What is a cybersecurity professional?
There’s a lot more to the job than most people think

It’s just one of those things. If you are in it, you forget that others may not know what the heck you are talking about. That is exactly the case with cybersecurity, though when I first started it was called information security.
I have been fortunate enough to have grown up with the profession and often forget that a lot of people have no idea what exactly it is I do. Usually, when I get the “what do you do for a living?” question, I respond with “I’m a cybersecurity professional.” Then, I get a wide-eyed look along with, “Oh, that’s nice.” Some of those same responses have been from former bosses, leading me to the topic of this article.
My capacity working with an international professional association of information security professionals has allowed me to stay on top of hot trends in the profession and the industry as a whole. In the past two to three years there has been a lot of media coverage surrounding a gap of skilled and qualified cybersecurity professionals to fill upwards of 1 million open jobs, and that’s just here in the United States.
This is pretty amazing, since most businesses don’t even understand what the job entails, never mind needing someone to fill it.
This is due to the fact that many regulations (either legislative or industry) require companies to have a skilled and qualified individual identified to lead the “security” effort.
That brings us back to the question, “what exactly is a cybersecurity professional?” The simple answer is an individual who has been specifically trained to protect information in our cyber world. As you might imagine, there are different degrees of knowledge and different disciplines. I guess you could say that it’s one of the world’s best-kept secrets. And, that’s been our problem.
It’s a problem because, when it comes to protecting cyber environments, many believe that you just need to get the “IT guys/gals” in to put in a firewall, or some other security technology. But if it were that easy, we wouldn’t have data breaches and hacking incidents like we’ve experienced in the past few years.
Don’t get me wrong, the “IT guys/gals” can do wonderful things with technology, but it does take more than that. There is an adage we often use: a sound approach to cybersecurity is three-fold – people, process and technology. And the “IT guys/gals” have one of them covered.
Cybersecurity professionals are trained in all three areas. When I first started, it was learned by trial and tribulation, and now there are many colleges and universities offering undergrad, certificate and graduate programs in information security and information assurance.
The topics that cybersecurity professionals must understand go beyond technology and include human behavior and motivation, in order to understand why people hack – kind of like the saying, “In order to catch a thief you must think like a thief.”
When you get to the higher levels of the profession, it is also important for cybersecurity professionals to understand what organizational governance is and how to motivate people to change their habits – like not opening emails that promise fortune or make outlandish claims.
The most important aspect that a good cybersecurity professional needs to understand is how to work with all groups within the business. Like other core functions, such as HR, finance and IT, it is necessary to work across the board in order to identify what is important and how best to protect it.
So if you need to hire a cybersecurity professional, check to see what their qualifications are and if they have any security-specific certifications.
If you need to find out more, the federal government’s National Initiative for Cybersecurity Careers and Studies is a good starting point. The Information Systems Security Association can also provide guidance, especially if you are interested in making a career change or are just starting out.
Or you can contact me and I will set you in the right direction.
Candy Alexander is a New Hampshire-based cybersecurity consultant and a member of the international board of directors of the Information Systems Security Association. She can be reached at candy@alexander-advisory.com.