Hoping to get a career in cyber security? We asked Jim Wheeler, the Director of Operations at PGI Cyber, some questions about what a job in the sector entails.
1. What are the major cyber threats that organisations face; how serious and how widespread?
Information security is still a growing industry, as many organisations, both big and small, are still in the process of establishing security policies and procedures, implementing security controls and training staff to recognise security threats. In today's world, 'Hacking' and 'Cyber' are both words that conjure images of movie-like sci-fi; perhaps a darkened room filled with monitors and poorly dressed young adults who rarely expose themselves to the sun. Every user in an organisation is individually responsible for changing passwords, removing sensitive documents from their workspace at the end of the day and verifying the identity of visitors asking them to reveal sensitive information. This is, of course, a very small sample of the responsibilities of staff; however, they are the most common reasons for a breach.
2. Who are organisations in danger from?
There are a number of individuals who may, for one reason or another, attempt to hack corporate, government or personal systems. These range from those who find the concept interesting or 'cool' and will practise skills learned from online resources against production systems to professional, underground hackers who pursue financial gain. Due to the diversity of vulnerabilities out there, both of these can be just as effective at compromising an organisation, and as such it is the motivations of these users which are the most important point to consider. The list of reasons why an individual may attempt to hack a system is endless; therefore, it is important for businesses to identify who may wish to compromise their systems, and understand the methods that may be employed to do so.
3. How do they protect themselves, and who do they hire to do it?
Organisations protect themselves by implementing policies and procedures to govern how information security is maintained. A number of individuals must be employed with a variety of specialities in order to achieve information security, such as information assurance professionals, penetration testers and network engineers with security experience. These individuals all bring niche expertise to the business and are therefore important components to its security posture.
4. What roles are there in cyber security, and what do they entail, what do these people actually do?
Cyber security is still a developing industry; however, there is a wide range of roles which cover all manner of specialities. A typical cyber security organisation will usually have penetration testers who simulate attacks against clients in order to identify vulnerabilities, exploit developers who will research new vulnerabilities and publish their findings, and information assurance consultants who will advise clients on security policies and procedures. Larger organisations often have dedicated security teams who will develop policies and procedures for the business, and may also have technical teams who implement security controls across the network.
5. Is it all machine-to-machine or do you have to interface with people too?
Providing cyber security to organisations is a professional service, and therefore, face-to-face interaction with the customer is a very important aspect of the service we deliver. At PGI we aim to provide a tailored solution to all of our customers; therefore, we must identify their specific requirements before proposing a solution. This requires lengthy discussions at both management and technical level, and often our technical consultants will personally attend the customer site to establish their needs.
6. What’s the job like – how difficult, intellectually or emotionally challenging, and how dangerous?
As with all professions, a career in cyber security requires a great deal of theoretical and on-the-job training. Due to the ever-evolving nature of technology, this training never ends; new vulnerabilities, applications and systems are released every day, and as security experts it is primarily our job to stay on top of these evolutions. Cyber security is very intellectually challenging on a daily basis, and as such requires certain characteristics of a successful individual, such as a motivation and keen interest to exploit a system. Working in the security industry may often seem like a dangerous job; however, as cyber security experts working in a corporate environment, we rarely get into situations which could cause harm to ourselves any more so than other IT professionals. One exception to this, however, may be physical assessment (red-team) tests, where our aim is to gain physical access, often without the employees knowing. If caught, there are some obvious complications to this; however, we insist that all consultants carry a letter to explain their presence and that one employee at each site is always aware.
7. Do they ever meet ‘black hat’ hackers?
We regularly attend international security conferences, such as DEFCON and 44CON, in order to attend presentations and workshops to enhance our skills. These conferences are open to the public, and therefore it is not uncommon for 'black hat' hackers to attend. Whilst this is common knowledge, black hat hackers will rarely introduce themselves as such to a stranger, and therefore it is rare for professional consultants to knowingly converse with a black hat.
8. Greatest satisfaction?
The greatest satisfaction when conducting a test is getting the highest level of access to a network, once you have gone as far as possible and have full control over every system in it. This is, however, a double-edged sword. Whilst you get the sense of achievement from 'pwning' the network, there is also empathy for the client, who is A) very insecure, and B) will have to exert a great deal of effort to remedy the vulnerabilities identified and exploited. This means you will also have a very big report to write!