When many people think of cybersecurity, they might envision the exciting world of hacking; testing the limits and capabilities of everything from large networks to small devices. The hands-on nature of cybersecurity is what initially attracts so many people to the field. However, as many quickly discover, cybersecurity is a broad discipline, with responsibilities that extend beyond the high-profile, applied aspects.
One aspect that cybersecurity analysts need to master is report-writing, as well as any other documentation. Documenting the steps that were taken to achieve a goal may be regarded as a distraction, however, it is equally as important as the hands-on activity. Sometimes, the documents will not be authored by you but will require you to interpret and explain to those who are not cybersecurity experts.
Documents are Important
Businesses run on documentation. Nothing ever takes place in any legitimate business without the memorialization of events. Everything from meeting minutes to annual reports are all necessary for the efficient administration of a business. What does this all have to do with cybersecurity? At some point in your career in cybersecurity, you will not only need to work with reports, but you will probably need to interpret the documentation authored by someone else. Moreover, you may need to explain the documentation to others. For example, think of all the regulations that are now part of the cybersecurity landscape.
Whether your organization is subject to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or a combination of many regulations, the task of interpreting, and explaining an organization’s responsibilities in adherence of a security or privacy regulation will most likely fall to you. You may think that this is something that the lawyers should worry about, but let’s examine why this is not necessarily true.
A simple example can be found in any regulation that stipulates encryption of data at rest, and data in transit. The concept is easy to understand, and while you may recognize your role in implementing encryption in your organization, you need to be cognizant that there are parts of the encryption methodology that will need to be documented and explained in greater detail. An attorney is responsible for all the legal aspects of the organization, not the nuances of encryption technology. Some questions that an attorney, or other business executive may ask include:
- What exactly is encryption?
- How does encryption work?
- Are there different types of encryption, and which one is best for us, and why?
- Are Public Key Cryptography and Public Key Infrastructure the same thing?
Right now, you may be rolling your eyes, thinking that no one outside of technology would ever have heard of PKI, or key pairs, but do you want to be caught off guard when the topic arises?
There are many reasons that a non-security person would want to know about the technology that is protecting their business. One simple reason is that an executive can no longer hide behind the excuse of unawareness. They are legally responsible for knowing the operations of the organization. Remember that you need to explain these topics at a high level, not in deep detail involving a whiteboard and mathematical equations. You are there to ease their concerns, not conduct a lesson.
Subject Matter Expertise
Another example of why your job as the subject matter expert is important is because many of your colleagues may not understand that security and privacy, while intertwined, are two different undertakings. Many regulations focus on one aspect over the other, such as the CCPA, and GDPR, which are primarily privacy-centric. The implementation of security to accomplish compliance with these regulations is left up to the covered entity. Other regulations, such as the New York State Department of Financial Services Cybersecurity regulation is more security-centric, and more prescriptive in its approach.
Sometimes, your job as a cybersecurity professional will require you to understand a regulation in order to keep everyone grounded. It is easy for some people to get lost in security discussions. Part of your job is to reign in the extreme fears and apprehensions of all involved, keeping the discussion focused on what works best for the business.
How the CISSP Credential Can Help You Succeed
As you progress in your cybersecurity career, there will come a time when you will need to be prepared to discuss topics that are not only technical, but administrative as well. No certification can better prepare you for this than the CISSP. With its broad range of domains, the Common Body of Knowledge (CBK) is the perfect course of study to prepare you for many of the discussions that may come your way.
Not only does the CISSP CBK dedicate an entire domain to Security and Risk Management, but it specifically addresses many of the global regulations that impact all organizations. Other topics, such as understanding the Software Development Lifecycle, and Cryptography, work in tandem to give a CISSP candidate full exposure to subjects that go beyond the knowledge set of many similar certifications.
Where can CISSP certification take you as a security professional? Explore possibilities in the latest installment of our interview series featuring AJ Yawn, the co-founder and CEO at ByteChek.
To discover more about CISSP read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.