The Importance Of Skills And Professionalism In Cyber Security
Charlie Smith, a year one Computing and Information Security student at Plymouth University, has decided to pursue a career in cyber security. He is seeking recommendations on the most appropriate role and how to reach it. As cyber security is a wide field, I have spoken with him and discovered that he is interested in becoming a forensic analyst, so I will focus on this role. I will discuss the background to this report in the next section, covering why skills and professionalism are important, especially given the current skills shortage, and giving evidence to justify this. I will also discuss what is involved in being a forensic analyst. In the third section I will identify what skills are needed for this career path, mapped onto the IISP skills framework, which is produced by the Institute of Information Security Professionals. My research will identify the particular skills and challenges of this role. I will also identify from my research what additional opportunities Charlie could take while at University and beyond for a successful career as a forensic analyst.
Finally, in the conclusion I will summarise my findings and give a set of recommendations and observations for Charlie to achieve his intended career path.
Background
Nationally there is a shortage of skilled cyber security professionals; the UK’s National Cyber Security Strategy says the skills gap represents a national vulnerability. The skills shortage is so severe that academics interviewed by the National Audit Office said that it could take 20 years to bridge the skills gap.
Globally there is a growing shortage: organisations claiming a problematic skills shortage grew from 23% to 51% between 2014 and 2018. This has an impact on information security in companies; for example, 33% of companies said it takes more than six months to fill posts and 37% said fewer than one in four candidates have the required qualifications.
The lack of an available pool of talent is significant because information security does not work if staff do not have the necessary skills; security can’t be done poorly. A company with poor security will become a target for hackers. In terms of forensic analysis, a lack of competence leads to errors. There is a known tendency for forensic investigators to be biased. Inadvertently changing data through a lack of skills and knowledge could cause the integrity of data to be compromised, and a court case to collapse. Because of the need for the authenticity and integrity of data to be preserved, the Association of Chief Police Officers has specific guidelines for this. Another reason for the need for skilled professionals is the rise in cyber-attacks. As cyber-attacks increase, without a corresponding increase in skilled professionals, companies are increasingly at the mercy of hackers. Attacks such as the WannaCry ransomware showed how critical data could be compromised if security was not up to date. The need for skilled professionals is identified in the ISO 27002 Information Security Standard, section 6.1.1, which sets out best practice and says information security responsibilities need to be defined and allocated. How this is implemented is not stated, but clearly unless there are skilled professionals it will not be possible to fill appropriate roles.
Another consideration is the need for professionalism in the industry. A person could be a great programmer, but can they be trusted when dealing with data that could cause the meltdown of an organisation if something went wrong? Professionalism means having the skills and sound judgement, and acting politely, so as to be trusted to do a competent job.
What is involved in being a Forensic Analyst
Forensic Analysts are needed to secure evidence and then analyse it when there has been a security breach. This can then be used to find vulnerabilities in the system, to find out what sort of security policy and legal breaches have occurred, and to write reports for use as evidence in court or reports with recommendations for a business to act upon. They use specialist equipment or software, maintain the integrity of the data, and then analyse it. Clearly, a Forensic Analyst needs to be competent in the use of such software and hardware because of the risk to data integrity as discussed previously. However, while collecting evidence may be onsite, it may also involve securing it remotely.
Because a Forensic Analyst will need to write reports for businesses, potentially to be used as evidence in court, he would have to have excellent communication skills and a high level of literacy, both verbal and written. He may have to appear in court as an expert witness and be cross-examined. He would also have to have a good knowledge of security policies, laws and regulations to be able to identify where breaches had occurred. Lastly, personal professional development and keeping up to date with the latest developments and emerging technology would be vital given the rapidly changing nature of cyber-crime, as cybercriminals are constantly developing new techniques.
A broad understanding of computing and information security is clearly expected. Excellent communication and English language skills would be necessary to present reports and perhaps to appear in court. A professional attitude would be expected. Good analytical and problem-solving skills would be an asset for this type of work, as the investigator would be faced with the complex problem of tracking down security breaches and being able to correctly interpret the data. This is clearly challenging work where time may be limited, so a person who likes solving puzzles would be suited to this type of work.
How to Achieve these Skills and other Opportunities at University
Having a degree in Computing and Information Security is clearly one step to becoming a competent Forensic Analyst. The degree modules on Forensics would be especially useful together with a general background in Computing. However, some practical experience and certification is expected. Gaining an internship or placement year with a company that does digital forensics would clearly be a good way of gaining practical experience and might be the most important step into the profession. It would also give the company a chance to get to know Charlie. Charlie could get involved in digital forensic research. He could focus his third-year project in this area. He could even try for a Kaspersky award if he was able to come up with a ground-breaking idea. If possible, he could attend digital forensic conferences.
Obtaining Certification
Because of the rapidly changing nature of cybersecurity, it’s more important to keep up to date. For example, updates to mobile phones can occur every two weeks. Peter Sommer asks the question whether certification means anything in such a rapidly changing environment.
Nevertheless, because employers like to see some certification, there are some which do not require work experience, such as CEH (Certified Ethical Hacker), GSEC (GIAC Security Essentials Certification) and CompTIA Security+, which could be achieved while at University. The top vendor independent certification within the EU is CCFP (Certified Cyber Forensics Professional). This involves both having a suitable degree and work experience. It covers six domains: “Legal principles, Ethical principles, Forensic science, Application forensics, Hybrid technologies, Emerging technologies”. Charlie could aim for this once he has been working in the field for a few years.
Learn Digital Forensic Software – Opensource or Proprietary?
There are pros and cons to using either opensource or proprietary software. Charlie could spend some time learning open source digital forensic software as 70% of firms use it. According to Graham Horsman, proprietary software is hard to verify because the source code is not available, and benchmarking and the sharing of results may be prohibited by the EULA. On the other hand, he notes that opensource software lacks support and the resources for development. While opensource software is easier to verify, a company may nevertheless expect knowledge of proprietary software, and a job advert may ask for experience with it. EnCase claim that SC Magazine had endorsed its “EnCase Forensic” software as the Best Computer Forensic Solution for 8 consecutive years, and that this software has a track record of court acceptance.
My conclusion is that it would be best for Charlie to get as much experience in digital forensic software as possible, whether opensource or proprietary.
For Charlie to reach his goal there are several recommendations I would make based on my research: A university degree in Computing and Information security is recognised as one part of what is needed to make one competent in the field, but there will be an experience gap. Companies are looking for candidates with experience who are competent, given the importance of preserving data integrity. Therefore, activities at university that help to fill the skills gap will increase Charlie’s chances of being successful.
Using digital forensic software is something he could put on his CV and discuss with a potential employer. He could also be involved in research and could demonstrate that he is up to date with the latest developments. He might not be able to get the most prestigious certification while at University, but if he can demonstrate he is at the cutting edge of developments this might persuade an employer that he is the best candidate. However, he could aim to achieve certification such as CEH or GSEC while at University as these are online multiple-choice exams which do not require work experience. Gaining an internship or placement year would be an invaluable way of closing the experience gap and getting to know potential employers. He could also attend events such as Secure South West, where industry figures are going to give addresses, to gain contacts in the industry. He might also want to join some clubs such as the Cyber Information Security Club where he could further his cyber security skills and knowledge, or perhaps a club such as a walking club to show he has some outside interests. If he took a leading or responsible role in one of these clubs or societies, this would help demonstrate that he had some of the professional skills which employers are looking for.