According to the ISC2 report “Strategies for Building and Growing Strong Cybersecurity Teams”, there is currently a shortage of 4 million cybersecurity specialists, including 300,000 in Europe. This is clearly a job of the future.
After 16 years of professional experience, and more than 20 years since my first IDS, I present in this article my humble opinion on the keys and elements to consider in order to start a good career in this field.
1. Be passionate, learn every day
To succeed in this profession, you have to be passionate. Security has shifted from managing access on the mainframes of the 1980s to the connected objects and artificial intelligence of the past two years. Threats and defence concepts change every day and every hour.
Technology watch, self-training, participation in forums and conferences, analysis of the latest research articles, and so on are vital for increasing your efficiency and expertise. Consuming code and documentation will be, and must be, your daily routine for many long years.
To acquire the basic knowledge of our field, a specialized cybersecurity school may be the best and fastest route. If you do not have that opportunity, you can still reach the same goal by acquiring basic knowledge in networks, systems, development, etc., and then completing specific security training or certifications.
Remember also that the stakeholders of your projects (i.e. your internal and external clients) are competent too. Your customers also receive dedicated training, participate in events, and communicate and work with others, just as you do. They therefore acquire new knowledge and express new needs, and those needs must be met!
A simple tip: set yourself the goal of learning one new concept a day; that adds up to more than 350 new things a year.
You also need to be humble in success, to keep “failures” in perspective, and to be able to question yourself and ask for help when needed.
2. Building your career
A successful cybersecurity expert is a student who has known, even before graduating, where he will be in the next 15 years.
Career management should therefore be deliberate. Fortunately or unfortunately, we cannot all be pentesters (the dearest dream of every student). Cybersecurity has many professions, and the noblest of them, in my opinion, remains at the heart of defensive security activities :).
In 2015, a working group composed of representatives from higher education, industry and the ANSSI developed a list of "job profiles" in the field of digital security (or information systems security, or cybersecurity, etc.):
* Security administrator,
* Threat analyst,
* SOC analyst,
* Security architect,
* Security project leader,
* Organizational security consultant,
* Technical security consultant,
* Security correspondent,
* Data Protection Officer (DPO),
* Security developer,
* Security assessor,
* Incident response expert,
* Security integrator,
* Cybersecurity lawyer,
* Information Systems Security Officer,
* Business continuity plan (BCP) leader,
* Cyber crisis management specialist,
* Security technician.
An example of a coherent and relevant path could be: the first 5 years in a technical context with the title of "security engineer", the next 5 years as a "security consultant", then 5 years in a "Project Management / Security Management" role.
At the beginning of your career, it is essential not to think about "remuneration" but rather about the technical depth and relevance of the missions and projects you will carry out. The return on investment will come eventually; don't worry about it.
3. Know how to listen
Our job is to protect the business and the continuity of the operations for which we are mandated. To do this, we need to listen to the stakeholders we work with (our clients, our partners, our management).
Whether you are an auditor, an integrator or a project leader, it is very important to let the people you talk to express their security needs, the threats they worry about and the solutions they would prefer to implement. This will make you more efficient.
Even if you are a very good speaker, let others speak and simply ask the right questions or provide the right answers. And please remember the motto of Kali Linux: “The quieter you become, the more you are able to hear.”
4. Communication skills
If there is anything I really regretted after leaving university, it was not having been diligent and disciplined in language classes. I never imagined that, in professional life, knowing the latest quantum encryption algorithms is worth nothing if we can't write a report or give a presentation without spelling or syntax errors.
Many engineers and consultants are thus penalized in their careers, despite a strong technical level, because of the quality of their deliverables and presentations. This may seem unfair, but that is how it is!
Communication is also an extremely important point in the professional life of a security expert. Explaining to a manager or an executive that their company's website is vulnerable to a Blind SQL injection or CSRF is a real challenge.
Sometimes you will face conflict situations: over a deliverable, for example, or over the result of a penetration test disputed by the network teams involved. The security expert must always listen, always provide the right answers, and approach the issues with diplomacy, with a constant concern for the continuous improvement of the customer's security.
In short, you need to be able to adapt your vocabulary and communication to each profile among your stakeholders.
5. Know how to integrate
Another injustice: the "super techie", the "geek" who locks himself in his bubble and stays behind his screen without sharing or exchanging with his colleagues, will still be in his bubble and behind his screen after 30 years of career.
Tomorrow you will not only deploy next-generation firewalls; you will manage people, projects and budgets. Integration into the business environment is therefore extremely important.
6. Meeting your commitments
The client, the stakeholder for whom you work, invests in you and needs to trust you. Honoring your commitments on delivery dates, the content of deliverables, the progress of the work, and the actions and services planned is vital to maintaining that trust.
7. Know how to dare, create, invent
Implementing the basic security measures and concepts that you believe in and defend is not easy in real life. It sometimes becomes even harder, or highly constrained, in a culture like ours where changing habits is a delicate matter. However, you have no choice; you have to deal with it.
Inevitably, without creativity you will struggle to grow and to make things change.
8. Know how to respect your profession
A security expert must love what he does, respect his profession, respect the law, and commit himself fully to a code of ethics. It is indeed a sensitive profession, one that can put customers' businesses at risk.
As such, a security expert should remain neutral in all of his recommendations. He undertakes to maintain strict confidentiality of the information entrusted to him or that he may see, hear or understand. He or she does not accept a mandate for which he or she lacks the required expertise.
In conclusion, I would like to share with you the beautiful story of the best cybersecurity trainer I have had the privilege to assist, who has today become the CISO / RSSI of one of the largest multinational companies in the world, and who began his career with a degree in ... philosophy! We are fortunate to have an exciting job where everything is constantly changing and anything can happen. Let's enjoy it for the next few years.