For many years, companies viewed cybersecurity as a technical challenge. When IT architectures were more contained, the primary goal for security was to build a perimeter in order to keep all the bad guys out, then inspect endpoint devices to see if anything bad had snuck through. Basically, companies focused on firewall and antivirus as their main security tools, and they treated security as one responsibility of the overall infrastructure team.
More recently, companies are taking a different approach to security. Cloud computing and mobile devices have made traditional methodologies insufficient, and the heightened reliance on digital operations means that security is a much higher priority. CompTIA’s whitepaper on A Functional IT Framework describes how security is becoming a standalone discipline for many organizations. The largest companies often have a CISO managing a team of security professionals, and smaller businesses are exploring ways to achieve the same results with limited resources.
CompTIA’s 2018 Trends in Cybersecurity research report takes a closer look at this trend, examining the actions companies are taking to form security teams or security centers of operation.
One common thread through all the efforts is the drive toward specialization. There is a growing demand for dedicated security resources, rather than resources with security as a small part of their job role. For IT pros considering a deep dive into security, there are actually three sets of skills that must be considered:
Foundational IT Skills
Why is security often treated as part of the infrastructure function? In order to secure different parts of IT architecture, you have to know how they work. Even as companies are looking toward more specific security skills, they acknowledge that some prerequisite IT knowledge is needed. In order to be effective with security, companies say that candidates should have skills in areas such as server administration, networking, or endpoint devices. This need to understand IT basics is why CompTIA A+ is the first step on CompTIA’s Cybersecurity Pathway.
There are obviously many security skills that have been around for a while now, but companies are still looking for improvement in these areas. Because they have a relatively strong understanding of fields like network security or access control, they know exactly where the gaps exist. Then there are newer fields, like cybersecurity analytics or penetration testing, that are less understood. Companies know that they need to get started in these areas. It’s a lot for a security practitioner to tackle, but certs like CompTIA Security+, CompTIA CySA+, and CompTIA PenTest+ are designed to help build the necessary technical skills.
Soft Skills for Cybersecurity Jobs
As with other areas of IT, cybersecurity now has a strategic component. It’s not enough to just set up the systems and hope for the best. Companies need to know that their investments are paying off and that the efforts are in line with corporate objectives. New security metrics are a major part of new ROI calculations, but from a skills perspective, security pros need to have the soft skills that can drive business conversations. Between October 1, 2017 and September 30, 2018, a significant number of cybersecurity job posts tracked by the labor analysis firm Burning Glass included soft skills as requirements. Certifications such as CompTIA Project+ and CompTIA Advanced Security Practitioner address the soft skills needed for security success.
Security teams aren’t popping up all over the place yet, but they appear to be an emerging strategy for companies trying to get serious about improving their security posture. Whether someone is just starting on a cybersecurity career path or hoping to build some advanced skills, there is no shortage of options that could make an IT pro a valuable member of a security team.