If defending IT infrastructure and networks, hacking sites on behalf of an organisation or combating cyber crime appeals to you, consider a career as an information security specialist.
As an information security specialist, your work will focus on understanding risks to the security of information or data.
You'll analyse where security breaches may occur or have occurred, and repair or strengthen systems against such breaches. This relates to the systems and networks used by companies and organisations to manage their information and information technology.
You may have expertise in working with different types of computer networks. These could include networks associated with the government, the defence industry or the banking sector, and, for example, those associated with:
- cloud computing
- mobile telephone and application technologies
- the Payment Card Industry (PCI).
Within the broad field of information and cyber security, there are many roles dealing with its different aspects. These roles do not, and cannot, exist in isolation from each other, and it's likely that, as a specialist working in one area, you will develop an understanding of the work in other areas.
As employers use slightly different job titles for the same role, overlaps between roles can occur. Therefore, when exploring careers in information and cyber security, read job descriptions thoroughly to get an understanding of what's involved with a particular role.
Some job roles and their responsibilities are described below:
- Information security/risk/incident analysts or managers support the front-line defence of networks, protecting information from unauthorised access and violations. They do this by analysing and assessing potential security risks, developing plans to deal with such incidents by putting measures in place such as firewalls and encryption, monitoring and auditing systems for abnormal activity, and executing corrective actions. They also prepare technical reports.
- Penetration testers or ethical hackers carry out tests on a system to expose weaknesses in security. Essentially, they do everything a hacker would do, but they do it on behalf of the organisation that owns the network. This means they will try to access information without usernames and passwords, and will try to break through whatever security applications are in place. Reports of their findings can then inform what upgrades are implemented.
- Computer forensics analysts or investigators work in cyber crime, a growing phenomenon. To combat it, they work in private and public sector organisations, as well as with the police and law enforcement and security agencies. Work is extremely varied and can include recovery of deleted files; analysing and interpreting data linked to crime; analysing mobile telephone records; and uncovering links between events, groups and individuals by following data trails. Specialists working in this type of role need to keep detailed records of their investigations and will often provide evidence in court.
- Starting salaries for graduates are around £25,000 per annum.
- With a year's experience, you can command up to £35,000.
- After five years, and working in more senior roles, you can expect to earn in the region of £45,000 to £80,000.
Gaining professional qualifications and certifications can help you to move up the salary scale.
Income figures are intended as a guide only.
Your working hours will generally range from 35 to 40 per week, although you will need to be flexible depending on the type of assignment or investigation being carried out. Many organisations demand 24/7 cover, with staff working on a call-out rota, allowing for fast responses to information and cyber security incidents.
What to expect
- Much of your work is likely to be office-based, but you may have to travel to visit clients if you are working as a consultant, either for an employer or if you are self-employed. In certain roles, such as those concerned with forensics, you may have to travel to multi-agency meetings or to court.
- Opportunities for self-employment exist. You could set up an independent information or cyber security company, or you could choose to operate on an independent consultancy basis. It is possible to embark on self-employment as a new graduate, but most people gain experience by working for an employer in the sector to embed and develop their knowledge and skills first.
- The majority of professionals working in information or cyber security technical roles are male, while women tend to be employed in more commercial roles. To inspire more females to enter the sector and to provide information and events targeted at girls and women, initiatives such as Cyber Security Challenge UK, WISE (Women into Science, Technology, Engineering and Mathematics), Women in Security, and the WSS (Women's Security Society) exist.
- The majority of information and cyber security job roles are located in the South East of England; however, consultants can be based anywhere and travel to meet clients, both nationally and internationally.
- You may face restrictions on how much you are able to talk about your job outside work, particularly if you work in government, the Ministry of Defence or police departments. This is due to the sensitive nature of some of the information you may encounter. You might also have to view information and images that you could find distressing.
- If you are involved in information and cyber forensics roles, you may be called upon to act as an expert witness and give evidence in court cases.
- Some roles require employees to be security cleared, so individuals with criminal records may be excluded from applying for these roles.
It is possible to enter these professions without a degree by starting with an entry-level position in IT, such as help-desk support, and working up to an information security role.
However, recent entrants to the profession are graduates, either from degrees specifically related to cyber security or from more general computer science/IT degrees.
Useful degree subjects include:
- computer science
- cyber security
- forensic computing
- mathematics, physics and other STEM subjects
- network engineering
- networks and security.
If you are interested in this area of work and do not have an IT-related undergraduate degree, look for graduate schemes that will take on graduates from any discipline.
Equally, you could choose to undertake further study. Search for postgraduate courses in cyber security.
The National Cyber Security Centre lists Government Communications Headquarters (GCHQ) certified Master's degrees from a range of universities.
You will need to have:
- a keen interest in IT and developments in the sector
- attention to detail, analytical abilities and the ability to recognise trends in data
- creativity and patience
- logic and objectivity
- an inquisitive nature
- a proactive approach with the confidence to make decisions
- a methodical and well-organised approach to work
- the ability to work under pressure and meet deadlines
- communication skills and the ability to interact effectively with a range of people
- understanding of confidentiality issues, and the law relating to them.
You might need to undergo security clearance if you have access to sensitive information; for example when working for government or law enforcement agencies.
There are skills shortages in the information, cyber security, science and engineering sectors.
An initiative that is working to address these shortages is the Cyber Security Challenge UK.
There are a number of graduate schemes and you can find opportunities across the public and private sectors. You could find yourself working in:
- financial service institutions
- government departments
- IT companies
- local authorities
- security consultancy services.
Look for job vacancies at:
Once you are working in information or cyber security, it's advisable to keep up to date with developments. There are a number of industry-related qualifications and certifications, which may help your career development.
Typical certifications include:
- Systems Security Certified Practitioner (SSCP) - an entry-level certificate suitable for practitioners with as little as one year's experience.
- CompTIA Security+ - aimed at specialists with more than two years' experience in information or cyber security.
- Certified Information Systems Security Professional (CISSP) - around four years' experience is required to achieve this certification. It's the most commonly held certificate in the sector and is often seen as a prerequisite for career development.
- Certified Information Systems Auditor (CISA) - practitioners must have five years' experience in information systems auditing, control or security to achieve this certification.
- Certified Information Security Manager (CISM) - this certification is suitable for practitioners with at least five years' work experience in the field.
- Cisco Certified Network Associate (CCNA) - a more general IT certificate, often held by those in highly technical network engineering roles. Cisco also offers security-specific qualifications, such as CCNA Security.
- Certified Ethical Hacker (CEH) - this is more often held by specialists working in penetration testing or security analytics.
A number of resources, including course details and events, are offered by The Tech Partnership.
The National Cyber Security Centre offers the CESG (Communications-Electronics Security Group) Certified Professional (CCP) scheme, which is acknowledged as the UK Government's approved standard for information security specialists. It assesses candidates at three levels, according to the skills, qualifications and experience of the specialist: practitioner, senior practitioner and lead practitioner.
The National Cyber Security Centre also runs the CESG Certified Cyber Security Consultancy Service (CCSC), which is a professional accreditation scheme of approved consultants.
Similarly, the Institute of Information Security Professionals (IISP) consortium certifies UK Government information assurance (IA) professionals under the CESG Certified Professional scheme.