
Career Focus: Cyber Security
A Growing Threat, a Growing Career

By John R. Platt

"America's economic prosperity in the 21st century will depend on cyber security," said President Barack Obama in May 2009.



In the two years since those words were spoken, the problem of cyber security has only gotten worse. Wherever you look, cyber crime is on the rise, threatening individuals' privacy, corporate coffers, government secrets, the security of financial institutions, the operation of national infrastructures, and much, much more.

But with the rise of these threats also come opportunities, as new careers are opening up for people to protect us from hackers, cyber criminals, organized crime, and even terrorists. The field of cyber security is growing by leaps and bounds, and by all accounts there are simply not enough skilled professionals to meet even the current need, let alone the need projected over the next five years.

As it stands, every industry is at risk and in need of cyber security experts to help mitigate that risk. "Cyber threats are everywhere," says Ronald Woerner, assistant professor at the College of Information Technology at Bellevue University. "Hackers target not only large companies, but also small and medium businesses, local government, and non-profit organizations. The latter are often left unsecured due to a lack of money and resources to properly secure their cyber environments."



Even as the number of threats rises, they are also evolving. Specifically, the rise of mobile devices and cloud computing opens up whole new areas for hacking to occur and creates new vulnerabilities for companies. "As more and more data is moving to the cloud, the number of 'unique information access points' is shrinking rapidly," says Rohit Nadhani, founder and CEO of Cloudmagic.com. "Imagine a situation when the company moves to the cloud for storing all their documents. Now if that central repository on the cloud is hacked, it is then much, much easier to get a plethora of information without a lot of additional effort."

The hacks themselves can cause numerous types of damage: they can cost companies money (sometimes a great deal of it), information, time, or even, ultimately, their reputation. And reputation, as we'll come back to later, is critically important in today's world.

The Opportunities

One of the biggest areas for potential cyber security professionals to find employment is in the government. "The U.S. government is currently on track to spend over $79 billion for financial year 2011 on information security," says Mike Meikle, CEO of the Hawkthorne Group. "They are the largest customer for information security professionals at the present time." Meikle says the next greatest levels of need are within financial institutions and the utilities/energy sector.

While government might have the most immediate need, some see tremendous growth for cyber security professionals elsewhere. "I think we're going to see a lot of job growth in the private sector," says Derek Manky, senior security strategist at Fortinet, who points out that one of Obama's initiatives is to work more closely with private industry.

Whether it is government or industry, "every sector is going to need expertise in the field," says Dr. Nada Marie Anid, dean of the School of Engineering and Computing Sciences at New York Institute of Technology. "Your regular IT department will need to have a division of people with cyber security expertise."

Consulting firms specializing in cyber security will play an important role in all of this. "Consultants are a major player in security," says Shane Bernstein, managing partner of Q, an IT staffing agency. "Big enterprise companies or government agencies will bring in professionals with niche skill sets."

There are also a variety of roles cyber security professionals can play in their field. "On our team, there are careers and positions open for all areas," says Manky. He says these include areas such as antivirus, reverse engineering, and mobile code analysis. "There are also specific opportunities for the vulnerability researchers, the ones finding the software security holes," he says.

Meanwhile, Anid points out that additional people will be needed on the legal side, as well as in the development of cyber security standards.

No matter where the jobs are, the need is expected to stay steady. "Our forecast is a significant growth in demand for skilled security people today," says Andrew Herlands, director of security strategy for Application Security, Inc., a database security company, who points out that there already aren't enough pros to go around. "Tons of job openings have gone unfilled because there aren't enough people to fill them."

Skills You Need

Common in-demand skills for security professionals, according to Bernstein, include vulnerability assessment, source code review and analysis, penetration and intrusion testing, web app testing, secure system design and network discovery, as well as a background in policies and procedures.

Non-technical skills are also vital, says Woerner. "It's equally important that cyber security professionals also possess the non-technical soft skills such as written and oral communications, policy-writing, and leadership," he says. He also points out that since most security breaches are caused by human vulnerabilities, "understanding how people think and operate" is critical.

