Careers, Concepts, Human Aspects, Security Education

Choosing your Cybersecurity Career Path

  • Landing and keeping a job in cybersecurity
  • What’s best for your Cybersecurity career: certification or a degree?
  • Strategic (GRC) vs. Tactical (Technical) career paths

I’m often asked by folks entering the cybersecurity career field, “How do I land (or keep) a job in cybersecurity?” and “Should I get a degree in cybersecurity or focus on certifications?” The bottom line is that there is no one answer that fits everyone. As with most things in life, it depends. Where you are at in your career, life’s journey (i.e., age), financial resources and your own ambitions are all things to consider. In this post, I’ll cover options in hopes of helping you understand the benefits of each and how you can grow your career as a cybersecurity professional. This is part 2 of my series on Breaking into Cybersecurity.

From a career or professional perspective, information security (aka cybersecurity or information assurance) is now a stable and growing profession. Information security jobs are expected to increase by 28 percent through 2026, according to the Bureau of Labor Statistics (BLS). Even with all the opportunity, landing a cybersecurity job can still be tricky, because job postings often carry a laundry list of requirements that seem to be looking for the optimal candidate who walks on water.

Below are some steps to help you decide between certs and a degree and build your cyber career:

  1. Pick a path. There are two main categories of cybersecurity careers: Strategic and Tactical.
    1. Strategic includes Governance, Risk, and Compliance (GRC), Policy, IT Audit, security frameworks and management.
    2. Tactical includes everything technical: security systems administration, networking, application security, security operations, incident response, vulnerability management, and penetration testing.

Pick the one where you have the most strengths. If you love playing with technology, go tactical. If you’re more prone to management and process, consider strategic. A word of caution: don’t try to do both and be a jack of all cybersecurity trades. Folks in this position (like me) are often seen as a master of none and are disqualified from many jobs. I’ve been told dozens of times that I’m too technical for strategic jobs and not technical enough for tactical. By the way, picking one over the other does not mean you won’t need to know how the other side works. Strategic needs to understand technology and tactical needs to get business risk. The Cyber Seek website (https://www.cyberseek.org/pathway.html) contains a list of careers for each path.

  2. Determine your education path. This is how you will reach the goal of getting the cybersecurity job of your choice. Cybersecurity degrees and certifications each have benefits and costs. Both can be used to open doors on cybersecurity careers.
    1. Degree – Expand or gain knowledge over time. With a degree you learn how to learn. This is crucial in the ever-changing cyber world. You’ll also gain additional professional skills like communications, leadership and management. Another positive for education is that a degree is forever and does not require any upkeep. It will get you in the HR screening process door if an IT degree is a particular job requirement. It indicates that you have the work ethic to complete something. Of course, it comes at a cost: both time and money. An inexpensive education option in the United States is a 2-year school (aka community college). The National Security Agency (NSA) designates 2 and 4-year schools as Centers of Academic Excellence in Cyber Defense. See https://www.nsa.gov/resources/students-educators/centers-academic-excellence/.
    2. Certification – Establish your credibility. Certifications show you have knowledge in a specific area or indicate that you have the subject matter expertise. If you’re just starting in cybersecurity, the CompTIA Security+ (http://bit.ly/2Ei6Xtw) is the perfect place to start. It covers the basics, without requiring you to have extensive knowledge or experience. Certifications are based on a point in time and require continuing certification. The benefit is that you can often take a 1-week boot camp or watch a video series like Cybrary and complete the certification exam shortly after. This can be a low-cost option for many.
  3. Practical Experience / Practice. Getting certifications or a degree does not guarantee a job. You must continually practice what you’ve learned and build on that knowledge. This should come from both practical experience and personal practice.
    1. Experience. For many cybersecurity jobs, this matters more than degrees or certifications. For those who are new to the cybersecurity career field, start in a help/service desk or security operations center (SOC). These are great ways to gain positive professional experience learning how cybersecurity operates within an organization. You can also gain experience by volunteering to fix or secure computers for a community group (e.g., senior center, religious organization, etc.). In return, ask for a reference. By the way, you don’t have to start in cybersecurity. All careers can teach about professionalism and how organizations operate. These can provide much-needed perspective outside of technology.
    2. Practice & Do Your Homework. Cybersecurity is a career where you must keep learning and relearning to stay relevant and keep your skills sharp. I often tell my students, “Homework begins after you graduate” and “The real test is in the real world (not in the classroom).” You flunk a test in school, you can still graduate. You flunk a test irl (in real life), you won’t get the job or get to keep your job. This means you need to keep learning. Take advantage of sites like Cybrary that provide free videos on many aspects of security.
      1. For the strategic / GRC track, you need to read a lot about cybersecurity. Study the latest frameworks (NIST, CSC), laws and regulations (PCI, HIPAA, GDPR, State Laws, etc.). Read security news like krebsonsecurity.com.
      2. For the tactical / technical track, practice your skills. You should have a home lab environment with physical equipment, virtual machines or both. You can do much of this for very little cost. Learn Linux by getting a Raspberry Pi or load VMware or VirtualBox. Learn how to hack and protect yourself.

