April 12, 2023
I would like to start part 2 of this series of articles by extending a sincere thank you to those of you who consume my content and continue to give me support and kind words. I continue to you do this in part to help others who may be where I was 15 or so years ago, and to some extent, those who were where I was a year ago. I think knowledge is a two-way street, so therefore, I don’t want to ever stop learning, or sharing. I will continue with three more jobs roles in this article. And for those who have submitted suggestions on other roles, they are coming soon. Thank you again. Now let’s dig into it. As is my standard for this article format, we will address the following things;
- Entry-Level Outlook
Cloud Security ArchitectSeemingly, the whole world is migrating to the cloud. And for the first time in history, we are at least considering security while we rapidly adopt new technology as opposed to our traditional arc of “adopt the coolest new tech, then figure out security later” meaning some organizations took the approach of let’s just dump our data and services into the cloud and all our problems will be solved. So there will continue to be a great demand for cloud security architects who will act as the principal technical resource for designing and implementing a secure cloud migration, and there will continue to be demand for the same architect to “fix” the migrations that were haphazardly thrown up. This is one of the reasons Cloud Security Architect is one of the hottest jobs, and in my opinion, one with built-in longevity. I’ve conducted many penetration tests that are either 100% cloud-based or heavily cloud-based, and there’s certainly evidence that this role is one where demand exceeds supply. It seems like this role will continue to rise in demand as more and more organizations migrate to the cloud and we start to see more and more cloud-hosted data stolen and more data breaches happen where cloud services happen to be the primary data and compute resource location. If you’re already in Cybersecurity and you’ve got some security architecture experience, this can be a great next step for you. Grab some cloud services and architecture certifications, get your hands on cloud chops up to par and you’re ready to start interviewing. If you’re a security architect with 10 years experience and you’re sitting on a salary north of 300k you might have to take a temporary pay cut the enter the role, but you should be able to make up for it relatively quickly, as I’ve seen some crazy bonuses for cloud security architects who orchestrated some successful and secure cloud migrations that saved the organization millions in what was a yearly capital expenditure. This logic applies similarly to seasoned cloud architects who may not have a strong security background; ramp up on your security knowledge, grab some security certifications, and apply that knowledge to your knowledge of cloud services.
RequirementsYou’ll be expected to have at least a bachelor’s degree in computer science, cybersecurity, or a related field. The hiring organization will usually want you to have 3 to 5 years of experience in either a cloud architect role or a security architect role. I know of 1 individual who lacked the bachelor’s degree but was put into the role anyway and he’s doing a great job in it. If you already have experience as a cloud security architect, that’s a huge bonus. Make no mistake about it, this is a technical role, and it’s also a role that will work closely with upper management and the CISO. You will most likely be required to have measurable experience with one or more of the major cloud services platforms, such as AWS, Microsoft Azure, and Google Cloud Platform.
Some Complimentary CertificationsCISSP – Certified Information Systems Security Professional – The premier security management certification. Almost ready-made for this type of senior roles.
CCSP- Certified Cloud Security Professional – This is the first ISC2 Cloud Security certification. In the same spirit of CISSP, it’s very broad and covers a large area of cloud security. This certification is also vendor-neutral and gives a good overall view of cloud security.
AWS/SA, AWS/Devops Engineer, AWS/Security Specialty – AWS Certifications – I know this seems like a lot, but these certifications can benefit any cloud security architect who works in or plans to work in an AWS environment. Solutions Architect is really the introduction and right of passage to the AWS professional level of certifications. It is becoming more and more difficult to be a good cloud architect, security or otherwise without a solid understanding of devops, which is why I list the DevOps certification as an important addition. DevOps being the marrying of development and operations, ensures software development projects and processes, has alignment with operational objectives and processes. Since we’re discussing a security architect role, the security specialization is probably the most natural fit here. It is essentially AWS from a security standpoint.
Microsoft Azure Security Engineer, Devops Engineer, Microsoft Certified Solutions Architect – Microsoft Azure Certifications – I recommend these certifications for the same reasons I recommend comparative certifications in the AWS world. Covers the same general areas of expertise.
Google Cloud Professional Architect, Professional DevOps Engineer, Professional Network Engineer, Professional Security Engineer- Google Cloud Professional Certifications. This would be somewhere along the lines of the equivalent recommendations for AWS and Azure.
When it comes to the three leading cloud services, I would actually recommend striving to have certifications and some level of expertise in all three. Remember as a Cloud Security Architect, you may be expected to be a key decision-maker in things as important and impactful as which cloud company the organization ends up partnering with, or using for their primary Cloud Service Provider (CSP). I think it would be at the very least, difficult for someone to make that decision without having knowledge of at least the top three players in that market. And when I say “knowledge” I certainly mean more than being able to recite the CSP’s marketing material. As the principal Cloud Security Architect, you may very well be the key decision-maker in the decision that will literally shape technology and IT for your organization for the foreseeable future. So you definitely want to get it right and have all the needed information.
