Cybersecurity is the practice of defending computers, networks, and data from malicious electronic attacks. It is often contrasted with physical security, which is the more traditional security practice aimed at controlling access to buildings and other objects in the real world.
Although there are plenty of high-tech physical security techniques, and sometimes physical and cybersecurity are joined together in the org chart under the same executive, cybersecurity focuses on protecting assets from malicious logins and code, not burglaries.
Types of cybersecurity
Cybersecurity is a broad umbrella term that encompasses a number of specific practice areas. There are several ways to break down the different types — Kaspersky Lab has one schema, Mindcore another — but here are the most prominent types you'll hear about:
- Network security prevents and protects against unauthorized intrusion into corporate networks
- Application security makes apps more secure by finding and fixing vulnerabilities in application code
- Information security, sometimes also referred to as data security, keeps data secure from unauthorized access or alterations, both when it's being stored and when it's being transmitted from one machine to another
- Operational security, often abbreviated as OPSEC, is a process by which organizations assess and protect public data about themselves that could, if properly analyzed and grouped with other data by a clever adversary, reveal a bigger picture that ought to stay hidden
- Some aspects of disaster recovery are also considered to lie under the cybersecurity umbrella; in particular, techniques to remediate widespread data loss or service outages as a result of a cyberattack are part of the larger cybersecurity discipline
Each of these types of cybersecurity combats cybersecurity threats within a specific conceptual realm. Cybersecurity threats have come a long way since the phone phreaking days of the '70s; modern threats include:
- Denial of service attacks
- SQL injection
- Cross-site scripting
- Man in the middle attacks
- Credential stuffing
The goal of each discipline within cybersecurity is to face these threats—and new ones that might emerge in the future—in a systematic way, largely by preparing for attacks before they happen and providing as little attack surface as possible to an attacker.
One of the ways in which you can lay this groundwork is to adopt a cybersecurity framework. This isn't some whiz-bang software tool or hardware appliance; it's a set of policies and procedures meant to improve your organization's cybersecurity strategies. These frameworks are created by various cybersecurity orgs (including some government agencies) to serve as guidelines for organizations to improve their cybersecurity.
Any cybersecurity framework will provide detailed direction on how to implement a five-step cybersecurity process:
- Identifying vulnerable assets within the organization
- Protecting assets and data, and taking care of necessary maintenance
- Detecting breaches or intrusions
- Responding to any such breaches
- Recovering from any damage to systems, data, and corporate finance and reputation that results from the attack
Cybersecurity frameworks can become mechanisms by which government security regulations are imposed. Both HIPAA and GDPR, for instance, contain detailed cybersecurity frameworks mandating specific procedures companies covered by the laws have to follow.
Of course, most cybersecurity frameworks are not mandatory, even ones developed by governments. One of the most popular of these is NIST's Cybersecurity Framework, version 1.1 of which was released in April of 2018. This framework has been mandated for use within U.S. federal agencies and is increasingly popular elsewhere, with voluntary takeup from banks, energy companies, defense contractors, and communications companies.
If you're reading CSO, it's very likely that you're interested in a cybersecurity career (or are already in one). Scanning the job boards, you'll likely encounter variations on three common job titles: security analyst, security engineer, and security architect. Job titles are notoriously squishy, but in general these are in ascending order of seniority and responsibility: analysts identify and tweak issues within existing systems, engineers implement major revisions or roll out new systems, and architects design those new systems. But these actual responsibilities can vary widely from company to company, so it's important to take a closer look at each job individually to understand it. At the very top of the food chain is the Chief Information Security Officer, or CISO, though even that title isn't set in stone.
Also referred to as cyber security analyst, data security analyst, information systems security analyst, or IT security analyst, the security analyst role typically has these responsibilities:
- Plan, implement and upgrade security measures and controls
- Protect digital files and information systems against unauthorized access, modification or destruction
- Maintain data and monitor security access
- Conduct internal and external security audits
- Manage network, intrusion detection and prevention systems
- Analyze security breaches to determine their root cause
- Define, implement and maintain corporate security policies
- Coordinate security plans with outside vendors
The security engineer is on the front line of protecting a company's assets from threats. The job requires strong technical, organizational and communication skills. IT security engineer is a relatively new job title. Its focus is on quality control within the IT infrastructure. This includes designing, building, and defending scalable, secure, and robust systems; working on operational data center systems and networks; helping the organization understand advanced cyber threats; and helping to create strategies to protect those networks.
