April 12, 2023
This is yet another article inspired by the success of a recent video series. Some of the most common questions following that series were “What certifications should I get if I want to do job X?” and “What is the average salary for a person in job X?” We will look at several different job roles and cover as many areas as possible. You will find that my recommendation for nearly any role will involve some type of cloud services certification. This is because whether you’re a top CISO or an entry-level penetration tester, it’s likely you will have to deal with cloud services in a functional and operational way in your day-to-day duties. If not currently, you will in the very near future. For each of these roles we will address the following things:
- Entry-Level Outlook
CISO – Chief Information Security Officer / VP of Security / CSO
It should come as no surprise that I start with CISO. It is generally regarded as the most senior cybersecurity role in most organizations. The CISO is also the one security person who knows a lot about what’s going on with the rest of the organization. They will often be in board meetings, sometimes as the right hand of the CIO, or in some organizations in their own right. It is becoming more common to see CISO roles not reporting to the CIO role as they once almost always did. In some organizations, this role has become a peer of the CIO role. Be prepared to see it structured either way. This is a monumental and massive responsibility. The CISO is responsible for security operations (SOC), security risk, data loss, security engineering, digital forensics and incident response (DFIR), governance, and the overall health of the security organization. The majority of the CISOs I know personally are also some of the most gifted people on the planet.
Requirements
You’ll be expected to have at least a bachelor’s degree in computer science, business or a related field. The hiring organization will usually want you to have 7 to 10 years’ experience, with 3 to 5 of them being in a management role. Don’t think of this as written in stone, because I know of a retired US Air Force fighter pilot who’s made a heck of a CISO. It helps to have had some exposure to a technical security role at some point, but it’s not 100% required. You’ll be expected to have some deep experience with compliance, dealing with things such as SOX, HIPAA, PCI, etc.
Some Complementary Certifications
CISSP – Certified Information Systems Security Professional – The premier security management certification. Almost ready-made for the CISO role.
CISM – Certified Information Security Manager – Similar to CISSP but came a little later. Security management from a slightly more auditor-oriented perspective, as it comes from an organization grounded and founded in IT audit.
CSIH – Computer Security Incident Handler – Most CISOs are worried about data breaches and data loss. Incident handling is the triage and emergency room for data breaches. CISOs should be versed not only in management principles but also have some basic technical aptitude in this area. This certification covers both. I first earned this in 2016 and it’s only gotten better.
CEH – Certified Ethical Hacker – One of the most important parts of understanding how to defend an organization’s data, systems, and people is understanding how the attackers find, exploit, and abuse those things. CEH is still the most sought-after certification in this area. PenTest+ is definitely gaining some traction, but CEH has been around for a while. I got my first CEH all the way back in 2003 and it was already well known in security circles. I got the PenTest+ in 2018 and it was brand new then. So as of today I still have to say CEH. I will recommend this certification for a lot of the more hands-on technical roles, but for slightly different reasons.
CCSP – Certified Cloud Security Professional – This is ISC2’s entry into the world of cloud security. This certification is more cloud security for security managers, though, which makes it a nice fit for a CISO. There is not a ton of technical content on this exam (I earned the certification about 2 years ago and have taught 7 or 8 boot camps for it).
Average Salary – $223,000/year. Remember this number is an average across the US. I know of a couple of CISOs who make well over $400K. One of them recently left a job where they were making exactly that and wanted to know if I would consider taking that job, as this person was retiring. Based on current trends, this salary and the demand for qualified people to do this job will continue to increase. Sources: indeed.com, monster.com, glassdoor.com
Summary And Entry Level Outlook
This is definitely a position worth pursuing; however, if you are Entry-Level Traditional, just realize that it could be 10 years or more before you qualify for this position. You will almost always need either a strong background in managing other types of programs, a strong technical security background, or a strong background in other areas of security such as policy, compliance, audit, or risk. On a scale of 1 to 10, I would rate the likelihood of you coming in entry-level to be 1. It’s just not very likely. That being the case, I can cite a couple of instances where someone with a strong management background and brilliant management style landed the job without any formal or informal security experience, so it is possible. Also, I’ve seen people who have reached the point of being a CIO, which is oftentimes the role a CISO would report to. Where I’ve seen this the most is a CIO at a small or medium-sized company moving to a CISO position in a large enterprise. Think of it as a college sports head coach going to professional sports and taking an assistant coach position. It is both a move up and a move down, depending on how you look at it.
I’ll quickly point out that this article is not sorted by salary, importance of job role, or anything like that. Cybersecurity Engineer has been an evolving role. I’ve also found that the day-to-day function of this role can vary greatly and still remains very ambiguous. For example, I recently read two job descriptions, both from reputable companies, for this exact role, and here’s a snippet of the first one:
- Configures, deploys, and maintains Web Application Firewall solutions
- Develops advanced scripts for manipulation of multiple data repositories to support analyst requirements
- Develops scalable security management tools and processes
- Responsible for the security of all applications.
- Collaborates with key stakeholders within Information Security and Engineering teams to develop specific use cases to address specific business needs
- Creates WAF rules to mitigate threats and implements best practices
Now, right on the exact same job board, under the exact same job title, I found the following completely different responsibilities:
- Conduct penetration testing throughout the company.
- Design and implement security-related policies.
- Maintain Snort and Industrial Defender IDS Systems
- Deploy and maintain modern security incident and event management systems.
- Manage, maintain and update network infrastructure
- Manage Active Directory Environment
- Enable Firewall Rules
Clearly the two people getting these jobs will be doing two completely different things. And this degree of difference is not uncommon. Let me explain what is generally behind this. The short, easy answer is that different companies have different needs in the role. While there’s truth to that, it’s actually a little more involved. So let’s examine how a lot of these job descriptions are created. If the role is being vacated by someone getting a promotion or moving on to another position, then the HR or management team will likely recruit this employee to help create the description for the potential incoming candidate. So the job description will be based a lot on what the current position holder does, and to some extent on what they think the role should include. I’m going to say this with no ill intent: sometimes the current role holder feels some pressure to make the job look “busier” than it actually is. Look at the last line of the second description above. It literally says “enable firewall rules”. This is an atypical and overly specific thing to put into a cybersecurity engineer job description. It almost seems like someone was just thinking of things they’d done in the last year and adding them as job duties. For example, I’ve reviewed companies’ incident response policies once or twice, but I wouldn’t say it’s something I do on a day-to-day basis. In most companies big enough to have a full-time cybersecurity engineer, they might also have a dedicated firewall engineer, and in some cases even separate WAF, network, and other specific kinds of firewall engineers. So it’s possible this organization is small enough not to have a dedicated firewall engineer, and the cybersecurity engineer has absorbed that job role as well. And here’s the most important possibility to consider: it would seem that the person who had an influence in writing this description has a strong background in infrastructure.
As for the first description, I’d venture to say the person who influenced that writing had a stronger development background. A big chunk of the people who make up the cybersecurity field, at least the ones who’ve been in it for 5 years or so, come from either a network engineering background or a development background. Of course, we have people from every career you can imagine in this industry, but I’m speaking of the majority. So when you see ambiguous roles like Cybersecurity Engineer and they seem so different from one company to the other, consider these possibilities, and prepare yourself accordingly for that interview. This role is also most likely to be filled by someone with some other cybersecurity experience. The exception is if the title includes “Jr.” or “entry-level”. It is a great role that allows you to get hands-on with many different technologies and areas.
Requirements
The initial ad might say that the company prefers a bachelor’s degree, but I’m finding this is changing somewhat. If you’ve got 3 to 5 years’ experience doing something cybersecurity-related, a lot of companies are willing to overlook the lack of a bachelor’s degree and opt for the experience with some certifications. Bonus if you have some cloud experience (AWS, Azure, Google Cloud, IBM).
Some Complementary Certifications
Keep in mind I’ve excluded some of the traditional certifications like MCSE and CCNP, as these are generally certifications that people in these positions, or applying for these positions, would already be aware of and have.
CISSP – Certified Information Systems Security Professional – While this is rightfully usually associated with security management, it gives a great high-level view of most things cybersecurity. One analogy I used many years ago which I still think rings true: you can think of the CISSP as your general practitioner license if you were in the medical field. Then think of the other certs in this role as your specializations. I will also take this opportunity to let the reader see how one certification, in this case CISSP, can have applicability to both technical and non-technical roles.
ECIH – EC-Council Certified Incident Handler – This is a technical certification with some process, procedure, and high-level content. It is important that most Cybersecurity Engineers have good knowledge of incident response techniques, tools, and procedures. One reason is that it’s advisable to consider incident response efforts and processes when engineering a security solution. It is definitely not the only consideration, but it should be one of the considerations.
CEH – Certified Ethical Hacker – This, again, is one of the most important parts of understanding how to defend an organization’s data, systems, and people. While this certification is generally meant for penetration testers, there are several valuable gains here for the Cybersecurity Engineer: 1. They will learn how to test their own solutions for flaws and reliability before the bad guys get to them. 2. If engineers have deep knowledge of how attackers operate, it can enhance their ability to engineer better solutions. One of the biggest gaps currently is that, in some regard, we still engineer solutions for attack vectors the threat actors abandoned long ago, in the name of process, compliance, and the like. This knowledge base will help a cyber engineer close that gap.
AWS SA Professional – Amazon Solutions Architect Professional – Let’s face reality: AWS still leads as far as deployed/implemented cloud services. In my opinion, anyone looking to have longevity in cybersecurity will have to gain some deep mastery of cloud services. If you are going to be in non-technical roles, then non-technical cloud certs will suffice. But for technical roles such as cybersecurity engineer, you must gain technical mastery. I’m going to recommend AWS SA Professional, with AWS SA Associate as the minimum. Just to give some context about why cloud is so important: if you look at the top 5 banks in the US, all 5 of them have migrated at least 60% of their IT environment, including compute, network and storage, to a cloud service.
Microsoft Azure – Microsoft Certified: Azure Administrator Associate – Same as above. With Microsoft winning the very large DoD contract last year, they have made it clear they are not to be counted out yet as far as cloud services domination. If the organization you are trying to work for is a 100% AWS shop, then you could replace this recommendation with another AWS specialization, namely security. If they’re a Microsoft shop, then the Azure security specialization would come next.
AWS Security Specialization – Amazon Web Services Security – Amazon and Microsoft both have an entire suite of cloud security solutions. If you’re going to be engineering security solutions that are either already in the cloud or will be deployed to the cloud, you will benefit from having deep knowledge of each one’s respective security specializations.
Google Cloud Certifications – The same applies here if the organization uses or will be using Google Cloud services.
Average Salary – $135,000/year. This salary is an average, but it is very likely that you will command a higher salary if you have some experience combined with the certifications listed above. Sources: indeed.com, monster.com, glassdoor.com
Summary And Entry Level Outlook
This is definitely not an entry-level position, but it’s a good one for an entry-level person to set their sights on as a goal. Cybersecurity Engineer is also a job role that people arrive at from any number of other previous roles. You will find people who were seasoned and very skilled senior network engineers who made the transition. You’ll also see cloud engineers who made the same transition. You’ll surely find some senior developers or software engineers who made the transition as well. The good news is this role is clearly one that’s friendly to transfers from other roles that may not be security-focused. This also makes logical sense: for one to engineer the security of a network, one should probably know something about engineering a network, period, first. The same goes for applications and software engineering. You may not end up getting a cybersecurity engineering job as your first role, but there are certainly some junior cybersecurity engineer roles, which I will write about in a future article in this series.
Entry-Level SOC Analyst
Out of the three roles covered in this article, this is the one most likely to be your ticket to entering cybersecurity. As I have visited the SOC teams of companies, agencies, and other types of organizations, the entry-level SOC analyst role continues to be one of the roles where people came into the role with the least amount of direct security experience. It can most definitely put you on the front lines, as you’ll be on the team that gets the first alerts that something is wrong or that there’s been a security breach or an attack. You will also likely be side by side with the incident response teams, as most IR teams operate out of the SOC. Having managed several incident response teams, as well as worked as an outside consulting IR lead many times, I can tell you from my experience and from speaking with others who do the same that a lot of people end up in the coveted IR roles as transfers from SOC analyst roles. As a Level 1 or entry-level analyst, you’ll spend a lot of time looking at alerts and logs, then passing the alerts on to a Level 2 analyst who will investigate further based on other criteria to determine if the alert warrants any further effort and, if so, how much effort. A big part of this whole system these days is something we in the industry refer to as a SIEM, or Security Information and Event Management system. Eventually, if you make it to a Level 3 position, you might be one of the people creating the criteria inside a SIEM that the lower-level roles use to make their decisions. Lower-level SOC operators might also use the same SIEM, but as a tool to access and correlate the rules and other information populated by SOC Level 3. SOC Level 3 analysts are also often the point person for the IR team, or they may even be an extension of it. The SOC is also a regular communicating body for penetration test teams.
When it comes to whitelisting IP addresses, behavior, and other things that a pentest team might need put in place, the SOC needs to know what’s going on so as not to kick off an expensive and unnecessary IR process due to false positives generated by the penetration test team. That said, I’ve been involved in some engagements where the SOC was left completely in the dark in order to test, in parallel with the pentest, the SOC’s ability to detect certain types of attacks. This is all subject to individual organizations and projects. For example, it could depend on how blind a blind penetration test is.
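To make the SOC tiering and pentest whitelisting described above concrete, here is an added example (not code from the article or any product): a small SIEM-style triage routine where Level 3 has authored the escalation criteria, the pentest team has shared its source ranges and engagement window with the SOC, and Level 1 routes each alert. The scope, rules, and alerts are all constructed; the `blind_test` switch models the engagement where the SOC is deliberately kept in the dark.

```python
"""Constructed SOC triage example: Level 3 rules plus an authorized
pentest scope, applied to sample alerts so Level 1 can route them."""
import ipaddress
from datetime import datetime, timezone

# Hypothetical engagement scope the pentest team shared with the SOC:
# source ranges (TEST-NET-3, constructed) and the window in which their
# traffic is expected. Outside the window the same sources are NOT exempt.
PENTEST_SCOPE = {
    "networks": [ipaddress.ip_network("203.0.113.0/28")],
    "start": datetime(2023, 4, 10, 8, 0, tzinfo=timezone.utc),
    "end": datetime(2023, 4, 14, 18, 0, tzinfo=timezone.utc),
}

# Criteria authored by Level 3: each rule names the alert types and the
# volume that make an alert worth a Level 2 investigation.
L3_RULES = [
    {"name": "scan-or-bruteforce", "types": {"port_scan", "auth_failure"}, "min_count": 20},
    {"name": "outbound-beacon", "types": {"dns_anomaly"}, "min_count": 1},
]


def in_pentest_scope(src_ip: str, seen: datetime) -> bool:
    """True when the source is an authorized tester inside the engagement window."""
    ip = ipaddress.ip_address(src_ip)
    in_window = PENTEST_SCOPE["start"] <= seen <= PENTEST_SCOPE["end"]
    return in_window and any(ip in net for net in PENTEST_SCOPE["networks"])


def triage(alert: dict, blind_test: bool = False) -> str:
    """Route one alert: 'authorized-pentest', 'escalate-L2' or 'L1-review'.

    blind_test=True disables the scope exemption, so pentest traffic is
    handled like any other alert and the SOC's detection gets exercised.
    """
    seen = datetime.fromisoformat(alert["ts"])
    if not blind_test and in_pentest_scope(alert["src"], seen):
        return "authorized-pentest"
    for rule in L3_RULES:
        if alert["type"] in rule["types"] and alert["count"] >= rule["min_count"]:
            return "escalate-L2"
    return "L1-review"


# Constructed sample alerts, as a SIEM might present them to a Level 1 analyst.
SAMPLE_ALERTS = [
    {"ts": "2023-04-12T09:15:00+00:00", "src": "203.0.113.5", "type": "port_scan", "count": 500},
    {"ts": "2023-04-12T09:20:00+00:00", "src": "198.51.100.9", "type": "auth_failure", "count": 45},
    {"ts": "2023-04-12T09:25:00+00:00", "src": "198.51.100.9", "type": "auth_failure", "count": 3},
    {"ts": "2023-04-12T09:30:00+00:00", "src": "192.0.2.77", "type": "dns_anomaly", "count": 1},
]


def triage_all(alerts, blind_test: bool = False):
    """Return (source, verdict) pairs for a batch of alerts."""
    return [(a["src"], triage(a, blind_test)) for a in alerts]


if __name__ == "__main__":
    for src, verdict in triage_all(SAMPLE_ALERTS):
        print(f"{src:15} -> {verdict}")
```

The first alert is a noisy port scan from the pentest range inside the window, so it is tagged rather than escalated; run the same batch with `blind_test=True` and that scan escalates like any other.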
Requirements
Some organizations treat this role as a true entry point into the cybersecurity world, while others present it expecting the applicant to have other cyber experience. If you’re new to cyber, then you want to make sure you look for the signs that show friendliness to no cyber experience. For example, if it says something like:
“degree in Computer Science, related field or equivalent experience, understanding of TCP/IP, Networking, Windows OS, Linux OS’s, understanding of basic security principles, hacking, and cyber defensive tactics.” Then it’s a good indicator that they are OK with someone not having hands-on cyber experience. Alternatively, something like the following:
“degree in Computer Science, a related field or equivalent experience, hands-on applied knowledge of Networking, and hands-on experience with vulnerability scanners, penetration testing, and cyber defensive tactics” is a pretty strong indicator that the organization is looking for someone with some hands-on cybersecurity experience. Even if the role says entry-level, they’re still expecting you to have run Wireshark, done some basic network forensics, and other things along that line. So you want to be careful to know the difference. I think one of the worst things that can happen to a newcomer is to have a bad interview experience right off the bat. Making sure you are at least somewhat aligned with the job requirements will minimize the chances of that happening. So the most common requirements will include a degree or at least a few years’ experience doing something else in IT. Again, it may not always have to be cybersecurity experience. Another bonus for this job role is that it is one of those roles that will almost always have a 24/7 type operation if it is enterprise. So there may be more flexibility for an entry-level 11:00 PM to 6:00 AM shift than there would be for a normal, more desirable 6:00 AM to 3:00 PM shift.
Some Complementary Certifications
It’s nearly impossible these days to work in a SOC and not have some day-to-day exposure to a SIEM. Consider SIEM certifications from vendors such as Splunk, LogRhythm, QRadar, Nitro, IBM, and AlienVault, to name a few. There are some generic, relatively vendor-neutral SIEM certifications, and also some for open source products. This is also a point where some of the entry-level cybersecurity certifications can be an edge as well. Here are some to consider.
Security+ – This is the most well known entry-level cybersecurity certification. It’s also been around for a really long time. A lot of the skills I noted above that line up with this job role also line up with the Security+ syllabus and competencies. This certification can also be a help for nearly any role on this list if you are looking to work in a government or Department of Defense capacity in the US. This is largely due to something known as DoD 8140, which is a parent container of what some of you have always known as 8570. For certain job roles within the DoD, people will have to have certain certifications such as Security+ to be in certain jobs, even if the job is not technical per se. So having this certification and being compliant already could make you slightly more desirable than someone without it.
Network+ – This is a networking fundamentals certification. The fundamentals of how packets get from one place to another, the layers of the OSI model, and how they work together are important foundational pieces to being a good SOC operator.
Splunk Entry-Level Certifications – Do your homework and find out what you’re primarily seeing for organizations in your area, or the area you’d like to be in. If you see a lot of SOC positions mentioning Splunk, then maybe take a look at that as a vendor-specific certification.
LogRhythm – Included here for the same reason as Splunk.
Rapid7 InsightIDR – See above.
IBM QRadar – See above.