Guide to Careers in Cyber Systems Planning, Testing, and Procurement
Cyber systems are those elements of computer systems, information technology (IT) infrastructures, and networked mobile devices that provide security, protect vulnerabilities, prevent unwanted incursions, and mitigate the damage caused by cyberattacks. Cyber systems can also be more broadly defined to include the personnel, policies, and organizational measures taken to maintain the security of digital assets, including physical components, the facilities that house those components, and the data contained in IT networks and storage banks. The work that goes into engineering, evaluating, installing, and maintaining hardware and software security solutions, as well as ancillary efforts to implement security policies and procedures, is the purview of professionals in the specialized field of cyber systems planning, testing, and procurement.
Developing plans to secure new and existing IT infrastructures, testing various components of those plans to ensure their viability, and facilitating the procurement of cyber systems security components represents an ongoing challenge within the field of cybersecurity. It typically requires the efforts and expertise of teams of engineers, researchers, analysts, programmers, and policy makers who can identify cyber system vulnerabilities, evaluate existing and emerging system security products and protocols, recommend patches and system security upgrades, and coordinate the integration of security hardware, software, and policy solutions. Thus, in addition to being a central concern in cybersecurity, cyber systems planning, testing, and procurement is an evolving field that requires a diverse array of trained professionals who possess complementary technical, analytical, and managerial skills.
Employment Opportunities in Cyber Systems Planning, Testing, and Procurement
Cyber systems planning, testing, and procurement typically draws on the skills and talents of multiple individuals who are knowledgeable about the computer hardware and software that comprise IT systems, the function of mobile communication networks, the nature of common cyberattack vectors, and the most up-to-date strategies for defending and securing cyber assets. Large businesses, organizations, and government/military agencies that have extensive IT and mobile communications networks and sensitive data to protect are likely to employ professionals in cyber systems planning, testing, and procurement capacities in specialized departments and/or as part of their overall IT strategy. This includes but is not limited to healthcare organizations, government agencies at the federal, state, and city levels, and businesses in the manufacturing, technology, and financial sectors of the economy.
While larger enterprises are more likely to have the resources to devote to cyber systems planning, testing, and procurement teams, cybersecurity has become a pressing concern for many small- to mid-size businesses and organizations as well. These entities and enterprises may desire or require the research and development expertise of cybersecurity specialists who analyze new and emerging cyber defense products and policies, engineer security solutions, and recommend effective approaches to securing IT systems, data, and components. As a result, there are an increasing number of independent contractors and consultancy groups that provide cybersecurity services, including cyber systems planning, testing, and procurement services.
Professionals working in this area of cybersecurity can thus find employment opportunities as in-house cyber systems analysts, architects, engineers, managers, and researchers, as well with contractors who specialize in providing cyber systems planning, testing, and procurement guidance to clients in one or more sectors of the economy.
Among some of the more common titles for professionals who work in this field are:
- Cyber Research and Development Specialist
- Cyber Systems Requirements Planner
- Enterprise IT Systems Security Officer
- Network and Systems Security Architect
Knowledge, Skills, and Abilities for Cyber Systems Planning, Testing, and Procurement
Planning, testing, and procuring is a multifaceted process in the field of cybersecurity, one that typically requires input from several different professionals with experience in areas such as IT architecture, enterprise information systems, network security, communications technologies, risk management, project and supply chain management, new and emerging cyber threats, and the latest advances in cyber defense tools and technologies. Indeed, an effective cyber system planning, testing, and procurement team might include computer programming and engineering professionals, cyber policy analysts, and enterprise IT management specialists, while also drawing on the expertise of penetration testers, malware experts, and others with capabilities in areas related to identifying and addressing system security vulnerabilities. Thus, it would be misleading to suggest that there is one clearly defined skillset associated with the process of planning, testing, and procurement of cyber systems.
However, there are key areas of expertise with applications that are central to cyber systems planning, testing, and procurement. These areas are addressed within the Workforce Framework for Cybersecurity (NICE Framework), a systematized analysis of work roles within the field of cybersecurity created by the National Initiative for Cybersecurity Education (NICE), a public and private sector partnership created under the auspices of the National Institute of Standards and Technology (NIST).
The NICE Framework defines 52 cybersecurity work roles and delineates dozens of Knowledge, Skills, and Abilities (KSAs) for each role. Among those work roles are Enterprise Architect, Security Architect, Research & Development Specialist, and Requirements Planner, which fall under the broader specialty areas of Systems Requirements Planning and Systems Architecture. This is the specialty area that encompasses cyber systems planning, testing, and procurement.
The sections below draw on KSAs associated with Systems Requirements Planning and Systems Architecture in the NICE Workforce Framework for Cybersecurity, as well as from actual listings for jobs in cyber planning, testing, and procurement.
