“Complexity is the worst enemy of security, and our systems are getting more complex all the time” — Bruce Schneier
Don’t Report to a Non-Security Manager
You’re new to the industry. You’re looking for mentorship, leadership, and you’re eager to learn.
Your boss isn’t a cyber security professional. Maybe he’s been given cyber security as part of his responsibilities. Maybe he’s simply a people manager.
Either way, you’re selling yourself short by reporting to someone who doesn’t understand cyber security. One cannot teach what one does not understand, know, of have experience in.
Don’t Work for a Company with Zero Cyber Security Maturity
Building up a company’s cyber security maturity can be a great challenge. However, if you’re new in the industry, you want to see what mature looks like. Building a decent level of cyber security maturity takes years, and you don’t have years to get started.
What is simplest way to assess how mature a company’s cyber security is? Ask to whom the head of cyber security reports.
If he reports to an infrastructure operations manager, a network manager, a risk manager, etc., then chances are that you’re dealing with a company with a low level of cyber security.
Cyber security tends to begin in technology operations — firewalls, cloud security, endpoint protection, password management, etc., then branch out into GRC (governance, risk, and compliance), architecture, application security, digital platforms, etc. As cyber security matures, CIOs realise that cyber security is a lot more than technology operations, covers all of IT, and requires more independence in order to be effective.
With the increased level of responsibility — and the realisation that security specialists may need to be independent from other IT functions — the head of cyber security often ends up reporting to the CIO. This is the ideal situation.
Larger companies have a CISO (chief information security officer). This means the company definitely has a decent level of cyber security.
(As a side note, be careful of cyber security managers calling themselves CISOs, a C-level position; they are not, and this delusion of grandeur seems to be common in Melbourne.)
The Best Position to Begin? Security Operations
I believe it’s best to have a generalist position before specialising. In security operations, one gets an opportunity to manage platforms, respond to security incidents, be involved in change/incident/problem management (or the cult of agile), deal with vendors, engage with GRC to manage risks, and occasionally work on projects. No one understands an IT department without understanding operations.
As a security architect, I’m better at my job because I’ve worked in security operations. I very much believe in designing systems for operations; a great architecture/design is useless if no one understands it and can maintain it.
Security operations roles do exist for new people in the industry, and when graduates enter the industry, it’s mostly for security operations roles.
If you’re into GRC, security culture/awareness, or another non-technical security role, then security operations isn’t going to be for you.
Don’t be Afraid to Quit
Would you like a promotion? A pay rise? Don’t expect one from your employer; the simplest way to get a promotion or a pay rise is to get a new job. Don’t be afraid to jump ship every 18 months; this is common in the industry, and many joke about “doing the rounds” in Melbourne: NAB, ANZ, Coles, IAG, Transurban, Seek, local government, etc.
I’ve quit a few jobs because my boss was terrible. Don’t be afraid to do the same. Don’t bother complaining to HR; HR exists to protect the company, and they’re generally a waste of time.
Find a Cyber Security Transformation/Uplift Programme
Cyber security uplift programmes are surprisingly common in Melbourne. For these programmes — mostly run over multiple years — budget is acquired, resources are ramped up, and a scope of work and buy-in is in place.
Cyber security uplift programmes are often the best places to learn cyber security quickly. Multiple steams of work exist to implement different functions of cyber security: privileged access management, endpoint protection, vulnerability management, network access control, security in the CI/CD pipeline, etc. etc. etc.
Cyber security uplift programmes are even great if the company has a low level of cyber security, as I wrote about earlier. This is because the budgets, buy-in, and streams of work have already been done. You’re employed to implement these systems and processes, not try to improve cyber security through the day-to-day grind. All the normal barriers are removed.
Internal opportunities come by getting on a project and having your position back filled. For people new in the industry, there are often BA roles, systems administrator roles, and network engineers roles in such programmes.
External opportunities typically come through recruiters as contract roles. And, yes, recruiters are necessary, and hence you want to be in contact with a few. They will ring you if opportunities pop up.
Don’t be Involved in Workplace Politics
This is my personal opinion. Don’t bother wasting your time with workplace politics. If you’re not doing GRC, stay away.
I spent too much of my career trying to be something that I am not. I’m a security geek, someone who enjoys reading about how SCIM can automatically provision users and groups in cloud systems.
I’m not the person to lead people, get buy-in, or attempt to security risk with the company’s risk management framework. All of these require venturing into workplace politics.
Don’t allow yourself to get sucked in to issues outside technology, as much as you can. Having good people skills is necessary, but you don’t need to be something that you’re not.
Decide your Path
Beginning in security operations will give you a great overview of IT and cyber security. However, there are multiple paths down which to travel in cyber security:
- Security architecture/design.
- Security engineer.
- SOC analyst.
- GRC specialist.
- Application security specialist.
- Penetration tester.
- Security consultant.
- Security auditor.
- Security awareness.
- Forensic analyst.
Most people make their way into the cyber security industry through a non-security role in IT.
Do your research, set a goal, and do the work to get your next position.