An Expert By Any Other Name

Cybersecurity can be confusing, especially to those who want to hire qualified cybersecurity people.

An Expert By Any Other Name

What comes to mind when you hear "cybersecurity"? A pentester? Security researcher? Compliance officer? IT Support? MSSP? EDR? "Cybersecurity" has a multitude of meanings - almost every company wants a "cybersecurity expert," but what does that even mean? What needed skills are those companies looking for in a candidate?

Major distractors and impediments to seeking and finding such a person or role reside in a conflation of terms. What does someone mean when they say they need a cybersecurity expert? What does a cybersecurity skill set entail? (1)

The term could mean the technical aspects of information security (e.g., packet inspection, Nmap, malware analysis, threat hunting). It could entail the usual aspects of a sysadmin's duties (e.g., access control, permissions, firewall config, server auditing).  Perhaps it refers to what someone in tech support does every day (e.g., workstation imaging and deployment, disabling access when an employee leaves)? Maybe it means the umbrella terms of Information Assurance or Information Security.

It could even mean a skill set involving GRC (governance, risk, compliance).

This link has an excellent map of the Cybersecurity domains, it's entitled Cybersecurity Domains, but is it "Cybersecurity?" Or is it "Information Security?"

What are the Implications?
The areas referenced above are each and all vital aspects of securing the online world. And each connotation involves different, even widely varying, skill sets. These variations on a theme create significant issues, both for those looking for jobs and those looking to fill jobs.

A business leader might think of cybersecurity in the technical aspect of securing their IT infrastructure. When looking for a new position and not wanting to sound outdated, they may look for a "cybersecurity" expert, whereas what they truly need is someone who is more qualified as a sysadmin/tech support.

Maybe the org is looking for someone with a cybersecurity title or cert in their skillset, while the candidate, truly able to do the actual job required, only appears to have outdated or basic tech support skills.

HR personnel may only know what is seen in the marketing ads. They've been tasked by their board to find a cybersecurity expert, so HR is looking for new hires with offensive and/or technical security expertise. But what they need is a generalist with a jumble of skills.

New job seekers might not be able to translate their skills to the job descriptions. Companies might not know what they're looking for, and are concerned that they'll have to spend $1,000s extra a year to train a person.

Another aspect that causes confusion is that university graduates may have been told that they can make a huge salary, yet the salary range reports where they live do not agree. Local orgs might need someone with more experience than the local talent pool has, perhaps even needing expertise – anything beyond just exposure.

What Else Causes Issues?
Information security is a puzzle. The dimensions of the puzzle, the number of pieces, and the complexity of the shapes are all determined by the factors such as the size of the company, the talent required, the regulations involved, and the industry. And, regardless of the puzzle, you don't have a box top for the picture.

There's not one single "golden image" available for infosec. People may cry "Security is broken!" This assumes that there's an ideal picture out there that has been overlooked. Who's to say whether you need Splunk or not? What's the best solution for 2FA? Does the org need biometrics? Is on-prem or cloud better? Maybe hybrid? Linux or Windows?

What Can Be Done?
A task for job-seekers is to go line-by-line through the job description and figure out if they have Exposure, Experience or Expertise for each line. That's one way to weed through the jargon. Another step is, if at all possible, to get in front of those who hire. It could be at a conference or a job fair - just get out there. Potentially nerve-wracking? Yes. Effective? More so than being just an avatar and a PDF.
 
On the grander scale, it's important to note that there are some foundational pieces to the infosec puzzle (e.g., corners and edges), but even these aren't a must-have for all because there are so many factors that are possible (think of a circular puzzle – all edges, no corners). These pieces include, but are not limited to: regulated industry, types of data that needs to be protected, points of data entry, building size, number of employees, and geographical regions.

The puzzle included in this post is a place to start. One can use it to start to get a handle on what's needed in the company, or to see where one has some skills that apply to the necessary aspects or corporate security.

Here are the pieces -  
Information Security (primarily directed at SMBs)              
1. Patching              
2. Backups              
3. Trusted Advisor              
4. Endpoint Protection              
5. Education              
6. Authentication              
7. Contract Review              
8. Cyber Liability

All the best to you in finding a fulfilling role or candidate.

Stay safe!

The ideas are mine, but thanks to PresentationGO for the template.

(1) see Page 13 of (ISC)2's 2019 Workforce Report (https://www.isc2.org/Research/Workforce-Study)

The awesome image used in this article is called Orchid Garden and was created by Ale De La Torre.