General Technical Knowledge
- Applications and potential vulnerabilities of network equipment, including hubs, routers, switches, bridges, servers, transmission media, and related hardware
- Cloud security concepts and protocols
- Computer networking concepts and protocols and operating systems
- Common cyber threats and vulnerabilities
- Cryptography and cryptographic key management concepts
- Extensible Markup Language (XML) schemas
- Information Theory
- Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy
- Mobile communications network architecture
- Network security architecture tools and concepts
- Object-oriented programming languages such as Java and C++
- Public-Key Infrastructure (PKI) encryption
- Transmission Control Protocol (TCP0 and Internet Protocol (IP), as well as the Open System Interconnection Model (OSI), and the Information Technology Infrastructure Library (ITIL)
- Unified Modeling Language (UML)
Systems Planning, Testing, and Procurement Knowledge and Skills
- Common computer systems security and access control frameworks, such as the Bell-LaPadula model, and the Biba and Clark-Wilson integrity models
- Electrical engineering and the use of circuit boards, processors, chips, and computer hardware in network architecture
- Hardware, software, and malware reverse engineering techniques
- Middleware applications
- Penetration testing tools and techniques
- Personally Identifiable Information (PII), Payment Card Industry (PCI), and Personal Health Information (PHI) data security standards
- Software-based cybersecurity tools (e.g., software firewalls, antivirus software, and anti-spyware)
- Supply chain risk management practices
- System design tools, methods, and techniques
- Systems engineering processes
- System software and organizational design standards, such as the International Organization for Standardization [ISO] guidelines for system design
- Systems testing and evaluation methods
- Interpersonal communication and management skills
- Scientific research skills
- Technical writing skills
Training and Credentials in Cyber Systems Planning, Testing, and Procurement
Working and advancing in the field of cyber systems planning, testing, and procurement typically requires a combination of formal training in computer and IT systems, and professional experience in areas such as enterprise/data systems management, systems security administration, penetration testing, digital forensics, and computer engineering. While the process of acquiring these skills can begin in high school and college with coursework in computer programming, information science, electrical engineering, and other adjacent technical fields, it typically includes a degree program and/or several years of experience in a computer or IT field.
Graduate degree and certificate programs that provide advanced technical training in systems architecture, programming, engineering, and/or information security are also an effective means of cultivating a career in cyber systems planning, testing, and procurement.
Bachelor’s, Master’s, and Graduate Certificate Programs in Cyber Systems Planning, Testing, and Procurement
There are a number of different academic pathways that can prepare students for work in the field of cyber systems planning, testing, and procurement, including undergraduate and graduate degree programs in computer science, computer engineering, information science, and information technology (IT) systems. It is also increasingly common for computer science and engineering departments at accredited colleges and universities to offer designated cybersecurity, cyber systems, and IT systems security specializations and/or degree programs that focus on KSAs that are central to planning, testing, and procurement in the field of cybersecurity.
Bachelor’s in cybersecurity programs typically provide foundational training in computer science and programming with coursework that focuses on the theories and practices used to defend and secure cyber systems, providing students with a grounding in many of the skills needed pursue a career in cybersecurity. At the master’s level, there are cybersecurity degree programs, as well as engineering, computer science, and IT degree programs with cybersecurity specializations that offer advanced training in cyber systems design, secure digital technologies, and other topics that have applications in the field of systems planning, testing, and procurement.
In addition, for students who have completed a bachelor’s or master’s degree and have some technical training in computer programming, IT management, or cybersecurity, some schools offer graduate certificate programs in cyber and information systems security. Completing a graduate certificate program in cybersecurity is another way to cultivate KSAs that have direct applications to careers in systems planning, testing, and procurement.
Professional Credential and Certifications in Cyber Systems Planning, Testing, and Procurement
Outside of academia, there are non-profit professional organizations and private, for-profit entities that offer bootcamps, training programs, and certifications in various cybersecurity specializations, such as IT systems security, penetration testing, and cybersecurity management. For example, the International Council of Electronic Commerce Consultants (EC-Council), a private company based in the US, offers training and certification programs in many subject areas that have applications in the planning, testing, and procurement processes associated with cybersecurity.
The certifications and training programs offered by the EC-Council include: Certified Network Defense Architect (CNDA), Certified Penetration Testing Professional (CPENT), and Certified Cloud Security Engineer (CCSE). These are all subject areas that are integral to cyber planning, testing, and procurement.
The Council of Registered Ethical Security Testers (CREST) is an example of a non-profit organization that offers professional credentials that can be useful to professionals in cyber planning, testing, and procurement. These include, Registered Penetration Tester (CRT), Certified Infrastructure Tester (CCT INF), Registered Threat Intelligence Analyst (CRTIA), and Registered Technical Security Architect (CRTSA).
