Cyber security is changing. Not the threat actors, vulnerabilities, or technology (these change constantly). How we do cyber security as a profession in this modern world is changing.
The days of fresh-faced SOC analysts glued to computer screens in a dimly lit room are fading away. The lone penetration tester sitting in a company’s conference room and testing their security are numbered. Even the head honcho Chief Information Security Officer (CISO) work is starting to look a lot different with the rise of virtual CISOs.
The cyber world is shifting to a new era of employment. You must be aware of this shift and learn to take advantage of it to stay relevant. However, to understand how we got here and where we might be heading, we must look at how cyber work has changed over the last few decades.
Cyber security was first done internally
The dawn of cyber security began with traditional IT administrators doing their best to secure their networks. They set up basic firewall rules, checked user login activity, and monitored who accessed what files. No sophisticated Endpoint Detection Response (EDR) or even simple Anti-Virus (AV) existed. It was down to the IT admin to check if anything nefarious was happening.
You can learn more about the start of cyber security in The Cuckoo’s Egg. This true-story spy thriller recounts how a sole IT administrator hunted down a Russian spy ring operating in his University network as they tried to steal sensitive military secrets.
As computers transitioned from Universities to corporations, security became more important. Internal security teams were created (still made up of IT admins), the security software industry was born, and investments were made in ensuring some level of security in computer networks. This focus on security was accelerated by the rise of the World Wide Internet in the 1990s and the subsequent dot-com bubble, which required a secure e-commerce process.
The idea of an internal security team was only an option for large organizations with big budgets. Small and medium-sized businesses had to find another way to secure their systems, and so they turned to the guys who helped them create and manage their systems in the first place, their Managed Service Providers (MSPs).
Cyber security was then outsourced
MSPs saw an opportunity in the demand for increased cyber security and created what we know today as Managed Security Service Providers (MSSPs). These organizations handle the security architecture, monitoring, investigation, and remediation for tens, hundreds, and even thousands of organizations.
A small or medium-sized business will outsource its security to an MSSP via a Service Level Agreement (SLA) that shifts the security responsibility to the MSSP at a fraction of the cost it would take to stand up a complete internal security team. There are different levels to this outsourcing of security, with some organizations choosing to go hybrid and perhaps only outsourcing their security operations (SOC), others just outsourcing incident response, and some outsourcing everything.
Some degree of outsourced cyber security has become the norm nowadays. Most organizations can’t afford to maintain a fully stacked cyber security team with expertise in every role, as well as the hefty subscriptions security software companies charge for their products. As such, they choose to outsource many of the niche roles, including:
- Threat intelligence and hunting
- Digital Forensics and Incident Response (DFIR)
- Detection engineering
- Malware analysis
- Penetration testing (including red teaming, mobile testing, WebApp testing, etc.)
The MSSP, or a specialist third-party security company, will take on these roles and perform this service for the business. However, in light of the COVID-19 pandemic and the remote work revolution, things are shifting in a new direction.
Cyber security was then made remote
The global lockdowns caused by the COVID-19 pandemic catalyzed the remote work revolution. This revolution transcended cyber security and changed how employees thought about work, the necessity to commute, the flexibility working from home offered, and the need to be physically present to perform their role.
Remote work continues to be a major trend in cyber security, with more companies shifting their operations online and more jobs becoming remote or hybrid. This trend has had various impacts on cyber security, but a less-mentioned impact has been the one on the outsourcing of cyber security work.
The change to a remote-first work culture has seen the need for large MSSPs and specialist cyber security companies diminish. There has been a constant cycle of tech layoffs throughout 2022 and 2023, with cyber security being no exception. This has freed skilled cyber security professionals to explore other opportunities.
What are these other opportunities?
There has been a rebranding of work from company-focused to individual-focused, where an individual’s needs are slowly beginning to be clawed back from huge corporations. Company revenues will also be put first, but cyber security professionals are slowly starting to realize that their skills are in high demand they can take advantage of this in other ways than just working long hours for massive corporations.
A recent article by Daniel Miessler detailed the opportunities available to skilled professionals and how he realized he could take advantage of this skill set by becoming an entrepreneur making over $700K!
Where is cyber security going next?
So with a remote work culture and many skilled cyber security professionals looking for work or wanting to get away from the constraints of working for a large corporation, where is cyber security heading? You need to look no further than where the job market has been heading over the last few years to answer this question… the gig economy.
The gig economy is a labor market characterized by temporary, short-term, or project-based work usually facilitated through digital platforms. Individuals work as contractors or freelancers and undertake short-term tasks, projects, or assignments for multiple companies rather than working for one corporation.
There are pros and cons to the gig economy compared to traditional employment. The work is flexible, diverse, and often pays well (if your skills are in high demand). However, there is a lack of job security and benefits that often come from working for a corporation. Many people associate the gig economy with low-skill, low-wage jobs like being an Uber or food delivery driver, but this is not necessarily the case. If you are skilled, you can make a lot of money by diversifying your income streams and taking on gig work.
How Does the Gig Economy Apply to Cyber Security and You?
So how can skilled cyber security professionals take advantage of the gig economy? The first step is to shift your focus from company-first to individual-first. You need to see yourself as the business and identify opportunities where you can leverage your skills to make money.
All businesses are profit driven. We tend to focus on security rather than profit in cyber security, so making this mindset switch can be difficult. Try asking yourself questions like:
- Can I perform my skill remotely?
- Can my skills be used to solve a problem for someone?
- Can my skills be used to solve a recurring problem?
- Can my skills be used to solve a problem for someone who has money to spend?
- Can my skills be turned into a product, a course, a newsletter, a blog, or any other form of content that people consume?
- Can I automate or refine my skills into a repeatable process that can serve many customers?
- Can I make passive income from my skills (e.g., content, a retainer, etc.)?
- Can I easily sell or market my skills?
- Is there a platform to sell my skills on, or will I need to create one?
- Can I leverage my skills to have multiple streams of income?
Once you answer these questions, you will transition from an employee to an entrepreneur (or business owner), and you can choose what work you want to do. You may choose to work the same long hours and make more money, or you may choose to have a more flexible schedule and adopt the digital nomad lifestyle. Just remember to outsource the critical business functions you don’t want to do to someone else (e.g., accounting, bookkeeping, sales, etc.).
This is not to say that transitioning your cyber security skills to the gig economy is easy. Substantial risks in job security, income variability, and lack of benefits come with all entrepreneurial pursuits. This is why I believe cyber security work will take on a hybrid approach as the gig economy grows. Many will choose to keep their corporate job but slowly focus less on this work and invest more time in gig work to supplement their income and eventually provide a different lifestyle.
Conclusion
Cyber security work is changing. It always has. From internal teams to outsourcing to remote work, the workplace constantly evolves as technology shifts and people’s perspectives on work change. However, we are on the precipice of a much larger change with the rise of remote work, the downsizing of traditional cyber security companies, and the birth of the gig economy.
There has been no better time for cyber security professionals to redefine how they make money from their unique skills and see themselves as a business rather than just working in one. The challenges are plentiful, but so are the opportunities.
This is not to say you need to be part of the gig economy right now. You may enjoy your corporate job, way of working, and your compensation. That is awesome! It is just important to be aware of what is happening around you. How others are shifting their work habits, how others are taking advantage of their skills, and how others are setting themselves up for potential future success.
Keep an eye on the trend toward the gig economy and how it could benefit you.
