08.11
Career Focus:
Cyber Security — A Growing Threat, a Growing
Career
By John R. Platt
"America's economic prosperity
in the 21st century will depend on cyber
security," said President Barack Obama in May
2009.
In the two years since those
words were spoken, the problem of cyber security
has only gotten worse. Wherever you look, cyber
crime is on the rise, threatening individuals'
privacy, corporate coffers, government secrets,
the security of financial institutions, the
operation of national infrastructures, and much,
much more.
But with the rise of these
threats also come opportunities, as new careers
are opening up for people to protect us from
hackers, cyber criminals, organized crime, and
even terrorists. The field of cyber security is
growing in leaps and bounds, and by all accounts
there are simply not enough skilled
professionals to meet even the current need, let
alone the need projected over the next five
years.
As it stands, every industry is
at risk and in need of cyber security experts to
help mitigate that risk. "Cyber threats are
everywhere," says Ronald Woerner, assistant
professor at the College of Information
Technology at Bellevue University. "Hackers
target not only large companies, but also small
and medium businesses, local government, and
non-profit organizations. The latter are often
left unsecured due to a lack of money and
resources to properly secure their cyber
environments."
Even as the number of threats
rises, they are also evolving. Specifically, the
rise of mobile devices and cloud computing opens
up whole new areas for hacking to occur and
creates new vulnerabilities for companies. "As
more and more data is moving to the cloud, the
number of 'unique information access points' is
shrinking rapidly," says Rohit Nadhani, founder
and CEO of Cloudmagic.com. "Imagine a situation
when the company moves to the cloud for storing
all their documents. Now if that central
repository on the cloud is hacked, it is then
much, much easier to get a plethora of
information without a lot of additional effort."
The hacks themselves can cause
numerous types of damage: they can cost
companies money (sometimes a great deal of it),
information, time, or even, ultimately, their
reputation. And reputation, as we'll come back
to later, is critically important in today's
world.
The Opportunities
One of the biggest areas for
potential cyber security professionals to find
employment is in the government. "The U.S.
government is currently on track to spend over
$79 billion for financial year 2011 on
information security," says Mike Meikle, CEO of
the Hawkthorne Group. "They are the largest
customer for information security professionals
at the present time." Meikle says the next
greatest levels of need are within financial
institutions and the utilities/energy sector.
While government might have the
most immediate need, some see tremendous growth
for cyber security professionals elsewhere. "I
think we're going to see a lot of job growth in
the private sector," says Derek Manky, senior
security strategist at Fortinet, who points out
that one of Obama's initiatives is to work more
closely with private industry.
Whether it is government or
industry, "every sector is going to need
expertise in the field," says Dr. Nada Marie
Anid, dean of the School of Engineering and
Computing Sciences at New York Institute of
Technology. "Your regular IT department will
need to have a division of people with cyber
security expertise."
Consulting firms specializing in
cyber security will play an important role in
all of this. "Consultants are a major player in
security," says Shane Bernstein, managing
partner of Q, an IT staffing agency. "Big
enterprise companies or government agencies will
bring in professionals with niche skill sets."
There are also a variety of
roles cyber security professionals can play in
their field. "On our team, there are careers and
positions open for all areas," says Manky. He
says these include areas such as antivirus,
reverse engineering, and mobile code analysis.
"There are also specific opportunities for the
vulnerability researchers, the ones finding the
software security holes," he says.
Meanwhile, Anid points out that
additional people will be needed on the legal
side, as well as in the development of cyber
security standards.
No matter where the jobs are,
the need is expected to stay steady. "Our
forecast is a significant growth in demand for
skilled security people today," says Andrew
Herlands, director of security strategy for
Application Security, Inc., a database security
company, who points out that there already
aren't enough pros to go around. "Tons of job
openings have gone unfilled because there aren't
enough people to fill them."
Skills You Need
Common in-demand skills for
security professionals, according to Bernstein,
include vulnerability assessment, source code
review and analysis, penetration and intrusion
testing, web app testing, secure system design
and network discovery, as well as a background
in policies and procedures.
Non-technical skills are also
vital, says Woerner. "It's equally important
that cyber security professionals also possess
the non-technical soft skills such as written
and oral communications, policy-writing, and
leadership," he says. He also points out that
since most security breaches are caused by human
vulnerabilities, "understanding how people think
and operate" is critical.
