Careers

Learn more about jobs and careers in cyber security

Questions we have been asked.

[1] What can I do to acquire the basic skills in this area?

There are a huge number of resources available on the Internet – literally thousands of blogs, pages, vulnerability databases, research information, conference proceedings, articles...

However, there is no substitute for direct, hands-on skills and experience.  Many security companies, and even individual penetration testers or network/systems technicians, will create their own labs in which they can configure and reconfigure systems, try out exploits, compromise the security of boxes and then try to harden defences and attack them all over again.

This might sound expensive, but you can build it up over time if you have the resources (and space); various Internet auction sites and local recycling groups are a great source of cheap hardware. Linux flavours that run on lower-specification systems can be found, and virtualisation enables you to run several virtual servers on a single physical host (and to recover them easily if you end up breaking the operating system).

[2] How can I gain experience in penetration testing?

The best way is to try things out and practise in a safe way, and of course the Challenge games provide an opportunity to do this.  However, this type of activity is normally illegal if carried out against systems on the public Internet or on a corporate or campus network without permission.

If you are on a tight budget, see if any of your friends, family or local companies are disposing of any computers and ask if you can take those off their hands.  It might be interesting to try and find out what data they have left stored on them – but be responsible about this, tell them (See http://www.sans.org/reading_room/whitepapers/threats/define-responsible-disclosure_932) and DON’T view or misuse the data.

One thing to watch out for: there are many legitimate sources of information, research and tools on the web, but there are also others that are less scrupulous – be aware that information, web sites and tools you might be offered could have effects or contain content that you might not expect or want.

[3] How can I get into a career in cyber-security?

There are many routes, but as ideas:

  • Firstly get involved in the Cyber Security Challenge – success in our competitions demonstrates your abilities and it is a great way to meet people within the industry and develop your skills.  Candidates have found that this can lead directly to a job offer or enable a move to a new role with their current employer.
  • Gain experience in a related discipline such as IT support and then migrate skills into, or specialise towards, the information, IT and cyber security fields through training or being self-taught.
  • Follow a formal education route, such as a degree or masters course in IT/Information security, cyber security or forensics.
  • There are many specialist information security job sites and recruitment agencies, so it is advisable to set up a profile on LinkedIn and develop your links to Information Security, accessing the right groups and getting involved in the discussions to find out more about the many companies and membership bodies that can provide careers and job pages.
  • Spend time reading up on the subject, doing research on the Internet, build your own lab/test rig and develop skills in systems hardening, penetration testing, secure coding etc.
  • Invest in training courses in this area to give you knowledge and certifications upon which (hopefully) you can build experience.
  • Be prepared to work on a voluntary basis or as an intern in an organisation – if you are at school or university, see if you can get involved in supporting the IT network or create a ‘Cyber Society’ through your Student Union!

[4] Who do I talk to regarding getting into this industry?

If you enter the competitions and are successful, especially if you progress to the face-to-face stages you are likely to meet people in the same boat and those who can advise you on options.  So get involved!

Most of the challenge sponsors who attend the Challenge events are interested in identifying candidates with talent to add to their own ranks – many past competitors have found new roles through this route.

It is advisable to get a LinkedIn account and develop your profile so that you interact with the Information Security demographic.

Many membership bodies run regular events, sessions and lectures for their members, and these would be a good way to meet people inside the industry. Examples include:

  • BCS Associate Membership (AMBCS) If you’re at the start of your career in IT, Associate Membership (AMBCS) will give you the tools, resources and opportunities you need. http://www.bcs.org/category/10969
  • IISP Affiliate membership is for those who are aspiring to the profession and who would like to adopt information security as a career. No experience or qualifications are required to join at this level: http://www.iisp.org/imis15/iisp/Member/Affiliate.aspx

(ISC)2 has free networking opportunities; as anyone seriously involved in the information security profession can attest, peer networking is an invaluable resource so join an (ISC)2 Chapter now: https://www.isc2.org/chapters/default.aspx

[5] What training courses would help me to become a cyber-security professional?

There is a range of private sector courses which might be suitable, some of which lead to certificates and accreditations.

