If I were to ask ten people to describe what a cyber security professional does, I would get ten very different answers. Some of the answers I have heard include:
- You hack “things”.
- You hack other competitor organizations.
- You wear a hoodie all day.
Cyber security suffers from an identity crisis among those who are not part of the industry. It makes sense, as the only exposure anyone has to cyber security is what they see on TV. CSI on a few occasions shows a computer smoking or a monitor blinking on and off due to a virus. If a ransomware attack hits the local news, there tends to be a graphic of someone in a hoodie with random computer code being mindlessly scrolled in the background. No wonder everyone thinks that everyone in cyber security is just hacking all day and night and does not talk to anyone.
Cyber security turns out to be much more than just “hacking” a system (although that may be part of the job you gravitate toward). While understanding technology may be part of the job, many times it is not the only part of the job. Professionals need to understand how things should work to help identify the anomalies that may be detected. What makes a cyber security professional shine is translating what is found into a language that companies understand: business and risk speak.
You may be surprised that cyber security is more than just understanding technology. While technology is an important part of the role, it is not the only focus area of a cyber security professional (even though that is what shows like CSI may lead you to believe).
Almost every role in cyber security involves identifying, remediating and communicating risk to the organization. Risks come in all shapes and sizes. Some risks are minute and may be accepted or mitigated by the organization as part of its standard operation of business. Some cyber risks are deemed to be too much for the company to handle, such as the company potentially getting hit with a ransomware attack. As a cyber security professional, you would help identify what the company can do to help mitigate, or reduce, that risk. You have to tell the company all about this risk you identified as well. That means you have to communicate the risk broadly. Are you just going to tell your friends and family about the risk that you uncovered at the organization? While they may find it interesting (and I would not recommend sharing company secrets about risks you identified outside of the company walls), those more interested are the people in a position to review those risks in more detail and maybe even help you close them. Closing the risk that you identified could be done in a few different ways. Most of the time, it involves having people (such as yourself) help close the gap that was identified, adjusting existing technology to address the gap, or bringing in new technology such as a third-party tool to begin the discussions of reducing the risk. Implementing the tool correctly will take some planning and time, but you may be part of those implementation discussions. You may find yourself on a cyber security aligned project before you know it! Sometimes you may find it is easier and more effective to write something down that people can follow every time a process needs to be carried out. Something as simple as a document that is uploaded to a document repository and followed every time it is invoked is another simple way you may be able to solve a problem. You are a problem solver in cyber security, not just a problem identifier.
You may find that some of the problems you solve are smaller quick fixes while others require weeks, months or years of architecting a solution correctly. You may need to enlist the help of other subject matter experts at times. These could be other security practitioners, non-security personnel such as an infrastructure team or legal team, or maybe even a vendor (there are even dedicated jobs for that too). You do not have to be the one who is always the problem solver. Sometimes the strongest way to solve a problem is to bring the right people together.
Problem solving in a vacuum is almost like not solving a problem at all. People will wonder if someone is working on the problem or if a solution ever was agreed upon. This is why communication is one of the top skills in cyber security. If we do not know how to speak to the problems that were solved, not only will people think the problem is left unsolved but you also may not get the credit you deserve. Being able to tell people, in terms they understand, what the problem was and how it was solved is crucial to your success in the industry. Sometimes speaking “cyber security speak” requires us to be deeply technical, while other times we should deftly reimagine our conversation to avoid going anything more than a millimeter into the technical weeds. Knowing our audience is important, and while it may seem obvious, it is easy for a cyber security professional to default to communicating in the language they feel most comfortable in. Communicating the right message to the right audience takes time, yet it is time well invested. You may find that talking to others from your organization will give you strong insight into what your audience is looking for. What is the bottom-line-up-front messaging you can provide to your audience, with supplemental details as needed to reinforce your messaging? Everyone that we will need to communicate with in a cybersecurity role has about the same amount of time you have: very little. Brevity and to-the-point messaging of the problem and solution will make you unexpected friends in this industry.
Why has this industry even blossomed to begin with? The industry is built on trying to protect organizations from the threats that may target them. Who are these villains of society? People and groups we most likely will never see. No one is going to call up the organization you are working at and say “I hope you have your team working at full capacity today because I am going to be hacking you around 11 AM”. If it were that easy, there would not be much of an industry for us to join. Some groups may try to attack an organization opportunistically by looking for the tiniest little crevice that will let them into the organization. If it is easy, they will come in and not care who you are. Other groups spend enormous resources to target specific industries or companies while trying very hard not to get noticed. Sometimes it is someone who is sitting right next to you at the office or whom you talk to on camera during meetings on a daily basis. We know better than to leave the door open though, so a lot of companies have defense after defense after defense to stop these malicious groups from opening up that door. As a cyber professional, you want to know who is knocking at the door and whether they were successful or not. Even if what was detected by the cool tools you have in place was blocked, does that mean that we caught someone bad already in our systems? Should we search for other interesting details in our environment to see if that bad actor is already in and we caught them in the middle of their attack? What if we identified something weird that fits the behavior of a well-researched threat group? Is your company being specifically targeted? What is that bad actor looking to do if they do get into your systems? Disrupt your business? Steal your data? The possibilities are endless. Having knowledge of what the threats to our organization are is half the battle of being able to implement the strongest ways to protect against and detect those villains of society.