Working in cyber security
sometimes means thinking like a detective.
Indeed, some people working in the field started
their careers in law enforcement. "I was a cop," says Steve Santorelli, who
started with Scotland Yard's Computer Crime Unit
and now works for the internet security research
company, Team Cymru. "I taught myself the geek
side of things. Now we're actually getting a few
people going the other way, leaving industry and
taking pay cuts to go back into law
enforcement."
Dave Merkel, Chief Technology
Officer of Mandiant, also started in law
enforcement, which he says taught him the skills
needed to do his job. "When you are responding
to a breach, you're applying problem-solving
skills, asking yourself 'did I figure it all out
or am I missing something?' If you missed
something, the bad guy is still there in your
system."
Merkel says that Mandiant, which
is having trouble finding enough candidates to
fill its open positions, likes people who
themselves like fast-paced, busy environments,
as well as people who understand that their job
hours might be a bit unpredictable. "It's not a
9-to-5 job," he says. "The bad guys don't have a
lot of respect for holidays and birthdays."
Getting Hired
Getting hired in cyber security
often means making yourself known. "Attend cyber
security meetings and conferences," says Merkel.
"A lot of times, if you're really smart and
you're good at what you do, ask someone you know
in information security for a referral into
their company. A known entity is always valuable
to us."
That sense of trust is a common
thread in the industry. "It's all about trust
and people, more so than technology," says
Santorelli. "The majority of the people I deal
with on a daily basis are the same ones I was
dealing with ten years ago."
Santorelli says it's a small
community, so it can appear daunting for people
trying to break in. He advises blogging, using
Twitter, and contributing to public security
efforts to get noticed. "Get your name and your
face out there and make a contribution. There's
nothing to stop someone from learning a
debugging tool and posting your results out
there; it's for the good of everybody."
Fortinet's Manky agrees with
this approach. "Find the blogs that security
experts are reading. Post comments. Join the
mailing lists. Get your voice out there. Getting
involved is one step closer to getting your foot
in the door."
If you're already working in
computer science, NYIT's Anid suggests looking
for master's programs or shorter courses to get
yourself acquainted with security issues. "There
are going to be many training courses for anyone
who wants to earn that skill or enhance their
own education," she says.
The Career Does Have Some
Risks
Despite the need, and the
challenge the career provides, cyber security
might not be for everybody.
For one thing, many cyber
security careers will be with government
agencies, a field some might find limiting. "For
those who are familiar with private sector
employment, working for a government client can
be a bit of a shock due to the cultural and
business environment," says Meikle. On the plus
side, he says that government positions tend to
be far more stable or "secure" than private
employment.
Another challenge is that you
might never get that satisfaction of actually
stopping a bad guy for good. "Usually the number
one priority is getting the bad guy out,
managing the risk and exposure," says Merkel.
It's less important to get the hacker caught and
charged for his crime than it is to simply "make
the pain stop." As such, he says, few cyber
criminals are actually stopped for good. "If
your strategy hinges on getting the bad guy,
it's a bad strategy," he says. Instead, the job
is more about solving a breach and preventing it
from happening again.
Because the hackers never really
go away, cyber security can sometimes be
frustrating. "It's a never-ending battle," says
Woerner.
Conclusion
Cyber security is "a fantastic
career," says Team Cymru's Santorelli. "From my
perspective, it's a great place to be. You make
a real difference. You really help people, but
you don't need to wear body armor. But you still
get the thrill of the chase with the
investigation. You need to word things in the
right way to inspire an investigation. You get
to contribute to antivirus products. At the end
of the day, you're part of the psychological
deterrent."
Manky agrees. "It's a very hot
industry. I never get bored."
Additional Resources &
Reading
"Department of Homeland Security
Seeks Cyber Pros" [NextGov]
"Cyber Security, the Next
Frontier for NASA Engineers" [SC
Magazine]
"Government, Military Face
Severe Shortage Of Cyber Security Experts" [National
Defense]
NYIT Cyber Security Conference (September
15, 2011)
Open Web Application Security Project (OWASP)
IEEE Security & Privacy Magazine

John R. Platt is a freelance
writer and entrepreneur, as well as a frequent
contributor to Today's Engineer,
Scientific American, Mother Nature
Network and other publications.
Comments may be submitted to
todaysengineer@ieee.org.