My wife has been studying programming for a while and found that she doesn’t love it, greatly. She’s pivoting into QA automation, since that tends to be a bit more linear, but she’s curious whether she should look at cybersecurity.
I have no sense for what people who work in cybersecurity actually do every day (I’m a software developer). I can imagine it being anything from managing software on computer hardware, reading source code for security issues, writing scripts, analyzing logs, and/or all of the above or something else entirely. Likewise, I’m not sure if it’s something that you can do as a relative beginner or if it’s more like a specialist field that you can go into after having already established a good base in various hardware and software stacks.
We’re also curious whether it’s a good field that’s hiring? Whether she (a Russian) would have problems finding work in the field? And whether it would be a welcoming culture for a fairly normal person, or if it trends towards certain personalities?
Cybersecurity is a burgeoning field the need for which is obvious to anyone observing the recent cyberattacks against businesses, government agencies, hospitals and healthcare systems, and critical civil infrastructure such as electrical and water utilities. Many of these systems have a legacy basis going back to the ‘Nineties when cybersecurity was basically hashing password databases and enforcing complexity requirements. All of the tasks you list are a part of cybersecurity but also include penetration testing, software and operating system maintenance, creating and assessing total security architectures including all ways of compromising a system including human vulnerabilities in addition to those that facilitate direct and ‘back door’ access, assessing cryptographic vulnerabilities, forensic analysis of exploits, bugs, and viruses, and much more.
You definitely need to have some experience and certifications to get hired to lead a cybersecurity effort or team but there is so much demand that having the fundamentals and a clean work and personal history is probably enough to find a job. Having some application programming experience is useful, but as long as you understand TCP/IP protocols, basic scripting in Python, Perl (a declining language but widely used for CGI applications), Bash, and maybe some JavaScript, plus possibly enough C/C++, Ruby, Java, et cetera to understand what is being explained to you by someone analyzing code is adequate. There are a lot of turnkey tools for network analysis and to test systems but you shouldn’t just expect to turn a crank if you want to advance in the field, and like anything else in (computer) ‘tech’ you have to keep up with innovation, changing threats, new certifications, et cetera to stay relevant. Being from a Russian background would likely preclude, or at least make it very complicated, to get a federal (DoD or DoE) security clearance but there are a lot of commercial opportunities for which that wouldn’t be a problem with a clean work and financial history.
As far as “…whether it would be a welcoming culture for a fairly normal person,” while cybersecurity tends to attract people interested in hacking culture, it has become a broad enough profession that there are plenty of ‘normal’ people working in it, although I think it does take a bit of an obsessive nature in problem solving to really excel. If you watch a Cory Doctorow lecture and your internal response is “That guy is saying some really interesting things even if I may not totally agree with him,” you probably have the right mindset to be able to work in the field. If you find that kind of discussion boring, however, cybersecurity is definitely not a field that is likely to engage your enthusiasm.
I spent the last 14 years working for a company that sells security software. Aside from learning to write security-conscious code, our developers weren’t especially certified or trained. Our security team and architects were a different story - they had some extensive backgrounds in security work. Their training and certificates were important, but their experience was what got them their positions.
We trained and worked with security teams that used our software - they were a pretty elite breed, very skilled and top notch. Our customers were always searching for more trained operatives, occasionally poaching people from our company.
I work in HR in a highly regulated industry requiring us to be serious about security. In my previous position, I was involved in compliance and I handled HR-related audits from the government, our clients, and internally. I also worked pretty closely with our cybersecurity on a large, multi-year project to get us a security accreditation that required me to write many policies and procedures for onboarding employees and contractors.
Depending on the company, someone in cybersecurity might have to work with a lot of different departments with employees who aren’t involved in security or even programming. As far as regular people go, I tend to deal with managers and supervisors in IT Security, so maybe they’re a little more people oriented. But most programmers seem like regular people to me and it’s no different for the security folks.
I work for a city, and our security guys do a mixed bag of stuff.
They do things like collaborate on and review new designs to make sure they’re secure, they review new solutions, they handle stuff like identity and access management, they do network security, and pretty much everything in between.
It’s a pretty broad field- there’s room for just about anything you’d be interested in, and it’s somewhere technically focused people will thrive.
The question I’d ask though, is what about programming is it that your wife doesn’t like?
She can start with CompTIA Security+ and a couple of other low-level certs. Then once she’s been in cybersecurity for a few years, she can go after the ISC2 CISSP which may lead to much higher income.
Cybersecurity is a great field to be in, but it kind of requires the right kind of person. Because you said she shifted from programming to QA automation, I’m not sure if she’d enjoy cybersecurity. Security involves knowing a lot of nitty-gritty details about the computing environment and how to configure things properly. Hackers are very good at finding cracks and exploiting them. A good cybersecurity person will be proactive about ensuring that any possible vectors for attack are secured. It’s a lot more like interacting with the system at a low-level than the high-level of QA automation.
What kind of studying is she doing at the moment? Is she in school or is she studying on her own? Is she working in the tech field already? If she’s on her own it won’t hurt to look at security, but it’s unlikely she’d get hired if she was self taught unless she was really skilled at it. If she’s working in tech already, then there may be opportunities within her company to move more into a job that deals with security.
There’s a lot more than just the technical aspect of cybersecurity. Large companies also have to do a lot of work around training employees (i.e., to avoid phishing attacks) and creating policies and procedures.
Yes. Any and all of those. I’ve been in IT for 45 years, the last 20 doing security stuff. My wife (whom I met at my first vendor, almost 40 years ago, where she was a sales rep) will often point to some cybersecurity story and say “Is that relevant to what you do?” and a lot aren’t, because it’s such a broad field.
I look at our excellent QA folks and don’t see them as fitting well into doing cybersecurity stuff, FWIW.
My kid’s Engineering program he’s in at Iowa State now offers a minor in cyber-physical systems. Since so many devices/machines/vehicles have a remote access component these days there is a huge focus on making that access secure.
The training part is often called security awareness and training.
Creating policies and procedures is the governance part of Governance, Risk, and Compliance, or GRC. That’s what I do - helping people get their systems in compliance with the rules, sometimes auditing compliance. I’ve mostly worked with the NIST Risk Management Framework, which is required for IT in the US federal government. There are other cybersecurity frameworks for compliance, such as the NIST Cyber Security Framework, PCI-DSS for credit cards, HIPAA Security Rule for health IT, and ISO-27001 for European and commercial organizations.
The nice thing about these is I’ve gotten to work with people in many different areas, both technical and not. The not so nice things are that it’s a lot of “paperwork”, and nobody wants to follow the rules, so I’m the bad guy nobody wants to talk with.
I can send you more info, if your wife is interested.
Yeah, this is sort of tangentially related to what I do. It’s such a broad area that it can be pretty much almost anything.
Long ago, I used to do a lot of work in data forensics and electronic discovery. My expertise was more about going through databases, but the more technical folks would often get into the details of tracking down evidence of intrusion into computer systems.
The project I’m working on now is more data compliance related. At the moment it’s really just tracking down paperwork for thousands of projects so the team can write more paperwork that demonstrates to the regulators how the bank completed these various projects to address all the regulatory obligations they came up with. It’s not super interesting.
Really that’s what a lot of cybersecurity actually is AFAICT. Not duelling with hackers across big flat screens streaming Matrix-like code but a lot of paperwork tracking that companies are following those various frameworks and auditing systems to ensure they have the latest security patches.