Hi everyone,
With more than 20 years' experience implementing, managing and leading Software Development and Software Configuration Management teams, I have almost completed formalising my knowledge with ISC accreditations (CISSP, CSSLP, CCSP and soon the CISSP-ISSMP).
I have found as I have studied that there are many more commonalities with what I have been doing at an enterprise and large programme level for decades - everything from the technical understanding of the concepts through to how to prepare and implement strategies, plans and cultural change through education, enablement and governance. So it's been a pretty natural step to get the necessary qualifications.
I must say I do like how the ISC exam questions are clearly written for people with the practical implementation experience rather than just looking for exam takers to repeat by rote.
It appears that people coming from a software engineering background seem to be quite rare in cyber security. For example, when I was looking for someone to endorse me for the CISSP, I found only 2 of my LinkedIn contacts, out of over 1000 people, who were CISSPs.
But herein lies my problem. I get the impression now that many recruiters don't quite know how to stereotype me. When they look at my experience, they don't see roles directly with security in them - even though a large part of what I have been doing has been ensuring teams respect the CIA triad.
I am even seeing roles that touch on software application security in the posting, and when the recruiter sent through their client's original request, there was a much heavier focus on software than the other aspects. They had actually modified the requirements for the posting so it was less software centric.
Has anyone else experienced this sort of thing? Do you have any pointers?
As a bit of background, when DevOps started to take off and I saw teams spinning up AWS instances using their credit cards instead of working with the infrastructure and security teams, I took a conscious decision to remain in SCM, as I viewed and still view DevOps as a subset of Software Configuration Management - or at least to the extent to which I have employed the discipline over the years, in any case. I think incidents like the Solarflares hack are probably a good example of how the focus on availability and schedules that has predominated in the Software sector is resulting in adverse outcomes.
Anyway, if anyone has any tips here, I would really appreciate it.
If you're still active in software development, there has been more of a need for security engineering. In addition to being proficient in specific code (.NET, etc.), there is a need to understand vulnerabilities found in tools such as Fortify, where a developer needs to fix/maj/minor releases, in addition to integration with technologies (DB, ITL, web, access management, SIM, etc.). So I would consider learning new coding techniques for use in the Cloud, security tools that might require software coding/scripting, and even penetration testing.