Career Considerations

Refining career decisions in tech

Posted by Asa Hess-Matsumoto on Tuesday, August 4, 2020
Last Modified on Friday, August 7, 2020

One of my greatest challenges is closing the delta between what I perform for work and what I invest in training/education.

At present, I work in Cyber Security as a consultant. My present responsibilities are largely tied to reviewing and evaluating policy documentation in the context of evaluating risk to a particular organization; while some technical knowledge helps with understanding how networked components behave, practical application is largely left to the extraction of Security Technical Implementation Guide (STIG) results.

By contrast, I’ve been investing quite a bit of time, energy, and money into two forms of training/education:

  1. Software Engineering / Computer Science degree: As a non-traditional entrant into the domain of tech, I began by taking software engineering classes with Arizona State University’s online bachelor program. This helped by taking requisite math courses that I hadn’t done in my first degree along with a few programming classes (things like Object Oriented Programming, Assembly, Data Structures & Algorithms). I’ve since applied (and been accepted) to Georgia Institute of Technology’s Online Masters of Computer Science (OMSCS) program.
  2. Cyber Security Certifications: In order to better understand the technologies that I work with on the regular (and to remain a competitive hire in the job market), I’ve pursued a number of cyber security certifications. These certs come from an array of organizations, including SANS, CompTIA, eLearnSecurity, PenetrationTestingLabs, and more. However, the majority of my certifications have been oriented on the offensive side of cyber security (otherwise known as “Red Teaming”). If I look to remain in cyber security, I’ll want to continue getting more certifications.

Obviously, there’s a bit of a gap between what I’m seeking to learn and the work that I’m presently performing.

One interesting document I came across on this topic was National Institute of Standards & Technology (NIST) publication 800-181: the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework). This document is a resource that establishes a taxonomy and common lexicon to describe cybersecurity work and workers. Here’s a couple of excerpts that I found particularly interesting:

Software Developer
Develops, creates, maintains, and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs.

Tasks:

  • Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application.
  • Analyze user needs and software requirements to determine feasibility of design within time and cost constraints.
  • Apply coding and testing standards, apply security testing tools including “fuzzing” static-analysis code scanning tools, and conduct code reviews.
  • Apply secure code documentation
  • Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.
  • Compile and write documentation of program development and subsequent revisions, inserting comments in the coded instructions so others can understand the program.
  • Confer with systems analysts, engineers, programmers, and others to design application and to obtain information on project limitations and capabilities, performance requirements, and interfaces.
  • Develop secure code and error handling

Abilities:

  • Ability to tailor code analysis for application-specific concerns
  • Ability to use and understand complex mathematical concepts (e.g. discrete math)
  • Ability to develop secure software according to secure software deployment methodologies, tools, and practices
  • Ability to apply cybersecurity and privacy principles to organizational requirements
  • Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.

Skills:

  • Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
  • Skill in conducting software debugging
  • Skill in creating and utilizing mathematical or statistical models.
  • Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams
  • Skill in designing countermeasures to identified security risks
  • Skill in developing and applying security system access controls.
  • Skill in writing code in a currently supported programming language (e.g. Java, C++)
  • Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g. S/MIME email, SSL traffic).
  • Skill in developing applications that can log and handle errors, exceptions, and application faults and logging.
  • Skill in using code analysis tools.
  • Skill in performing root cause analysis
  • Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).