Tim Holman, CEO of 2-sec, presents his average day including work on data breaches, penetration testing and security audits. He also discusses the skills gap in the information security industry and how ISSA-UK is attempting to coordinate training across the industry to improve the problem.

1. A Day in the Life of a Cyber
Security Professional
Tim Holman, CEO of 2-sec
18th June 2015

2. Focus on:
• Typical day to day activities as CEO of 2-sec.
• The highlights (and lowlights) of my cyber
security career.
• How to develop YOUR career as a cyber security
professional.
• How can the ISSA created Cyber Security Career
Lifecycle™ help?

3. Tim Holman, CEO 2-sec
• 20 plus years security experience in Cyber security
including:
– auditing
– penetration testing
– credit card security
– ethical hacking
– training
– incident response
• Awarded Microsoft MVP Security in 2004, 2005 and 2006
• Director of the ISSA International Board, Fellow of ISSA
and Previous President of ISSA-UK

4. What do I do all day!?
• Work in a multi disciplinary team across the South
of England.
• Help many different types of UK businesses from
SMEs to large conglomerates.
• All market sectors, including retail, financial,
professional services hospitality.
• Penetration Testing, Audits and Assessments, PCI
DSS, CISO, Physical Security and Training.

5. What do I do all day!?
• Most of my time is ADVISING existing and new clients.
• Also responsible for projects including:
– Security assessments including pen testing/physical
– Card security
– Auditing companies to gain industry compliance e.g. PCI
DSS.
– Incident Response Planning
• Disaster management during data breaches.
• Managing ISSA.
• Each day is different.

6. Highs and Lows of my Career
Highs (or the good bits)
• Recognition
• Making a difference
• Helping others
• Defeating cyber
crime
Lows (or the bad bits)
• Box tickers
• Some vendors
• Sales guys
• Bootcamps

7. Why are we successful?
• Experience of our consultants who are
KNOWN to be experts in their fields.
• Experience in many different sectors.
• Our commercial understanding.
• We communicate well with our clients.
• We provide simple, cost effective solutions
in non technical language.

8. Cyber Security as a Profession
• Over 50 different career types within cyber
security.
• Reports of 300,000 and 1,000,000 current
cybersecurity positions are vacant.
• Demand is expected to rise as public, private and
government sectors face unprecedented numbers
of cybersecurity threats.
• The lack of cybersecurity talent can be an
organization's biggest vulnerability, exposing it to
serious risk.

9. Problems with the Profession
• The Information Security profession has
developed largely in reaction to threats.
• Now we are paying the price with an enormous
gap of skilled professionals and an entire “missing
generation.”
• No synergy around defining cyber security roles;
e.g Network Security Analysis in USA may not
have same responsibilities as those working for
other countries.

10. The profession has developed in
REACTION to threats
Somebody is trying to
get in – stop them
Somebody got in – find
out what they did
How do we stop somebody
from getting in?
Stop them at the border with
firewalls, then with intrusion
prevention/detection
• General IT support staff
(system managers, networks,
operators, etc.)
• Security Analysts
• Network Security Engineers
Locking down systems to
prevent further damage and
retrace the steps
• General IT support staff
(system managers, networks,
operators, etc.)
• Security Analyst
• Network Security Engineers
• Forensic Analysts
• Cyber law enforcement
• Cyber legal council
Locking down systems and
building the defense in layers
• General IT support staff
(system managers, networks,
operators, etc.)
• Security Analysts
• Network Security Engineers
• Forensic Analysts
• Cyber law enforcement
• Cyber legal council
• Security Architects
• GRC Specialists
• Secure Code Developers

11. There really IS a problem
• Our reactive development has not allowed for:
• Developing a professional career map.
• Building what we need to be proactive.
• “next generation”.
• Well rounded skill sets.
• Our industry has taken a knee jerk reaction:
• Tremendous push by governments to fill the gap through
formal education programs.
• New training and education programs are popping up
everywhere.
• No collaboration between entities or countries.
• No “voice” speaking for the profession/professional.

12. The Cyber Security Career Lifecycle™
The CSCL is a systematic approach that:
• Enables professionals to discover the areas of
weakness.
• Defines personalized career map.
• Provides guidance, resources, and a support
system to achieve skills and career goals.
www.issa.org/cscl

13. What is the CSCL?
The CSCL is a systematic approach that:
– Enables professionals to discover the areas of
weakness in their skill sets and aptitudes.
– Defines personalized career map according to the
individuals knowledge, skills, aptitudes and interest.
– Provides guidance, resources, and a support system
to achieve skills and career goals.

14. The Cyber Security Career Lifecycle™
Pre-
Professional
Entry
Mid-
Career
Senior
Leader

15. Understand your career!
Self -Assessment
Knowledge, Skills, Aptitudes
Career Mapping
Personal
Guidance

16. Understand your career!
Understand where you currently are in your career
• Career Mapping
• Self assessment using KSAs
ISSA resources to strengthen & grow
• Knowledge sharing
• Formalized training
• Networking
• Mentoring
Direct feedback for new services

17. ISSA Career Progression Continues…
• Focus on the “missing generation”
• Meet-ups (virtual & in person)
• Mentoring
• Continuing support of all phases
• Journal
• Webcasts
• International Conference/ CSCL Tracks
• New service development using CSCL phases
• International Consortium for Cyber Security Education
and Professional Development (ICCE&PD)

18. Thank you very much!
STAND BH514
tim.holman@2-sec.com
0844 502 2066
@2_secure
www.2-sec.com
Any Questions?