The question of cybersecurity certifications comes up very frequently on discussion boards. What is the best certificate to get? Is a college degree better for getting a cybersecurity role? What education or skills are needed for various cybersecurity roles? And many, many more. In this post, I'll try to clarify some of these questions and more.
Before heading down the certification path or degree path, ask yourself: what is my end goal? A career in Cybersecurity is relatively demanding and requires commitment. Cybersecurity is a vast field of endeavor that involves many skills, with many different paths. For example, if your goal is eventually to become a Chief Information Security Officer (CISO), not having a degree could limit your opportunities. For other cybersecurity roles, the requirements vary considerably. On the other hand, if your passion is identifying weaknesses and vulnerabilities (being an ethical hacker), a college degree is not necessary.
Let's begin with a list of typical roles in Cybersecurity, and explore some of the requirements for these roles. We'll follow up with some of the ways to meet these requirements and the education needed. Some of these roles are engineering-focused, while others require creativity, and some positions have legal or regulatory mandates.
- SOC Analyst – the SOC Analyst role means different things in different organizations; some think of this role as a threat analyst. Others consider this role a technology jockey that monitors firewalls and Intrusion Detection/Prevention Systems (IDPS). For this post, I'll use the former sense, threat analyst.
To be a successful threat analyst, one needs to be able to apply deductive analysis techniques; in other words, to decompose the actions that lead to an observable outcome. Useful skills for a threat analyst are the ability to troubleshoot and to reverse engineer. Knowledge of networking and system administration is foundational to this role. Over time, the threat analyst will come to understand threat actors' Tactics, Techniques, and Procedures (TTPs). The threat analyst will spend much of their time using threat analysis tools such as Security Information and Event Management (SIEM) or Security Orchestration, Automation, and Response (SOAR) tools. Many of the SIEM and SOAR vendors offer certifications that the analyst might want to pursue.
- Network Security Engineer – these engineers typically install, set up, configure, and maintain network security technologies, such as firewalls, proxy servers, Network Intrusion Detection and Prevention devices, and Network Access Control (NAC).
There are many vendor technologies that a network security engineer will have to master; thus, it is beneficial to pursue vendor certification for various technologies.
- Cloud Security Engineer – this role is similar to the Network Security Engineer and is focused on specific technologies. In this role, the engineer will design, implement, and maintain security controls in cloud environments. Desired skills for this role include an understanding of cloud-based technologies, security controls, and attack vectors. The major cloud vendors provide training and certifications for their offerings, including Cloud Security Engineering certifications. Additionally, the Cloud Security Alliance (CSA) and the International Information Systems Security Certification Consortium (ISC)² offer vendor-neutral cloud security certifications.
- Penetration Tester/Ethical Hacker – in this role, you'll find ways to break into networks and systems by circumventing security controls, to help organizations and clients improve their security posture. Several certifications are available for this role, yet none are required. To be successful in this field, one needs to learn how systems work and how to bend or break a system's predefined rules. An essential skill in this role is writing compelling reports that highlight inherent system weaknesses and provide remediation recommendations.
- Digital Forensics and Incident Response (DFIR) analyst – in this role, the analyst will track down an attacker in the network or on a system, reconstruct the activities the attacker has taken, contain the attacker, and restore the environment to normal operations. In cases where forensics are required, the analyst takes additional evidence-preservation precautions and prepares their findings for legal proceedings. Skills needed in this field include reverse engineering, deductive reasoning, network and systems expertise, and the ability to solve puzzles. There are several vendor-specific and vendor-neutral certifications in this field; these include the EnCase EnCE, SANS GCFE and GCFA, and many others.
- Governance, Risk, and Compliance analyst – the previous roles are technical, while this role focuses on processes, procedures, and regulations. An understanding of control frameworks, risk management, and regulatory compliance is a requirement of this role. The most prominent certification for this role is from the Information Systems Audit and Control Association (ISACA): the Certified in the Governance of Enterprise IT (CGEIT). There are additional certifications covering auditing and risk that one might consider pursuing in this role.
Cybersecurity is a vast field of endeavor; there are many paths to follow and technologies to master. As such, there's a place for everyone. At the end of the day, what education or certifications are best for pursuing a cybersecurity role? The short answer is none! To be successful in Cybersecurity, one needs the drive and passion to learn continuously and to challenge conventional wisdom. In other words, paraphrasing Alvin Toffler, Cybersecurity professionals of the 21st century need to be able to learn, unlearn, and relearn.
Here's the original quote for reference: "The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn and relearn."