One big industry, lots of different options
I regularly speak at universities and careers fairs about opportunities and pathways within the cyber security industry. More often than not, the first type of role always discussed is penetration testing. This is indeed a great career path. However, there are other options!
Here at Context Information Security, we provide holistic solutions to our clients. As such, this puts us in a good position to talk about a variety of different career paths, which could be open to you! This isn’t a complete insight into every available role within the industry (that would be impossible in such a short blog). However, this is a good cross-section of potential pathways.
Incident Response is an ever-changing field in the cyber security arena where no two days are ever the same. One day you may be developing signatures to detect a new exploit that has been reported in the news, and the next, responding to a security incident unravelling how an infection was able to take hold of a network.
Working in this field means that you are often exposed to interesting cases, from ex-employees hacking into their previous employer’s networks, to large-scale security investigations tracking the movements of nation-state actors around a network. In amongst this analysis work, there is also plenty of time to pursue other interests and attend training courses in order to specialise in areas of interest.
If you are the sort of person who has an analytical approach to investigating problems and enjoys piecing together evidence to come to the right conclusion, then a career in Incident Response will likely be a good fit for you.
Cyber Consultancy will involve you assisting organisations to develop a comprehensive and effective cyber security strategy. This can include a wide variety of areas including threat management, cyber risk and compliance, security architecture, security operations, analytics and reporting.
You will work with organisations to evolve and optimise their existing cyber strategies and recommend or assist in implementing bespoke solutions, complementing existing capabilities and investments.
Is this for you? You will need exceptional communication, problem solving and project management skills. It can be a varied and rewarding career path if you like dealing with people and complex challenges!
At Context, Security Research involves us being engaged by users and third parties to assess the security of software and hardware products. This can involve us finding vulnerabilities in web browsers, operating systems, mobile and embedded devices, and enterprise applications. You name it we’ve done it.
This type of work is focussed less on specific technologies and more on skills: most of our Researchers and Research Developers are happiest when reverse engineering and looking for vulnerabilities, and developing high-assurance software. Technologies come and go, but over the last two years the team has worked a lot on mobile, embedded and radio technologies. Crucial to research is the ability to tackle a task where the right solution is not obvious from the beginning; or even where there may not be a solution.
Assurance (Penetration Testing)
Being a penetration tester is essentially hacking with the client’s permission. Doing this without permission will wind you up in jail.
As a penetration tester you aren’t just going to be hacking things and then walking away. You are there to give the client a clear insight into what vulnerabilities they have and assist them in quantifying what actual risk this poses to their business, providing recommendations for remediation along the way.
An important part in articulating this to a client is in the delivery of a report. It needs to be detailed but it also really needs to distil the key issues and what the potential impact of these could be to the client’s business. Therefore, the report needs to address the findings from the test in a non-technical and technical way.
As a penetration tester you are not going to have the luxury of time afforded to conventional attackers. Everything will be defined and scoped with the client before an engagement, with clear times set for delivery. The exception to this is obviously red team engagements, where you are really trying not to get caught. These types of engagements are more open ended but even in these cases there will still be timeframes attached to the engagement.
What skills are required?
Although there are a multitude of roles available, quite often many of the core skills needed remain the same.
Attitude: in my mind, this is the most important factor. You need to have a passion for security. Unless you have this, it is unlikely that you are going to have the drive required to upskill and maintain the personal development required to reach the top of this competitive field.
Communication skills: a big part of the role is about communicating effectively, not only with clients but also with colleagues. This includes both written and verbal communication. When dealing with clients you often need to be diplomatic and understanding of the client’s situation. They are our customers, therefore they expect a good experience throughout the engagement and a thorough and valuable report at the end of it. Good communication skills, and more generally, consultancy skills are very important.
Be capable of thinking on your feet: things are not always going to go as you planned or expected. Therefore, you need to be comfortable and capable of thinking on your feet. If you are on site with a client, never be afraid of phoning back to base to get the opinion or viewpoint of a more senior colleague.
Thirst for knowledge: you will never know everything. There is always going to be someone that knows more than you. Realise that. Surround yourself with smart people and learn from them.
What tips can we offer you?
Read blogs and security news, listen to podcasts. Cyber security is a fast moving industry, new breaches, attacks and vulnerabilities are happening almost daily and it is essential that you stay up to date with the latest industry developments.
If you do find something that you would like to learn more about, for example malware analysis, consider setting up a home lab environment to learn more about it. Attempt CTF challenges (like you are today). Not only will this teach you a lot about a subject you are interested in, but also it is something that can be a great talking point in interviews with potential employers.
Talent and Employer Brand Manager