Cybersecurity is a wide field that has room for practitioners from many knowledge domains. You definitely do need technical know-how on how to design secure architectures and configure security appliances, but there is much more to successfully managing cyber risk than this.
What is the problem we are trying to solve?
Often when people talk about cybersecurity they think about hackers, zero-day vulnerabilities and firewalls. Let’s take one step back and look at the problem cybersecurity is trying to solve: reducing the risk to your organization from digital threats.
A productive way to view risk is as the consequences of events occurring under uncertainty. This is a useful way to look at digital risk as well: digital risk is the consequences of events related to the use of information or information systems, associated with a probability of occurrence or a credibility of the event chain taking place.
The events we are talking about are events that can lead to compromise of the confidentiality, integrity or availability of an information system, data processed by the system, or the business process that this information system is supporting. The business process is key to understanding digital risk – this is where you can see what the actual consequences are in terms of revenue loss, reputation damage, legal implications or even loss of life in some circumstances. Managing risks in this context requires more than a solid understanding of networking and security appliances.
Core knowledge for a good security program
If we try to establish a good security program, such as an ISO 27001 compliant information security management system or another “best practice” framework, there are certain activities the organization must be able to perform. Let us consider some main fields that must be covered (they are interdependent):
- Objectives and policy development
  - Objectives tied to business strategy
  - Metrics for assessment of objectives
  - Development of policies
- Risk management
  - Stakeholder mapping
  - Business context development and communications
  - Threat intelligence analysis
  - Risk assessment
  - Risk treatment and design of security controls
- Security operations
  - Security architecture
  - Security audits
  - Secure development practices
  - Log analysis and system monitoring
  - Threat hunting
  - Incident response
- Competence and HR management
  - Knowledge requirements
  - Security training (including awareness training)
  - Cybersecurity in performance management and personal development plans for employees
This is by no means an exhaustive list, but it shows some of the breadth of knowledge and activities that would go into a great security program.
The complexity of the tasks and the typical digital value chain is why we need diversity in the workforce owning the cybersecurity activities.
The need for a common language
One stumbling block many people come across when coming to infosec from another field is jargon. This would be the same for anyone crossing into a new discipline. In addition to coping with jargon, there is certain baseline knowledge that can take some time to get to grips with. Learning the basics of IT will be necessary to succeed – but you don’t have to know everything from the start. Here’s a quick checklist of things that are useful to know for anyone wanting to deal efficiently with business processes that depend heavily on IT (by no means exhaustive, but if any terms here are unknown to you, put them on your to-do list to read up on):
- The OSI model of networking
- Server-client architectures
- Common databases (at least SQL vs. document stores such as MongoDB)
- HTTP, XML, JSON, HTML, APIs
- Operating systems (at least know how to use them)
- Key applications used in your business sector
- Virtualization technologies
- Cloud computing (how to use a cloud provider instead of buying physical servers)
- Key regulations (such as the GDPR)
- Vulnerabilities and why patching is important
Coming from …. to infosec
Based on the activity list above you probably have strengths that could help an information security program. In the following table we have highlighted some key strengths and how they map to cybersecurity.
|Objectives & policies||Risk management||Security operations||Competence management|
|Business and sales||++||++||+|
|Health and safety||+||++||++|
|Communications, PR or teaching||++||+||+||++|
The more “plusses”, the stronger the correlation between past experience and infosec activities in that domain. This is by no means a scientific study; it is just an indication of how past experience is relevant in any good security team.
So if you have the question “Am I too old, or am I not technical enough, or have I spent too much time configuring servers etc. to move into infosec?” – the answer is “No – you should be good!”.
Just make sure to bring your strengths to your new field while learning.