No matter the path, you need to:

  1. Be aware of the other side. If you’re tactical / technical, you still need to understand strategic / business, and vice versa.
  2. Network (the human kind). Join security groups in your community like ISSA, ISACA, ISC2, OWASP, Infragard, etc. This is a great way to meet other passionate cybersecurity professionals. These groups may also provide mentors to help you choose your path and keep your skills sharp through continual learning.

This is just a short tutorial on building your cybersecurity career. Like in the Matrix, you need to pick a path (the red pill or the blue pill / strategic or tactical / education or certification) and move towards your goals.

If you choose not to decide, you still have made a choice. Don’t let the choice be made for you.

Online Safety Tips, Security Education

BBB Cybersecurity Program: Learn How to Protect Your Organization From Phishing Attacks

The Better Business Bureau (BBB) Foundation and its partners present a FREE cybersecurity program for businesses that will provide education on how to protect your business from phishing attacks. It features our own Gary Sparks and Karla Carter.

Learn How to Protect Your Organization From Phishing Attacks!
Topics:

  • What is Phishing/How Does Your Company Protect Its Information
  • The Social Engineering of Phishing Scams
  • Combating Phishing Attacks in Larger Organizations and Financial Institutes

When: Wednesday, October 31, 2018
Time:  8:30 am – 11:00 am
* 8:30 am – 9:00 am Registration and Breakfast
* 9:00 am – 11:00 am Keynote/Breakout Sessions

Where: Metropolitan Community College – Fort Omaha Campus Building 24 (5370 N 30th St Omaha, NE)

Learn more and register at https://lnkd.in/dUMebHb

Careers, Concepts, Security Education

Breaking into Security Careers – 2018

Cyber Careers

Cybersecurity continues to be a hot career field with many job opportunities. This means more and more folks want to break into it. A common question I’m asked is, “How do I get a job in information security / cybersecurity?” We continue seeing people who are interested, but don’t know the steps it takes to start or extend a cyber career. This blog post answers the question, “How do I break into (the) security (career field)?” It’s updated from my 2014 and 2015 blogs.

Career Triad

To get hired as a security professional, you need a mix of experience, education, and certifications. It takes all three to not only land the job, but also be successful in it.

1. Education: With education, you learn how to learn. Cybersecurity is a vast field and it’s nearly impossible to know everything. You need to be able to learn and adapt quickly to new technologies, situations, and processes. Education also builds the soft skills of critical thinking and communications. It’s readily available both online and in-person through local universities and training partners like CyberVista or Cybrary.it. It’s hard to study on your own. These resources provide you with expert instruction and guidance to not only pass the certification exams but also gain knowledge to succeed as a security professional. When looking at formal education, seek out 2 or 4 year schools that are designated Centers of Academic Excellence in Cyber Defense by the NSA and DHS.