Working in cyber security sometimes means thinking like a detective. Indeed, some people working in the field started their careers in law enforcement. "I was a cop," says Steve Santorelli, who started with Scotland Yard's Computer Crime Unit and now works for the internet security research company, Team Cymru. "I taught myself the geek side of things. Now we're actually getting a few people going the other way, leaving industry and taking pay cuts to go back into law enforcement."

Dave Merkel, Chief Technology Officer of Mandiant, also started in law enforcement, which he says taught him the skills needed to do his job. "When you are responding to a breach, you're applying problem-solving skills, asking yourself 'did I figure it all out or am I missing something?' If you missed something, the bad guy is still there in your system."

Merkel says that Mandiant, which is having trouble finding enough candidates to fill its open positions, likes people who themselves like fast-paced, busy environments, as well as people who understand that their job hours might be a bit unpredictable. "It's not a 9-to-5 job," he says. "The bad guys don't have a lot of respect for holidays and birthdays."

Getting Hired

Getting hired in cyber security often means making yourself known. "Attend cyber security meetings and conferences," says Merkel. "A lot of times, if you're really smart and you're good at what you do, ask someone you know in information security for a referral into their company. A known entity is always valuable to us."

That sense of trust is a common thread in the industry. "It's all about trust and people, more so than technology," says Santorelli. "The majority of the people I deal with on a daily basis are the same ones I was dealing with ten years ago."

Santorelli says it's a small community, so it can appear daunting for people trying to break in. He advises blogging, using Twitter, and contributing to public security efforts to get noticed. "Get your name and your face out there and make a contribution. There's nothing to stop someone from learning a debugging tool and posting your results out there; it's for the good of everybody."

Fortinet's Manky agrees with this approach. "Find the blogs that security experts are reading. Post comments. Join the mailing lists. Get your voice out there. Getting involved is one step closer to getting your foot in the door."

If you're already working in computer science, NYIT's Anid suggests looking for master's programs or shorter courses to get yourself acquainted with security issues. "There are going to be many training courses for anyone who wants to earn that skill or enhance their own education," she says.

The Career Does Have Some Risks

Despite the need, and the challenge the career provides, cyber security might not be for everybody.

For one thing, many cyber security careers will be with government agencies, a field some might find limiting. "For those who are familiar with private sector employment, working for a government client can be a bit of a shock due to the cultural and business environment," says Meikle. On the plus side, he says that government positions tend to be far more stable or "secure" than private employment.

Another challenge is that you might never get that satisfaction of actually stopping a bad guy for good. "Usually the number one priority is getting the bad guy out, managing the risk and exposure," says Merkel. It's less important to get the hacker caught and charged for his crime than it is to simply "make the pain stop." As such, he says, few cyber criminals are actually stopped for good. "If your strategy hinges on getting the bad guy, it's a bad strategy," he says. Instead, the job is more about solving a breach and preventing it from happening again.

Because the hackers never really go away, cyber security can sometimes be frustrating. "It's a never-ending battle," says Woerner.


Cyber security is "a fantastic career," says Team Cymru's Santorelli. "From my perspective, it's a great place to be. You make a real difference. You really help people, but you don't need to wear body armor. But you still get the thrill of the chase with the investigation. You need to word things in the right way to inspire an investigation. You get to contribute to antivirus products. At the end of the day, you're part of the psychological deterrent."

Manky agrees. "It's a very hot industry. I never get bored."

Additional Resources & Reading

"Department of Homeland Security Seeks Cyber Pros" [NextGov]

"Cyber Security, the Next Frontier for NASA Engineers" [SC Magazine]

"Government, Military Face Severe Shortage Of Cyber Security Experts" [National Defense]

NYIT Cyber Security Conference (September 15, 2011)

Open Web Application Security Project (OWASP)

IEEE Security & Privacy Magazine


John R. Platt is a freelance writer and entrepreneur, as well as a frequent contributor to Today's Engineer, Scientific American, Mother Nature Network and other publications.

Comments may be submitted to todaysengineer@ieee.org.

Copyright 2011 IEEE