I’ve worked in Cyber Security for a number of years and frequently get asked about the difficulty of working in cyber security, especially by people who are looking to break into cyber security because they see it as a rewarding career move.
So, is cyber security hard? Cyber security is hard for people without technical skills, as the cyber security technology involved may be difficult for them to learn. Cyber security uses a lot of security technology to protect against cyber attacks and cyber threats, so a technical mindset is important.
People with some technical skills can find it easier to grasp technical concepts in cyber security making it much easier for them to learn. There is a lot of technology as well as processes, principles and steps required in Cyber Security.
Those who already work in a technology role may be able to get into cyber security with no or minimal experience, depending on what type of technical role they are transitioning from, as their current role could be considered an entry level role suitable for cyber security.
They could be working as a Server Engineer with experience in installing and configuring Microsoft Windows servers. Moving into Cyber Security as a Cyber Security Engineer could expand what they do with Microsoft Windows Servers, whereby they get involved in hardening the servers to ensure they are protected against cyber attacks.
What skills are needed for cyber security?
The skills needed for Cyber Security depend on the role undertaken, as some roles require a lot more technical knowledge than others. Some roles, like Cyber Security Architect, require high-level knowledge, compared to the detailed knowledge Cyber Security Engineers and Cyber Security Analysts need in specific security areas.
I work as a Cyber Security Architect and for me, knowing what a security tool protects against is far more important than knowing in detail how to install it and how to configure its settings.
So, taking a Cyber Security tool like a Web Application Firewall (WAF), I know why it’s needed. That is to protect websites from cyber attacks like SQL injection.
I know what SQL injection is: malicious data entered into a database via the website can lead to information being divulged (a data breach) or, just as bad, the database being taken over by a hacker through privilege escalation.
I know any projects I’m working on that have public-facing websites need to be protected by a WAF. If these websites are not protected, then I flag this up as a risk that could lead to a cyber attack.
The appropriate remediation will be required to mitigate the risk, which will be getting the WAF put in place. I won’t be doing this as the Cyber Security Architect.
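As an added illustration, not from the original post, of the SQL injection the WAF is there to stop, the constructed Python snippet below contrasts a website lookup that builds its SQL by string concatenation with the parameterised form that closes the hole; the table, names and e-mail addresses are made up.

```python
import sqlite3

# Constructed sample data (not from the original post): a users table a
# website might query when a visitor looks up a profile by name.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "user"),
         ("bob", "bob@example.com", "admin"),
         ("carol", "carol@example.com", "user")],
    )
    return conn

def lookup_vulnerable(conn, name):
    """Builds the SQL by string concatenation: whatever the visitor typed
    becomes part of the query text, so the query's logic can be changed."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Parameterised query: the driver passes the value separately from the
    SQL text, so the input is only ever compared as a plain string."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # The textbook injection string: it closes the quote and appends a
    # condition that is always true, so every row is returned.
    injected = "x' OR '1'='1"
    print(lookup_vulnerable(conn, "alice"))    # one row, as intended
    print(lookup_vulnerable(conn, injected))   # every row: the data breach described above
    print(lookup_safe(conn, injected))         # no rows: no user is literally called that
```

A WAF in front of the site is a second layer that can block such requests before they reach the application, but the parameterised query is the fix at the source.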
Now, if I worked as a Cyber Security Engineer, I would need to know a lot more than a Cyber Security Architect. I would need to know about:
- Installing a WAF, including automating the installation
- Configuring the WAF, especially the rules required
- Integrating the WAF into logging, monitoring and alerting tools
- Testing the WAF to make sure it works correctly
- Applying any patches or updates when they come out
- Troubleshooting and supporting the WAF for any problems, issues and errors.
As you can see, the level of knowledge required by a Cyber Security Engineer is far greater than what I would need as a Cyber Security Architect, meaning that I could not do the job of a Cyber Security Engineer as the learning curve would be too much for me.
How long does it take to learn cyber security?
The time taken to learn cyber security is longer for more specialist hands-on Cyber Security roles like Cyber Security Engineer, with a minimum of 12 months required to gain an entry level of proficiency. Expert level proficiency requires at least 24 months.
For those who want to become Cyber Security Engineers, the process and time taken to become proficient will be a lot longer than for those who want to become Cyber Security Architects, because there is more for the would-be cyber security engineer to learn.
It took me about three months to get over to Cyber Security from my previous Architect role where I worked as a Solutions Architect. I already had enough experience understanding key concepts of architecture and just needed to get to grips with the principles of Cyber Security.
Likewise, if I had been an Engineer, like an Infrastructure Engineer who worked on installing and configuring servers, applications and services, then the transition to a cyber security engineer role would be fairly straightforward, as I wouldn’t have to learn what I already knew technically.
Those with no previous technical experience will find it a lot harder to get to grips with cyber security, as there is a lot of technology involved and a technical mindset is a must to pick up the new cyber security technical skills.
Cyber Security Engineer
Take the role of Cyber Security Engineer: it’s a role I would say is particularly hard to get into if you have little or no technical experience.
Let’s take a look at the resume (CV in the UK) for a typical Cyber Security Engineer role. The required skills could include:
- Extensive technical Security and Operations (SecOps) experience
- Extensive experience working with Microsoft Office 365, Microsoft Azure and AWS (GCP nice to have)
- Microsoft Windows and RedHat Linux server engineering experience including server hardening
- Vulnerability management experience
- Certificate management & PKI
There’s quite a lot to know: Linux and Microsoft Windows experience are massive areas in their own right, along with Microsoft Office 365, Microsoft Azure (Microsoft’s cloud offering), AWS (Amazon’s cloud offering) and GCP (Google Cloud Platform, Google’s cloud offering).
With each of the cloud offerings, not only will the Cyber Security Engineer need to know how to install, configure and test security tools, but they will also need to know how to automate the installation and configuration. This will require experience in one or more of the following:
- Azure ARM Templates
- AWS CloudFormation Templates
- GCP Reusable Templates
If native templates aren’t being used then some form of scripting will be required, with the following being a popular choice:
- Bash scripting for Linux, Unix
The list below shows the typical security tools a Cyber Security Engineer could end up installing, configuring, testing and supporting:
- Web Application Firewall (WAF)
- Anti-DDoS (Distributed Denial of Service)
- Intrusion Detection System (IDS)
- Intrusion Prevention System (IPS)
- Data Loss Prevention (DLP)
- Security Information and Event Management (SIEM)
- Antivirus and Endpoint Management
As you can see there’s a lot for the Cyber Security Engineer to learn and usually these people come from technical backgrounds, either from an infrastructure or a development background.
They can most likely already code to some degree, so automating installations using scripting languages, templating and languages like Python is second nature to them. Installing and configuring security tools like WAFs, IDS and so on is also going to be straightforward for them, as they will understand the bare-bones operating systems these security tools will be installed onto, so expanding this to include installation with support from the vendors isn’t going to be a challenge.
At one organization I worked at the Cyber Security Engineer had to install a specific container security scanning tool the organization had bought. They had never heard of the tool or the vendor, but they managed to easily install the tool, with help from the vendor.
Now consider if they had no or limited engineering skills: they’d need to play catch-up first with understanding the operating system the new security tool would be installed on, and they’d also need to understand how containerization, like Docker containers, works, and so on.
Cyber Security Analyst
Now let’s take a look at the Cyber Security Analyst role. This role seems a little bit more specialized, as it tends to focus more on incident management, planning and reporting. Typical responsibilities include:
- Analyze network traffic, including raw network traffic, network flows and Intrusion Detection System (IDS) traffic
- Triage and assist with cyber security events and incidents, including prioritization of incidents and acting as the technical lead for major cyber security incidents
- Review security processes, incident response playbooks and detection use cases on an on-going basis
- Maintain latest threat intelligence updates on new and upcoming cyber threats
- Review vulnerabilities across the organization, including running reports, determining mitigations and planning remediations.
Analyzing network logs is a skill that needs to be learnt, even when specialist network analyzers are used, as many of the alerts and warnings could actually be false positives. That is, they look real, but when analyzed they represent no threat.
This skill requires the Cyber Security Analyst to work out, using the processes and skills they’ve learned, what the alert or warning is really about.
For some this can take years of practice. I’ve worked with people where I’ve seen an alert on a dashboard and thought it could be important, and they’ve explained to me why it’s not and that it’s a false positive.
Cyber Security Architect
Cyber Security Architect roles are more decision-making roles: deciding whether the cyber security measures in place, or those to be put in place, are effective in dealing with the cyber security threats, and coming up with remediation recommendations for any risks highlighted.
For example, a risk highlighted could be not having sufficient protection against web-based attacks like SQL injection, and the remediation recommendation would be to have a Web Application Firewall with the correct rule set in front of the website servers.
Let’s take a look at what a typical resume (CV) demands from a Cyber Security Architect.
- Provide security support for projects in an advisory capacity
- Define security requirements for projects
- Identify cyber security controls for projects
- Conduct threat modeling workshops with developers, architects and business analysts
- Produce security architectural artefacts including designs and patterns
- Provide security requirements for RFI/RFPs, including third party assessments
- Review corporate security posture and highlight any risks and recommend remediations
Now let’s take a detailed look at each of these. I work as a Cyber Security Architect, so these requirements typically form the backbone of the work I do. The first one, providing security support for projects in an advisory capacity, is something I do day to day: I sit with the project, look at what they are planning and try to assess the security risk by finding what gaps they have in their overall security.
I define the security requirements for the projects I serve by either using pre-existing security requirements and checking to see if they are fit for purpose, or using a series of readily available requirements associated with a security framework. For example, for vulnerability management, I may decide to go with the following requirements:
1. Vulnerabilities need to be identified in a timely fashion for applications, networks and infrastructure.
2. Remediations will be prioritized using a risk-based model for identified vulnerabilities.
3. All vendor supplied patches for vulnerability remediation must follow change management procedures.
I will also provide security requirements when new security products are being selected as part of the Request for Information (RFI) and Request for Proposal (RFP) processes, as any vendor has to meet my security requirements to be considered.
Identifying security controls is another area of my expertise, so for projects with websites, identifying the need for WAFs and Anti-DDoS is a must. If I’m looking at the security used during software development and release, I would want, as a minimum, a Static Application Security Testing (SAST) tool, a Dynamic Application Security Testing (DAST) tool and a container security scanning tool if they are developing Docker containerized images.
I also conduct threat modeling workshops where I work with developers, architects and other people involved in the projects to come up with a list of bugs arising from potential threats. This is an important step before any of the development or building work starts, as fixing bugs at this stage will save a fortune compared to trying to fix bugs when the project is about to go into service.
I provide patterns for security services, so, for example, if the project is using a Continuous Integration Continuous Deployment (CI/CD) pipeline, I will design how the security tooling will fit into this. I don’t get too involved in the designs, as I try to make the patterns technology agnostic, allowing the architects to fit their chosen security technology in place.
So if my pattern has a SAST tool in it, they are free to choose the SAST tool they are comfortable with. I will obviously review their choices for any security implications, but they need to be comfortable with the security tool chosen; otherwise, you could end up with a security tool I think is fine but that nobody in the organization has ever used in anger before.
A large part of my role is reviewing the security posture of the organizations I work for and determining if what they have in place, or what they are going to put into place, is sufficient to mitigate the cyber security threats out in the world.
When I find anything that could cause problems, I raise risks and advise the organization to remediate them, then follow up to check that this has been done and close the risk when it has been completed.
Cyber Security is hard for people with no or limited technical skills, but for those who already have certain skills, even ones that are not cyber security related, the transition into cyber security will be a lot easier.
That being said, understanding what is really required for a career in cyber security is an important first step, as otherwise you could waste time learning about areas of cyber security that aren’t relevant to the role you are aspiring to.
This is why it’s important to look at the job specs and not to take the word of a few so-called cyber security professionals on YouTube, who may not be telling you what’s actually real.