Some examples of providers are:

  • (ISC)2 is an international membership organisation and the administrator of the CISSP and other qualifications: https://www.isc2.org/
  • SANS provides internationally recognized intensive, immersion training designed to help you and your staff master the practical steps necessary for defending systems against the most dangerous threats - the ones being actively exploited: http://www.sans.org/
  • IISP – The independent accreditation authority advancing the professionalism of information security practitioners and the industry as a whole: https://www.iisp.org/imis15
  • InfoSec Skills is a training and education company, comprising an expert team of security professionals from across the industry. Our super faculty of subject matter experts formulates both industry-accredited and bespoke training courses that meet the needs of today’s information security professional. http://www.infosecskills.com/information-security-courses.html
  • BCS, The Chartered Institute for IT champions the global IT profession and the interests of individuals engaged in that profession for the benefit of all: http://www.bcs.org/category/6927
  • 7Safe, a PA Group Company is the leading provider of information security, computer forensics and related education and training. We support a range of public and private sector customers. We are part of PA Consulting Group, a management and IT consulting and technology firm which operates globally in over 30 countries: http://www.7safe.com/training.htm

And of course there are a number of academic courses at a variety of Universities.

[6] Can you provide any information on where to find jobs? Where can I search or apply for roles in cyber security?

There are many specialist information security job sites and recruitment agencies, so it is advisable to set up a profile on LinkedIn and develop your links to Information Security, accessing the right groups and getting involved in the discussions to find out more about the many companies and membership bodies that can provide careers and job pages.  It is worth reading up about the Challenge's sponsor companies to see what they offer too. (See https://cybersecuritychallenge.org.uk/careers-with-sponsors.php)

[7] What resources, web sites, blogs, RSS feeds and/or books would help me learn more about this subject and keep up to date?

The Internet is full of research and views on this topic... there are even dozens of notable bloggers and many companies such as:

General news feeds from BBC News or The Register (http://www.theregister.co.uk/) show how regularly cyber security breaches make their pages, and virus threats are often broken down by anti-virus software vendors such as Symantec: http://www.symantec.com/about/news/release/article.jsp?prid=20130415_01 and Microsoft: http://www.microsoft.com/en-gb/business/news/UK-failing-to-combat-cyber-crime-effectively-MPs-warn-801618744.aspx

[8] I was wondering how challenge competitions interact with the likes of CREST and CLAS?

CREST is an assessment and certification process for companies and their penetration testers.  Several of its member companies such as PwC, IRM, 7Safe, QinetiQ and KPMG support the Cyber Security Challenge.  Taking part in the Challenge process and becoming a penetration tester by trade will probably mean looking at progressing through the specific qualifications in that field such as CREST or the Tiger Scheme at some point.  CREST awards the cost of its exam as one of the Challenge prizes.

  • CLAS is the CESG Listed Adviser Scheme – a partnership linking the unique Information Assurance knowledge of CESG with the expertise and resources of the private sector.  The Adviser Scheme aims to satisfy this demand by creating a pool of high quality consultants approved by CESG to provide Information Assurance advice to government departments and other organisations who provide vital services for the United Kingdom.  Details of CLAS are provided at http://www.cesg.gov.uk/servicecatalogue/CLAS/Pages/CLAS.aspx.  Knowledge and experience in cyber security can be used as evidence when applying for IA certification (http://www.cesg.gov.uk/AwarenessTraining/IA-certification/Pages/index.aspx), which is a prerequisite for future applications for CLAS membership.

[9] I am an IT professional; web developer; I.T. support person; computer science graduate: What prior technical skills or experience are required for the challenges and/or a career in cyber security?

A background in IT will always be useful in cyber security, information security, penetration testing and forensics.  However, it is not essential and some people enter the profession from backgrounds like Theology, Business Studies or Geography.  Key qualities are the ability to think outside of the box and to enjoy solving problems.   Many disciplines are specialisms that can be learnt, developed or progressed into – for example a networking professional might find a niche in network security or forensics, an application developer could move into application security testing and a systems administrator could develop forensics skills.

