what is it like working in the Cyber Security industry?

I often get asked about what it is like working in an industry like this. What is the easiest route into this profession? What degree must one do to get into this? Are there any certifications that you should look at before committing yourself to this line of work? This blog post will attempt to answer these questions and more.

For the purposes of giving some perspective and before I start tackling the big questions - I’ll give a brief description of my professional life leading up to now. I am based in the United Kingdom and I have spent almost all of my life here. In terms of formal education, I’ve studied here from my early formative years all the way up to university level. I was born and raised in a small town in the middle of Lincolnshire, UK. Although it was quiet, there wasn’t really much in the way for exposure to the world of computing and cyber security. I remember my first sparks of interest in the world of computing came when I learnt Scratch for IT classes in high school. Scratch back then was very basic and although it had very simple functionality when compared to now - it was a great introduction to the word of programming for me. It introduced the concept of functions and loops to me, and what I really remember well was the fact that this software taught programming in ‘blocks’. You can think of each of these blocks as individual commands. Blocks are often easier to work with than text-based programming, as blocks do not need to be memorized like typed commands and syntax errors cannot occur - thus it is well-suited for learning for young children.

I didn’t immediately seek formal education but when I eventually left my hometown - I didn’t choose to study a degree in an information security. I chose to study a degree in Aerospace Engineering. Although this doesn’t seem to immediately sound like it’s related to Cyber Security, there were a lot of fundamental skills I learnt during that course which have helped me in my career sp far. Some of those things are Mathematics, Physics, Programming (Python, MatLab), Presentation skills and Lab work. I spent 4 years at university and ultimately got a Master’s degree. I did some odd jobs during this time which included a stint as a brand representative for the UK’s national rail operator and a large multinational engineering company. I also worked in an office-based marketing role for a large multinational furniture retailer.

After I graduated, I was lucky enough to have received an offer to work for one of the “Big Four” accountancy companies as a Cyber Security Consultant during the end of my second year of university. I then decided to start my professional career there. Early on, I was able to engage with C-suite individuals about their cyber security concerns in their businesses. Sometimes, I did feel very overwhelmed and out of my depth - however there was enough expertise on hand for me to find a leader or a subject matter expert (SME) to help answer any technical questions I had. For future engagement, I decided to combat this fear and feeling by shadowing senior leaders in my own time and promising myself I would record issues or subjects that I did not know about during the working day, to then research in my own time at home. Later on in my work with the company I had honed my skills and learnt that I wanted to strike the perfect balance between consulting clients on their Cyber Risk in general, as well as being able to dive into the technical detail with stakeholders if necessary. Looking back, I owe a lot to that company as they had supported me through some very difficult personal issues in my life and they had supported my learning and allowed me to gain cyber security certifications which benefit my development and work to this day.

As I write this I now work for a company who is a market leader in Cyber Defence and Automated response. The company prides itself in it’s product offering which is an AI-driven tool which treats a corporate network much like the human body’s immune system. Much like the body’s immune system - it adapts it’s response and alerting of events based on common network behaviours for devices (the network being the human body in this case). I’ve been working in their SOC service offering from the start and this has been my first experience working in a SOC environment. I’ve found it to be a very significant learning experience as I have had the opportunity to have assessed a huge range of customer’s environments in such a short space of time. I am lucky to have worked in a place like this because I’ve had ample opportunities to upskill outside of work. For example, I have had the chance to learn how to develop and build my own website from scratch after working here. Not only am I able to all of the above, I am able to upskill when it comes to consultancy. I have been given the chance to engage with clients throughout the several stages of a product offering. Starting with the inital scoping, and any questions they have about the product itself, and how it works - all the way to the final stages of implementation and any questions around how the system will interact with current security solutions for example.

The moral of the story is that absolutely anyone can get into this field! I mean that in the most absolute way possible. In my career so far in the cyber security industry, I have worked with people who’s backgrounds are from: biology, law, medicine and art, to name only a few. Long story short, you really DO NOT need to have a formal education in information technology, cyber security, or even any related formal qualification. You can get started with nothing more than a strong analytic drive, an attention for detail and a keen interest in learning complex topics. A lot of the concepts and ideas that makes a good cyber security analyst, for example can be self-taught. In my case, I have self-taught myself general web design, HTML, CSS and Javascript - all to aid me in building this website.

In the future I would like to work in the public sector. I don’t know what form this will take or whether I will still be interested in doing this as much as I am now - but I would like to get a feeling for how security in the public sector works. I would also like to work on developing my learning, and building on the qualifications and certifications I already hold. I already hold SSCP, I would like to get CISSP, for example.