I work in cyber security as a cyber security architect, and across the security teams I have worked in there are a number of different. Some of these jobs are quite exciting, and finding out which ones was my mission when I first looked at entry level jobs.
Is cyber security boring? As a general rule, the lower level cyber security jobs can be quite boring, as they are monotonous and repetitive: the same tasks are repeated as part of the daily activities, such as running through checklists, checking security and incident logs, checking dashboards for alerts, and creating tickets in an incident management application from a central security email mailbox.
The boring jobs in cyber security can lead to employees becoming demotivated and can also create a lot of stress. Many of these jobs end up with a high turnover in employees as people end up quitting these low level jobs as they become frustrated by the monotony.
Many years ago, one of my close friends was involved in a low level boring job in cyber security, where they worked in shifts, either the early shift or the late shift. With each shift they had to go through a checklist, with the morning shift requiring them to do this first thing in the morning and the late shift requiring this checklist to be done towards the end of their shift.
They told me how it could take them as long as 2 hours to go through the checklist, checking different dashboards, different logs and a whole host of other boring tasks. They said they felt like a robot when they were doing the checking, as it felt like they were on automatic mode, like running a computer program in their head to check this and then check that.
Once the checklists were completed, they would have to check the centralized email mailbox for the whole cyber security team, where any incident related emails would come in. They would need to review each of these emails and then add each relevant one to the incident management application. So, if an email came from another employee, let’s say one who worked in accounts, saying something along the lines of,
“I accidentally sent some of our customer information to the wrong customer”
My friend would need to create an incident in the incident management application, putting in the details of the employee who sent the email, the time of the incident, the details of the incident and so on. Then they would need to work out who this incident should be assigned to; with the example above, they could have assigned this to the data privacy team. Each incident would require a priority rating, based on my friend’s assessment of the seriousness of the incident.
They said they would generally give privacy related issues a priority of three, but if it looked serious, my friend would phone a listed contact of the data privacy team. If they had to phone them outside of work hours, because they were at the start of the early shift or towards the end of the late shift, this could be an emergency out of hours number.
They didn’t stay too long in this job and used their ability to quickly assimilate skills and knowledge to progress to another role, getting more involved in incident management type roles, including incident management planning.
One of the things my friend really hated about the boring job they did was the lack of social contact, as large parts of their shift were spent working alone, without any interaction with other employees. Sometimes the lack of social interaction can by itself make any job boring, and the same can be said of some of the lower level cyber security jobs.
Is cyber security a stressful job?
Cyber security can be a stressful job, especially in roles involved in incident management, as a serious incident can mean all hands on deck and having to work under time pressure to get tasks done, leading to longer hours to make sure the incident is contained.
At one of the organizations I worked at, I had an easy 9 to 5 role, except for one day when there was an incident. Initially it looked like the organization had suffered a successful cyber attack, and this meant a full incident management process had to be initiated.
As the attack looked like an attacker had managed to breach one of the security controls on the project I was working on, I had to get involved. Worse still, the incident management process started just as I was logging off for the day, so I had no choice but to stay at work and provide my support to the incident manager and the incident management team.
For me, this was a first; I had never been involved in an incident before, so my curiosity got the better of me. However, some of the other colleagues on the call, especially those who were part of the incident management team, had to frequently work under these conditions. That is, the unknown, where an incident could strike at any time and they needed to be ready and on their ‘A’ game to get the incident contained as quickly as possible.
This meant their 9 to 5 could turn into a 9 to midnight, or in a worst case scenario they might have to pull an all nighter. The team also had to share the baton of being ‘on-call’, meaning they could be happily asleep at home at night when the phone rings to let them know there’s a potential major incident underway.
Once an incident management process was underway, the incident manager would be asking the team loads of questions, and they would need to work out what investigations and tasks they needed to do. This would all need to be done quickly and accurately, to ensure the impact of any incident was minimized.
So, for example, if an Amazon Simple Storage Service (S3) bucket was misconfigured and one of the security tools picked this up, the incident management process would need to look at:
- when this was discovered,
- when the misconfiguration occurred,
- what information is stored in the S3 bucket,
- who’s accessed the information,
- what could potentially be the impact of unauthorized access,
- how can the misconfiguration be fixed, and a damage limitation exercise started.
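The first three questions in that list are usually answered from two artefacts: the bucket policy (what was misconfigured) and the bucket's access logs (who accessed what, and when). The script below is an added example, not code from this post or from AWS; it checks a constructed bucket policy for statements that grant access to everyone and then parses constructed lines in the S3 server access log layout to recover the exposure window and the anonymous downloads. The account IDs, bucket name, IP addresses and log lines are all made up.

```python
"""Triage helpers for a misconfigured S3 bucket: a policy check plus a pass over
access log lines. Added example, not code from the post; every account ID,
bucket name, IP address and log line below is constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed bucket policy: statement "PublicRead" is the misconfiguration
# (anyone on the internet may download every object); "AppRole" is fine.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-exports/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/export-writer"},
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-customer-exports/*"},
    ],
})

# Constructed lines in the S3 server access log layout (first 17 fields).
# A requester of "-" means the request was unauthenticated (anonymous).
ACCESS_LOG = """\
0123456789abcdef example-customer-exports [03/Mar/2024:09:12:01 +0000] 203.0.113.7 - REQ1 REST.GET.OBJECT exports/cards-2024-02.csv "GET /exports/cards-2024-02.csv HTTP/1.1" 200 - 48211 48211 33 12 "-" "curl/8.4.0"
0123456789abcdef example-customer-exports [03/Mar/2024:09:12:05 +0000] 203.0.113.7 - REQ2 REST.GET.OBJECT exports/customers.csv "GET /exports/customers.csv HTTP/1.1" 200 - 91003 91003 40 15 "-" "curl/8.4.0"
0123456789abcdef example-customer-exports [03/Mar/2024:10:01:44 +0000] 10.0.4.12 arn:aws:sts::111122223333:assumed-role/export-writer/app REQ3 REST.PUT.OBJECT exports/customers.csv "PUT /exports/customers.csv HTTP/1.1" 200 - - 91003 55 20 "-" "aws-sdk-go/1.44"
0123456789abcdef example-customer-exports [03/Mar/2024:11:30:09 +0000] 198.51.100.9 - REQ4 REST.GET.OBJECT exports/secret.txt "GET /exports/secret.txt HTTP/1.1" 404 NoSuchKey - - 8 - "-" "python-requests/2.31"
"""


def public_statements(policy_json):
    """Sids of Allow statements that grant access to everyone ("*") without a
    Condition narrowing it, i.e. the classic public-bucket misconfiguration."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and everyone and "Condition" not in stmt:
            found.append(stmt.get("Sid", "<no sid>"))
    return found


LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) '
    r'(?P<object_size>\S+) (?P<total_time>\S+) (?P<turnaround>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"')


def parse_log(text):
    """Parse access log lines into dicts; the timestamp becomes a datetime."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            records.append(rec)
    return records


def anonymous_reads(records):
    """Who accessed what: successful object downloads by unauthenticated
    requesters, grouped by source IP, with the time and key of each."""
    hits = defaultdict(list)
    for r in records:
        if r["requester"] == "-" and r["operation"] == "REST.GET.OBJECT" and r["status"] == "200":
            hits[r["ip"]].append((r["time"], r["key"]))
    return dict(hits)


def exposure_window(records):
    """First and last successful anonymous request: the window in which the
    data is known to have been reachable without credentials."""
    times = [r["time"] for r in records if r["requester"] == "-" and r["status"] == "200"]
    return (min(times), max(times)) if times else None


if __name__ == "__main__":
    print("public statements:", public_statements(BUCKET_POLICY))
    recs = parse_log(ACCESS_LOG)
    print("exposure window:", exposure_window(recs))
    for ip, reads in anonymous_reads(recs).items():
        for when, key in reads:
            print(f"{when:%Y-%m-%d %H:%M:%S} {ip} downloaded {key}")
```

The policy check only answers "is it public"; the access log answers the damage-limitation questions, and the 404 line shows why status must be checked: a failed probe is evidence of interest, not of access.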
There are a lot of investigations and tasks involved, and if the information stored in this S3 bucket was of high value, like credit card information, organizational secrets or customer information, then senior people in the company may need to get involved.
For me, this sort of not knowing how my working day would pan out (ending up working more hours than I expected, being called at night and having my sleep disrupted, and generally not being able to get into a routine) would cause me, and many other people, a lot of stress. This is why I avoided these types of jobs.
My jobs as a cyber security architect have not been stressful, and going forward this will remain the case, as I act in an advisory capacity and work strictly a 9 to 5 role. Sometimes 8 to 4 if I’m having to commute, as this helps me avoid the stress of commuting during rush hour. My job is not the exception; there are many roles in cyber security like this, from analysis and engineering to risk management.
I would always advise anyone new to cyber security to view jobs like incident management as temporary if possible, especially if they are stressful, and to use them as a springboard to other, less stressful roles.
Is it worth going into cyber security?
As a whole, going into cyber security is definitely worth it, as the rewards are higher compared to other jobs in information technology, both in the financial rewards of salaries and contract rates and in the jobs themselves, with many jobs being very interesting.
Cyber security jobs pay well when compared to other jobs in the world of information technology. I have friends who have transitioned across from other types of information technology jobs and seen a large increase in what they earn, sometimes by as much as 50%.
For me, I like the social aspects of my cyber security job, whereby as a cyber security architect I engage with multiple teams across an organization. I find this very rewarding, as it allows me to build friendships, but more importantly it allows me to establish with my co-workers that I’m there to help them.
I’m not there to block them and stop them doing their jobs by imposing draconian security rules and regulations. Instead, I’m there to discuss and look at how we can both work together to meet the needs of security and of the organization.
I also love the fact that many cyber security roles give a level of authority, especially in organizations where they treat security as a ‘first class citizen’. Fortunately for me, this has not gone to my head.
I do enjoy working in an authoritative role, but my mantra is always still to help other people in the same organization understand and appreciate the need for cyber security, as it protects the ‘hand that feeds’, our employer, and we need to make sure they are protected from cyber threats and attacks.
Does cybersecurity require coding?
There are many more jobs in cyber security that do not require any coding knowledge or coding experience than specialized roles where coding is important. Jobs that don’t need coding knowledge are more people focused and more involved in architecting, designing, planning, building and supporting an organization’s cyber security initiatives.
People often mistake coding experience for a prerequisite to get a job in cyber security when in fact most of the jobs don’t require any coding experience or knowledge. This can then lead to these people learning coding languages, in particular Python, as they see this as a fast track way into cyber security.
Unfortunately this isn’t the case, as actual experience and knowledge of cyber security is more important, and having the ability to code is just seen as a ‘nice to have’ skill in most of the cyber security jobs out there.
None of the jobs I have done in cyber security have involved any coding. I have no coding experience, other than being able to use the web programming language PHP for some of the websites I create for my non work related activities. This lack of coding knowledge has not hindered my ability to work in cyber security.
However, I do know that developers need to code securely, by not hard-coding passwords in their code or using database queries that can easily be abused for hacking. This is all I need to know; I don’t need to know anything about coding, from classes to object oriented programming.
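Those two secure-coding points are concrete enough to show in code. The example below is added here and is not code from this post; it uses an in-memory SQLite table with constructed rows and a constructed environment variable name (APP_DB_PASSWORD). It puts a string-concatenated query beside its parameterised form, so the reviewer can see why one of them is "a database query that can easily be abused", and reads the database password from the environment rather than from the source file.

```python
"""Two of the secure-coding habits mentioned above, shown in Python with an
in-memory SQLite database. Added example, not the post's code; the table, rows
and environment variable name are constructed for the demonstration."""
import os
import sqlite3


def connect():
    """Constructed customer table so the queries below can be run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_ref TEXT)")
    conn.executemany("INSERT INTO customers (email, account_ref) VALUES (?, ?)", [
        ("alice@example.com", "ACC-1001"),
        ("bob@example.com", "ACC-1002"),
        ("carol@example.com", "ACC-1003"),
    ])
    return conn


def find_account_unsafe(conn, email):
    """String concatenation: whatever the user types becomes part of the SQL
    text, so a crafted value can change what the query matches."""
    sql = "SELECT account_ref FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def find_account_safe(conn, email):
    """Parameterised query: the SQL text is fixed and the value is passed
    separately, so the input is only ever compared as data."""
    sql = "SELECT account_ref FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def db_password(env=None):
    """Read the database password from the environment instead of hard-coding
    it in the source, where it would end up in version control and backups."""
    env = os.environ if env is None else env
    password = env.get("APP_DB_PASSWORD")
    if not password:
        raise RuntimeError("APP_DB_PASSWORD is not set; refusing to fall back to a built-in default")
    return password


if __name__ == "__main__":
    conn = connect()
    probe = "' OR '1'='1"  # the textbook tautology input from every secure-coding course
    print("unsafe:", find_account_unsafe(conn, probe))  # every account comes back
    print("safe:  ", find_account_safe(conn, probe))    # nothing matches that literal string
```

The point a reviewer looks for is structural: in the safe version the query text never changes, whatever the input, and the secret lives outside the repository.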
When I worked at one organization, there was a large cyber security team of about 80 people, where there were:
- Security Architects
- Security Consultants
- Security Engineers
- Security Analysts
- Risk Analysts
- Security Testers
- SOC Engineers
- SOC Analysts
- Incident Management
- Data Privacy Specialists
Out of the 80 or so people in the security team, I would estimate only about 15 of them used code in their jobs all the time. That’s less than 20%. The Security Testers and some of the SOC Analysts used heavy coding expertise in their jobs, as the security testers would need to understand code to be able to run their security tests, like penetration tests, against the code.
Whilst some of the SOC Analysts, especially those involved in Red Team and Blue Team activities, would need to be able to code, as the Red Teams were responsible for Ethical Hacking and could include individuals who would need to manipulate code or create threat and vulnerability code, to see if the Blue Team could find this vulnerability.
The Security Engineers would have some coding skills depending on what their job involved, so if they were writing scripts on Linux or Unix (bash scripts) or on Windows (PowerShell), then they would need to know how to code these scripts. But this was only if the scripts involved security tools, and more than likely the tool vendor would come in and help install the security tool, taking care of any scripting needs.
The security engineers would then most likely use templates like Azure ARM Templates or AWS CloudFormation, or a templating language like Terraform, to package the installation and configuration of the security tool after the vendor had created the associated scripts. I would find it difficult to say the security engineers in this example were 100% coding, as templating languages are a lot simpler than coding languages like Python. These templating languages are a lot more declarative than logical, and I’ve done some basic Terraform template building and found it way easier than coding in PHP.
More importantly, a lot of the cyber security work I recommend to projects would be done by the project’s DevOps engineers. The DevOps people would know how to code, so if I wanted them to install some security software, they would need to create scripts in Python to automate the installation if templating wasn’t being used.
So whilst it’s correct to assume DevOps engineers needed to know about coding, I, as the cyber security professional, would need to know nothing about coding even though there is coding involved in what I’ve recommended.
The DevOps engineers were not part of the cyber security team and were part of the project team, meaning their coding knowledge and experience wasn’t relevant for a job in cyber security because they don’t work in cyber security.
I remember one organization where I was in a team with five other cyber security architects, and one of my co-workers was mentoring some interns who were doing work experience as part of their university degree program. He had taught them some basic Python, to be able to run reports, extract information out of files and quickly import the information into Microsoft Excel spreadsheets from where reports could be created.
My co-worker had a serious knowledge of Python and could code to a very high level; in fact, I’m sure if they wanted to get a coding job as a developer they would easily manage that, as their proficiency was so great. However, my co-worker used to moan that we didn’t get any opportunity to use Python other than what he was doing with the interns, and this was because it wasn’t needed for our day to day jobs.
If you like coding and want to work in cyber security in a job involving coding, then some of the security engineering jobs could be ideal for you. The security testing jobs like penetration testing and ethical hacking, and working in red teams and blue teams, may also be more relevant.
Do you have to be smart to be in cyber security?
On average, you do not need to be smart to work in cyber security for most cyber security jobs, as these jobs involve applying the principles, standards and best practices of cyber security to projects and situations. Once these cyber security principles and standards are understood, they can easily be applied across any organization.
I’m of average intelligence and would never class myself as being overly smart, but I do find it easy to get jobs in cyber security, simply because I understand what cyber security really means, what the typical threats and attacks to watch out for are, and how the principles, standards and security best practices can be applied.
Over time I’ve developed a mindset in thinking in how an attacker like a hacker would operate and this allowed me to understand the measures needing adoption to thwart these types of hackers.
Whilst there are many jobs that do not require very smart people, there are also jobs in cyber security that do require people who are smart. There are jobs involving complex coding, analysis and threat determination. These cyber security jobs tend to attract only the smartest applicants, but as a whole they form a smaller part of an organization’s overall cyber security team.
I do not have a degree; I only have high school education, but I am constantly approached by organizations who want me to work for them. The reasoning being my vast experience in cyber security that I have built using the principles and standards of cyber security.
I use many of the following principles in my day to day work:
- Authentication
- Authorization
- Accounting (Auditing)
- Confidentiality
- Integrity
- Availability
- Principle of Least Privilege
- Separation of duties
I can easily apply these principles to any cyber security project I’ve been tasked to review. So, with the first principle listed, authentication, I will check whether the project is using authentication in its deliverables. This could be a web application like a website where customers have to log in. Authentication provides a mechanism to prove the customers are who they say they are, and this is done by them having a username and a valid password to log in.
The principles around authorization would involve ensuring the customers can only see information relevant to them when they login, as they are authorized to see this information. Customers won’t be able to see information about other customers as they are not authorized to see this. If they can see information about other customers then that’s a warning sign to me that the authorization isn’t working properly or worse still, there is no authorization in place.
The Accounting principle would mean all interactions with the website and any other services by customers, employees, third parties and contractors are logged. So, every time they try to log in, a security event is written to a file called a log, with the username of the person logging in and the time and date. If the login fails, for example because the wrong password is entered, then this is also logged.
Logging is important as it keeps a record of security related events and these can be analyzed to look for suspicious patterns, like logging in from unusual locations like outside the country where the user normally logs in from. This could indicate the user account has been compromised and by acting quickly on this by suspending the account by disabling it, can stop potential cyber attacks.
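The three principles just described, plus the detection the logging makes possible, fit in one small program. The code below is an added example, not code from this post; the user names, countries and the "usual countries" map are constructed. Authentication is a salted password hash check, authorization is the "only your own records" rule, accounting is an audit log that records every attempt (including failures and unknown users), and the last two functions are the analysis run over that log: logins from an unusual country and the run of failures since the last success.

```python
"""Authentication, authorization and accounting (AAA) for the login scenario
above, with a detection pass over the accounting trail. Added example, not the
post's code; user names, countries and the usual-location map are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000


def register(users, username, password):
    """Store a salted password hash, never the password itself."""
    salt = os.urandom(16)
    users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))


def authenticate(users, username, password, source_country, audit):
    """Authentication: the caller proves they know the password.
    Accounting: every attempt, successful or failed, known user or not, is
    appended to the audit log with who, when and where from."""
    ok = False
    if username in users:
        salt, stored = users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        ok = hmac.compare_digest(stored, candidate)  # constant-time comparison
    audit.append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": username, "country": source_country, "success": ok,
    })
    return ok


def can_view(requesting_user, record_owner):
    """Authorization: a logged-in customer may only see their own records."""
    return requesting_user == record_owner


def unusual_logins(audit, usual_countries):
    """Detection over the log: successful logins from a country the user does
    not normally log in from, the 'suspicious pattern' described above."""
    return [e for e in audit
            if e["success"] and e["country"] not in usual_countries.get(e["user"], set())]


def consecutive_failures(audit, username):
    """Failed attempts since the user's last success, useful for lockout decisions."""
    count = 0
    for e in reversed([e for e in audit if e["user"] == username]):
        if e["success"]:
            break
        count += 1
    return count


if __name__ == "__main__":
    users, audit = {}, []
    register(users, "alice", "correct horse battery staple")
    authenticate(users, "alice", "wrong", "GB", audit)
    authenticate(users, "alice", "correct horse battery staple", "GB", audit)
    authenticate(users, "alice", "correct horse battery staple", "BR", audit)
    for e in unusual_logins(audit, {"alice": {"GB"}}):
        print("unusual login:", e)
```

Note that `authenticate` returns the same plain `False` for a wrong password and for an unknown user, so the response does not reveal which usernames exist, while the audit record keeps the distinction for the analyst.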
The principles around confidentiality are vitally important in protecting an organization’s information, by ensuring only those people who are authorized can see the information, and by ensuring the information is protected if it does get stolen. This can be done in most instances by ensuring the data component of information is encrypted whilst it’s stored and during any transmission, through the use of encrypted channels.
Integrity principles are important to make sure information isn’t tampered with and altered, like a report about the company’s profit showing a severe loss being altered to show bumper profits. This alteration has changed the integrity of the report, as the information it contains is not correct, and the share price of a company or a merger or takeover could be influenced by the report, leading to investors suffering potential losses as a consequence of tampered information, and potentially to job losses to stem the loss of profit.
Availability ensures information can be used, so a website where doctors can access medical records about their patients, doesn’t suffer an outage, leading to doctors not having important information available at their fingertips.
Typical distributed denial of service (DDoS) attacks are used by malicious parties to knock out services like websites, stopping legitimate users from accessing them. The DDoS attack overloads the systems used to support the website like web servers to load balancers, reducing and in some cases crippling access.
The principle of least privilege is important to ensure the privileges someone has on a system befit the job they are doing. So, a normal user who just needs to log in and use Microsoft Word, Microsoft Excel and check their email doesn’t need administrator level privileges. They just need basic level privileges to do their job.
The Separation of duties principle aims to spread privileges across a number of people to ensure one person doesn’t hold privileges that are considered too powerful across the board. So, when software is being developed, tested and released, there’s no single person who has privileges to develop the software, test the software and release the software into a ‘real live environment’ like production.
Instead, the different stages of the release cycle are split into different roles with different levels of privileges, to ensure not only that the principle of least privilege is observed, but also that no one person can do everything in the development, testing and release of an application.
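Both principles turn into a check that can be run over a role catalogue, and the release-cycle example above is the natural test case. The code below is an added example, not code from this post; the roles, permission names and users are constructed. `sod_violations` finds anyone whose combined roles give them a conflicting pair (develop and release, approve tests and release, develop and approve tests), and `excess_privilege` finds permissions granted beyond what each person's job needs. The two checks catch different things: a user whose job genuinely needs both "develop" and "release" has no excess privilege but still violates separation of duties.

```python
"""Least privilege and separation of duties as a check over role assignments,
in the style of the release-cycle example above. Added example, not the post's
code; the roles, permission names and users are constructed."""

# Constructed role catalogue: what each role is allowed to do.
ROLE_PERMISSIONS = {
    "developer":       {"repo:write", "build:run"},
    "tester":          {"test:run", "test:approve"},
    "release_manager": {"deploy:prod"},
    "office_user":     {"email:read", "docs:edit"},
    "admin":           {"repo:write", "build:run", "test:run", "test:approve",
                        "deploy:prod", "user:manage"},
}

# Pairs of permissions no single person should hold together:
# develop + release, approve tests + release, develop + approve tests.
SOD_CONFLICTS = [
    ("repo:write", "deploy:prod"),
    ("test:approve", "deploy:prod"),
    ("repo:write", "test:approve"),
]


def effective_permissions(assignments, user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(assignments):
    """Separation of duties: users whose combined roles give them a
    conflicting pair of permissions, with the pairs that clash."""
    violations = {}
    for user in assignments:
        perms = effective_permissions(assignments, user)
        hits = [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]
        if hits:
            violations[user] = hits
    return violations


def excess_privilege(assignments, job_needs):
    """Least privilege: permissions granted beyond what each user's job needs."""
    excess = {}
    for user in assignments:
        extra = effective_permissions(assignments, user) - job_needs.get(user, set())
        if extra:
            excess[user] = extra
    return excess


if __name__ == "__main__":
    # Constructed assignments: carol develops and releases, dave is an office
    # user who was also handed admin, erin only tests.
    assignments = {"carol": ["developer", "release_manager"],
                   "dave": ["office_user", "admin"],
                   "erin": ["tester"]}
    job_needs = {"carol": {"repo:write", "build:run", "deploy:prod"},
                 "dave": {"email:read", "docs:edit"},
                 "erin": {"test:run", "test:approve"}}
    print("SoD violations:", sod_violations(assignments))
    print("excess privilege:", excess_privilege(assignments, job_needs))
```

In practice `job_needs` comes from the role someone was hired into and `assignments` from the identity system; the gap between them is what an access review is meant to close.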
I really enjoy working in cyber security, finding it incredibly interesting and certainly not boring. My day to day job responsibilities are very rewarding, especially when they involve collaborating with other employees, meeting suppliers, discussing new cyber security tools and looking at ways of improving cyber security risk postures across my employer’s organization.
I don’t find the roles I’ve done stressful as I’ve not been actively involved in stressful roles especially around incident management. I try to get into a 9 to 5 routine and once this is firmly established, my responsibilities are easily managed, and I’m not overwhelmed by work tasks as I’ve got pretty good at planning my work schedules.
I’m someone who is of average intelligence, but this hasn’t hindered me working in cyber security. I’ve managed to get to grips with the major principles of cyber security and have been effective at getting these principles applied wherever I’ve worked.
There’s no need to get any coding experience for most cyber security jobs however some jobs, especially if you want to get into ethical hacking, engineering or some of the analysis jobs, may require some programming knowledge. But for the stuff I do and generally most people do in cyber security, the need for coding and programming skills is not there.
Overall cyber security is definitely worth going into as it’s not only financially rewarding but can be an extremely interesting career to be part of. I find the work I do very fulfilling and the social interaction with people I meet is a massive benefit for me. I thoroughly recommend it to anyone interested in a new career or a career change.