More about a career as a Cyber Security Generalist
You cover a wide variety of responsibilities, which makes the role very interesting and, sometimes, challenging. The broad responsibilities make it more likely that you will need to work more hours - including unexpectedly when there is a cyber security incident - than if you were in most types of specialist role.
There are three types of generalist jobs:
- an apprentice
- the only person (or one of just a few people) managing cyber security in a large organisation
- a consultant providing cyber security services to organisations
If you work directly for an organisation, you'll typically be one of a handful of cyber security experts - or, possibly, the only expert - in the organisation. You're responsible for much of the cyber security protection for the organisation: from identifying and assessing risks, to managing the implementation and operation of security controls. To do this, you will work very closely with other teams, particularly IT development and operations staff, and external providers.
The exact scope of your responsibilities may vary substantially, depending on the size and type of the organisation and, particularly, on the extent to which senior management is focused on cyber security. If your organisation’s senior management is very focused on cyber security, you may find yourself reporting directly to senior management and accountable for significant decisions even as a fairly inexperienced cyber security practitioner. If your senior management team is less engaged with cyber security, you may find yourself less accountable, unless or until there is a cyber security incident.
If you work as a consultant, providing broad advice on any aspect of cyber security to customers, you may be part of a structured team in your home organisation. This gives you a more focused role with a defined development path.
Compared to being a specialist in an organisation where there are more roles defined in more detail, the generalist role can provide good opportunities to learn a wide range of skills and to manage broad responsibilities at an earlier stage in your cyber security career.
As a Cyber Security Generalist, you'll be largely responsible for every aspect of the security of an organisation’s data and its information systems.
In detail, you may:
- track vulnerabilities in software, systems and networks
- identify and assess cyber threats
- identify and assess cyber security risks and recommend measures to manage them
- design security controls, including those affecting the selection and development of systems
- draft cyber security policies and procedures, particularly for the secure operation of systems
- test and report on the security of an organisation’s systems and networks
- manage external providers
- advise IT staff and business managers on cyber security risks and controls, including procedures and staff behaviours
- brief and train non-cyber staff on cyber security awareness and safe practice
As a senior practitioner, you may also:
- be responsible for the overall performance and security of live systems
- work with managers in other teams to ensure effective cyber security across the organisation
- recruit, train and assess practitioners
Skills
- remaining calm under pressure
- communicating with non-technical colleagues about technical matters
- producing written and verbal reports
- managing suppliers
- prioritising complex sets of demands
- understanding business and user needs
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
- risk assessment and management
- project management
- cyber security awareness training
- monitoring system performance and security
For senior practitioners
- staff management
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs).
A generalist role may cover any set of cyber security responsibilities, so any and all of the CIISec Skills Groups could be relevant to a generalist. Any of the work could be outsourced, but the generalist would still need to be able to direct and monitor this. The Skills Groups listed here are the minimum set which any generalist, with broad responsibility for cyber security in an organisation, would need to be able to ensure an adequate level of cyber security if the technical services are very largely provided by third parties.
A1 – Governance
- directs, oversees, designs, implements or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage Cyber and Information Security at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements and ensuring compliance with those requirements
A6 – Legal and Regulatory Environment and Compliance
- understands the legal and regulatory environment within which the business operates
- ensures that Information Security Governance arrangements are appropriate
- ensures that the organisation complies with legal and regulatory requirements
A7 – Third Party Management
- identifies and advises on the technical, physical, personnel and procedural risks associated with third party relationships, including systems development and maintenance, contracts, end of service, outsourced service providers and business partners and sub contracting
- assesses the level of confidence that third party Cyber and Information Security capabilities/services operate as defined
B2 – Risk Assessment
- identifies and assesses information assets; uses this information and relevant threat assessments, business impacts, business benefits and costs to conduct risk assessments and identify and assess potential vulnerabilities
B3 – Information Risk Management
- develops Cyber and Information Security risk management strategies and controls, taking into account business needs and risk assessments, and balancing technical, physical, procedural and personnel controls
E1 – Secure Operations Management
- establishes processes for maintaining the security of information throughout its existence including establishing and maintaining Security Operating Procedures in accordance with security policies, standards and procedures
- coordinates penetration and other testing on information processes
- assesses and responds to new technical, physical, personnel or procedural vulnerabilities
- engages with the Change Management process to ensure that vulnerabilities are mediated
- manages the implementation of Information Security programmes, and co-ordinates security activities across the organisation
G1 – Data Protection
- directs, oversees, designs, implements, contributes to, or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls to manage the protection of personal data at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements, and ensuring compliance with those requirements
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
A generalist may be at one of three levels: junior practitioner, practitioner and senior practitioner.