You can research IT security and related skills on the Internet and try out skills in a lab or test environment – it is easier than ever to get hold of second-hand IT and networking hardware on various Internet auction sites or through local recycling groups.

There are many specialist information security job sites and recruitment agencies, so it is advisable to set up a profile on LinkedIn and develop your links to Information Security, accessing the right groups and getting involved in the discussions to find out more about the many companies and membership bodies that can provide careers and job pages.

[10] I have a mathematical background. What prior technical skills or experience are required for the challenges and/or a career in cyber security?

Mathematics has a part to play in several areas of computer science and security – base conversions (Unicode characters and IP subnet calculations), algorithms (in computer programming), statistics (in anomaly detection, traffic analysis and risk analysis), modular arithmetic and number theory (in cryptography), electro-magnetics (disk drive and flash memory operation) and even game theory.

It would be worth developing IT and IT security skills as well as more general information security awareness from a variety of sources or books on the subject and then see what opportunities allow you to move in your chosen discipline – the challenges are an excellent way to improve and develop these skills and several people have used these to move into a cyber security career.

[11] What qualifications, courses, experience etc. would help me to get noticed in this industry?

There are several qualifications and accreditations that have value.  Several MSc courses offer specialised and well-regarded Masters programmes in computer and information security, and lots of BSc programmes in IT and related disciplines will have computer or network security modules.

Then there are specialist qualifications and professional memberships – some operate at a level where some competence and experience exists and others have a more graduated path.

  • IISP – Institute of Information Security Professionals – this has membership grades from student member to full member; they also run the Government ITPC scheme and are one of the Certification Bodies for the CESG Certification for IA Specialists (http://www.cesg.gov.uk/products_services/training/roles-skills.shtml) – www.instisp.org
  • CISSP – operated by (ISC)2, this is a good baseline qualification, covering many domains within security – www.isc2.org
  • CISM/CISA – Certified Information Systems Auditor/Manager – run by ISACA and aimed at the practitioner level – www.isaca.org
  • CREST – Council of Registered Ethical Security Testers – an accreditation scheme for companies offering penetration testing services and their staff – different levels of membership and specialisms and widely regarded as being a reassuringly tough examination and assessment process – www.crest-approved.org
  • Tiger – Similar in some ways to CREST, this has a lower level of membership so might be more suited to those at an earlier stage of their career – www.tigerscheme.org
  • PCI QSA – (Payment Card Industry – Qualified Security Auditor) this is a qualification that allows you to conduct audits of credit card handlers within the PCI scheme – you have to work for a QSA company to have this qualification.
  • DISA – Defence Industry Security Association has membership for professionals working in the defence security industry and runs a number of BTEC accredited courses – www.thedisa.org

Then in the UK government space:

CLAS – the CESG Listed Adviser Scheme; a partnership linking the unique Information Assurance knowledge of CESG with the expertise and resources of the private sector.  The Scheme aims to satisfy this demand by creating a pool of high quality consultants approved by CESG to provide Information Assurance advice to government departments and other organisations who provide vital services for the United Kingdom.  Details of CLAS are provided at http://www.cesg.gov.uk/servicecatalogue/CLAS/Pages/CLAS.aspx

[12] What university courses are there to learn about network, computer and cyber security?

There are a number of academic courses at a variety of Universities.

If you like our Facebook page you will see that we have started to follow the universities that deliver these courses.

Specifically our main academic sponsors are listed here:

[13] I have some certifications (e.g. CCNA, CompTIA Security+) would I need additional qualifications or certifications to work in cyber security?

There are several skill areas that you could research, read up on or learn – these range from IT systems operation, operating systems and security models, application development and modern programming languages, networking and communications – there are also specific security areas such as penetration testing, reverse engineering, protocol analysis and computer forensics that are more advanced but may be of use particularly if you are already working in a technical discipline. (See DEVELOPMENT PATHWAYS https://cybersecuritychallenge.org.uk/development-paths.php)

[14] Do recruiters or employers look only for technical skills or are they interested in interpersonal and/or soft skills too?

