11

I have been thinking of working in cybersecurity for a while now (I am doing a bachelor's degree in computer science and I have one in mathematics). However, I don't know what it really looks like. And before considering what kind of future studies I should take, I would like to have the opinion of the people who are working in this area.

Is this an academic formation (university) or a more practical one (in collaboration with the police)? Are there institutes where I can do a master's degree and/or a Ph.D in this field?

Although it is very popular in the media, I have never heard of a formation (maybe I don't ask the right questions or I don't know where to find the information...)

Rory Alsop
Alan Simonin
  • There are plenty of jobs in the field; public, private, government, etc. What I have found is that most good security engineers have a background as an admin. I know plenty of people who went straight into security, and although they have a great theoretical background, they typically don't "get it." Also, to address degrees - although they do help, it's not always worth getting the MS or PhD if you're going to work for a business as a security guy. That's mostly for the academics or research people. – JZeolla Feb 28 '13 at 13:10
  • Thank you for your comment. This confirms what Lex and Thomas just said. When you say "they have a background as an admin", you mean a website admin? – Alan Simonin Mar 01 '13 at 05:41
  • Really any type of admin. Wintel, Linux, web, network, whatever. Just having that real-world hands-on multi-year (Wow that's a lot of hyphens) experience brings the security world into perspective. Otherwise it's hard to fully understand the challenges most teams go through regarding security. – JZeolla Mar 01 '13 at 16:01
  • You mean "learning by doing" and I agree totally. Thanks for the precision! – Alan Simonin Mar 01 '13 at 20:49
  • Uh, kind of but not really. I don't mean do this in a home lab; I mean legitimately doing it as a job. – JZeolla Mar 03 '13 at 00:50

3 Answers

12

The term cyber-security is large enough to represent many different sub-fields. As in many fields, there are theoretical approaches and more practical ones.

For instance, I now work at the Center for Cybercrime and Computer Security, and within the same place, there are people working on cryptographic protocols (quite theoretical/maths), people working on collaboration with the police, e.g., to work with battered women, people working on usability aspects of security, people working on quantitative techniques (probability/uncertainty) of security mechanisms, and that's just off the top of my head.

If you take a look at the Information Security Group, where I was working before, you'll find different profiles, and different aspects of cyber-security. In both of these examples, and in many others, you can do both a Master's and a PhD. And, of course, I'm only talking here about places I know from working there, but there are plenty of them in the world.

It's quite frequent that security groups are started by people whose primary background is not in security, and that's why there are many approaches: algebra, formal methods, quantitative, psychological, distributed systems, operating systems, networks, etc. So, to answer your question precisely, yes, there are many places to get a proper formation in cyber-security, and you will probably find one that suits you best.

EDIT: As another example of a great place to look at, since your profile indicates you're in Switzerland, ETH Zurich is considered one of the top places in the world, and their Information Security Master is probably very interesting (although with perhaps a more theoretical/academic aspect rather than concrete/applied).

Charles
  • Thank you for the links, they are very useful to me. Do you think I could have a chance to do a Ph.D in such a school with a master's degree in general computer science? – Alan Simonin Feb 26 '13 at 22:31
  • @AlanSimonin: I'm not sure there is such a thing as an MSc in "general CS". But for what it's worth, I had an MSc in theory of programming/formal methods, and I did my PhD in security (from a formal methods aspect though). The best in your case would be to first find a topic you'd be interested in for your PhD, and then to contact a potential advisor to discuss the possibilities. – Charles Feb 26 '13 at 22:36
  • Yes it would be the best way of doing that, but I am a home student (I follow courses from l'Université de Franche-Comté but I work too) so my choices are unfortunately limited... So I will ask my teachers which orientation they think is the best to be prepared for a Ph.D in cyber-security. And once I begin the Ph.D, I can earn my living. – Alan Simonin Feb 26 '13 at 22:42
  • Don't forget Stanford's [Program on Liberation Technology](http://liberationtechnology.stanford.edu/) and the excellent [mailing list](https://mailman.stanford.edu/pipermail/liberationtech/) that goes along with it. The mailing list is full of lively discussion of the compusec-social intersection, and is attended by some of the luminaries and rebels in the field. – ruief Feb 28 '13 at 09:50
10

Welcome @AlanSimonin; good question.

Another parallel question to this, to my way of thinking, is to ask: "What kind of jobs in IT Security are there?". Honestly I could not tell you all, but my approach to entering the industry (I am at an entry level too) was:

I tried to find out what types of jobs there were at an entry level and compare/contrast them to my skills, my liking and how I could get there: Junior Penetration Testing and Security Analyst, for instance. Then, once I had compiled a (very) small list of entry level IT Security Jobs, I looked at my background.

Then, I also considered the type of business (Financial institutions, Security Consultancy, etc).

For a Security Analyst for example, my view is that in some cases you only need a Computing Degree and to be able to prove on your CV or Covering Letter that you do have a very keen interest in Security. How do you prove it? By demonstrating participation in blogs, or having your own website, or by publishing papers on research you do. This research does not necessarily need to be original, or revolutionary, but consistent in showing that you are capable of organizing your thoughts and having a good structure to present it.