Average Salary – $169,000/year.As usual, I want to remind you that this number is an average across the US. If you look at the sources I pooled and averaged this from, you’ll see that some of the higher-end roles are near $300,000/year. Sources:indeed.com, monster.com, glassdoor.com
Summary And Entry Level OutlookIt is clear that the two hottest buzzwords in the technology industry right now are Cloud and Security. With this role merging the two, it will remain highly prized and in demand for a while. This is not an entry-level position, but is a ideal opportunity for a seasoned security architect to really hit the cloud technologies hard, maybe apply for a cloud security engineer position as a stepping stone and an opportunity to get the right hands-on experience to get you into this position. I think it’s equally a good target “two years away” type role for a network security engineer or architect to move into as well. For example, if you are one of those absolute rockstar network engineers who knows routing protocols like you know your first name, this is the perfect time to start layering some Software Defined Networking (SDN) knowledge on top of that massive skillset. You’ll be cloud sharp in no time. Good luck!
Penetration TesterI will start the discussion of this role with a fun fact; penetration testing was my introduction to the world of technical cybersecurity all the way back in 2002, and if I could go back, I think I would start it the same way. This job also maintains a cool factor because you will also be known as an ethical hacker. Most people will associate the term hacker with the old movie hackers, the newer TV show Mr. Robot, or some other magnificent completely made up chain of events that are likely not even really possible, highlighted in some adrenaline-pumping scene where the hacker is saving the world. This stuff is usually thought up by a movie director or writer, and believe it or not, they are getting better at speaking with actual hackers to get it right. If you want to see my take on real vs fake hacking in movies, watch this session I did with Coder Foundry a month or so ago; Keatron Breaks Down Real vs Fake Hacking From Several TV Shows and Movies.
Now on to the job role! The primary goal of this job role is to find systems, networks, applications, buildings, and people, find vulnerabilities in them, exploit the vulnerabilities then recommend mitigations to make sure malicious actors won’t be able to do what we did as penetration testers. There are several different types of penetration tests, but generally, you’re testing all or some of the things I named above. For the most part, the type of penetration test you conduct in a given engagement will be dictated by what the customer requirements are. You will have to create documentation to relay your methodology, findings, and recommendations. Usually, when you hear the term penetration tester it’s likely that one of two types is being referred to; One is where you’re using primarily automated penetration testing tools that do a big majority of the work for you. Scanning, enumeration, vulnerability mapping, and even exploitation and report writing are largely automated with these expensive but required tools. The other kind is more manual, where some or all of the things described in the previous sentence are done more manually. Of course, the best results will generally come form combining both, which is what most of us do. For example, some argue that the manual method is always better, and before I ever conducted a penetration test of 100k devices I agreed. But trying to do manual testing of that many devices is not only unfeasible from a timeline standpoint, but also from a budget perspective. This is a great job role, and even though my practice has grown well past just doing penetration testing, it’s certainly still one of my favorite things to do. It is a great career.
RequirementsMore and more pentesting roles are dropping the bachelor’s degree requirement for experience. Or more often you’re seeing “bachelor’s degree in computer science or equivalent experience.” Let me explain what that actually means for most employers. And yes I’ve spoken with quite a few HR professionals and hiring managers about this at length. Generally when they say “or equivalent experience” it means if you don’t have a degree they are willing to evaluate whether the skills you’ve learned on the job, in practice, in training or somewhere else, equal enough knowledge, skills, and abilities to actually perform the job. And some of the most skilled penetration testers or hackers I know have not set foot in any university ever. Generally, the best candidates for this role is someone transitioning from another IT role, such as a senior network engineer, senior developer or some other roles along those lines. Even a desktop support person could do it, but probably starting as a very junior penetration tester role first. The things I normally look for include problem-solving skills, how you approach the problem, and your ability to adapt and learn and environment. When I do technical interviews for penetration testing roles, those things are what I care the most about. The pentesting chops matter a lot, but I can teach you those, as long as you have tenacity, problem-solving skills, and actually enjoy the work. These views are shared by many others in the same position I’m in.
Some Complimentary CertificationsKeep in mind I’ve excluded some of the traditional certifications like MSCE and CCNP as generally these would be certifications that people in these positions or applying for these positions would already be aware of and have.
CISSP – Certified Information Systems Security Professional – While this is rightfully usually associated with security management, it gives a great high level view of most things cybersecurity. One analogy I used many years ago which I still think rings true, is you can also think of the CISSP as your general practitioner license if you were in the medical field. Then think of the other certs in this role as your specializations. I will also take this opportunity to let the reader see how one certification, in this case CISSP, can have applicability to both technical and non-technical roles.