There will typically be a demand for both; some engineering-type roles will place a greater emphasis on raw technical talent, ability, skills or qualifications – others, perhaps those which could be consultancy based or client facing, will require the ability to communicate widely and will give exposure to different people from different backgrounds.

In some roles the ability to convey highly technical information to a non-technical audience is one of the greatest attributes.  Even in a deeply technical role you will benefit from the ability to work individually and as part of a team, to show enthusiasm and creativity, and to be able to clearly document findings, results or designs in document or presentation format.  However, the course of your career could place a greater or lesser emphasis on all these aspects based on what you enjoy and are good at.

[15] I don't have any qualifications beyond A-level. Can I apply for a job in cyber security?

YES.

The purpose of the Challenge is to help identify talent, irrespective of what you may or may not have done in the past, as many cyber security roles give opportunity to enter the workforce based on skills, aptitudes and capability, rather than academic track record.  Some companies and employers will inevitably draw candidates from the graduate community, and some will look even closer and seek out those with specific security components in courses studied, whether private, degree or at MSc level.

[16] Are there any apprenticeship schemes so I could get qualifications in cyber security on the job?

YES. There is a lot of information on IT apprenticeships available:

On the e-skills UK website: http://www.eskills.com/apprenticeships/individuals/ and through the National Apprenticeship Service: http://www.apprenticeships.org.uk/ with more focussed cyber security initiatives in this area being developed – so watch this space.

[17] I have just left secondary school, what should my next step be as I am really interested in cyber security?

(Here are a few answers from the Challenge Alumni LinkedIn Group; these are opinions based on their experience only.)

  • So I was in a vaguely similar situation going into my A-Levels. I wasn't sure if I wanted to go to university, or just join the Navy straight after. One of my friends won me over to the university side by reminding me that I couldn't fly forever, and that eventually I’d have to do some work ;) Having an Engineering degree would then make me much more attractive to future employers. So similarly, I would suggest going to university, and doing a respected academic course in something that interests you. (Computer Science / Electrical Engineering / Aero Engineering is pretty cool (we get to build UAVs).) Then while at university, hammer the Cyber Security Challenge for every prize and opportunity they can give you. Get three summer placements at decent Security firms (if it's a 4 year degree). Then when you come out, you have transferable skills to a wide range of possible jobs. You have a respected degree; you have research skills, teamwork skills. If you hammered the Challenge hard enough then you will have industry level qualifications, and if you did a number of placements within industry then you'll have plenty of classified project goodness to talk about (or not) in job interviews. HR will bend over backwards to let you in, and at that point you can demonstrate your skills. Not only that, but you'll then possess the necessary skill set to move around within the industry, or even within the field of technology itself, depending on what you enjoy doing. Anyway, just my two pence worth, and from experience, sponsored degrees are the best way to do university...
  • I would suggest finding a company that does roughly what you want to do, e.g. Cassidian, QinetiQ, Detica etc., and approach their recruitment teams and ask what opportunities they have. I would imagine more recently, they would be keener to sponsor you through any further education so that they get your hands-on skills early on. Approaching them and asking their opinion doesn't mean you are committed to working for them but would allow you to see what their preferred option is. Getting sponsored to take a degree is sweet!
  • So this is just my experience based on 16 years in IT, and 18 months trying to get into Cyber Security. My best advice for a school leaver would be to go to college and then university. The range of degrees that are available now compared to when I was at that stage is vast and I honestly believe that you are now better off getting a cyber-security degree if you want to advance in that field. I understand you might be eager to get into cyber security but this is a field you can't rush into. Over the last 18 months I have learnt a lot and thanks to the Challenge gained the opportunity to learn more, plus there are lots of things you can do while at college and university. There are a number of community-driven events that you can benefit from, as I think it takes a while to decide which area of cyber security you want to specialise in, as you might imagine.
  • I think this is a really tough call to make. Academic qualifications are preferred by many companies; I am studying for a degree just because it is on so many job requirements, but on the other hand getting experience, in my opinion, adds focus to classroom lessons.  I would say it is a decision only the individual can make; for some the idea of University is quite daunting or unappealing, for others they may feel they need qualifications to gain confidence.