I am currently working in IT Security Management for a financial institution; answering your question, what is it like working there? First of all, it is great. I love my job, the hours are flexible, I have the option to work from home, and my Team is small but a bunch of really nice and helpful people. A lot of what I do is related to creating and improving processes for handling incident response, Firewall Access Requests, DDoS, Vulnerability Management, liaising pentesting with projects to come, log analysis, etc. So it is pretty much an IT management role with almost all of its focus on Security: I love it. I spend a lot of time exchanging e-mails and using Word and Excel (...world is not perfect). Another thing I do is being a member of our CAB (Change Advisory Board, which if a project needs to implement any changes within the infrastructure, the project manager has to go through approval from the CAB's members). I also have some technical stuff too, but that is for me to support the management of wider scope. I get paid very well considering this is an entry level job. I also get extra money for working OnCall.

In terms of certifications to take, don't go too crazy on them. Especially because they are very expensive and whenever you start joining companies, they will likely invest in you and pay for your training and certifications as it happened to me already. Do you have a stronger coding or networking background?

Answering your next question, whether this is an academic matter? Good question, actually a very good one: The Degree is your foot in the door. It helps you get your first job; your following jobs will be based primarily on your experience and prestige within the Security community. To be honest, in terms of what I learnt at University, I am using very little at work. Most of the things I am using at work came from my own independent curiosity in learning. Let's put it this way: suppose you know someone important in a security company that knows your way of thinking, your moral integrity and acknowledges your passion for security. It is very likely that - if this person is really open-minded about security - they will give you a Security Analyst job even though you might not have a Degree. A Degree in my opinion is a way a future employer has to know that you (as someone this employer does not know) have spent enough time to prove that you really enjoy your area of study: it does not prove knowledge or experience; other than that, I believe Security Degrees are pretty useless. The same applies for certifications. I have worked with highly skilled pentesters that don't even have a Degree! I swear. But of course, if you want credibility you have got to have a couple of certificates under your sleeve.

Finally, just to throw an idea back at you, if you do not have a very strong technical background, but enjoy the Security way of thinking, do some research in anti-fraud and e-crime prevention within financial institutions: they don't pay as much as the security in IT, but there has been a new trend of merging those two disciplines together (i.e. anti-fraud and IT). Perhaps by getting into one, you could use it as a way of sneaking into the other as someone I know has done already. (Apologies for being so prolix)

Lex
  • Thank you for your very interesting answer, you seem to have a very nice job! When you say that I just need a CS degree, which one do you have in mind? Bachelor, Master or PhD? – Alan Simonin Feb 28 '13 at 16:55
  • You are welcome. From my team, not a single person has a Masters. In fact, I don't know where you are, but in the UK they have Honours as well, which is another year after graduation. I did not bother doing it as I found it condescending and unnecessary. I believe Masters and PhD are mainly applicable for non-technology areas like psychology, Classics, History, etc. In those cases, Academic path is really necessary. IT Security needs people that can do the job, at least this has been my experience. – Lex Feb 28 '13 at 16:59
  • I live in Switzerland but I don't think (I have never heard of honors) it exists. I am glad to see that degrees are not so important because as I said in my previous comment, it is easier to learn CS alone than other courses... – Alan Simonin Feb 28 '13 at 17:35
8

"Cybersecurity" is both an awfully hyped term, and a very large field.

One part of IT Security is on the construction side of things; you design system architectures in order to fulfill some security characteristics. For that you have to understand what attacks do and how they work; being able to actually run them is not that important (i.e. knowing what a buffer overflow is and what it can lead to is very important; being able to write the assembly code for the actual exploit, or knowing by heart all the commands of metasploit, does not help as much). One part of designing security architectures is using cryptographic algorithms and protocols, which requires knowing what they do and what they don't.

I am professionally involved in a lot of PKI, so that's a lot of cryptography and right into my own formation (a PhD in cryptography)... in theory. In practice, most of my day-to-day job is:

  • wading through thousands of pitiful excuses for documentations, often in "blog format" (yes, I'm talking about you, Microsoft);
  • writing the occasional script or .NET code to glue some tools together, or fill a blank (e.g. decoding and validation of the fields in a PKCS#10 request);
  • decoding network traces of SSL handshakes;
  • explaining things to people.

The last item is probably the most important: I spend most of my time explaining things to other people, propagating information and trying to kill off myths and unfounded rumours. For that matter, my day job looks a lot like what I do on Security.SE.

The most advanced formations will be, by necessity, extremely specialized, so you will not use them much afterwards (actual cryptography is less than 5% of my time). What you need is to be curious, inquisitive, eager to learn new things; you should spend quite some time at home trying to develop attack or defence code. It helps to have some theoretical knowledge (algorithmics, some algebra...). An actual diploma is convenient to make people listen to you, but not an absolute requirement: IT in general, IT security in particular, is a field where most employers know that competence is not acquired in schools. If you want to follow the academic road, though, then a PhD is necessary (both to be accepted by your fellow academics, and because doing a PhD is the only known way to learn how to "do Science").

Thomas Pornin
  • Thank you for your answer! I agree with you that CS can be learned on one's own. I have learned so many things just by watching/doing tutorials (there are a lot of them on the internet) or analysing source codes of sites. And the documentation is very rich (PHP, jQuery, ....) – Alan Simonin Feb 28 '13 at 17:04