Submission By: Tom Gilheany
Cybersecurity jobs are growing three times faster right now than IT jobs in general, and 12 times faster than the overall job market. In a 10-year period, IT security jobs have grown 74 percent. That growth is accelerating. Worldwide, organizations face a shortfall of 1.5 million cybersecurity-trained workers by 2019.
Hiring trained cybersecurity professionals is a huge challenge. That’s why more than one-third of employers ask job candidates for industry certifications.
So what should students study to give themselves a solid foundation that prepares them to learn security skills? There are four areas to consider.
Four Pillars of a Security Career
The first pillar is operating systems. These include systems like Windows, Linux, and macOS for computers, and iOS or Android for mobile devices. Your goal is to move from a user/desktop level of understanding to an administrator/server level of understanding. You should know how subsystems, applications, and users reside in an operating system, how they are controlled, and how they interact with each other. This knowledge will also become useful if you ever need to “clean up” after a system has been compromised.
The second pillar is some experience with coding. Software vulnerabilities represent a large percentage of the attack surface. Software automation is pervasive not only in information systems, but also in security controls. It is extremely helpful to know at least one programming/scripting language. C, Python, or Perl are good choices to learn.
The third pillar is networking. Networking and communications are critical functions of our information systems, but they are also leveraged by many security threats. With today’s web-based and distributed applications, you must have a fundamental understanding of networking to know how systems can be remotely breached or compromised, and how information is exfiltrated from a system.
Finally, the fourth pillar is basic security principles. Be sure to include both general security and environmental security. What’s the difference? If we use the example of a bank, knowledge of locks and keys would fall under general security, since that technology is used universally to secure all kinds of assets. Environmental security is specific to an industry, organization, or system, and would cover knowledge of what “normal” business transactions look like, versus what would constitute suspicious activity. Anything ensuring the confidentiality, integrity, or availability of information and assets can count as security skills—even traditionally “non-cyber” items that reduce risks, such as disaster recovery planning, can be helpful experience to draw on.
For the past decade, one of the most well-known security team frameworks used to organize large-scale security teams has been the U.S. Department of Defense Directive 8570. Many government institutions and large organizations have used this framework to help them organize and define IT security jobs.
Cybersecurity Offers Many Job Choices
The 8570 directive outlined 14 job roles under four different categories, but in the intervening years, security has grown more complex, and job roles have diversified. In 2015, the DoD set up Directive 8140. It includes moving toward the adoption of a new NICE Cybersecurity Workforce Framework (NCWF) from the National Institute of Standards and Technology's (NIST's) National Initiative for Cybersecurity Education (NICE), in conjunction with the Department of Homeland Security's National Initiative for Cybersecurity Careers and Studies (NICCS). Much of the U.S. federal government is moving to align with this new framework.
This new framework has seven activity categories and 31 specialty areas, more than doubling your cybersecurity job options. So, think about the kind of work environment and activities you prefer when looking at all of the roles.
The Work You Like to Do
For example, if you work best in an orderly 9-to-5 job, then a role like information assurance compliance in the "securely provision" category is probably more to your liking. But if you thrive in less predictable circumstances and don’t mind working odd hours, then you might want a computer network defense job in the "protect and defend" category. Anything in security operations may be to your taste, too.
Once you’ve identified the job(s) that interest you, find out more about the knowledge, skills, and abilities (KSAs) required to do that job. Knowledge is defined as a body of information applied directly to the performance of a function. Skills are an observable competence to perform a learned action. Abilities are competence to perform an observable behavior, or a behavior that results in an observable product. KSAs were originally designed to quantify the competence of job candidates in a measurable way.
The U.S. federal government has been working to phase out KSAs, but many organizations still write job descriptions based on them. Although they proved tedious to job applicants applying for federal jobs, they can prove helpful to get a good idea of what it takes to do a job, and what a hiring manager may be looking for.
What You Need to Get Started
Do you have, or plan to attain, the competencies or KSAs you need for the job(s) that interest you? Most hiring managers ask for, or are required to hire, people with industry certifications, in order to provide evidence of competence. Certifications help employers verify that you have the minimal amount of training, knowledge, skills, and abilities to perform a job you already have or one you want.
Each job under the older 8570 security framework has a set of certifications, and everyone performing a particular job is required to hold a certification from that job’s certifications list. Cisco's CCNA Security and Cybersecurity Specialist (SCYBER) certifications are two 8570 baseline certifications available right now. Eventually, different federal departments, and the individual DoD branches, will evolve and shift to the new workforce framework, alongside a newer list of certifications mapped into each of the 31 specialty areas.
If you are called to a career in cybersecurity, it will take a lot of hard work and ongoing study to keep current. But there is an unusual amount of job security and rewards in this profession. Imagine being one of the white hats taking on the bad guys to protect and defend your country, your company, and your customers—making the digital world a safer place for everyone.
And if you need folks to bond with in your early pursuit of a cybersecurity operations role and, perhaps, its accompanying CCNA Cyber Ops certification, head on over to the CCNA Cyber Ops Study Group here on the Cisco Learning Network.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.