2. Experience: You gain experience and a fine-tuning of your abilities through work, volunteering and building your own home cyber playground. Almost every job today has an aspect touching technology. Do your homework and learn all you can about it. Ask others if you don’t know. It’s also easy and inexpensive to build your own home lab or playground. Finding an old computer or getting a Raspberry Pi and learning Linux is a great technical experience builder. You can also gain experience by volunteering to help secure a local non-profit, your church, or other community organization.

3. Certifications: IT certifications get your foot in the door and help you move up in your career by showing employers you have the skills they’re looking for. CompTIA Security+ is and has been the optimal starting point for security certifications. It helps you prove basic competency in topics such as threats, vulnerabilities, and attacks, system security, network infrastructure, access control, cryptography, risk management, and organizational security. Don’t stop there. Keep your career moving by building on it with other ones like the CompTIA cybersecurity certifications (CySA+, CASP, or PenTest+). CompTIA CySA+ and CompTIA PenTest+ delve further into the cybersecurity specialty, validating the complementary skills of offensive and defensive cybersecurity teams. If you’ve been in cybersecurity for a while and want to remain in a hands-on enterprise security, incident response and architecture role rather than moving into management, CASP is for you. Once you’ve gained five years of cyber experience with those certifications, you’ll be ready for advanced cybersecurity certs like (ISC)2’s CISSP or ISACA’s CISM or CISA.

Once you’ve decided that cybersecurity is for you, decide on your career track. Cybersecurity is both vast and wide and covers a myriad of jobs. Figure 1 shows the high-level cybersecurity careers. Don’t try to do or be everything for everyone. What cyber job excites you the most? In which one(s) do you have even a little knowledge and skill? Base your decision on your strengths, interests, experiences, and future goals.

Cybersecurity Career Paths

The NIST National Initiative for Cybersecurity Education (NICE) is a great resource for cybersecurity career information. The NICE Cybersecurity Workforce Framework, aka NIST Special Publication 800-181, is a nationally focused resource that categorizes and describes cybersecurity work. CyberSeek provides detailed data about supply and demand in the cybersecurity job market. Use it to see where and what the cyber jobs are through interactive maps and career pathways. NIST NICE provides numerous other resources invaluable to cybersecurity job seekers. The nice thing about these (pun intended) is that they’re all free.

Security Professional Traits

The following traits are common among successful cybersecurity professionals. Having each will differentiate you from others when you’re hunting for a job or looking for a promotion.

  • Curiosity – A wonder on how and why things work. All hackers are curious.
  • Critical Thinking – Goes with #1. You need to go beyond the obvious and be able to analyze your environment to best fit business needs.
  • Communications Skills – You can find the coolest things, but if you can’t effectively let others know, it’s like a tree falling in the forest. Build your ability to both write and speak. This is where education can help.
  • Technical Skills – You need to know your way around computers, networks, and applications. Understand what’s happening under the covers. You should build this both on-the-job and on your own.
  • Maturity – Stuff happens. You need to be able to keep your head when all h311 is breaking loose.

Each is discussed in more detail in Eric Steven Raymond’s epic paper from 2001, “How to Become a Hacker,” which should be required reading for all cyber professionals.

Join the Community

The last piece of advice is for you to join a local or national cybersecurity organization. ISSA, ISACA, (ISC)2, and OWASP have chapters throughout the world. They provide access to expert instruction on cybersecurity topics. There’s also tremendous power in networking (the human kind). Most jobs are found through someone you know. Plus, at their meetings, you can meet other passionate cybersecurity and IT professionals to help you jumpstart or extend your cybersecurity career.

For more ideas on breaking into cybersecurity careers, I recommend Launch Your Cybersecurity Career in 8 Steps from CompTIA: https://goo.gl/3aV74t.

Cybersecurity jobs are aplenty and it’s a great career. It’s up to each worker to set her/his own path. Use the ideas above and share others.

Careers

Applying for an Internship

I’m often approached by students who are wondering what they need to do to become more marketable for an internship. First, pursuing an internship is a great way to build practical experience and also a way to show your skills to a prospective employer. These are competitive positions, however, and there are a few things you should keep in mind on your journey to secure a position.

