Cyber Risk Advisory

A Day in the Life of a Cybersecurity Professional

April 24, 2019

After I graduated from high school, I knew I wanted to do something in computers and IT, but I did not know exactly what – the IT help desk route, databases and database management, programming and software development, or something else perhaps? I knew one thing though – I did not want to be in a job where I was going through the same monotonous task(s) day after day, sitting in a cubicle and not talking to or interacting with anyone. I wanted a job that was dynamic, exciting, and brought about new challenges and opportunities for growth every day.

Surprisingly, as I was moving forward in my college experience and gaining exposure to the different avenues of IT, I finally had that “aha” moment where I thought, why not go into cybersecurity? It provides a plethora of opportunities for young people like me. It only made sense, as not only was I interested in it and liked the work, but there is also no shortage of employment opportunities and areas for growth. Cybersecurity is an ever-growing and ever-changing field with new challenges and opportunities coming virtually every day. Especially in today’s market, there are a plethora of jobs available. This is my story: how I ended up in the challenging, engaging, and rewarding career of cybersecurity (and some added tips for others looking to enter the field).

I started my journey by attending Northern Virginia Community College to pursue my Associate of Science (A.S.) degree in IT, which covered a wide breadth of topics and fields in IT. I got exposure to all the different areas in technology; however, I stumbled upon cybersecurity when I was taking an introductory networking course. We only really covered one chapter on cybersecurity, but I remember that one class more than anything I learned throughout the rest of the semester. It just amazed me how someone can gain access to a private system and steal confidential data. I wanted to learn more and see how that process unfolds from the hacker formulating his/her plan to how it ends by him/her retrieving the data. Before that class, cybersecurity was not even on my radar – I guess the field chose me, and the rest is history.

After I completed my A.S degree in IT, I transferred to the George Washington University (GWU) and got my Bachelor of Professional Studies (B.P.S.) degree in Cybersecurity. It was a very diverse program that consisted of networking, security, and compliance courses, and I believe it prepared me well for the work I do today. I am proud to say I am part of the first graduating class from the GWU College of Professional Studies in the Cybersecurity program.

After months of applying, I finally landed a job at a company in Reston, VA, called Coalfire. It turned out this was a great decision for me, as I would learn a lot, especially with the vast range of clients that come to Coalfire for advisory and assessment services. There were a few differences I immediately noticed in the real world of cybersecurity vs. my expectations and what I learned in school. My preconceived notion of the cyber world was that it was all hacking, getting past firewalls, and espionage, trying to get access to a confidential system and steal data. I realized it is not all that sensational, as it is not all hacking and, unfortunately, I was not going to get the James Bond secret agent experience that I hoped for. The first thing I noticed is that cybersecurity itself has many different areas of expertise, just like the broader field of IT. There is security awareness and training, security architecture, network security, application security, vulnerability management, compliance, and digital forensics. It is nice to know there are different areas I can go into if I feel like what I am doing now is not for me. After working at a cybersecurity company for the past six months, I have learned a lot of interesting things; I wanted to share a few tips and tricks to any future cyber professionals or anyone interested to know a little more about the field.

I am extremely fortunate to work for a company where its core business is cybersecurity. Coalfire is a security advisory and assessment company that offers professional services to clients looking to get certified for a compliance framework such as FedRAMP, FISMA, NIST, ISO, SOC, and others. Some clients come to us to assure they are meeting the compliance guidelines; while others come to us to assess their overall security posture (outside of, and/or additional to, a compliance framework). I work in the vulnerability management space of security. This encompasses vulnerability scanning, remediation efforts, and methods for tracking open vulnerabilities to protect them from being exploited in an attack. The team I work with must make sure that Cloud Service Providers (CSPs) are following the compliance requirements to satisfy the RA-5 security control of vulnerability scanning. This means they must have a process in place for not only vulnerability scanning, but also for analyzing the results and remediating the vulnerabilities within the required timeframes, which depends on the severity of the vulnerability (30 days for High impact level of an incident, 90 days for Moderates, and 180 days for Lows).

I was surprised at how some clients were so unprepared for the assessments, and how some did not even have a process in place for vulnerability analysis and remediation, which is kind of scary considering the attack landscape today and how easily these systems can be exploited. A big part of the job is reading, writing, and drafting reports. Before every assessment I must read up on the client’s System Security Plan (SSP) and make sure they are following through with what the SSP says they are doing. I then report my findings in a final scan report to the FedRAMP lead at Coalfire, which then goes to the Joint Authorization Board (JAB) or agency sponsor for review and official certification and approval. What I learned again through this is that the biggest misconception about cybersecurity is that it is all coding and technical – and that is not the case. Especially if you are working in compliance, there is a lot of reviewing documentation and writing reports for clients to explain a situation or scenario and explain the technical jargon in easy-to-understand language.

My advice for future cyber professionals is there are times where you are going to be frustrated and not understand what is going on. At that point you must relax, take a deep breath, and know when to ask for help. That is why l like working here at Coalfire – because everyone is collaborative and open to helping you. Do not be afraid to ask questions as it is better to ask questions and get it right, than to not ask and get your deliverable sent back to you because your submission had many errors in it. You will learn new things daily.

Technology is changing at a rapid pace, and therefore you need to stay ahead of the game when it comes to specific technologies. Constantly reading up and staying current with the cyber threats and techniques being used will give you an edge. Industry certifications such as the CISSP, Security+, or AWS/Azure certifications are worth pursuing to bolster your technical knowledge and demonstrate your expertise to clients. Also, as just a warning to all, be wary of phishing emails: as you join the cybersecurity space, you will become a target for potential hackers, not only at work but also your personal email. An email offering a $100K per year job opportunity – and all you need to do is click on the link and input your social security number – is most likely a scam.

My final advice to anyone who wants to step into the cyber world is be vigilant, be ready to learn new things every day, and be open to change, as what you are doing today might become obsolete tomorrow. Cybersecurity is one of the most interesting and rewarding fields to be in right now, as you hear of a new company being hacked almost every day. I am glad I chose this profession, and so far, it has been a fun ride. I am excited for the opportunities and challenges ahead of me and cannot wait to see what the future holds.