How to work in cyber security

With a cyber-attack every 39 seconds and more than 1 billion malware programs in existence, it is not surprising that cyber security is likely to be one of the growing careers of the future.

This interview with renowned cyber security expert James Bore, a leading chartered security professional and author of the Cyber Circuit, covers his journey and his view of cyber security as a career.

What is cybersecurity and how important is it in the world of business?

There’s an ongoing debate about that – some use it interchangeably with information security, some say it’s part of information security, some say information security is part of cyber security. I tend to think of them as overlapping but separate – with both being security applied in their domains. The cyber domain covers cyber-physical systems, or electronic systems which have an impact on the physical world, while the information domain is about information in all forms. Ultimately, it’s about security.

And for business, it’s important as cybercrime is now a major and very successful industry. With a huge shortage of the expertise needed, an ever-expanding number and range of attacks, and a scope that sometimes includes areas as diverse as fraud and physical security, it’s a difficult problem to solve.

What drew you to work in cyber security?

When I started it wasn’t called cyber security, and information security was still called information assurance. Data protection was still a new idea in many areas, and I was working in schools managing their IT networks. I then spent a couple of decades bouncing around different roles and industries, and at some point during that people started calling what I did information security, then cyber security.

It’s had its ups and downs, but I can’t imagine another field which would present me so often with new and challenging problems.

What are the types of cyber security roles?

The roles are a lot more varied than people might think. Most commonly known are penetration testing and SOC analysis, also known as red and blue teams, which are the traditionally offensive and defensive sides of the field. Because they’re well-known they’re also the most competitive areas to enter.

Aside from that, there’s a whole range of other roles, and almost any skill set can be applied within security. Education, risk assessment, technical skills, communication, and more. There are a lot of pathways available, some of which are recognised as security while others are less obvious.

What steps would you recommend for someone interested in breaking into the cybersecurity field? 

Start by understanding how you best learn. There are training courses available, degree pathways, certifications galore, plenty of self-study materials, and of course learning on the job. If you’re going into security then there’s a definite need for constant learning, and knowing which blend works best for you will put you leaps ahead.

Beyond that, look for unexpected pathways. It sometimes feels that everyone wants to be a penetration tester or work in a SOC, and so the barriers to entry are high. Risk management, compliance, communications, software development, and many others can also be ways in – and in many cases, you can sidestep from an existing role by speaking to an employer and saying you want to develop that way.

Finally, join the community. I hate to say it but the recruitment landscape for cyber security is not in your favour. That’s beyond my ability to fix, but attending community events, speaking to a range of people in the industry, and asking for help will give you a much better possibility of breaking in. Mostly the industry is supportive and encouraging, but make sure to speak to a range of people to get diverse perspectives.

What is the typical salary in the Cyber security field? Are they as high as advertised?

No. Some of the unethical boot camps out there promise salaries like £72k from the start – that’s unlikely to happen and the best I know of as a starting salary is £55k coming out of a boot camp where the person already had relevant skills to their new role. Overall cyber security does pay better than average, but a lot of the exceptional salaries are reserved for the highest positions.

What are the best security certificates to break into the cyber security field? Can you get into cyber security without a degree?

You can get in without a degree (it’s part of where networking comes in), and I didn’t have a degree until nearly two decades into my career when I decided to take a part-time MSc course. There’s a huge number of certificates out there and generally, it’s best to view them as keys to unlock particular roles – where job descriptions talk about them as essential.

A set of certificates which are commonly asked for and respected are the CompTIA three. These cover technical and security basics and are a good set to start with. A+ covers basic computer troubleshooting and maintenance, Network+ covers the basics of networking computers together, and Security+ builds on those to provide a layer of security understanding.

There are also government-funded boot camps which occasionally come up, as well as self-funded, which work for some people. If you’re considering this route make sure to speak to prior students, and the general community if you can, to get an understanding of the boot camp from people with experience of it. Some are great and do well by their students, while others are less effective and arguably unethical.

