6

I am doing my bachelor's in computer science and I have the chance to take multiple cybersecurity courses. Of course, before taking these course, I did some research about jobs in the field of cybersecurity to see what one does in day-to-day tasks, what paths exist, etc.

I found jobs that seem to mostly do documentation, meetings and reports. I don't see jobs where one only does "technical things". I will define "technical things" as building servers, configuring firewalls, doing pen testing, writing scripts, etc. In other words, jobs that do not require a lot of interface with people.

For example, if I search for cybersecurity analyst or just cybersecurity (since 90% of the jobs have for title cybersecurity analyst), here are the common tasks that I found between the different jobs:

  • Support and promote the various security and compliance policy governance projects.

  • Contribute to or conduct risk assessments across different projects or incidents.

  • Teach cybersecurity best practices during interactions with company employees.

  • Participate in evidence gathering activities for internal and certification audits.

As specialists who work in that field, what are your thoughts about jobs that are only technical?

Rodrigo de Azevedo
  • 244
  • 2
  • 13
Alfech
  • 63
  • 7
  • 6
    "building servers, configure firewalls... writing script" A lot of that is done by sysadmins. – nobody May 20 '22 at 12:37
  • 5
    Alfech, you may want to consider the possibility that many organisations do not really care about InfoSec all that much. What they really care about is to ensure that they comply with all regulations so that they do not encounter any legal trouble. They are [CYA](https://en.wikipedia.org/wiki/Cover_your_ass)-ing. The worst is not to be a victim, but to be a lone victim. If many others were victims of the same attack, that is not that bad, because no one looks all that incompetent. – Rodrigo de Azevedo May 20 '22 at 16:42
  • 2
    Sadly, Rodrigo de Azevedo is correct. Many organizations give security only enough budget to fill out a regulatory checklist. I'd recommend shopping around to find a security team that is given the resources needed to keep their organization protected. – John Deters May 23 '22 at 14:13

4 Answers4

6

If you’re looking for a career in software development, there are many companies that develop cybersecurity tools. These tools are used throughout the cybersecurity world:

  • Endpoint detection systems (anti-virus, data monitoring, etc.)
  • Network traffic monitoring
  • XDR engines and rules
  • Cryptographic services
  • Code scanning tools (static code analysis, dynamic code analysis, fuzzing, etc.)
  • CI/CD pipeline security tools
  • Incident Response tools
  • Malware analysis
  • And a thousand other examples I don’t really need to enumerate

And every software development organization needs security people to help secure their development processes, pipelines, endpoints, etc. Some of these jobs may be more sysadmin roles, but there is a huge boom in all kinds of security tools and services, and they all need developers.

It might help to attend a local security conference or two. You can see who the players currently are, what they’re selling, and who they’re hiring. It’s a good way to make connections.

John Deters
  • 33,897
  • 3
  • 58
  • 112
5

If you want a purely technical role, then there are only a few options. As Esa says, every technical role requires some "soft skills" like report writing. And more than that, there are so few cyber security experts that every expert will be asked to do more than their job description.

However, there are a few jobs that are very light on the soft side:

  • malware analysis
  • data science
  • and various code analysts
schroeder
  • 125,553
  • 55
  • 289
  • 326
  • I would add "application security (app sec)" to your list, especially if it's an architect level position, as well as "red team / pen tester / ethical hacker" since those basically pay you to do CTF challenges all day and you're only limited by your technical knowledge of the technologies you're trying to hack. – Mike Ounsworth May 20 '22 at 17:52
  • Also, how do we not have a canonical question for _"What are the cybersecurity career paths and what education do they each require?"_ ? – Mike Ounsworth May 20 '22 at 17:53
  • I take it back, this one's pretty good: https://security.stackexchange.com/questions/3772/what-are-the-career-paths-in-the-computer-security-field – Mike Ounsworth May 20 '22 at 18:00
4

In the field of cybersecurity, technical skills alone are not enough, but it is essential to understand the risks that the technical controls aim to manage. The tasks you mention are likely to include both administrative and technical security, and may focus on either. Customer requirements must be understood, so appointments are necessary. In penetration testing, even the best findings will not lead to anything if you are unable to analyze their significance for the client and report it comprehensibly.

Esa Jokinen
  • 16,725
  • 5
  • 51
  • 56
  • Indeed, in cybersecurity, or really any profession you go into, the single most important skill you can have is _communication_. You can be the most brilliant technical mind in the world, it doesn't mean squat if you don't also know how to tell other people about your ideas and win them over. You also need to really understand what the business needs and speak to what they value or they won't care how smart you think you are. – Seth R May 20 '22 at 18:15
  • 6
    I entirely disagree with this. There are some fields of cyber security that are basically dev positions but focusing on security aspects; for example malware reverse engineering, mathematical cryptography and related fields (ex. maintaining a TLS implementation), red team / pentester. Those are every bit as technical as your most senior dev position (and yes, even senior devs need to understand context of their work and be able to communicate clearly, but that does not make the work non-technical). – Mike Ounsworth May 20 '22 at 18:50
  • 4
    @MikeOunsworth: Speaking as a "regular" developer who is only peripherally involved in security-related issues: Developers have tons of meetings, send a lot of email, write design docs frequently, etc. "Real" development jobs generally involve a lot of work other than writing code. University programs like the one OP is (probably) taking frequently give the misimpression that writing code is the bulk of the job, but this is simply inaccurate. – Kevin May 20 '22 at 21:53
  • 1
    @Kevin I know that in the real life you need soft skill and I don't have any issue with them. The purposes of my question is that each time I search for cybersecurity jobs, it seems to be like 90-95 % soft skill and 5 % technical skills where, for example, you will do 60 % soft skills and 40 % of programming. I feel that cybersecurity jobs are management job which is something that does not interest me for now. – Alfech May 20 '22 at 23:18
  • @MikeOunsworth: Your points are valid, and maybe I was a bit too provocative. However, the "technical things" listed in this question aren't really in the field of cybersecurity, but more like general sysadmin tasks. The jobs you list, on the other hand, are. – Esa Jokinen May 21 '22 at 09:05
2

I'd suggest that related to the Cyber Security field, but notably not strictly Cyber Security would be Architectural roles such as Network Architect or Identity Architect or more hands on would be a DevOps/DevSecOps Engineer, where Senior/Lead roles will be expected to have a strong security grounding.

p.s. All roles will require people skills, a good rule of thumb being a Senior role will influence their direct team, a Principal their org unit and Head being org wide. But that's something that will likely come with experience.

Alex KeySmith
  • 319
  • 1
  • 9