Information security specialists' work centres on understanding the risks to the security of information or data.
They analyse where security breaches may occur or have occurred, and repair or strengthen systems against such breaches. This covers the systems and networks that companies and organisations use to manage their information and information technology.
Information security specialists may have expertise in particular types of computer network. These could include networks associated with government, the defence industry or the banking sector, as well as, for example, those associated with:
- mobile telephone and application technologies;
- the Payment Card Industry (PCI);
- cloud computing.
Within the broad field of information and cyber security, there are many roles dealing with its different aspects. These roles do not, and cannot, exist in isolation from each other, and it's likely that a specialist working in one area will develop an understanding of the work in other areas.
As employers use slightly different job titles for the same role, overlaps between roles can occur. Therefore, when exploring careers in information and cyber security, read job descriptions thoroughly to get an understanding of what's involved with a particular role.
Some job roles and their responsibilities are described below:
- Information security/risk/incident analysts or managers support the front-line defence of networks, protecting information from unauthorised access and misuse. They do this by analysing and assessing potential security risks, putting preventive controls such as firewalls and encryption in place, developing plans for dealing with incidents when they occur, monitoring and auditing systems for abnormal activity, and executing corrective actions. Preparation of technical reports is also a requirement of the role.
- Penetration testers or ethical hackers carry out tests on a system to expose weaknesses in its security. Essentially, they do what an attacker would do, but they do it with the written authorisation of, and within a scope agreed with, the organisation that owns the network. This means they will try to gain access without valid credentials, and will try to bypass or break through whatever security controls are in place. Reports of their findings, including the risk of each weakness, then inform which fixes and upgrades are implemented.
- Computer forensics analysts or investigators work in cyber crime, a growing phenomenon. To combat it they work in private and public sector organisations, as well as for the police, law enforcement and security agencies. Work is extremely varied and can include recovery of deleted files; analysing and interpreting data linked to crime; analysing mobile telephone records; and uncovering links between events, groups and individuals by following data trails. Specialists in this type of role must keep detailed records of their investigations and of how evidence was collected and handled, since they will often be asked to present that evidence in court.
Salary
- Starting salaries for graduates are usually around £20,000 to £25,000 per annum.
- With a year's experience, you can command up to £35,000.
- After five years, and working in more senior roles, you can expect to earn in the region of £40,000 to £60,000.
Gaining professional qualifications and certifications can help graduates to move up the salary scale.
Income figures are intended as a guide only.
Working hours generally range from 35 to 40 per week, although overtime can occur depending on the type of assignment or investigation being carried out. In operational roles, shift patterns covering 24 hours a day, seven days a week are common, with staff on a call-out rota so that information and cyber security incidents can be responded to quickly.
What to expect
- Much of the work is office-based, but specialists working as consultants, either for an employer or as self-employed, may travel out to visit clients. In certain roles, such as those concerned with forensics, travel out to multi-agency meetings, or to court may be essential.
- Opportunities for self-employment may exist in setting up an independent information or cyber security company, or in operating as an independent consultant. Although it is possible to embark on self-employment as a new graduate, self-employed practitioners tend to have spent some time working for an employer in the sector first, to embed and develop their knowledge and skills.
- The majority of professionals working in information or cyber security technical roles are male, with the proportion of women slightly higher in more commercial roles. To inspire more women to enter the sector and to provide information and events targeted at girls and women, initiatives such as Cyber Security Challenge UK, WISE (Women into Science, Engineering and Construction), Women in Security and the WSS (Women's Security Society) exist.
- The majority of information and cyber security job roles are located in the South East of England; however, consultancy roles may see the consultant living and working in one region, while their employer is based in the South East.
- Restrictions on how information and cyber security specialists are able to talk about their job outside of work may exist, particularly if working in government, Ministry of Defence or police departments. This is due to the sensitive nature of some of the information they work with. Depending on the department the role is based in, a specialist may also view information and images that some may find distressing.
- Those involved in information and cyber forensics roles may act as expert witnesses and give evidence in court cases.
- Some roles require employees to be security cleared, so individuals with criminal records may be excluded from applying for these roles.
- If working as a consultant the job might involve more frequent travel. Travel could be international depending on the client.
Although it is possible to enter these professions without a degree by starting in an entry-level IT position, such as help desk support, and working up to an information security role, statistics show that it is becoming more difficult to enter the field from a more general IT role.
This suggests that more recent entrants to the profession are graduates, reflecting the growth of information security as a distinct sector.
With the rise in prominence of the sector, and the emergence of specifically related degrees like cyber security BSc, more graduates are being recruited now than ever. This trend is evidenced by the numbers of graduates in junior positions.
Approximately half of information security specialists have an undergraduate degree, with the most common degree subject being IT.
That said, there are a number of graduate schemes available which will take on graduates from any discipline. They look for evidence of the types of skills and attributes mentioned below.
