Risky Context W2: Key Themes and Insights on Cybersecurity Careers
This edition summarises a series of articles from my blog "Risky Context" on various aspects of cybersecurity careers.
Here I am, again, with my selected articles, in the form of a newsletter. While this will be a weekly newsletter, all of my articles are available on my website (https://sripati.info). Subscribers on my website will get my articles immediately, as I publish them.
I am a top-down guy. I made a lot of mistakes. I learnt from my mistakes; my website and this newsletter are a reflection of them.
I hope you like it. Not my mistakes, but the learnings.
Enjoy.
Offense vs. Defense (https://sripati.info/offense-is-not-sexiest-defense-is/):
Glamour doesn't equal value: While offensive security roles like penetration testing or bug bounty hunting often hold a "glamour quotient," defensive security is equally crucial.
Leveraging existing skills: System and network administrators transitioning to cybersecurity can leverage their expertise effectively in defensive roles like threat hunting or SOC analysis.
Understanding "why cybersecurity?": Choosing a career path (offense or defense) should be driven by genuine interest and a clear understanding of "why cybersecurity," ensuring long-term motivation and success.
Top-down vs. Bottoms-up Thinkers (https://sripati.info/it-matters-in-cybersecurity-if-you-are-a-top-down-or-bottoms-up-person/):
Different approaches to learning and problem-solving: Cybersecurity professionals can be categorised as top-down learners (systems-level thinkers) or bottom-up learners (who prefer hands-on learning).
Career paths aligned with thinking style: Recognising your thinking style is crucial for choosing a fulfilling career path. Top-down thinkers thrive in roles like auditors, risk assessors, and architects, while bottom-up thinkers excel as security testers, programmers, and bug bounty hunters.
Bridging the gap: While individuals naturally gravitate towards one style, it's possible to develop skills in the other, albeit with additional effort and time. A penetration tester moving to an auditing role will need to learn risk assessment and reporting, while an auditor transitioning to penetration testing will need to acquire technical skills and methodologies.
Cybersecurity Job Descriptions and Expectations:
https://sripati.info/on-cocktail-jds-in-infosec-and-why-they-will-keep-coming/
Cocktail JDs: The cybersecurity industry is characterised by "cocktail JDs" that combine diverse skill requirements, because security is a cost centre and companies seek to maximise the ROI on their hires.
Bridging the gap between GRC and technical skills: While GRC professionals focus on strategic and governance aspects, having hands-on technical experience enhances their effectiveness. Understanding tools and processes allows for better documentation, risk identification, and audit performance.
https://sripati.info/please-don-t-kill-your-ciso-if-he-doesn-t-know-how-a-virus-works/
The evolving CISO role: The CISO role demands a balance of management and technical expertise. While deep technical knowledge like understanding how a virus works might not be necessary, understanding the team's technical explanations is crucial for effective decision-making.
Certifications as enablers, not guarantees: Certifications like CISA and CISM provide valuable knowledge but don't automatically translate to competency. Continuous learning, practical experience, and the ability to apply knowledge are essential.
The Realities of a Cybersecurity Career:
https://sripati.info/risks-of-a-cybersecurity-career/
Burnout risk: The dynamic and demanding nature of cybersecurity makes burnout a real risk. Juggling multiple tasks and constant learning can take a toll on mental and physical health.
Importance of "why cybersecurity?": Having a strong "why" is essential for navigating challenges and staying motivated. Understanding your motivations helps you persevere through difficult phases and achieve success.
A day in a pen-tester's life: Beyond the technical aspects of penetration testing, the role involves significant planning, coordination, reporting, and client communication. https://sripati.info/a-day-in-a-pen-tester-s-life/
Security as a cost centre: Recognising that security is often viewed as a cost centre (except in companies providing security services) helps professionals navigate organisational dynamics and advocate for resources effectively. https://sripati.info/security-is-a-cost-centre/
Key Quotes:
"While offense is glamorous, defense is better." ("Offense is not the sexiest game in town, defense is...")
"Knowing your thinking and learning process (top-down or bottoms-up) is crucial in general, but it takes center-stage when you mull over a career switch." ("Are you a top-down or bottoms-up person? It will matter while switching career in cybersecurity")
"What is invisible (individual needs, desires, and greed) will always drive what is visible (JDs, compensation, market preferences in infosec hiring and purchases, etc.)." ("On cocktail JDs in infosec and why they will keep coming...")
"Burn-out is real, more so in cybersecurity." ("Risks of a cybersecurity career")
"That “why” will be the only thing that could guide you from darkness to light, from “being naked” to “running naked with eureka”." ("Risks of a cybersecurity career")
So that's all for this week. See you next week, with some more articles. Please consider subscribing to this newsletter. Being a member on my website will get you these articles as soon as I publish them.