Generally, an internship is going to be most beneficial after you have completed the first year of your program. That means by starting to consider an internship early you still have time to make yourself more marketable. Employers are going to be looking for someone they can benefit from, with the potential of hiring in the future, which means you need to be competitive with others. You should assume that everyone applying for the internship will be enrolled in a similar college program to you, so your grades need to be competitive. This is where most students stop: “I have good grades, hire me.” Unfortunately, that is often not enough. Here are some other actions you can take to become more likely to secure that coveted position.

  • Any IT work you can do is valuable to put on a resume. That may mean working a help desk, but that is a starting position. Some organizations are also looking for volunteers to help with setting up networks or administering systems. Good places to find these opportunities in your area are professional groups – see next bullet.
  • Become a student member of ISACA, ISC2, OWASP, ACM, IEEE, or any other cybersecurity focused professional group in your area. Find a group that has a local chapter (google for those organizations in your area). They have speakers that provide great info and you make good connections for potential internships/jobs.
  • Practice learning skills in a home lab. Start by downloading VMware or VirtualBox. Both have free versions. These allow you to set up a virtual machine on your computer. Then load a Linux version such as Ubuntu or Fedora. Use your access to BU’s Microsoft Imagine site and download Windows Server – practice working through them. You can set up a virtual network and share files between the machines to see how that works. Our library has several good resources on those topics.
  • Talk with our career center – http://www.bellevue.edu/student-support/career-services/career-services, they can help with info as well, especially with preparing for interviews, building a resume, etc.

Careers, Security Education, Security Management

CyberSeek resource for cybersecurity career information

NIST, in partnership with Burning Glass and CompTIA, recently introduced the CyberSeek resource for cybersecurity career information. Per the NIST press release:

The CyberSeek tool fills in knowledge gaps so policy makers, employers, security professionals and others will have greater visibility into the demand for cybersecurity professionals around the country. It will allow them to see the skills and types of workers that employers are looking for, as well as the true supply of professionals to fill those positions.

If you are looking for that initial job in cybersecurity, want to identify the skills you need to improve, or want ideas on how you can progress in your cybersecurity career, I highly recommend spending a few minutes on CyberSeek.org.

 

Careers, Security Education, Security Management

NIST publishes draft Cybersecurity Workforce Framework

It probably comes as no surprise to most that demand for cybersecurity professionals continues to rise. The U.S. Department of Labor projects an 18% growth in computer and mathematical occupations during the period 2012-2024. Unfortunately, 52% of IT professionals surveyed in a recent ISACA and RSA Conference survey stated that fewer than 25% of all job applicants were qualified.

One effort to address these shortfalls was recently updated with the publishing of the draft NIST Cybersecurity Workforce Framework (NCWF), NIST SP 800-181.  The NCWF provides information about cybersecurity work roles, the tasks performed by individuals filling those roles, and the knowledge, skills, and abilities needed to complete those tasks successfully.  The document is open for public comment through January 6, 2017.

*Additional cybersecurity workforce demand statistics are available in an infographic published by the National Initiative for Cybersecurity Education.

Security Education

An Introduction

I wanted to take a quick moment to introduce myself.  I’m Professor Douglas Rausch and have recently taken over the role of the Cybersecurity Program Director from Professor Ron Woerner.  Ron has moved back to industry but don’t worry, he is still an adjunct Professor in the program at Bellevue and I’m sure will still be an active contributor to this blog.

I joined the full-time faculty at Bellevue about a year ago after serving in an adjunct position for about a year and a half.  Although I taught across both the undergraduate and graduate programs my focus was as director of the undergraduate cybersecurity program. That changed with Ron’s departure and I now oversee both programs.

Prior to joining the University, I spent 26 years in the Air Force as a communications and cyber operations officer.  It was great fun and an exciting time.  As with all of our instructors, I use those ‘on the job’ experiences to take the foundational concepts we teach in the classroom and provide thoughts on their application to the challenges you will meet each day as a cybersecurity professional.

Well, that’s a little bit about me. I’m looking forward to using this forum to discuss the evolving world of cybersecurity as well as some of our activities here at the University.

Cheers
Doug