Useful degree subjects include:
- cyber security;
- network engineering;
- networks and security;
- computer science;
- forensic computing;
- mathematics, physics and other STEM subjects.
You will need to have:
- a keen interest in IT and developments in the sector;
- attention to detail, analytical abilities and the ability to recognise trends in data;
- creativity and patience;
- logic and objectivity;
- an inquisitive nature;
- a proactive approach with the confidence to make decisions;
- a methodical and well organised approach to work;
- ability to work under pressure and meet deadlines;
- communication skills and the ability to adapt communication styles to suit different recipients of information;
- understanding of confidentiality issues, and the law relating to them.
Applicants might need to be security cleared as, depending on the role, they'll have access to sensitive information; for example when working for government or law enforcement agency establishments.
For a useful overview of what's involved in the different types of national security clearance and the types of roles which they apply to see CW Jobs - National Security Clearance.
Statistics from the UK Commission for Employment and Skills (UKCES) and the Office for National Statistics (ONS) show that the science and engineering sector, within which information and cyber security sits, has a skills shortage almost double that of other sectors.
The data also shows that the numbers of people predicted to be working in the sector will have risen significantly by 2020.
Although these statistics relate to the sector as a whole, there have been reports in the media and specialist press, which suggest similar skills shortages for information and cyber security. An initiative that is working to address these skills shortages is the Cyber Security Challenge UK.
There are a number of graduate schemes, and opportunities can be found across the public and private sectors. Graduates could find themselves working in:
- government departments;
- local authorities;
- financial service institutions;
- IT companies;
- security consultancy services.
Information and cyber security research opportunities within universities may exist, again emphasising the growth of this exciting sector.
Look for job vacancies at:
There are a number of specialist recruitment agencies which handle information and cyber security vacancies.
There are a number of industry-related qualifications and certifications that can be completed once working in information or cyber security. It's advisable to do so to keep up to date with developments in this fast-moving sector.
Employers may put their specialists through this training, although some elements can be gained through undergraduate study.
For example, some undergraduate cyber security courses cover content of certain industry-related certificates within modules, with the option for students to potentially pay a reduced fee to gain certification prior to working in the industry. Check with individual institutions to find out what might be available.
Typical certifications include:
- Systems Security Certified Practitioner (SSCP) - an entry-level certificate suitable for practitioners with as little as one year's experience;
- CompTIA Security+ - an entry-level certificate for which CompTIA recommends around two years' IT experience with a security focus;
- Certified Information Systems Security Professional (CISSP) - five years' cumulative experience is required (four years with a relevant degree or approved credential). It is the most commonly held certificate in the sector, with 54% of information security practitioners possessing it according to e-skills UK, the Sector Skills Council for Business and Information Technology, and is often seen as a prerequisite for career development;
- Certified Information Systems Auditor (CISA) - practitioners must have five years' experience in information systems auditing, control or security to achieve this certification;
- Certified Information Security Manager (CISM) - this certification is suitable for practitioners with at least five years' work experience in information security, including experience in a management role;
- Cisco Certified Network Associate (CCNA) is a more general IT certificate, and is often held by those in highly technical network engineering roles. Cisco also offers security specific qualifications, such as CCNA Security;
- Certified Ethical Hacker (CEH) - this is more often held by specialists working in penetration testing or security analytics.
Postgraduate study can provide a greater understanding of information and cyber security. The strong emergence of the sector has seen Government Communications Headquarters (GCHQ) fully, or provisionally, certify a number of Masters degrees, based on the appropriateness and quality of their content. They include:
- Advanced Security and Digital Forensics MSc - Edinburgh Napier University;
- Cyber Security MSc - Lancaster University;
- Software and Systems Security MSc - University of Oxford;
- Information Security MSc - Royal Holloway, University of London;
- Cyber Defence and Information Assurance MSc - Cranfield University;
- Information Security MSc - University of Surrey.
Within the different specialisms of information and cyber security it is possible to follow defined career paths.
Two sets of learning pathways that practitioners can follow have been developed and are described by e-skills UK:
- The CESG (Communications-Electronics Security Group) Certified Professional (CCP) scheme is the UK Government's approved standard for information security specialists. It assesses at three levels, appropriate to the skills, qualifications and experience of the specialist: practitioner, senior practitioner and lead practitioner. Once achieved, certification is valid for three years. The CCP is a prerequisite for membership of the CESG Listed Advisor Scheme (CLAS); CLAS membership demonstrates credibility to work with and audit sensitive information held by government departments and law enforcement agencies.
- The Institute of Information Security Professionals (IISP) scheme assesses skills, qualifications and experience at four levels, from entry-level positions with up to three years' experience (information security practitioner), through senior information security practitioner, to senior management level (lead information security practitioner).