
Anyone work in Cybersecurity?

18 replies

ilovetomatoes · 31/10/2023 08:13

I’ve been offered a funded place on a skills boot camp. I was in a senior role in banking recently and thinking about retraining.

Are these skills boot camps valued by employers? Does it help to secure a role? Would you have to start at entry level despite decades of experience in another field?

num · 31/10/2023 08:31

I work in tech, though not in cyber security directly. The boot camp would be an excellent way to determine if you would enjoy this line of work, and would be valued by employers - the organisation the boot camp is with may even be able to secure you a job afterwards. If you're thinking of retraining anyway and can afford the time off, I'd definitely go for it. You would be starting at entry level, as your previous experience won't be transferable to working in cyber, assuming you'd be working as a developer and not in management.

I retrained into tech a few years ago and it's been such an incredible change for me, I don't regret it for a second. I adore what I do, and look forward to working most days.

ilovetomatoes · 31/10/2023 11:26

What do you do @num? I would love to have the feeling of adoring my work! Can’t remember the last time that happened!

FormerlyPathologicallyHappy · 31/10/2023 11:35

I did a front end bootcamp last year, many went on to get jobs but my dh got cancer and I had to look after him, with that and the grieving I haven't found employment yet but I am trying now to get a job before Christmas.

I want to work in companies that help the environment & make beautiful websites 🙂 I have low overheads though and don't mind starting at the bottom again.

CyberCritical · 31/10/2023 11:47

I work in cybersecurity.

The boot camps are a good way to get a foundational knowledge and decide if you like it.

A big caveat is that some over promise and say that you'll be able to get a £50000 a year job fresh out of the camp and it's just not realistic.

You will be able to apply for entry level roles, anything beyond that will expect 2-3 years experience, so set your expectations. The potential for quick(ish) promotion is there in cybersecurity but employers want to see that you can take the theory and apply it to practice.

The theory is all well and good but in practice you can't work like the books say. Cybersecurity is not revenue generating, it's a risk mitigation measure and a cost to the business. That means that it will always be a fight and a compromise between Sec and Ops, you have to be pragmatic, able to adjust the processes to get the most of what you need without impacting the bottom line too much. You have to be able to negotiate, get buy in, find information without creating non-revenue generating work, convince the Ops and Tech teams that you aren't just there to be the fun police and that they want you to be part of their projects and they want to document technical security controls even if that means less time developing the fun new features. You have to find ways to make awareness content/training engaging and get people to care about how complex their passwords are or whether they have adequately risk assessed their code before pushing it to QA. If you are part of the pen testing process or the vulnerability management team you have to be able to motivate the teams to fix the vulnerabilities in a timely manner even if there's a sales team hounding them to put in a new function that could simplify purchases and increase sales by 10%.

ilovetomatoes · 31/10/2023 11:54

@FormerlyPathologicallyHappy I'm so sorry for your loss, that must have been devastating. I hope you find a fulfilling role soon x

ilovetomatoes · 31/10/2023 11:58

@CyberCritical this is so helpful thank you. I don’t mind starting low ish but would want to progress quickly on the salary scale to be honest. I was thinking more along the lines of risk/governance given my background in those areas so perhaps that might be more realistic in terms of progression?

What are the hours like? I was quite burnt out in my last role, working weekends and evenings. Definitely don’t want to go back to that life.

CyberCritical · 31/10/2023 12:13

My job is Director of Cybersecurity, Governance, Risk and Compliance. In the GRC space at entry level I'd be looking for someone who has a working understanding of:

  • Risk Management processes
  • Legal and Regulatory frameworks - NIST, ISO, FedRAMP, NCSC guidelines, UK GDPR, EU GDPR
  • CIA triad (Confidentiality, Integrity and Availability)
  • Corrective action and Continuous improvement processes (Plan-Do-Check-Act PDCA cycle)
  • Cybersecurity domains - Asset security, Security architecture, comms & network security, identity & access management, security assessment & testing, SecOps, software Development Lifecycle
  • Formal meeting governance - agenda, papers prep, minutes etc.

That would be primarily theory based rather than years of doing the job but I'd want to be able to see from discussion that the person has awareness of these things and a general understanding of the concepts. That would get a GRC analyst role at around the £30-40k mark. A year or so of experience and being able to evidence doing these things would be a Snr analyst at the £40-50k mark.

ilovetomatoes · 31/10/2023 20:00

Thanks @CyberCritical. I would be hoping to start at higher level than analyst as I have experience of audit and running large operational risk functions. Would that make a difference to you?

OccupantofInterplanetaryCraft · 31/10/2023 20:54

@CyberCritical

Earlier this year I completed the ISC2 CC in Cybersecurity course and covered all of that

I didn’t think I’d get a post on that alone so it’s good to hear

CyberCritical · 31/10/2023 22:22

OccupantofInterplanetaryCraft · 31/10/2023 20:54

@CyberCritical

Earlier this year I completed the ISC2 CC in Cybersecurity course and covered all of that

I didn’t think I’d get a post on that alone so it’s good to hear

Just be sure to take the time to really assess your transferable skills/experience and address all of the requirements in the job spec when writing your CV/application.

