Date: 2021-07-10

Every time news of a major security breach at a large company hits the media, technological security gains in value, and with it the experts in this field.

This is driving up demand for security experts, to the point that 3 million jobs are left unfilled worldwide, according to the Cybersecurity Workforce Study report by (ISC)², a global organization of information security professionals.

The consequence? Even though the cybersecurity expert is not the most in-demand profile, it is one of the two most sought after, according to the Adecco Labor Market Report: the position of CISO (Chief Information Security Officer, head of security) has a salary that, according to this report, ranges between 45,000 and 95,000 euros in our country.

Cybersecurity does not live on engineering alone

How do you become a security expert? The typical or more traditional cybersecurity profile is perhaps that of a computer or telecommunications engineer with experience in systems, networks and cloud and a specialization in security. As Javier Tobal, Computer Engineer, Computer Judicial Expert and CISO at Fintonic, points out, many aspects come together in cybersecurity and “they should be known, among them: software development, systems architecture, network design and architecture.”

Javier Tobal, Computer Engineer, Computer Judicial Expert and CISO at Fintonic

Francisco Ángel Marzal, Quant Developer at Axpo Iberia, shares this view and lists two additional fields: regulations and legislation and, depending on the area of cybersecurity you want to work in, ethical hacking, hardening, secure software development and forensic analysis.

Speaking of legislation: not all cybersecurity experts need an eminently technical profile. Elena Cobo-Reyes, Client Portal Implementer at Adecco Group, explains that cybersecurity has many niches and sub-markets and that, depending on the functions the person is going to carry out within a company, their profile will be more or less technical. In this field, the legal side has more and more weight. “Any protocol or procedure has to go hand in hand with the legal aspect”, especially when data comes into play. The more sensitive the data (the health, public or banking sectors, whose data requires specially sensitive protection, are not the same as the rest), the more important this legal role will be.

A university degree: yes or no?

With the rise of cybersecurity expert positions, some universities are starting to offer Bachelor’s degrees in Cybersecurity, in many cases as a specialization of degrees in computer science. But is it necessary to have a higher degree to work in this field?

Studying Computer Engineering or Telecommunications can be a good start, but more specific and specialized training is needed

Lorenzo Martínez, CTO & founder of Securizame, a company specialized in computer forensics and security, and a computer engineer, believes that it is not essential “but it is something highly recommended”. Why? “Studying a career gives you a foundation in what it is focused on. But not only that, the passage through the university is a place of learning to fly, to look for life, to investigate, to create”. Although he argues that university is not the only way to achieve this knowledge, “it is an option that I cannot stop recommending.”

Francisco Ángel Marzal fully agrees. “Studying a degree such as Software Engineering gives you solid knowledge and is a guarantee and endorsement for companies seeking these profiles. If this degree also has a cybersecurity mention, it positions you on a technical level with a very attractive profile to start a professional career in a sector with so much demand for profiles”. Computer Engineering, Software Engineering, Cybersecurity and Mathematics are the degrees this expert recommends.

Eduardo Arriols, professor in the Degree in Software Engineering and in the Double Degree in Software Engineering and Computational Mathematics at U-tad

Javier Tobal would add to this list the double degrees in Business Administration and Management and Computer Engineering, as well as the master's degrees in computer engineering.

“The good thing about the technology sector is that, either out of necessity or because it mutates too much in three years, it is very open. You don’t have to be a senior engineer to dedicate yourself to cybersecurity”, adds Elena Cobo-Reyes, who nevertheless acknowledges that for positions of greater responsibility (such as security director, CISO), companies do opt for qualified profiles, although the determining factor ends up being “specific training and that they come with experience”.

Martínez acknowledges that, after Covid-19, there are some differences in how training is delivered. With the rise of remote options, this expert sees some challenges in the aspects that require teacher-student interaction. “We continue to provide face-to-face training with all health and safety measures. But if a student evades class in person and starts doing other things, online it is even easier for that distraction to occur,” he reflects. For that reason, he emphasizes that what is needed on the part of the student is “rigor and getting to it. It requires an extra level of commitment.”

