Outline
All the tutorials in this course:
- Identifying the Modern Threat Environment
- Understanding Incident Prevention
- Preparing for Incident Response and Recovery
- Utilizing Resources and Opportunities
Practically, you can take what you've learned in this course and move in one of two directions: you and your team members could dive into one or more specific security technologies so you can apply at least those to your operations. Or you could reach out to hire a security professional - either in a full-time capacity, or as a consultant.
Whichever you choose, though, you might consider adopting one of the many pre-built security frameworks as a guide for building your security profile. I'll introduce you to some important frameworks in just a minute or two. First though, let's quickly run through a really long list of common job titles in the security space. I won't claim that each of these titles necessarily has a clear and unique meaning - or that there isn't plenty of overlap between them. Rather, I think this list is useful for helping us visualize what's possible: both in terms of the kinds of people we can hire, and in terms of the kinds of career choices that we ourselves can make if we're looking to get hired.
So here goes. When it comes to management-level positions, you'll see Chief Information Security Officers, Chief Security Officers, and Data Protection Officers. Professional specialities - which will often, but not always, require a college degree - will include security analyst, security engineer, security architect, and security administrator. You can add DevSecOps manager to that mix if your organization uses a DevOps methodology that you'd like to extend to more directly embrace security.
External security professionals might call themselves security consultants or auditors. But they might also specialize as auditors focusing on areas like PCI-DSS, HIPAA, GDPR, penetration testing, or vulnerability assessment.
Like everything in technology, the security field is constantly evolving, but excelling within any one of those niches is about as solid a long-term career investment as you'll find anywhere.
As promised, I'll now focus on some of the key security frameworks out there that could be useful for you. Some of these are actually built as guidelines for compliance with specific legal or regulatory structures. But they're all effective at guiding us through the process of hardening our defences.
The NIST Cybersecurity Framework is a US government standard that's intended to help organizations identify security problems in their own infrastructure, assess their real-world risk, and take advantage of publicly-available security resources.
The ISO standards 27001 and 27002 are used to define certifications for validating an organization's compliance with basic security controls. Achieving certification can make it easier for vendors or customers to select your organization without worrying that integrating their systems with yours might expose them to unnecessary vulnerabilities.
The Service Organization Control Type 2 (or SOC2) is a standard governing how organizations manage client data. In other words, accounting or banking companies whose customers trust them with their private data must meet some pretty strict compliance standards for managing and protecting that data. SOC2 is a difficult standard to meet but, for some industries, it's absolutely required.
At least in North America, power utilities are required to comply with NERC-CIP - the North American Electric Reliability Corporation: Critical Infrastructure Protection standard. The standard provides guidance for identifying potentially vulnerable critical infrastructure all the way up the supply chain, and for reducing the risks they face.
The European Union's GDPR law extended data privacy to all citizens of the Union, protecting them from improper use of their data by any online service-provider they might use. Practically, since most internet companies operate world-wide - and serve users in the European Union as much as anywhere else - this means that just about anyone operating online needs to worry about compliance.
The Federal Information Security Modernization Act (FISMA) is a framework requiring US government agencies - along with any third-party vendors who engage with the government - to protect themselves and their digital assets. In particular, FISMA governs the way government organizations control interactions with third parties involving digital assets.
The US government's Health Insurance Portability and Accountability Act (or HIPAA) framework offers guidelines that are similar to SOC2 for managing private data, but the focus here is on data within the healthcare field. HIPAA compliance involves effective training and risk assessment operations.
Beyond such frameworks, you can also gain tremendously by following the curriculum objectives of well-designed cyber security certifications. Some of the more popular certs in that field include CompTIA Security+, Certified Information Systems Security Professional (CISSP), and Certified Information Systems Auditor (CISA).