The certifications noted above, and several other credentials that have applications in cyber systems planning, testing, and procurement, are listed below:
- Certified Information Security Management (CISM), offered by ISACA (formerly the Information Systems Audit and Control Association)
- Certified Network Defense Architect (CNDA), Certified Penetration Testing Professional (CPENT), and Certified Cloud Security Engineer (CCSE), offered by the EC-Council
- Certified SCADA Security Architect (CSSA), offered by the Infosec Institute
- CompTIA Advanced Security Practitioner (CASP), offered by the Computing Technology Industry Association (CompTIA)
- GIAC Defensible Security Architecture (GDSA), GIAC Certified Enterprise Defender (GCED), and GIAC Information Security Professional (GISP), offered by the SANS Institutes Global Information Assurance Certification program
- Information Systems Security Architecture Professional (ISSAP), offered by the International Information System Security Certification Consortium (ISC²)
- Registered Penetration Tester (CRT), Certified Infrastructure Tester (CCT INF), Registered Threat Intelligence Analyst (CRTIA), and Registered Technical Security Architect (CRTSA), offered by CREST
Examples of Jobs in Cyber Systems Planning, Testing, and Procurement
The section below provides examples of the types of positions for which companies and organizations are commonly hiring in the field of cyber systems planning, testing, and procurement. These examples are composites that draw on actual job listings. They are meant to offer a representative overview of common work responsibilities, as well as the educational and training requirements and other qualifications for work in this field.
Cyber Infrastructure Support Operational Planner
- Primary Responsibilities: Provide operational planning support to government clients on policies, procedures, and strategies governing the planning and coordination of cyber defense operations; assist in the research, development, maintenance, and revision of cyber defense plans; and report to clients and stakeholders on critical cyber operational issues.
- Education: Bachelor’s degree.
- Experience: Three or more years in positions that involve researching, writing, and editing operational planning documents for government or military agencies preferred.
- Credentials: None specified.
- Technical Proficiencies: Thorough understanding of cybersecurity and cyber defense concepts and terminology; ability to apply common cybersecurity frameworks, such as the NIST Cybersecurity Framework; and familiarity with government and military procurement procedures.
- Other Attributes: Ability to write clear and effective reports for executive senior leadership; ability to work independently and collaboratively; strong verbal communication skills; and eligibility for government security clearance.
Cybersecurity Research Engineer
- Primary Responsibilities: Design and maintain resilient networks; perform malware analyses and reverse engineering projects; design, implement, and test components of research prototypes and software systems with cybersecurity applications; and work as part of a team to analyze, assess, and test cybersecurity components.
- Education: Bachelor’s degree in computer science, computer engineering, electrical engineering, applied mathematics, physics, or related scientific/engineering field.
- Experience: Five or more years with bachelor’s degree; three or more years with master’s degree; one year with doctoral degree.
- Credentials: Computer engineering and/or cybersecurity professional certification preferred for candidates without a graduate degree.
- Technical Proficiencies: Coding in C, C++, Java, Python, Go, or a similar language; working knowledge of Linux, MacOS, Windows, and mobile operating systems and platforms; familiarity with computer networking technologies and development toolsets (e.g., Git, subversion, CI/CD toolchains); knowledge of networking protocol design, network emulation, and virtual networks; and knowledge of reverse engineering methods.
- Other Attributes: The ability to apply mathematics, statistics, and linguistics to data sets in order to uncover patterns and extract useful information; knowledge of the Department of Defense (DoD) research community; and eligibility for security clearance.
Enterprise Security Engineer
- Primary Responsibilities: Coordinate data security operations; conduct and document vulnerability assessments; provide data security recommendations to research and development team; participate in the design, implementation, and analysis of security practices, to include threat assessments, patching, and network maintenance; verify software implementation protocols from a product security standpoint; and assist engineering teams in internal and external infrastructure risk assessment and compliance efforts.
- Education: Bachelor of Science (BS) or Master of Science (MS) in computer science, information security, or computer engineering.
- Experience: Four or more years in enterprise network security.
- Credentials: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or similar professional certificate preferred.
- Technical Proficiencies: Working knowledge of industry standard security frameworks, such as the NIST Framework and the International Information Security Standard (ISO); experience with threat/vulnerability assessment and penetration testing tools and methodologies; computer network maintenance capabilities; and experience working with Linux operating systems.
- Other Attributes: Ability to communicate sensitive information effectively to a variety of key stakeholders.
Cyber Security Architect
- Primary Responsibilities: Identify security design gaps in existing and proposed architectures; design enterprise security products using existing and emerging technologies; integrate security products into existing architecture to mitigate threats as they emerge; and interface with project management and strategic operations teams.
- Education: Bachelor’s degree in computer science, engineering, or cybersecurity required; master’s degree preferred, depending on level of professional experience.
- Experience: Five or more years in enterprise architecting/engineering and IT security operations.
- Credentials: None specified.
- Technical Proficiencies: Computer programming, networking, and engineering; knowledge of COTS (commercial-off-the-shelf) enterprise security solutions; and familiarity with disaster recovery and business continuity planning.
- Other Attributes: Technical and non-technical communication skills; and eligibility for Department of Defense (DoD) security clearance.