Generalist roles are very suitable for apprentices, since an apprenticeship normally requires the apprentice to gain some experience of multiple specialisms. Apprentices initially have a low degree of responsibility but, in some organisations, may be given the opportunity to take on fairly substantial responsibility as they progress, particularly at Apprenticeship Levels 4 and 6. They may, at this point, be operating as practitioners.
If there is only one cyber security generalist in the organisation, that person is likely to be a senior practitioner. If there are several generalists managing cyber security, there may be a senior practitioner and one or several generalists at practitioner level.
In some organisations, the generalist (or, sometimes, the several generalists) will be part of a very small cyber security or security team. In other organisations they will be part of the IT team - or, perhaps, even a central corporate team such as Finance.
A Cyber Security Generalist needs to have some understanding of most cyber security specialisms but, in most cases, need not be an expert in any of them. What's most important is having the breadth of vision and the confidence to manage several or many important aspects of an organisation’s cyber security.
This means that experience in some other types of role can be useful preparation for taking on a role as a cyber security generalist; some of these are listed below. Note that few organisations would be willing to give substantial responsibilities for cyber security to someone who lacked significant experience in at least one cyber security specialism, so it's very unlikely that any of the jobs listed here would be sufficient on their own:
For a junior practitioner:
- IT helpdesk
For a practitioner or senior practitioner:
- IT project manager or development manager
- IT operations manager
- business operations manager
- security officer or manager
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As with skills, as a Cyber Security Generalist you may, in some cases, need to have some knowledge of every aspect of cyber security. In most cases, however, you will not need to be able to deliver the services yourself, needing only to know enough to be able to commission and assess the provision of technical services by others, which may include external suppliers.
The Knowledge Areas (KAs) listed below are therefore those you're most likely to need. You may need additional KAs, depending on which services you're most closely involved in delivering.
You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge, but not to quite the same degree. You may need a much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.
Coming into such a role, you will not be expected to have all this knowledge initially. But, given the wide range of tasks and the rigour with which standards must be followed, you'll need to have most of the Core Knowledge.
Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
And, if the responsibilities include Industrial Control Systems (ICSs):
Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
All aspects of identity management and authentication technologies, and architectures and tools to support authorisation and accountability in both isolated and distributed systems.
Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.
Usable security, social & behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.
Techniques for protecting personal information, including communications, applications, and inferences from databases and data processing. It also includes other systems supporting online rights touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems.
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
And, if the responsibilities include public-facing systems:
Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
The application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default.
The collection, analysis, and reporting of digital evidence in support of incidents or criminal events.
You might start, as a junior generalist practitioner, as an apprentice.
Alternatively, you may start as a graduate, with a degree in:
- cyber security or information security
- software or computer engineering
- computer science
Or, within an organisation, you might move into this specialism from a role in:
- IT development
- IT management
- business risk management
You might also move into this specialism from a different role in one of these cyber security specialisms:
Cyber Security Generalists generally work in organisations that employ no specialists. However, your organisation may employ a few specialists, even though the majority of cyber security duties are handled by generalists. In such cases, or if you accept a position in another organisation which employs specialists, you should be well-equipped, even without acquiring additional specialist skills, to move into:
- Cyber Security Audit & Assurance
- Cyber Security Governance & Risk Management
- Vulnerability Management
If, as a generalist, you have developed good skills in any of the specialisms, you should be equipped to move into almost any of them. The exceptions are cryptography development (in the Cryptography & Communications security specialism), Secure System Development or Security Testing.
With several years of experience as a generalist, you might take a senior management role, such as Head of Cyber Security or Chief Information Security Officer (CISO).
For generalist practitioner roles, titles include:
- Cyber Security Engineer
- Cyber Security Consultant
- Cyber Security Analyst (note that this is also sometimes used as the title for specialists working in Security Operations Centres, otherwise known as SOC Analysts)
And, for generalist senior practitioner roles:
- Cyber Security Manager
An apprentice cyber security generalist might earn between £13,000 and £20,000 a year.
A cyber security generalist practitioner might earn between £22,000 and £55,000 a year. The median salary in March 2021 was £45,000.
A senior cyber security generalist practitioner might earn between £45,000 and £75,000 a year. The median salary in March 2021 was £55,000.
The salary ranges are based on job vacancy advertisements published online in March 2021. They may not be representative of the salaries for such roles in all sectors or all regions. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.