For example the job spec I put out may say that one of the responsibilities of the role is to progress the resolution of Non-conformity findings in internal audit. You may not have direct experience of doing that but you may have experience of chasing actions on a meeting action log. You could write:

  • Tracked resolution of identified actions by liaising with relevant stakeholders. Provided updates to management and flagged where timelines were at risk. Captured resolutions and confirmed outcomes as per PDCA cycle.

In interview I could then explore that by asking you to expand on your understanding of the PDCA cycle, how you would handle someone challenging the non-conformity, what you would do if despite repeated requests for update you weren't getting any traction, when would you escalate, how you would vary your approach to take into consideration other people's work styles.

CyberCritical · 31/10/2023 22:34

ilovetomatoes · 31/10/2023 20:00

Thanks @CyberCritical. I would be hoping to start at higher level than analyst as I have experience of audit and running large operational risk functions. Would that make a difference to you?

It would be a risk to me in the company that I work for to bring on board a GRC manager in the technology/cybersecurity space who doesn't have any direct experience of IT/Information security risk assessment or audit.

Financial audits are different, there are similarities but the financial sector in general is more structured and regulated, banks for instance have very tight controls in place for segregation of duties and transparency and have done for long enough now that typically I find people transferring from that environment tend to have had a very narrow scope. They have worked on their part of the process and that process was well defined and specific.

It can mean that people find it difficult to operate in an environment where processes either don't exist or are very high level, where Tech teams try hard to pretend security guidelines don't exist, where mergers and acquisitions mean that there is a wide range of tech platforms/infrastructure with varying security controls in place or where the only person who knew how the system was configured has left without handover.

You'd need to be prepared to address those kinds of concerns in your CV and interview to demonstrate that you would be able to lead a GRC function in that kind of environment.

spookehtooth · 31/10/2023 23:19

I guess my job counts, identity and access management is in the security sphere anyways. I'm not really convinced by any certifications, but it can't hurt in at least helping you to be considered despite lack of experience. I wormed my way in through having scripting and coding skills which seem to be in short supply .. at least in terms of being good. A few people in my team can code but nothing like good practice, producing code that's easy to maintain and improve 🤷‍♂️

PabloandGustheGreySquirrels · 31/10/2023 23:55

FormerlyPathologicallyHappy · 31/10/2023 11:35

I did a front end bootcamp last year, many went on to get jobs but my dh got cancer and I had to look after him, with that and the grieving I haven't found employment yet but I am trying now to get a job before Christmas.

I want to work in companies that help the environment & make beautiful websites 🙂 I have low overheads though and don't mind starting at the bottom again.

So sorry for your loss [Flowers] [Gin]

PabloandGustheGreySquirrels · 31/10/2023 23:56

@FormerlyPathologicallyHappy Apologies, the Gin was a thumb-slip. That was inappropriate 🙏

num · 01/11/2023 08:15

ilovetomatoes · 31/10/2023 11:26

What do you do @num? I would love to have the feeling of adoring my work! Can’t remember the last time that happened!

My job title is full stack engineer, but I work predominantly in the front end. I work for a company making social care more accessible, so I have the added bonus of knowing that my work is making a difference, but even without that, my work is varied, interesting, enjoyable and I learn new things all the time. I'm well paid and I work from home (my choice), which gives me tons of flexibility and allows me to do my best work.

Full stack development is quite different from cyber, but there are a good number of transferable skills between the two. There are lots of really interesting routes to take in tech, and it generally isn't all too difficult to move between roles if you find you don't enjoy the particular route you've chosen.

FormerlyPathologicallyHappy · 01/11/2023 10:18

@PabloandGustheGreySquirrels It's OK, alcohol gets you through times like this.

OccupantofInterplanetaryCraft · 01/11/2023 18:10

@CyberCritical

That is incredibly helpful - thank you so much.

That’s also exactly where I go wrong and underplay my transferable skills so 👍 thank you

I am in project management now and there’s a lot that can be transferable - action logs, Gantt files, RAID logs, trackers, etc

I’m also someone who really benefits from being in a place and learning from those around me

spookehtooth · 01/11/2023 20:22

There's plenty of tutorials about to play with from home, and learn different aspects of cyber security. Just don't go trying to exploit vulnerabilities. It's fine to do a lot of checks so long as they're not invasive ones that'll trigger alerting.

That's a way to do something practical, rather than reading too much theory. You can follow that up with courses and certifications when you're confident you will enjoy it and put effort in.

Most of my learning came between jobs, or finding optional tasks in a job that'll double as education. Nobody I work with has a really good grasp of Ansible or Git, just enough to get by. I was in the same situation. So I bought some books for reading and making myself a relative expert on both within the team. I've got some opportunities to use that improved knowledge, Ansible in particular, to help with work.