CEH – Certified Ethical Hacker – This certification is great for the person just coming off their Security+ certification as well as the people looking to transition from the roles I mentioned in the previous section, such as network engineer. It is a great first look at technical cybersecurity and will serve as a great foundation for your future skills growth in this area.
OSCP – The Offensive Security OSCP Site – This certification is one that is really not a “teaching” certification per se, but more of a prove you can do it certification. It is not for the faint of heart and will test your ability to find systems, find vulnerabilities, exploit those vulnerabilities and perhaps even write or tweak a new/zero day type exploit. The training is mostly a large library of videos, training manuals, and access to a lab environment that you can use to practice in.
CEH Practical – EC Council CEH Practical – This is the more advanced hands-on exam that is the natural evolution from the CEH. It’s similar to OSCP, but only in that it is a live lab environment that you will be testing in.
AWS SA Professional – Amazon Solutions Architect Professional– As a penetration tester hoping to stay in the industry for a while, you will need some cloud expertise. I would even recommend grabbing not only some Amazon, but Google and Microsoft Azure – Microsoft Certified-Azure Administrator Associate as well. Most of the penetration test we conduct against enterprise environments these days all include a significant amount of cloud services. Part of being able to secure or security test the environment is understanding the environment.
AWS Security Specialization – Amazon Web Services Security This will help you as a penetester understand the common security controls that you will encounter in your penetration testing. Same applies for Microsoft and Google Cloud Certifications.
Average Salary – $130,000/year.This is about what the average is. But I do know of some seniors who make north of 200K. Sources:indeed.com, monster.com, glassdoor.com
Summary And Entry Level OutlookThis is not an entry-level position. But if you’re new, consider a path of Entry Level SOC to Senior SOC, the Network Security Engineer, to Penetration Tester. If you’re coming from a place such as a senior network engineering background or senior developer background, you can probably come straight in and maybe even get a pay bump depending on what you’re making currently. I would recommend getting a few certs like CEH and OSCP before heading into that first interview. The outlook here is pretty strong, as long as you can marry your current knowledge base with some cloud knowledge. If you’re a senior developer, consider application security engineer a transition role, or if you can develop the chops soon enough, jump right in and maybe focus initially on Web App Pentesting then ease your way into the other areas of pentesting.
Jr Cybersecurity Analyst – Entry LevelAs is the case with all the articles in this series, the last job is the one that’s most likely to be filled by an entry-level candidate. One great thing about this role is as an entry-level person, you will likely be exposed to a lot of different areas and be somewhat the designated errand runner, but if you’re new to the industry, it’s a great opportunity to find out things and ask lots of questions. Keep in mind you might be working in a Security Operations Center (SOC), on a Security Engineering team, or maybe directly out of the office of the CISO (usually in smaller organizations). These roles are not the highest paying, and people coming from other established professional careers will likely have to take a pay cut, but this is the right type of job to start fresh and start the right way, learning fundamentals. One promising thing about this role is the fact that I’ve seen people excel in it coming from both other IT jobs and non-IT jobs. These jobs are generally more slowly paced than others and will give you the opportunity to learn at a more controlled pace.
Some Complimentary CertificationsMy certification recommendation here is based on making sure you have a solid foundation in technologies. Keep in mind some people applying for these positions may not have any certifications.
Security+ This is the most well known entry-level cybersecurity certification. It’s also been around for a really long time. A lot of the skills I noted above to line up with this job role, also line up with the Security+ syllabus and competencies. This certification can also be a help for nearly any role on this list if you are looking to work in government or the Department of Defense capacity in the US. This is largely due to something known as DoD 8140 which is a parent container of what some of you have always known as 8570. For certain job roles within the DoD people will have to have certain certifications such as Security+ to be in certain jobs. Even if the job is not technical per se. So having this certification and being compliant already could make you slightly more desirable over someone without it. (This excerpt is borrowed from the first article in this series).
Network+ – This is a fundamentals of networking certification. The fundamentals of how packets get from one place to another, the layers of the OSI model, and how they work together are important foundational pieces to being a good SOC operator.
Cloud+ – This CompTIA’s entry level cloud certification. Impress your new potential employer with your general knowledge of cloud services.
Amazon Certified Cloud Practitioner – Amazon’s entry-level certification. If the company you’re interested in is a Microsoft Azure or Google Cloud organization, go for those entry level certs.
Google Associate Cloud Engineer – Preparing for this certification allows you a perfect introduction into the world of Google Cloud. If your target organization utilizes Google Cloud Platform, this certification may be a bonus.
Microsoft Azure Fundamentals. – This is the entry level Azure certification. Again I would say if the organization is a Microsoft Cloud subscriber, this will be a bonus in the entry-level circles of that organization. If you’ve got the time, I certainly recommend putting in the work and grabbing all three of larger Cloud Service Provider certifications.