The most important element in a successful cyber security career will never be found in a position description, directly evaluated during a year-end review or taught in a college course.

Nothing trumps passion for the subject matter and passion for continuous learning.

More than any other IT discipline, cyber security is an evolving, dynamic industry. Cyber is not like learning a programming language, a codified body of knowledge unlikely to change at any great pace. Cyber security is rapidly evolving and holistic across the digital landscape, not confined solely to networks, end-user devices or applications.

And cyber, unlike most IT disciplines, faces a very different element—threat actors.

Most areas of IT are like golf, a game played against yourself. Barriers and complicating factors like budgets or processing power are like bunkers and trees on a golf course—fixed elements that raise the degree of difficulty, but are largely known by the time you tee off. 

Cyber security, meanwhile, is like boxing, a discipline that seeks not only to maximize your own fitness level and talent, but requires constant defense against an array of opponents whose skill sets you must adapt to and defeat. 

Like boxing, and unlike weekend golf outings, cyber security requires an intense passion to participate. Remaining viable in the field means being committed to constant training and self-improvement.

After all, every week seems to bring the disclosure of yet another cyber security issue in IT. Last week was "Heartbleed," the revelation that OpenSSL—an open source software product used across perhaps a half million websites—had a programming error that would allow information contained in memory to be passed to an external hacker. No log entries are created, and, hence, no trace of an attack would be seen. Next week, it will be something else, as yet undefined.

Understanding the technical details of an issue like Heartbleed requires a passion for constant education.

But along with passion should come purpose. Training should be well thought out and match with the holistic nature of cyber security.

At NJVC, we design training curricula with partners like InfoSec Institute, to gain maximum impact for every dollar and hour spent in pursuit of education—combining engineers' passion with purpose, and in focused areas of learning tailored by our Cyber Security team.

One way to channel passion with purpose is to consider cyber security in paths, and methodically attack path by path. For students or engineers working without training programs, consider each of the following avenues and cycle through learning classes within them to sharpen understanding of our evolving field.

Security Management

This path would provide macro perspectives on personnel, relevant technologies and the processes used to maintain secure IT operations. It should also include aspects of physical security, often overlooked in a cyber-only perspective. Social engineering attacks on employees often lead to cyber crimes where less protected assets are stolen and protected data such as personally identifiable information (e.g., Social Security numbers) are compromised. Position titles include senior exec spots, such as chief information security officers and anything with "manager" in it.

Penetration Testing

This path is very hands-on and builds the skill set necessary to infiltrate computer systems. Penetration testing involves a blend of networking knowledge, programming and scripting skills, as well as creative thinking. This skill is a component of performing vulnerability assessments for organizations and is widely used to determine how resistant an overall IT enterprise is to compromise. Knowledge of various attack patterns and tools is required. Position titles include pen tester, vulnerability assessor and security tester.

Security Operations

The focus here is on how to operate and maintain a secure IT infrastructure for an organization. Understanding and implementing best practices, such as configuration management and patch management, are key components. Rigor in applying engineering processes leads to high service level agreements, which are a widely used indicator of success. Titles include operations director/manager, system administrators and security administrators.

Risk and Compliance

This path requires a knowledge of various industry regulations along with hands-on knowledge of tools that can collect and generate appropriate compliance and audit reports. Risk and compliance can be a blend of industry-specific perspectives along with a strong sense of process engineering. Titles include compliance assessor and auditor.

Incident Response

This path requires strong technical skills to assess a situation and react quickly to shut down threats. A general knowledge of sound computer science principles must be augmented with a cyber threat intelligence perspective to know what effective actions to take. Titles include security analyst, cyber threat analyst and malware analyst.

Digital Forensics

In digital forensics, an organization has been compromised in some manner, and the focus is on understanding what happened and ensuring that any security gaps are plugged. Analysts require dogged investigation skills along with sound technical credentials, ranging across software, hardware and network infrastructures. Of particular importance is an understanding of the chain of evidence so that actions taken do not contaminate the very systems and data being used to build legal cases that have strict guidelines. Titles include computer crime analyst, digital forensics investigator and threat analyst.

Security Architecture

This path needs to achieve a broad technical perspective spanning all aspects of IT architectures and how to secure each component. Software, hardware and networks are the three key perspectives that must be accommodated in the design phases to ensure adequate security is levied across an organization, and that no one component exposes security gaps. Titles include security systems architect and system architect.

Training Delivery Formats

Training comes in many flavors. Basic essential classes provide a platform for more advanced topics that require fundamentals to be understood before diving into specific technical details. Computer-based training can be a cost-effective method to gain base knowledge. More advanced topics are typically better conveyed by in-person instruction where questions can be directed to and answered by a knowledge source. Instructor training can be provided either in the classroom or by real-time video conferencing.

Boot Camps

These are intensive week-long or multi-week sessions of immersive training. They typically have a defined objective at the end—to prepare for and pass a specific cyber certification exam. Along with the objective focus is a shared desire to achieve a common goal, and typically longer timelines with evening sessions evaluating whether a student understood the materials presented during day sessions.

Professional Training Vendors

To receive high-value training and be qualified and prepared to sit for various certification exams, it is necessary for an organization to partner with a training vendor that not only has a robust curriculum, but also maintains that curriculum by continually modifying course content as the cyber landscape changes.

NJVC teams with InfoSec Institute to provide high-quality course materials and instructors. InfoSec Institute certifies all instructors to make sure they have both excellent technical and communication skills. The focus can then be on making sure students comprehend the presented materials so they can apply that knowledge back on the job.

Ultimately, there is no one specific way to move ahead in a diverse field such as cyber security. Every person has unique aspirations, interests and objectives. In addition, there is a wide technical spectrum ranging from a very detailed perspective through a management perspective.  

But, with every accomplished cyber security professional, there are two common ties: passion and purpose.