Do you know what your career path as a cybersecurity professional is? Have you ever really thought about that? Most don’t, as was reported in a recent study jointly published by the Enterprise Strategy Group (ESG) and the ISSA (Information Systems Security Association) earlier in November 2016. The study reported that over 65% of the 437 professionals surveyed stated that they do not have a clear career path.
When you talk to those who have been in the field for any length of time, you quickly discover that the progression in their career has been what some describe as “dumb luck.” Most have fallen into the role of information security — or cyber security as most have come to know it — as a result of “something happening” in the environment, whether it was a breach, the release of new regulations, or just being the only one in the office at the time something suspicious happened.
Our profession has been based on a reaction to what is going on in the environment. Think about how it started: someone broke into the computer network, and fingers were pointed at members of the IT staff to go figure out what happened and to address the issue immediately. Then the directive was to figure out how it happened (and thus computer forensics was born) and to make sure it doesn’t happen again (system hardening, policies, and governance were born). It wasn’t until this scenario had played out time and time again that the State of California passed S.B. 1386, calling for data privacy for its residents. That was the catalyst for getting businesses to pay attention and to move to a proactive stance.
Why do I tell this story? Because, like students of history, it is important that we learn from our mistakes; being a reactive profession has been painful at times. One could argue that because our profession is reactive, there is a lot of confusion as to what exactly our job is. We see it as reducing risk to the organization, IT sees it as making sure the organization is compliant, and the business isn’t quite sure at all what we are supposed to do... other than that they need to have security in order to meet regulations. Sure, we can keep going back to our job descriptions, but many of those are written so that they are open to interpretation. So is it any wonder that we don’t meet expectations? Without an internationally accepted career map, job titles, descriptions, and definitions, we will continue to feel that pain.
The challenge has been that moving from a profession of reaction to one that is proactive is very complex and requires coordination from leadership. I have been an information security/cybersecurity professional for close to 30 years and have yet to see or know of a globally accepted career map for cybersecurity professionals. There have been several organizations attempting to resolve the issue of standardizing career maps, including the ISSA with the Cyber Security Career Lifecycle. The US Federal government has also made a valiant effort with the National Initiative for Cybersecurity Education (NICE). But more needs to be done to ensure international collaboration on these efforts.
And why is something like that important? Well, without a clearly defined career map, how do we explain and educate others about what our jobs are, and how are we to know what skills and knowledge we need to be successful in our current jobs? What knowledge, skills and abilities (KSAs) do I need to strengthen to move forward to the next level? What is the next level? Where do I go to obtain the KSAs?
These questions, along with many others, were asked in the previously mentioned ESG/ISSA research survey, “The State of Cyber Security Professional Careers,” and I would encourage everyone in the profession to take a look at the report. It is important that you, the cyber security professional, stay engaged and informed in order to prepare for the next steps in your career, and reading it is a good first step.
Hopefully I have set the tone for future articles that I will contribute here, to help inform and encourage you to grow as a cyber security professional! If you have questions or comments, feel free to contact me via ITSPmagazine here.
About Candy Alexander
Candy has nearly 30 years in the security industry working for companies such as Digital Equipment, Compaq Computer Corporation, and Symantec. She has held several positions as CISO (Chief Information Security Officer) for which she developed and managed Corporate Security Programs. She is now working as a Virtual CISO and Cyber Security consultant.