Without knowing our threats, we may not know the best ways to prevent and detect their presence in our systems. Left undetected, that villain may do an untold amount of hurt to the company on their timetable.
Those villains want to wreak havoc on the mission of your business. There are many crafty ways for them to be successful in that journey. However, this forces us to take a step back and think about what exactly we are protecting as cyber security professionals. What is essential to the business you are a part of? What drives the mission of your organization? Is it data? A set of applications? How about where customers go every day to purchase something from your company? What drives the profit or mission of the business is exactly where a villain would want to attack to bring the company to the brink. As a cyber security professional, you need to understand the business you work at better than the CEO. You need to have a good understanding of how the company makes money, what assets you are protecting and how you are going to protect them. Once you start understanding your priorities of what you need to protect, then you can speak with confidence about how you are protecting your business against the threats you have identified that have it in for your company and industry.
Alas, sometimes no matter how strong we make our fortress, an invader will do anything they can to get in. Or sometimes something that we thought should have prevented an attack was not implemented correctly. Maybe someone knew all of our secrets from inside our own doors and used those secrets against us. All those vendors that have access into your company? Yes, we need to keep a watchful eye on them as well. Even the strongest of houses needs a plan to recover from a potential disaster. As cyber security professionals, we need to detect when something is amiss. Sometimes it is painfully obvious, such as when no one is able to use their computers because a villain was successfully able to launch bad code to areas of the network or was able to bring down a portal or a website that your customers use. Maybe the attack was as stealthy on the way out as it was coming in, and without your knowledge, data that was under the lock and key of your organization could be seen by anyone who is interested. As cybersecurity professionals, we need to know how to help bring our company back to the state it was in prior to the attack. How did the attack occur? How can we try to limit the after effects of the attack? Is there anything that we can do to prevent the spread? Are there rules and regulations we now need to adhere to in order to inform others of our unfortunate news? Does your company have to talk to the media about the incident (the media has an uncanny way of finding out when bad things are happening at a company)? Do we have fines we may need to be prepared to pay based on the type of incident that occurred? So many questions to think about during one of the toughest times in the company’s history. Being prepared for these moments may not ensure we never have them, or that even if something bad were to occur the response would go 100% according to plan, but as cyber security professionals we need to plan for it regardless.
Writing down the ways our team and other teams respond to the incident is just the beginning. While hopefully these types of nasty events do not happen too often at an organization, we should be prepared for when they do. Just like firefighters constantly practice how to go into burning buildings to rescue those inside and how to put out fires, cyber security professionals need to do the same. If the incident is severe enough, you will find it is a whole company effort to respond to an incident, from the CEO to the legal team to the communications teams and technical teams all sitting in a very tense room. At some organizations there are teams dedicated to ensuring any disruption to the business is handled effectively to reduce any undue downtime. Disruption of business could be caused by an operational event, a physical security concern, or you guessed it, a cybersecurity event. They will be in the tense room too. Of course, as a cyber security professional, you would have already practiced through these real life scenarios before so you can respond with some confidence.
Phew! As a cyber security professional, you wear many hats in your job. You are a business person who understands how the company operates and achieves its mission. You are a master communicator who knows who your audience is and what type of information that audience is craving from you. You are a technologist who understands how the company you work for is currently set up, how the 0s and 1s move back and forth on the network, and what technologies are out there that not only make the company more efficient but also need to be protected. You are knowledgeable about the threats against your organization, what those threats are, their tactics for knocking at the door of your business and what their end goals may be. You speak the language of risk, not only as a problem identifier but also as a problem solver. You are the whole package.
In your quest to identify what area of cyber you like best, you may find yourself focusing in on a subset of the areas referenced above. Maybe you find yourself researching those villains you cannot see or being the technical superstar who implemented tools to help stop those knocks at the door. Maybe you are the person who responds to any type of incident that is identified at the organization to find out what really happened, how to ensure it will not happen again, and craft a communication to the appropriate audiences. You may even find yourself managing some of these functions and the people who make this industry shine.
You are joining an industry that is dynamic and ever changing. What made a cyber security professional at any level successful ten years ago is different than the requirements today and will evolve over the next ten years and beyond. Many times no two days are alike. Welcome to one of the most fun and exciting careers to ever be a part of.