Information Security Engineer: A Road More Frequently Traveled
*Note: This article was originally published by the author on September 23, 2020.
Beyond the basic information security principles of Confidentiality, Integrity, and Availability (the CIA triad), non-repudiation (undeniability), authentication, using unique passwords, replacing passwords with longer passphrases, defense-in-depth, least privilege, least functionality, multi-factor authentication (MFA), and the many, many more principles and best practices that most infosec professionals are familiar with, there lies an entire universe of security sub-domains, each focused on a different facet of securing some kind of technology. It is far too much for any one person to learn or know it all; seriously, that is the understatement of the century. That won't stop some of us from trying, though. It is possible to accumulate a very solid working knowledge of each domain, but to really appreciate just how complex each domain of information security engineering is can take years of study and on-the-job or in-the-virtual-lab practical application.
Learning how to design secure applications, systems, networks, devices, and Internet protocols, as well as how to harden them, has always been a personal interest of mine. Of course, this goes hand in hand with my other calling as an independent security researcher. I tend to think that you can't really know how best to protect a certain type of technology without having attacked and dissected it, physically if possible. You can call this hacking or just plain old figuring out how electronic hardware, software, and networks function. I think all the good IT professionals are a little bit hacker at their core.
No matter what your personal level of experience is in information security engineering, whether you're already a highly established subject matter expert or a fledgling newbie with a flickering interest in InfoSec, this is an exciting topic of study given the times we live in, where cybersecurity (Computer Network Defense or CND), cyber espionage (Computer Network Exploitation or CNE), and cyberwarfare (Computer Network Attack or CNA) are proving to be such pivotal themes in national security and global economic posturing.
The Better-Known Role of the Information Security Engineer
In my day job, I work as an information security engineer and in my spare time, I am also an independent security researcher who writes and publishes articles on information security and digital privacy-related topics. It may surprise some to learn that a good many cybersecurity jobs fall under the umbrella domain of Information Security Engineering in some way or another. Many information security professionals work in security engineering or a closely related discipline. The job title that someone holds is not necessarily an indicator of what that person actually does in their day-to-day in their job. You’ve probably seen examples of this throughout your career.
I can’t blame people for making the mistake of jumping headlong into a career field simply because they want to earn more money. Financial security is a major motivating factor in this life for everyone regardless of whether they admit it or not. So, yes, you can make a good living as an information security engineer or a privacy engineer, but it won’t be the money that is likely to keep your interest burning. You need to have a thirst to learn, a yearning to improve cybersecurity across a wide swath of domains or in a few niche areas (totally, your choice). You’ll naturally gravitate towards whatever motivates you more.
Perhaps you want to work on application security for mobile devices, so you decide to pursue a career as an AppSec Engineer. Or perhaps cryptography is your passion and you decide to put your super math skills to the test developing cryptographic algorithms and methods of encryption for various devices and applications. That is very challenging work; my hat is off to those who are knowledgeable and skilled enough to do this or really any other Information Security Engineering type of role. Malware reverse engineers are also incredibly knowledgeable and skilled at reading and dissecting code to figure out what cybercriminals and state actors are trying to achieve with their malware tools.
Reverse Engineering (RE) is another fascinating topic of study and a personal favorite of mine. But there’s nothing plain-Jane about just focusing on helping to design secure Internet protocols (see IETF and IEEE) or computer chips. There are so many subsets of InfoSec Engineering that I think if you have any kind of interest in computers and cybersecurity, you should not be hard-pressed to find at least one area that you would enjoy specializing in.
The Common Body of Knowledge (CBK) Security Domains:
- Access Control Systems & Methodology
- Applications and Systems Development Security
- Business Continuity Planning & Disaster Recovery Planning
- Information Security & Risk Management
- Legal, Regulations, Compliance, & Investigations
- Operations Security
- Physical Security
- Security Architecture & Models
- Telecommunications & Network Security (Jacobs, 2016)
Each one of the CBK sub-domains is an entire industry unto itself, with jobs available for those who meet the education, certification, skill, and experience requirements. Maybe you're an academic, in which case you prefer to pursue a doctoral degree and want to work on research projects for a particular university or college while publishing your research work. Information Security Engineering is such a fascinating field of study that there is something for everyone.
The Confluence of Information Security and Digital Privacy
Before we can have a meaningful discussion about how best to interleave security and privacy, we must first have a solid grasp of the fundamental differences between each area of interest because one is often conflated with the other. So…
Security is defined as “the quality or state of being secure,” and more specifically related to computer or information security, “measures taken to guard against espionage or sabotage, crime, attack, or escape” (Merriam-Webster, 2020).
Privacy is defined as "freedom from unauthorized intrusion" and "secrecy" (Merriam-Webster, 2020). I think this definition is fitting, but still there always seems to be confusion about the differences between security and privacy. The differences are often hard to describe and there is often overlap, so I've tried to put it into an easy-to-understand format using a Venn diagram (I know, everyone's favorite!). You'll notice that several of these security principles and controls work for both security and privacy.
The reason I've chosen to highlight the conflation of security and privacy is that this is something you will undoubtedly encounter should you decide to pursue a career in the information security engineering or privacy engineering field. Privacy engineers work to develop technological privacy controls and privacy-enhanced application and system designs. Privacy engineering is not brand new, but I'd call it a newer subset of the information security engineering domain. Privacy is becoming increasingly important to people around the world thanks to ubiquitous surveillance camera monitoring, Automatic License Plate Readers (ALPR), Facial Recognition Systems (FRS), and governments/law enforcement agencies deploying Stingray cell phone interception technology to spy on citizens. There will always be a need for privacy engineers who possess the necessary skills to develop secure, private technology to keep prying eyes out of our personal lives.
Integrating Both Security & Privacy Into Systems
Contrary to what you may have heard, the world is never just black or white. That's what makes life so interesting. There are all kinds of shades of color in between that we enjoy without even thinking about it. In this same way, you can actually have your cake and eat it, too, in terms of having both privacy and security in applications or systems. It is possible to implement both. It just needs to be intelligently and carefully designed to achieve both to the greatest extent possible from the outset. This harmonious combination of privacy and security is best achieved in the initial security and privacy design, not by bolting on security or privacy controls after a product is mass-produced for the market. It needs to be baked in with the original ingredients, much like a batch of chocolate chip cookies. If you bake the cookies and then add the chocolate chips afterward, it will be a hot mess, but it still might taste good!
Information Security Is A Continuous Loop
We also know that security is continuous, not linear. It is not a thing you do once by applying specific security controls and then never revisiting them to determine whether each control is still working as intended and is therefore still effective. You will need to continually circle back to aspects of your design to improve and further harden it so that it is protected against newly discovered cybersecurity threats. Cybercriminals, including state actors, are constantly looking for new ways to exploit security loopholes and weak security designs. Our job as information security engineers is to ensure that this doesn't happen, and it is one reason why it is a best practice to employ a defense-in-depth cybersecurity strategy. In the field of information security engineering, what you don't know and the cyber threats you aren't aware of can be your employer's downfall. Therefore, it pays to continue learning, attend security conferences, and attempt to stay on top of cybersecurity developments.
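One concrete way to "circle back" and confirm that a control is still doing what it was designed to do is to re-check the configuration it depends on against the baseline you decided on, rather than trusting that it was set correctly once. The script below is an added example written for this article, not the author's own code or any product's tooling; the baseline, the sample sshd_config, and the helper names are constructed for the illustration. It parses an OpenSSH server config the way sshd does (first occurrence of a keyword wins, comments ignored) and reports every hardening setting that has drifted from the baseline, including settings that are simply missing.

```python
"""Added example: a drift check for a handful of SSH hardening controls.

The BASELINE and SAMPLE_SSHD_CONFIG below are constructed for this
illustration; they are not from the article or from any real host.
"""
import re

# Constructed baseline: the values chosen when the control was designed.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "3",
    "X11Forwarding": "no",
}

# Constructed sample of a config that has drifted since the control was applied:
# password auth was re-enabled, MaxAuthTries was raised, X11Forwarding was dropped.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
"""


def parse_sshd_config(text):
    """Return the effective value of each keyword as sshd would see it.

    sshd uses the first value given for a keyword and ignores later ones,
    skips blank lines and comments, and matches keywords case-insensitively.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        effective.setdefault(key, value)  # first occurrence wins, as in sshd
    return effective


def check_drift(config_text, baseline=BASELINE):
    """Compare the effective settings against the baseline.

    Returns {keyword: (expected, actual)} for every setting that differs.
    A keyword that is absent is reported with actual=None, because sshd's
    compiled-in default may not match what the baseline requires.
    """
    effective = parse_sshd_config(config_text)
    drift = {}
    for key, expected in baseline.items():
        actual = effective.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            drift[key] = (expected, actual)
    return drift


if __name__ == "__main__":
    for key, (expected, actual) in check_drift(SAMPLE_SSHD_CONFIG).items():
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
```

Run on the sample, it flags three settings: PasswordAuthentication (re-enabled), MaxAuthTries (raised from 3 to 6), and X11Forwarding (no longer set at all). Scheduling a check like this, and alerting on a non-empty result, turns a one-time hardening step into the continuous loop the paragraph describes.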
The intent of this article is not to give readers a full rundown of every single aspect of information security engineering, but just enough to whet your appetite and perhaps pique your interest a bit. There’s so much more to learn and study for those interested. I highly suggest picking up a copy of Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance (Jacobs, 2016).
It explains many of the overarching concepts you need to be familiar with to work within the cybersecurity industry and many of these concepts are the same ones you’ll see on all of the IT security certifications that are needed to break into certain job specialties.
Security Researcher: A Road Less Frequently Traveled
*Note: This article was originally published by the author on May 5, 2019.