Hoping to get a career in cyber security but don't know where to start? We asked Jim Wheeler, the Director of Operations at PGI Cyber some questions about what a job in the sector entails.
1. What are the major cyber threats that organisations face, how serious and how widespread?
Information security is still a growing industry, as many organisations - both big and small, are still in the process of establishing security policies and procedures, implementing security controls and training staff to recognize security threats. In today's world, 'Hacking' and 'Cyber' are both words that conjure images of movie-like sci-fi: perhaps a darkened room filled with monitors and poorly dressed young adults who rarely expose themselves to the sun. Every user in an organisation is individually responsible for changing passwords, removing sensitive documents from their workspace at the end of the day and verifying the identity of visitors asking them to reveal sensitive information. This is, of course, a very small sample of the responsibilities of staff, however, they are the most common reasons for a breach.
2. Who are organisations in danger from?
There are a number of individuals who may, for one reason or another, attempt to hack corporate, government or personal systems. These range from those who find the concept interesting or 'cool' and will practice skills learned from online resources against production systems to professional, underground hackers who pursue financial gain. Due to the diversity of vulnerabilities out there, both of these can be just as effective at compromising an organisation, and as such it is the motivations of these users which is the most important point to consider. The list of reasons why an individual may attempt to hack a system is endless, therefore, it is important for businesses to identify who may wish to compromise their systems, and understand the methods that may be employed to do so.
3. How do they protect themselves, and who do they hire to do it?
Organisations protect themselves by implementing policies and procedures to govern how information security is maintained. A number of individuals must be employed with a variety of specialities in order to achieve information security, such as information assurance professionals, penetration testers and network engineers with security experience. These individuals all bring niche expertise to the business and are therefore important components to its security posture.
4. What roles are there in cyber security, and what do they entail, what do these people actually do?
Cyber security is still a developing industry, however, there are a wide range of roles which cover all matter of specialities. A typical cyber security organisation will usually have penetration testers who simulate attacks against clients in order to identify vulnerabilities, exploit developers who will research new vulnerabilities and publish their findings and information assurance consultants who will advise clients on security policies and procedures. Larger organisations often have dedicated security teams who will develop policies and procedures for the business, and may also have technical teams who implement security controls across the network.
5. Is it all machine-to-machine or do you have to interface with people too?
Providing cyber security to organisations is a professional service, and therefore, face-to-face interaction with the customer is a very important aspect of the service we deliver. At PGI we aim to provide a tailored solution to all of our customers, therefore, we must identify their specific requirements before proposing a solution. This requires lengthy discussions at both management and technical level, and often our technical consultants will personally attend the customer site to establish their needs.
6. What’s the job like – how difficult, intellectually or emotionally challenging, and how dangerous?
As with all professions, a career in cyber security requires a great deal of theoretical and on-the-job training. Due to the ever evolving nature of technology, this training never ends; new vulnerabilities, applications and systems are released every day, and as a security expert it is primarily our job to stay on top of these evolutions. Cyber security is very intellectually challenging on a daily basis, and as such requires certain characteristics of a successful individual, such as a motivation and keen interest to exploit a system. Working in the security industry may often seem like a dangerous job, however as cyber security experts working in a corporate environment, we rarely get into situations which could cause harm to ourselves any more so than other I.T professionals. One exception to this, however, may be physical assessments (red-team) tests, where our aim is to gain physical access - often without the employees knowing. If caught, there are some obvious complications to this, however, we insist that all consultants carry a letter to explain their presence and that one employee at each site is always aware.
7. Do they ever meet ‘black hat’ hackers?
We regularly attend international security conferences - such as DEFCON and 44CON, in order to attend presentations and workshops to enhance our skills. These conferences are open to the public, and therefore it is not uncommon for 'black hat' hackers to attend. Whilst this is common knowledge, black hat hackers will rarely introduce themselves as such to a stranger, and therefore it is rare for professional consultants to knowingly converse with a black hat.