Eduardo Arriols, Red Team Manager, author of the book: “CISO: The company’s Red Team”, and professor in the Degree in Software Engineering at U-tad in the mention of cybersecurity, agrees that the study plans have not changed, but requests that the training be remote. “More services like ethical hacking are demanded. But the approach remains the same.”

Francisco Ángel Marzal, Quant Developer at Axpo Iberia

Specialization varies by area

All these experts agree that the field of cybersecurity is so wide and is expanding so much that those who want to work in it should specialize in some of its areas.

On the one hand, there are certifications such as CEH, OSCP, CHFI that are “highly demanded in the world of work”, according to the Quant Developer at Axpo Iberia.

Complementary or primary training in legal and ethical issues is increasingly in demand among experts

Just look at the CISO White Paper to verify the number of certifications that exist in cybersecurity: CCSP (Certified Cyber Security Professional), CDPD (Data Protection Delegate Certification), CDPP (Certified Data Privacy Professional), CISA (Certified Information Systems Auditor), Certification for auditors from ISACA (Information Systems Audit and Control Association – Association Control and Audit of Information Systems), CISM (Certified Information Security Manager), CISSP (Certified Information Systems Security Professional)…

“The university leaves with a generalist basis, but the real problems are seen in the street, in the companies and organizations we serve,” explains Lorenzo Martínez to justify that training must be complemented with something more specific to cybersecurity. “In my company, Securízame, in which we dedicate ourselves every day to providing cybersecurity services, since 2014 we have launched a series of specialized courses in subjects such as ethical hacking, systems securing or forensic analysis, and we also have a semester plan for training actions with specific syllabi to develop and enhance this knowledge”.

Lorenzo Martínez, CTO & founder of Securizame

The importance of law

Although many of these certifications and specializations are very technical, there is an increasing demand for cybersecurity professionals to master other matters, such as legal aspects. For many of the experts we have spoken with, there is little doubt that professionals need training in ethics and law. “Many of the tools or techniques that can be used can be considered illegal in certain countries,” warns Francisco Ángel Marzal.

The increasingly extensive body of regulation and legislation that affects computer security (such as GDPR, NIS, PSD2, etc.) forces this. “Knowledge does not take place (although it takes time that can be dedicated to learning or improving other things). There is so much to know that it is important to select. Have knowledge of law (basic) especially if you are going to dedicate yourself to computer expertise work, which you will have to ratify later in the room, is important”, explains Javier Tobal, who also recommends developing personal skills for public speaking. “It is becoming more and more important to make yourself understood, both in writing and orally. Both to make a report to a client, as well as to orally present its content in a summarized way, I believe it is important that this type of actions that improve communication skills”.

This complementary training becomes more necessary as the years go by and, above all, if you aspire to positions of more responsibility. “Having the visibility of the business and how cybersecurity is applied in it is vital for your professional development”, explains the IT Manager of Spring Professional. “In technology we tend a lot to 4×4 profiles, that you ask, that you have concerns.”

And now that I am trained, how do I start working?

This same expert says that specialization in the field of cybersecurity comes more with time, even though new specific studies on the subject keep appearing. “You cannot transform a person overnight because you have to gain experience.”

How can this be achieved? Many companies currently run training hubs in these new areas, so if you are interested you can access these resources. There are also CTF (Capture The Flag) events, where challenges are posed to solve, and platforms like hackthebox where you can exercise your knowledge. “These are two good initiatives to get started and make contacts in this sector in addition to simply solving problems”, explains Francisco Ángel Marzal, while Javier Tobal considers it useful to have experience “handling a code debugger (IDA debugger), a network analyzer (for example, Wireshark) and the most popular hacking tools (those that can be found in forensic distributions like Kali)”.

As Lorenzo Martínez concludes, “There is no excuse for not practicing on your own. With free alternatives such as Virtualbox you can set up a laboratory with a multitude of machines in which to test different operating systems, both the exploitation of their weaknesses, such as security solutions running on them, or even the forensic traces that remain after the execution of certain actions”.

And, even if you get your first job as a junior, “it is not good to stay with the fact that training ends when the working day ends, but the passion for knowing more and improving, even if it is as self-training, should be something complementary to what is seen at work”.