To Specialize or Not to Specialize
You wouldn’t go to a heart surgeon who had gone straight from an undergraduate pre-med program to specializing in how to operate on the human heart, disconnected from the rest of the body, would you?
Maybe that’s why it’s so dismaying to see cybersecurity specialty degrees continuing to pop up, whether as undergraduate, graduate, or certificate programs. It’s the equivalent of putting a future doctor through a heart surgery residency without going through basic anatomy first. Not only is specializing in cybersecurity not required, it’s not the best thing for the industry in the first place.
Getting Down To Basics
As a training and workforce development company, we spend a lot of time working with employers to better understand their job roles and the skills that differentiate one area from the next. And what’s most surprising looking at all those conversations? The common theme that the underpinnings of a solid cybersecurity professional look pretty much the same, regardless of which specialty area you end up in: a solid understanding of networking and computing fundamentals, basic programming languages, an appreciation of security operations, and strong analytic, communication, and writing skills.
While the required depth of knowledge varies for a cyber threat intelligence analyst versus a pen-tester, it is clear that an initial baseline knowledge is paramount. Interestingly, it turns out we’ve met history majors in almost every category of cybersecurity job role. What they happen to have in common from a technical perspective is they had some exposure or experience in how networks and computers work as a threshold.
Soft Skills > Hard Skills
While the basics of information technology are a clear prerequisite, it’s hard to ignore just how often soft skills come up as some of the most needed skills across almost all cyber jobs and roles. In (ISC)²’s 2018 Cybersecurity Workforce Study, soft skills were listed as one of the top ten skills employers looked for in cyber candidates. That’s consistent with conversations we had in every company we’ve worked with: technical writing, communication, and analytic skills are absolutely necessary to excel as a cyber pro.
If the industry defaults to only identifying a pipeline of people that come through computer science or these new cybersecurity degrees, it’s likely going to miss out on the soft skills it claims are so lacking in the current workforce. In fact, some of the most advanced and experienced cyber professionals we talk to (think threat hunters, red teamers, pen testers, etc.) come from completely non-technical backgrounds but had exposure and training in IT and networking as they progressed in their careers.
Understanding The Ecosystem
Lastly, specializing in most fields still requires you to have a comprehensive understanding of how all the other areas of specialization function, and thus, work together. That heart surgeon needs to understand what (and why) the anesthesiologist is doing, even if they don’t need to know exactly what blend of gases or chemicals is best to get a patient through their procedure.
Similarly in cyber, each job role functions best when it understands how to work, collaborate, and function with other cyber job roles. For example, Threat Hunters are well versed in analyzing logs and identifying anomalies, much as a SOC analyst would. But in addition to leveraging their experience to quickly identify types of unusual traffic or network behavior, they also bring significant understanding of threat types and tactics, techniques, and procedures through research (something a typical Cyber Threat Intel Analyst would do).
What’s unique and exciting about cybersecurity in particular is that it also happens to provide an avenue for career expansion. Cyber threat intel or SOC analysts can become threat hunters, threat hunters can become pen testers or incident responders; the pathways and possibilities are endless depending on your interests, strengths, and flexibility. In fact, having that cross-domain experience and exposure makes for a stronger (and more valuable) cybersecurity professional in the long run and ultimately makes our organizations and society more secure overall.
Cyber Is Not A Snowflake
You’ve heard it all before. Cyber is different, it’s multi-disciplinary. It’s so hard to find the right talent. Well, if that’s all true, then it turns out cyber is pretty much like a lot of other jobs out there. Those that treat their job as a punch list of technical requirements and toolsets will ultimately lose out to the eager candidate who wants to learn and uses that excitement to think about where she wants to go from there. It may be the longer view, but what this profession, and many other professions, ultimately share is the need for critical knowledge and foundations that underpin all that exists in cybersecurity.