A Day in the Life of a Cyber Security Professional

Tim Holman, CEO of 2-sec18th June 2015

Focus on:• Typical day to day activities as CEO of 2-sec.• The highlights (and lowlights) of my cyber

security career.• How to develop YOUR career as a cyber security

professional.• How can the ISSA created Cyber Security Career

Lifecycle™ help?

Tim Holman, CEO 2-sec• 20 plus years security experience in Cyber security including:

– auditing – penetration testing – credit card security – ethical hacking – training – incident response

• Awarded Microsoft MVP Security in 2004, 2005 and 2006• Director of the ISSA International Board, Fellow of ISSA and

Previous President of ISSA-UK

What do I do all day!?• Work in a multi disciplinary team across the South

of England.• Help many different types of UK businesses from

SMEs to large conglomerates.• All market sectors, including retail, financial,

professional services hospitality.• Penetration Testing, Audits and Assessments, PCI

DSS, CISO, Physical Security and Training.

What do I do all day!?• Most of my time is ADVISING existing and new clients.• Also responsible for projects including:

– Security assessments including pen testing/physical – Card security – Auditing companies to gain industry compliance e.g. PCI DSS.– Incident Response Planning

• Disaster management during data breaches. • Managing ISSA.• Each day is different.

Highs and Lows of my CareerHighs (or the good bits)• Recognition• Making a difference• Helping others• Defeating cyber

crime

Lows (or the bad bits)• Box tickers• Some vendors• Sales guys• Bootcamps

Why are we successful?• Experience of our consultants who are

KNOWN to be experts in their fields. • Experience in many different sectors.• Our commercial understanding.• We communicate well with our clients.• We provide simple, cost effective solutions

in non technical language.

Cyber Security as a Profession• Over 50 different career types within cyber security.• Reports of 300,000 and 1,000,000 current

cybersecurity positions are vacant. • Demand is expected to rise as public, private and

government sectors face unprecedented numbers of cybersecurity threats.

• The lack of cybersecurity talent can be an organization's biggest vulnerability, exposing it to serious risk.

Problems with the Profession• The Information Security profession has

developed largely in reaction to threats. • Now we are paying the price with an enormous

gap of skilled professionals and an entire “missing generation.”

• No synergy around defining cyber security roles; e.g Network Security Analysis in USA may not have same responsibilities as those working for other countries.

The profession has developed in REACTION to threats

Somebody is trying to get in – stop them

Somebody got in – find out what they did

How do we stop somebody from getting in?

Stop them at the border with firewalls, then with intrusion prevention/detection• General IT support staff

(system managers, networks, operators, etc.)

• Security Analysts• Network Security Engineers

Locking down systems to prevent further damage and retrace the steps• General IT support staff

(system managers, networks, operators, etc.)

• Security Analyst• Network Security Engineers• Forensic Analysts• Cyber law enforcement• Cyber legal council

Locking down systems and building the defense in layers• General IT support staff

(system managers, networks, operators, etc.)

• Security Analysts• Network Security Engineers• Forensic Analysts• Cyber law enforcement• Cyber legal council• Security Architects• GRC Specialists• Secure Code Developers

There really IS a problem• Our reactive development has not allowed for:

• Developing a professional career map.• Building what we need to be proactive.

• “next generation”.• Well rounded skill sets.

• Our industry has taken a knee jerk reaction:• Tremendous push by governments to fill the gap through

formal education programs.• New training and education programs are popping up

everywhere.• No collaboration between entities or countries.• No “voice” speaking for the profession/professional.

The Cyber Security Career Lifecycle™

The CSCL is a systematic approach that:• Enables professionals to discover the areas of

weakness.• Defines personalized career map.• Provides guidance, resources, and a support

system to achieve skills and career goals.

www.issa.org/cscl

What is the CSCL?

The CSCL is a systematic approach that:– Enables professionals to discover the areas of

weakness in their skill sets and aptitudes.– Defines personalized career map according to the

individuals knowledge, skills, aptitudes and interest.– Provides guidance, resources, and a support system

to achieve skills and career goals.

The Cyber Security Career Lifecycle™

Pre-Professional

Entry

Mid-Career

Senior

Leader

Understand your career!

Self -Assessment

Knowledge, Skills, Aptitudes

Career Mapping

Personal Guidance

Understand your career!Understand where you currently are in your career

• Career Mapping• Self assessment using KSAs

ISSA resources to strengthen & grow• Knowledge sharing

• Formalized training • Networking• Mentoring

Direct feedback for new services

ISSA Career Progression Continues…

• Focus on the “missing generation”• Meet-ups (virtual & in person)• Mentoring

• Continuing support of all phases • Journal• Webcasts• International Conference/ CSCL Tracks

• New service development using CSCL phases• International Consortium for Cyber Security Education

and Professional Development (ICCE&PD)

Thank you very much!STAND BH514

tim.holman@2-sec.com0844 502 2066

@2_securewww.2-sec.com

Any Questions?