8. Greatest satisfaction?
The greatest satisfaction when conducting a test is getting the highest level of access to a network. Once you have gone as far as possible and have full control over every system in it. This is, however, a double-edged sword. Whilst you get the sense of achievement from 'pwning' the network, there is also empathy for the client, who is A) very insecure, and B) will have to exert a great deal of effort to remedy the vulnerabilities identified and exploited. This means you will also have a very big report to write!
9. How do you become a cyber security professional – what are the routes in?
This is a great time for individuals to kick-start a cyber security career, due to the high demand for professionals and the rapid growth of the industry. There are a number of challenges out there - such as the Cyber Security Scheme, from which employers hire skilled personnel whom may not have a traditional computing education. The best way into the industry if you don't feel like doing a degree is to start reading books (such as Web Application Hacker's Handbook), following online blogs and tutorials on different aspects of hacking, and to practice at home using virtualised environments. Take part in competitions, network as much as possible and start pushing your CV to every employer you can find. If you've got the skills or the potential, it won't take long to spark some interest.
10. What sort of people make good cyber security professionals, and bad ones!
A good cyber security professional needs to master a wide range of skills, such as a professional and corporate attitude, report writing, low-level technical knowledge and a thirst for learning. The worst security consultants are those who think they can stop learning, as two months down the line a vast amount of their knowledge will be outdated and largely irrelevant.
11. What personal qualities do you need, and do you have to be really nerdy!
Being a security consultant requires a great number of personal qualities. One day we may attend a meeting with the executive management of a medium sized business in order to elicit his requirements and put together a proposal for work, and the next we're picking padlocks on the back entrance to a car dealership. Each of these tasks requires a very different mentality and attitude, therefore, a security professional must be able to change hats quickly and seamlessly. Whilst most people with excellent technical skills are nerdy, this can often be below the surface. The most successful individuals within the I.T industry seem to be exceptionally nerdy and technical, but also have great social and professional skills; it's all about getting the balance right.
12. Interests – do you have to have been an amateur hacker from adolescence?
The most important thing to develop at a young age is an in-depth knowledge of computer systems and networks, as this is the foundation for security expertise. Once a concrete understanding of computing has been developed, you can then begin to study and understand security; at the end of the day, it is simply a specialisation, just as a doctor may choose to specialise in brain surgery. Experience is not required when starting a career in information security. At a junior level, it does not matter where you have come from, it is your skills, willingness to learn and potential that an employer will be interested in.
13. Can you transfer from other ICT jobs, or from outside the industry altogether?
Of course - as with any industry it can be much more difficult to start a career later in life, however, there is no reason why it can't be done. To start with, you may have to take a considerable pay cut whilst training in the cyber security specialisation, but once fully trained the pay is exceptional.
14. Rewards/benefits – compared to other ICT careers, other security professions
Much of this is down to the individual. Those with a technical interest, keenness to learn and professional attitude will find the industry very engaging and exciting, whereas those who wish to do their job and go home will struggle with the fast-paced nature of the job. As a consultant, I daily get to practice skills which would be considered illegal if applied in any other context, and that alone gives me the motivation to get out of bed in the morning. It's a fantastic job with a lot of perks, but you have to be in the right mindset to enjoy them.
15. Prospects – career progression etc.
There are a whole host of career paths one could choose with a specialism in information security. You could contract in the private sector, contract for government departments like the MoD, pursue a management route reaching as high as CIO or choose to get as high as Principle Security Consultant and stay there forever. Each of these paths will pay you very well, therefore, it is down to your personal interests and ambitions.
16. Tips on getting a job in cyber security
Learn as much as you can about general computing, networking, programming and security by reading, watching videos and practising in virtualised environments. Join security challenges, attend conferences, and get involved with online forums and blog posts. Apply for as many jobs as you can find out there and you will find one in no time. Networking is one of the most important ways to enhance your cyber career!
Jim holds eight years’ experience at the cutting edge of cyber security at a national level, working within the British Government developing operational techniques to protect the United Kingdom against threats to national security. He has pre-eminent experience in Cyber Security, Insider Threat, Social Engineering, IT Forensics, Intruder Detection Systems, Access Control, Border Security and Physical Security and is the only individual (to date) to qualify and work as a specialist in all of these areas of UK Government.