More about a career in Cryptography & Communications Security
Roles in this specialism vary, but all are fairly technical and some are very technical, requiring a very high level of mathematical ability. Even in roles that don't demand that kind of mathematics, you need a good understanding of the fundamentals of cryptography, of communications standards and technologies, and of some other elements of information technology.
There are two strands to the pathways through this specialism, though a single role may combine elements of both. Jobs as a pure cryptographer are rare. Where they exist, a cryptographer develops, tests and improves cryptographic elements: algorithms, key-handling procedures and security protocols. The more common cryptography role involves building, maintaining and testing implementations of existing security protocols, sometimes in hardware but more often in software.
The other strand in the pathway is communications security, which offers more jobs. As a more junior practitioner you focus on implementing and maintaining cryptographic services as part of a larger system. If the systems you work on are public facing, particularly through websites, you may be involved in the management of digital certificates. As a crypto custodian you may be responsible for managing the distribution and retirement of keys. This activity normally proceeds at a steady pace, although in some organisations you work on a shift rota. However, if a security incident affects the communications services you manage, you may be required to work quickly to establish whether secure communications channels have been breached or bypassed.
As you gain more experience in communications security, you may provide expert technical advice and guidance for a diverse range of cyber security projects and tasks. You probably take part in internal Change Advisory Board meetings, commenting on proposed changes to the network. You may explore how cryptographic techniques and related cyber security controls could be used to secure the organisation's products and services across a wide range of application areas, so you will have a broad view of the organisation's business. You may also be responsible for developing the knowledge and experience of more junior team members.
Given the central role of cryptography in most network communications, almost any work that you do in this specialism will need to align with industry or governmental standards, such as those of the US National Institute of Standards and Technology (NIST).
Work in this specialism involves protecting information, whether communicated internally or exchanged with individuals or other organisations, against accidental exposure and malicious attack.
As a Cryptographer, you might:
- design security protocols, including key management rules
- assess the threats posed by changes in technology
- investigate how emerging technologies can be used to increase both agility and security
- produce analyses, reports and presentations
As a Senior Cryptographer, you might:
- supervise the manufacture and management of cryptographic keys
- develop new cryptographic primitives, such as algorithms (this is a very rare requirement)
As a Communications Security Practitioner, you might:
- advise systems developers or implementers on suitable communications security components
- build or support the integration of communications security elements in new systems
- support public key infrastructure (PKI) systems, including by managing digital certificates
- create and maintain meticulous records of PKI certificate details, especially their expiry dates
- operate and maintain secure communications systems
- ensure that the processing of individual messages adheres to the handling requirements of classification levels (particularly in government and military roles)
- manage alternative communication channels for special classes of messages
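The certificate record-keeping described above is the kind of task that is better scripted than kept in a spreadsheet. The following is an added example, not code from the original page or from any organisation it describes: a small Go program that parses a PEM bundle of X.509 certificates into an inventory (subject, issuer, serial, validity window, DNS names) and classifies each one as ok, expiring within a warning window, expired or not yet valid. The function and type names (`Inventory`, `CertRecord`, `SelfSignedPEM`) are this example's own, and the certificates it runs against are constructed in-program for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one row of a certificate inventory: the fields a
// communications security practitioner tracks so that renewals are
// scheduled before expiry rather than discovered through an outage.
type CertRecord struct {
	Subject   string
	Issuer    string
	Serial    string // hex serial, as printed by most PKI tooling
	NotBefore time.Time
	NotAfter  time.Time
	DNSNames  []string
	Status    string // "ok", "expiring", "expired" or "not-yet-valid"
}

// Inventory parses every CERTIFICATE block in a PEM bundle and classifies
// each certificate relative to now, flagging any that expire within warn.
// Non-certificate PEM blocks (private keys, CRLs) are skipped; a malformed
// certificate is reported as an error rather than silently dropped.
func Inventory(bundle []byte, now time.Time, warn time.Duration) ([]CertRecord, error) {
	var records []CertRecord
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		records = append(records, CertRecord{
			Subject:   cert.Subject.String(),
			Issuer:    cert.Issuer.String(),
			Serial:    cert.SerialNumber.Text(16),
			NotBefore: cert.NotBefore,
			NotAfter:  cert.NotAfter,
			DNSNames:  cert.DNSNames,
			Status:    classify(cert.NotBefore, cert.NotAfter, now, warn),
		})
	}
	return records, nil
}

// classify applies the rules a PKI team would put in its runbook: expired
// and not-yet-valid certificates need immediate action, anything inside the
// warning window needs a renewal ticket raised.
func classify(notBefore, notAfter, now time.Time, warn time.Duration) string {
	switch {
	case now.Before(notBefore):
		return "not-yet-valid"
	case !now.Before(notAfter):
		return "expired"
	case notAfter.Sub(now) <= warn:
		return "expiring"
	default:
		return "ok"
	}
}

// SelfSignedPEM builds a throwaway self-signed certificate for host with the
// given validity window. It exists only to give this example constructed
// input; production certificates come from the organisation's PKI, not from here.
func SelfSignedPEM(host string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"Example Ltd"}},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		DNSNames:     []string{host},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	// Constructed sample bundle: one healthy certificate and one inside a 30-day window.
	healthy, _ := SelfSignedPEM("api.example.test", now.Add(-24*time.Hour), now.Add(365*24*time.Hour))
	soon, _ := SelfSignedPEM("www.example.test", now.Add(-24*time.Hour), now.Add(10*24*time.Hour))
	records, err := Inventory(append(healthy, soon...), now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, r := range records {
		fmt.Printf("%-22s serial=%s expires=%s status=%s\n",
			r.DNSNames, r.Serial, r.NotAfter.Format("2006-01-02"), r.Status)
	}
}
```

In practice the bundle would be read from the certificate store or pulled from live endpoints, and the warning window chosen to match the organisation's renewal lead time; the classification logic stays the same.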
As a Senior Communications Security Practitioner, you might:
- assure the effectiveness of communications security systems, including through regular and rigorous audits
- oversee the strategic alignment and delivery of cluster-specific cryptographic material
- manage a cryptographic programme, including the proper control of commercial or governmental key material
- support, supervise and manage more junior colleagues
Few organisations outside particular government departments, universities or specialised commercial companies employ cryptographers. Where such roles do exist, cryptographic practitioners do the more basic research and design work fairly independently, within the constraints of an agreed programme of work, guided and overseen by senior practitioners.
Communications Security practitioner roles are far more common. However, given the specialist nature of the work, few organisations employ more than one or two practitioners, except for some large organisations which may have substantial teams managing their secure communications systems.
In these organisations some of the practitioners may be primarily responsible for managing cryptographic keys. Organisations with a substantial amount of secured public-facing communication, particularly in e-banking or e-commerce, may have several roles managing digital certificates, which will include both practitioners and senior practitioners, partly to provide a separation of duties.
Overall: the most common roles in this specialism are in managing secure communications technology, particularly in government bodies and military units. In such organisations there will be a formal hierarchy, with multiple levels, ranging from a trainee communicator or signals specialist to a communications manager or unit commander.
- logical thinking
- methodical approach to problem solving
- rigorous adherence to standards
- written and verbal communication skills with the ability to present complex technical information to a variety of audiences
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
- application of Identity and Access Management Protocols (e.g., OAuth2, SAML2, LDAP, OpenID, Kerberos)
- Communications Security (COMSEC) accounting, with experience of conducting COMSEC inspections
- application of COMSEC custodian controls
- installing, maintaining and troubleshooting communication devices and networks
- creating drivers and encryption and decryption programs for commercial and bespoke communications security devices
- incident handling to assist investigations
- application of security paradigms (secure boot, chain-of-trust, etc.) and assessment of related security threats, exploits and prevention
- application of cryptographic security protocols and techniques (encryption at rest, TLS, hashing, etc.)
- vulnerability management experience specifically for the analysis of cryptographic algorithms
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
C3 – Secure Development
- implements and updates secure systems, products and components using an appropriate methodology
- defines and/or implements secure development standards and practices including, where relevant, formal methods
- selects and/or implements appropriate test strategies
- defines and/or implements appropriate secure change and fault management processes
- verifies that a developed component, product or system meets its security criteria (requirements and/or policy, standards and procedures)
- specifies and/or implements processes that maintain the required level of security of a component, product, or system through its lifecycle
- manages a system or component through a formal security assessment
E2 – Secure Operations & Service Delivery
- securely configures and maintains information, control and communications equipment in accordance with relevant security policies, standards and guidelines; this includes the configuration of Information Security devices (e.g., firewalls) and protective monitoring tools (e.g., SIEM)
- implements security policy (e.g., patching policies) and Security Operating Procedures in respect of system and/or network management
- undertakes routine technical vulnerability assessments
- maintains security records and documentation in accordance with Security Operating Procedures
- administers logical and physical user access rights
- monitors processes for violations of relevant security policies (e.g., acceptable use, security, etc.)
I2 – Applied Research (for a small number of roles in this specialism)
- vulnerability research and discovery, leading to the development of exploits, reverse engineering and researching mitigation bypasses
- cryptographic research leading to the assessment of existing algorithms
- in the Information Security field, uses existing knowledge in experimental development to produce new or substantially improved devices, products and processes
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Cryptography roles require very specialised knowledge and skills, which are normally acquired only through advanced academic study or, for a few people, sustained puzzle-solving. It is therefore unlikely that someone could demonstrate transferable skills from another job for such a role.
However, a Communications Security Specialist might draw on a range of experience from previous jobs, including:
- police services: secure communications
- Armed Forces: communications systems operator, technician, engineer or manager
- intelligence services: secure communications
- governmental secure communications
- commercial communications/network security
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK, so the KAs are a good way of describing the knowledge associated with a specialism.
As an experienced practitioner in a Cryptography & Communications Security role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge but not to quite the same degree. You may need a much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.
Coming into such a role, you will not be expected to have all this knowledge initially. However, all but the most junior practitioners need a good understanding of the Network Security KA. Anyone working in cryptography needs, in addition, a solid understanding of the Cryptography KA.
Network Security KA: security aspects of networking and telecommunication protocols, including the security of routing, network security elements and specific cryptographic protocols used for network security.
Distributed Systems Security KA: security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multitenant data centres and distributed ledgers.
For a Cryptographer only:
Cryptography KA: core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them.
Physical Layer & Telecommunications Security KA: security concerns and limitations of the physical layer, including aspects of radio frequency encodings and transmission techniques, unintended radiation, and interference.
For a Secure Communications operator:
Cryptography KA: core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them.
Authentication, Authorisation & Accountability KA: all aspects of identity management and authentication technologies, and architectures and tools to support authorisation and accountability in both isolated and distributed systems.
Operating Systems & Virtualisation Security KA: operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multiuser systems, secure virtualisation, and security in database systems.
Law & Regulation KA: international and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
Privacy & Online Rights KA: techniques for protecting personal information, including communications, applications, and inferences from databases and data processing. It also includes other systems supporting online rights touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems.
You might start in this specialism as an apprentice, as a Secure Communications Operator.
Alternatively, you might start in this specialism as a graduate, with a degree in:
- computer science
- computer engineering
- communications/telecommunications engineering
- computer/network security
- cyber security or information security
In pure Cryptography, you might start as a graduate with a degree in mathematics.
You might take up a role in this specialism on retirement from an operational or technical position in a military unit.
Within an organisation, you might move into this specialism from another IT role or cyber security specialism, such as:
From a job in this specialism, you might move into one of these other cyber security specialisms:
- Vulnerability Management
- Security Testing
- Secure Operations
- Digital Forensics
- Cyber Threat Intelligence
- Cyber Security Governance & Risk Management
- Network Monitoring & Intrusion Detection
You might earn a more senior role in Cryptography and Communications Security, perhaps managing a team of cryptographic/communications security specialists.
With more experience and higher-level qualifications, you might move into cryptographic research.
For a practitioner in this specialism, titles include:
- Cryptography Analyst
- Cryptography Systems Consultant
- Cryptosecurity Engineer
- Information Security Specialist
- Network & Security Prototyping Architect
- Platform Solution Engineer
- Research Engineer
- Quantum Researcher
- Secure Communications Engineer
- Security Engineer
- Security Consultant
- Space/C4ISTAR Systems Engineer
For a senior practitioner, titles include:
- Senior Security Engineer
- Senior Security Research Engineer
- Senior Principal Cryptosecurity Engineer
- Senior Cryptography Security Analyst
- Senior IT Assessor/Trainer in Cyber Security & Networking
- Head of Communications Security & Assurance
A Communications Security Practitioner might earn between £35,500 and £51,115 a year. The median figure in March 2021 was £43,500.
A Cryptography practitioner might earn between £47,500 and £86,250 a year. The median figure in March 2021 was £62,500.
There is insufficient data to provide either a valid salary range or a median figure for senior practitioners in this specialism.
The salary ranges are based on job vacancy advertisements published online in March 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.