So You Want to Become a Security Professional
Just as someone had once shared with me the resources necessary to pursue my career in information security, I want to pass on the knowledge and share with you what I have learned along the way, and where to look to establish your own career. In this three part series I will present an introduction to security, discuss how to get started in the community and your chosen career, as well as go over all that I have learned with the many specialized domains and leave you with additional resources.
Round The Clock, Round The World
Security is still considered a relatively new field despite having been deemed crucial since the early days of information technology. We have seen more maturity over the last decade and the trend will continue. Veracode illustrates nine domains with many subdomains of specialization in their model. Before we rush into the domains and specializations, we will dive deeper into these high-level roles in the next section.
There are many career options where we wake up in the morning, try to enjoy that morning coffee (or tea) and make our way to work. We do the job and go home. However, unlike most jobs that end by five o’clock, security is not a field where that is an option. Security is not your typical nine to five. It is a round-the-clock responsibility, very similar to an operations role. While there are some roles that are demanding each day and night such as Incident Response, security engineering, or being part of the C-Suite, there are others that allow for easier work days like security auditing or technical policy.
This will be a factor when determining the role you want to specialize in. Do you want to maintain your work-life balance? or are you ready and prepared to step into the metaphorical fire? But, know that you are not alone in this. There will be entire organizations to protect, and those organizations are full of people. Your responsibility is to protect the business.
Information Security vs Cybersecurity
Before we go further, it is important to delineate just what information security and cybersecurity are. While different communities have their own definitions, I want to share how I have come to understand the two. I often find that “cyber” will be a popularized buzzword,used interchangeably with the Assessment & Authorization (A&A) process when what is meant is Informance Assurance (IA); or a CISO will request an assessment and implementation plan for an enterprise information security program and then set forth the requirements to only build a SOC and Incident Response team.
Information Security is the practice of employing defensive mechanisms to protect information systems against unauthorized entry. It is also the protection of data against fraudulent use meant to harm individuals and entities. The goals of protecting data are meeting the Confidentiality, Integrity, and Availability. This is also known as the “CIA triad”. While maintaining confidentiality and data integrity, it is also important to note that operational availability is to ensure that data is available at all times and restoration mechanisms are in place.
Cybersecurity is the protection from fraud, theft, and damage to computer systems and their hardware, software components, and the data stored. This also includes protection from disruption of services caused by physical and electronic hijacking of those services. The offensive objective is to gain unauthorized access to information systems or electronic data while the defensive objective is to prevent unauthorized access. Cybersecurity has grown substantially since the early 2000s and is now included into political and strategic decisions as cyber warfare has become more prevalent. As electronic devices are increasingly integrated into the larger interconnected ecosystem, the need for offensive or defensive techniques and operations increases and compliance becomes more valuable.
As we dive further into the fundamentals in part two of this series we will also go deeper into the misconceptions and ensure you receive the information needed to take the paths that are right for you.