A good information security architect straddles the business and technical worlds. While the role can vary in the details by industry, it is that of a senior-level employee responsible for planning, analyzing, designing, configuring, testing, implementing, maintaining, and supporting an organization’s computer and network security infrastructure. This requires knowing the business with a comprehensive awareness of its technology and information needs.
The CISO is a C-level management executive who oversees the operations of an organization’s IT security department and related staff. The CISO directs and manages strategy, operations, and the budget to protect an organization’s information assets.
Security leaders have elbowed their way into the C-suite and boardrooms, as protecting company data becomes mission critical for organizations. A chief security officer (CSO) or chief information security officer (CISO) is now a core management position that any serious organization must have.
If you're looking through job ads, you might also notice some more specialized job titles out there; Valparaiso University lists some of them, and you'll recognize that they tie into the types of cybersecurity we listed above. The days of the generalist security analyst are fading fast. Today a penetration tester might focus on application security, or network security, or phishing users to test security awareness. Incident response may see you on call 24/7.
Cybersecurity jobs are plentiful, and those who can fill them are in high demand: most professionals agree that there's a skills shortage, with three-quarters of respondents to a recent survey saying the lack of skilled job candidates had affected their organization.
Cybersecurity courses and cybersecurity degrees
But how do you get those skills? Historically, as is true in many facets of IT, cybersecurity pros learned their skills on the job. This was especially true as cybersecurity took a while to emerge as a distinct discipline; many departments developed de facto security pros from within, just out of folks who were interested in the topic.
However, as is also true of many aspects of IT today, cybersecurity has become more and more professionalized, and many college courses and even majors have sprung up to prepare potential cybersecurity staff. Perhaps the greatest indication that cybersecurity has matured is the emergence of multiple cybersecurity graduate programs, many with specific focuses. For instance, at Tufts you can get a master’s degree in Cybersecurity and Public Policy.
How do I get a cybersecurity job? Cybersecurity career paths
Of course, getting a cybersecurity degree is just the beginning of a career—and isn't the only way to start. The truth is that there's no one true path to a cybersecurity career: people ranging from teen hackers gone legit to naval intelligence officers with cyberwarfare backgrounds to political staffers who focused on privacy issues have all gone on to have successful careers in cybersecurity.
For a nifty way to visualize what a career path in cybersecurity might look like in practice, check out Cyber Seek's Cybersecurity Career Pathway, an interactive tool created in partnership with the National Initiative for Cybersecurity Education (NICE). The tool shows you what entry-level, mid-level, and advanced jobs might look like in the field, based on the roles that might feed into them.
As you might expect in jobs where skills are in high demand, cybersecurity pros can be handsomely rewarded. In September 2019, CSO took a look at eight hot IT security jobs and what they pay, and found that even entry-level jobs like information security analyst were lucrative, with salaries ranging up to almost $100,000. "At the very highest levels, the right person can command over $400,000," says Paul Smith, vice president of business development at PEAK Technical Staffing.
The details of cybersecurity jobs are, like any high-tech job, always changing, and the key to continuing success is to keep learning and stay flexible: as CSO columnist Roger Grimes puts it, "re-invent your skills every five to ten years."
One way, though certainly not the only way, to demonstrate that you're keeping up with the industry is to pursue some cybersecurity certifications. CSO's Grimes has put together a list of the top cybersecurity certifications, along with details of who should be most interested in each. For instance, he recommends the SANS certs for those who "want to learn a lot about computer security, how hackers hack, and how malware is made," while ISACA's certifications are for those "interested in computer systems auditing or computer security management."
Cybersecurity is definitely a challenging environment—but, as most practitioners will agree, a rewarding one.