abilities and other technical proficiencies, but job seekers who can explain the fundamentals of good cybersecurity, and explain how these fundamentals align with an organization’s other goals can use this to their advantage.
The 2014 SANS Institute professional trends study emphasize the importance of education, training, certification, and job experience for those looking to work in the field of cybersecurity. But it also points to a number of less technical skills and characteristics that employers look for in cybersecurity hires. These include:
As companies look to hire the best cybersecurity professionals and put together capable cybersecurity teams, it has not escaped notice that women are acutely underrepresented in the cybersecurity workforce. Kelly Jackson Higgins, who has reported on this topic and moderated a panel discussion on women in security at the 2016 Black Hat USA professional conference, notes that, “the number of women in the field has remained static at a disappointingly low 10% for the past two years, despite more women in executive-level and leadership positions in cybersecurity. That data comes from a report last fall from the International Information Systems Security Certifications Consortium (ISC2) and the Booz Allen Hamilton security and consulting firm, which also found an increase in the number of women joining the industry; it’s just that their numbers aren’t keeping pace with the overall security workforce.”
This is an issue that Megan Garcia has focused on as a Senior Fellow at New America. “We know that the narrow stereotype of a guy coding in a hoodie keeps many women from thinking they might thrive in the field, when at the same time, so many companies need people and are actively trying to recruit women. And given that the average salary for a cybersecurity job is almost $98,000, it’s a very lucrative field for women to enter.”
Garcia continued: “What I tell women entering the field is that some companies are starting to realize that culture change is going to be necessary to retain talent. Managers are being given better tools to understand when employees are overworked and the flexibility to intervene. That said, we’re definitely not in a place yet where the average cybersecurity professional feels free from the demands of a 24/7 environment. Advice I give women is that there will be times when you’ll have to be on more (e.g., if a client has a big breach, or if a vulnerability is discovered) and there will be times when things are slower. Take advantage of the slow times to restore balance. And talk to your manager about how both the pressure of an intense schedule, and the perceived need to be ‘on’ all the time, negatively affects your effectiveness. A good manager is going to do anything they can to increase your effectiveness, whether that means bucking trends or not.”
There is no one quality that defines a successful cybersecurity professional. Some are introverted coders who thrive on the challenge of finding tiny flaws in programming. Others may be more outgoing in ways that can facilitate better security measures within an organization. “It might seem that security as a specialism might require a specialized skillset and type of personality, but it’s not exactly so,” noted David Harley. “Obviously, some traits are beneficial in many roles: caring about the safety of yourself and others; common sense and an analytical bent; a painstaking approach to problem solving; adaptability and coolness in a crisis. Other traits are clearly role-specific: security evangelists tend to be extroverted (but extroversion helps for anyone in the public eye, including researchers lumbered with conference presentations). A security administrator needs a broad range of technical skills, usually including a comprehensive grasp of programming, server and desktop operating systems, a range of security programs and how they work, and so on. Threat analysts need coding and analytical skills, ferocious concentration and attention to detail, and so on.”
Richard Moulton points to a particular way of thinking that’s helpful in cybersecurity. “Many areas of computer science are dedicated to finding ways to facilitate tasks for humans… The focus of cybersecurity, on the other hand, is to analyze where these solutions break down. In this field, we focus less on the one thing that solutions are trying to do well, and more on the secondary and tertiary effects of that solution. For example, we might ask, ‘Does this solution guarantee the confidentiality, integrity, and availability of my data?’; ‘Will my secrets be revealed to the world?’; ‘Will my data be erased or corrupted?’; ‘Is there a trust relationship built in that someone could abuse to do these things?’ So, in cybersecurity, we look less at what is being done right, and focus on what is being done.”
Robert Slade also pointed to a particular mindset that is common among successful cybersecurity professionals. “In all areas of security, a certain amount of paranoia, cynicism, pessimism, and ability to spot the weak points in a proposition is helpful,” he observed. “These may not be altogether admirable qualities in a human being, but they definitely bolster the security skillset… The ability to think like an attacker when it comes to assessing the attack surface needs to be combined with a firm grasp of ethics, with personal honesty and integrity.”
David Harley had a similar take: “Security people should be curious and have a kind of professional paranoia. I think it’s Bruce Schneier, in one of his books, who has this lovely diatribe about how security people can’t look at doors without figuring out how to break into them: ‘Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.’ We constantly look for vulnerabilities: it’s just how we are built.”
About the Author : Matt Ashare is a writer with 25 years of experience in publishing. He was an editor at the Boston Phoenix and a contributor to other publications, including Rolling Stone, Spin, and the Village Voice. He now teaches journalism at Randolph College, and occasionally writes a column for the Central Virginia weekly The Burg.
"The Zettabyte Era — Trends and Analysis," Cisco Visual Networking Index
"2016 Internet Trends Report," Mary Meeker, KPCB
“http://burning-glass.com/wp-content/uploads/Cybersecurity_Jobs_Report_2015.pdf,” Burning Glass Technologies
“Fact Sheet: Cybersecurity National Action Plan,” The White House, Office of the Press Secretary
“About NICCS,” The National Initiative for Cybersecurity Careers and Studies, Department of Homeland Security
Cybersecurity and Cyberwar: What Everyone Needs to Know, P.W. Singer and Allan Friedman, Oxford University Press, 2014
“A Glossary of Common Cybersecurity Terminology,” National Initiative for Cybersecurity Careers and Studies, Department of Homeland Security
“Cost of Cyber Crime Study: United States,” Poneman Institute
“Cybersecurity Professional Trends: A SANS Survey,” SANS Institute
“Cybersecurity Scenario 2020 Phase 2: Guardians for a Big Change,” Earl Perkins and F. Christian Byrnes, Gartner
“About ISSA,” Information Systems Security Association
"About ISACA," ISACA
“Programming Research Efforts,” National Initiative for Cybersecurity Careers and Studies
“Cybersecurity Workforce Handbook,” Council on Cybersecurity
" National Cybersecurity Workforce Framework," National Initiative for Cybersecurity Education
"Cybersecurity Workforce Development Toolkit: How to Build a Strong Cybersecurity Workforce," US Department of Homeland Security
“9 Key Cybersecurity Roles for Government,” Eric Chabrow, Information Security Media Group
“Shortage of Cybersecurity Professionals Poses Risk to National Security,” Rand Corporation
“The HR Professional’s Guide to a Cyber-Security Workforce,” Council on Cybersecurity
“Cybersecurity Degree Programs,” National Initiative for Cybersecurity Careers and Studies, Department of Homeland Security