Contrary to what many people imagine, the figure in a dark hoodie sitting in front of a glowing computer screen is not the face of a career in cybersecurity. In an overwhelmingly digital world, cyber adversaries can target a vast attack surface. Threats are pervasive. Every point across an organization's attack surface must be protected. There are thousands of pieces that must successfully work together to do that—which takes people with varied expertise.
Ed Adams, the CEO of Security Innovations, recently published See Yourself in Cyber: Security Careers Beyond Hacking, an insightful discussion of integrating cybersecurity into the many facets of today's organizations. The book also challenges the myth that working in cybersecurity requires deep knowledge of coding, attacker tools, and procedures or multiple sets of technical credentials.
You Need Security Skills Everywhere
The reality is that the only way to improve cybersecurity across and within an organization is by identifying, hiring, or training security-aware and security-conversant people who inhabit various interconnected roles. Security-skilled people are needed everywhere. This means attack and defend specialists working in IT and security teams; engineering, development, and product teams with security skills; and people setting policy, assessing risk, and managing legal requirements within the context of today's pervasive threat environment.
If your organization is a security solution vendor or manages IT/security services, you also need sales, marketing, technical support, and customer relations people who understand the cybersecurity landscape and can help customers maximize their protections. Some roles require specific certifications, which can be obtained through relevant training. Many others merely require the interest and ability to learn.
Introducing the Color Wheel
Traditionally, cyber roles have been seen as either protecting or defending roles. But it's really an interconnected landscape. In See Yourself in Cyber: Security Careers Beyond Hacking, Adams begins by organizing the multiplicity of roles needed into a color wheel. Primary roles align with primary colors, and secondary roles align with secondary colors.
Primary Roles
Primary roles include Breakers (red), Defenders (blue), and Builders (yellow):
- Breakers - These include employees or contractors hired to break things like networks, systems, or software. They work to find security vulnerabilities that malicious actors can exploit. Traditional red teaming is a Breaker role.
- Defenders - Defenders work to protect an organization and its data with cybersecurity defenses like firewalls, cloud security, endpoint protection, identity management, and a host of other solutions. Traditional blue teaming is a Defender role.
- Builders - These roles build and maintain infrastructure, systems, and software products. They include job titles like software engineer, IT systems architect, or network designer.
Secondary Roles
Secondary roles represent collaborative and interdisciplinary roles between primary roles. These individuals often engage in specific activities that synthesize or fuse the strengths of surrounding primary roles.
- Purple - These teams bridge gaps between red and blue teams to facilitate collaboration, share information, and accelerate real-time learning. Their role contributes to the continuous sharpening and strengthening of both red and blue team skills.
- Orange - Individuals in orange roles enable the organization to strengthen its overall security posture by leveraging red team findings for building security into systems and products.
- Green - A green team takes the findings of blue teams and uses them to build resilience into IT systems and software.
The White Center
Adams describes the white center of the color wheel as the "Bakers" domain. These essential roles focus on aligning cyber strategy with business risk. They collect, analyze, and communicate the requirements of the myriad security and privacy regulations imposed on organizations. With a heavy focus on risk assessment, compliance management, and security oversight, their roles touch every other color on the wheel in some way.
Outside the Color Wheel
As mentioned earlier, if your organization provides security solutions or services, cybersecurity awareness and skills must be present in an even wider range of roles. You don't need highly technical people with security certifications. You need people willing to learn and effectively analyze problems, develop solutions, and communicate within a cybersecurity context. There are dozens of opportunities for integrating security into customer-facing, sales, marketing, and technical support functions.
A Framework For Success
This is just an overview of the color wheel and a framework for thinking about how to build a diverse, cyber-resilient organization. See Yourself in Cyber: Security Careers Beyond Hacking provides a much more in-depth discussion of specific roles, as well as examples of real-life job descriptions within each role. You'll learn how to create a relatable framework for the dozens of existing cybersecurity jobs. At the same time, you'll be able to complement—and build on—existing cybersecurity education and hiring frameworks with practical experience as you identify and define realistic expectations, job descriptions, and recruiting strategies.
How We're Helping
Our commitment to closing the cybersecurity skills gap means we always strive to create meaningful ways to bring new people into cybersecurity. Learn more about the free hacking and training events we've run at non-profit conferences, educational institutions, and community events to inspire security-minded individuals - from middle school students to seasoned professionals!
Contact us today to learn more about our hands-on cyber range events and how we help teams get smarter about software security and prepare for future challenges.
Get your own copy of See Yourself in Cyber: Security Careers Beyond Hacking here.