Cyber Careers #1 - CyberSecurity Manager

UPDATE June 20, 2020: I posted this a little over a year ago - but with so many people interested in security, I thought it was a good time to share again.

This is the first in a series of articles describing cybersecurity careers. I started this research project on the recommendation of a very smart woman (thank you, Heather) who said it was a shame those interested in cybersecurity did not have a good picture of the many cybersecurity career options. My intention is to find a broad spectrum of jobs in the cybersecurity arena and provide you with information on them.

My first "subject" is Jacob Hill. I met Jacob several years ago when he was quite young and we both worked for GDIT. I was so impressed with this young man who was already working in computer positions and was barely out of high school. He was also very polite and hardworking. I've been following Jacob's career and we keep in touch occasionally; he has done quite a lot since our GDIT days.

Name: Jacob Hill, lives and works in Northern Virginia

Works for: Alamo City Engineering Services (ACES), based in San Antonio, TX

# Years in CyberSecurity: 9+

Current position: CyberSecurity Manager

Currently works in the policy/compliance arena using the Risk Management Framework (RMF). RMF has six steps:

1.      Categorize

Determine what information your system will process, and assign a criticality rating (High, Moderate, or Low) to the CIA (Confidentiality, Integrity, Availability) triad for each information type. Then a CIA rating is derived for the overall system.

2.      Select

The system categorization drives the number of security controls (aka requirements) you will have to account for. The security controls come from NIST 800-53. In DoD, CNSSI 1253 defines the security controls that should be applied to a system for the various CIA criticality levels.

3.      Implement

Implement the security controls along with technical guidance such as DISA STIGs (Security Technical Implementation Guides), and perform a self-assessment of the system.

4.      Assess

An independent agent assesses the system and the security controls, and submits the results to the authorizing official (AO).

5.      Authorize

The authorizing official reviews and assesses the risk based on the security package you prepared and the independent assessment that was conducted. The output of this process should be an ATO (Authority to Operate) and ATC (Authority to Connect).

6.      Monitor

Responsible for monitoring the security posture of the system. Patch management, maintaining the hardware/software baseline as it changes, etc.

Additional position: Also runs a company called TEKFused LLC that focuses on web design, hosting, and online marketing.

What do you like most about your job?

Cybersecurity:

• I like that we can influence the design and architecting of a system.
• My customer is very easy to work with! As always, people make a big difference.

TEKFused LLC:

• I have been able to gain more technical knowledge about operating in the cloud, Linux and web servers! It has been a great experience and has aided me in my primary cybersecurity career.

What do you like least?

Cybersecurity

• RMF isn’t the most exciting work and can be quite dry.

TEKFused LLC

• The administrative side of running a business (Contracts, taxes, etc).

What work did you do prior to this position?

• I started in a technical support role at a small site with about 30 folks. Because I was at a smaller site, I was able to branch out into Tier 3 areas (Active Directory, etc). After that position, I moved to another technical support role with a much larger customer base.
• After that role, I moved on to a role with the federal government. This role was quite different as I was working with IT procurement, and then dealt with some project management and contractual activities. I also learned about the DoD’s acquisition process. This role was quite different, but it was a great experience in an area I hadn’t dealt with before.
• In my next role I began my journey into compliance as part of the Certifying Authority’s staff. The compliance framework at that time was the DoD Information Assurance Certification and Accreditation Process (DIACAP). I learned a lot here, and it was very beneficial to review the various packages as they went up to the Designated Approving Authority for an ATO.
• In my next role I helped create a RMF package for a weapons system. I also worked to integrate the cybersecurity activities into the program’s integrated master schedule (IMS). There were many organizations and many moving parts to this program, so this was a great way to learn how the program was managed and developed.
• In my current role, I’m leading the RMF charge! We have successfully achieved our three year ATO, and are continuously monitoring the security posture of the system. The system is a security appliance, so this is yet another interesting experience.

What do you see as your next step?

Level up in my managerial skills and obtain the Linux+ certification.

Salary range for your position: $115-160K 

Education & Growth

Degree or no degree: I believe a degree is valuable, however, many that I know do not think the investment is worth it, and that you can do just as well without a degree. I’m not sure that is necessary for an IT technician or a cybersecurity analyst, but I’m sure it would be difficult to compete for director-type positions in larger companies/government.

There are so many online free and paid IT learning platforms now. It is easier than ever to make a career change!

If degree, what degree?

I have a Bachelor’s degree in IT, concentrating in Information Security. I don’t believe I’ll ever invest in a master’s degree because I’m doing well without it. I’d rather spend my time and money on other things like growing my side business.

Certifications held?

CISSP, CEH, USMC Validator, Security+, ITIL v3, Google Analytics, Google Ads (Search)

What do you do to stay up-to-date, or grow, in cyber?

Configuring a web server has been very enlightening. I continue to learn and research various aspects of Linux, web servers, and web security as I find topics that I don’t have deep knowledge on.

Favorite cyber news source and/or podcast?

McAfee has a nice cyber podcast called “Hackable.” It is designed to appeal to the masses, so it isn’t very technical, but the scenarios are pretty interesting. I really enjoyed their podcast about hacking the car wash.

The National Vulnerability Database lists the most recent vulnerabilities and includes many references for vulnerability research.

Thank you to Jacob for being my first "subject" in this exciting research project.