What resources (books, websites, etc.) would you recommend for someone who wants to learn more about cybersecurity? 

The Cuckoo’s Egg by Clifford Stoll is a very readable account of possibly one of the first cases of cyber security espionage and a read of it will give you a good foundation in everything from incident management to forensic investigation, along with a solid appreciation of how poorly the field is understood.

Beyond that, there is a huge range of books out there covering almost every aspect of security, and your best bet is to ask for recommendations when you have an idea of which area you want to enter. Website-wise, connecting with people on LinkedIn and asking for their advice is always a good step. Generally, people in the industry are very supportive, though it helps to think about which way you want to go first as that’s likely to be the first question you’re asked.

For penetration testing and technical knowledge, websites like TryHackMe and HackTheBox provide a lot of free resources.

Can you walk me through a typical day in your role as a cybersecurity expert? 

With what I do now there’s no such thing as a typical day. It might range from carrying out an audit, which will mean interviewing people and reviewing evidence, to dealing with an emergency incident where a company’s been attacked and helping them to recover.

For someone working in a SOC (Security Operations Centre), your day-to-day will involve monitoring, training, and triaging alerts that come through. For pen testing, there’ll be some testing of systems and a lot of assessing and writing up the results. Most security roles though cover a variety of areas so there’s rarely a typical day.

What are the biggest challenges you face in your day-to-day cybersecurity work? 

Security is not in a good place – systems are poorly built and vulnerable, people are unaware of security threats and the habits to protect themselves, and cybercrime is a well-established and highly profitable industry in its own right. The biggest challenge many people face within the industry is keeping their spirits up.

What are some of the most rewarding aspects of working in cybersecurity? 

Despite the challenges, it is an industry where a real difference can be made to people and organisations. Fraud accounts for about 40% of crime in the UK, and most of that is cybercrime, so it’s a field where you can help protect people and empower them to protect themselves.

What are the different career paths available within cybersecurity? 

This is over-simplified, as there are many more, but the UK Cyber Security Council recognises 16 different career paths in cyber security – https://www.ukcybersecuritycouncil.org.uk/careers-and-learning/cyber-career-framework/

A model I prefer is the colour spectrum.

  • Red team, the breakers who attack systems when authorised to find out how they can be broken into and advise on how to fix it
  • Blue team, the defenders, monitoring for attacks and taking the results of offensive security testing to strengthen systems
  • Green team, designing secure systems from the start to reduce the attack surface
  • Orange team, training, awareness, and education
  • Yellow team, builders who construct systems (theoretically) following green team designs
  • Purple team, a mix of red and blue skills

What skills are most important for someone who wants to advance in their cybersecurity career? 

Learning to learn and research is probably the most important thing you can learn.

To advance in your career, speaking and presenting at events is one of the most important things to do as it establishes your place as an expert on your topic and shows you have the communication skills to make use of your expertise.

What kind of professional development opportunities are available in cybersecurity?

A lot – from community and commercial events to more courses than you can shake a bundle of sticks at. A good employer will encourage and support professional development as it’s so essential to the work.

With the rise of artificial intelligence, how will it be used offensively and defensively in cybersecurity?

We’ve had artificial intelligence since the 70s. While the much-hyped LLMs are most people’s first experience, their application within cyber security is limited since they cannot be relied upon to provide accurate information. A large language model (LLM) is a type of artificial intelligence (AI) program that can recognise and generate text, amongst other tasks.

The biggest uses are around disinformation (deliberate spreading of false information), and to improve fraud attempts. There are some potential uses for developing new malware code, but they’re limited.

What are the expected cyber security threats of the future?

The balance between cybersecurity and privacy is a complex issue. How can we ensure strong security measures without sacrificing individual privacy rights?

This is an ongoing debate, and it needs to remain that way. The balance will vary depending on different factors and continuously change. No one answer can be set for all time.