The further I embark on this journey to demystify the world of cybersecurity, the more I come to realize that a background in engineering provides a good set of skills that are transferable. Not only transferable, but quite important to the success of being a cyber professional. I’d like to share my thoughts on how I believe those skills to be relevant and give you confidence to emphasize them on your resume.
You may recall I reference KSATs in another post of mine – Step 2: Explore Areas of Interest. As I thought of my own engineering skills and how they were applicable to the Security Architect role I am pursuing, I’ve cross-referenced the KSAT number to give you examples if you’d like to follow along.
Alright, let’s get into it:
- Configuration Management. Knowledge 109A / NIST K0275. I’m a believer that when you say “engineer” to people, they often think of a person tinkering away in the garage/lab creating wonderful and complex things. While in a development environment you get exposure to configuration management, you most certainly become intimately familiar with it when in a production environment. Any engineer having done work for a system in production knows this to be true – management of the product baseline is critical. Cybersecurity is no different. Be sure to emphasize any and all configuration management experience you have, especially if you play a more senior role. Such as presenting to Configuration Control Board regarding the changes when seeking approval.
- Requirements Derivation. Task 2248 / NIST T0314; Skill 197A / NIST S0152; and Task 412A / NIST T0427 as examples. If you’re following along, search the page for “requirement” and you will find many more results. Requirements play a large role in cybersecurity just as they do in systems engineering. You start off with a Stakeholder requirements document, Concept of Operations (CONOPS) and/or numerous regulatory and organizational requirements. Part of the job is to take these inputs and decompose them to ultimately understand the constraints you are able to work within when analyzing or building an architecture. If you’ve had to read through policy or regulation and determined that you must or cannot do something with respect to your project, you’ve found a requirement. Be sure to emphasize any of these instances on your resume as well.
- Interoperability / Interface Management. Task 994 / NIST T0268. Systems engineers know about interoperability and interfaces. Especially when a piece of hardware running software, needs to be integrated with another system. Aside from the physical interaction between the two, ensuring that signals and data that may be passing between them also needs to be addressed. Have you ever had to analyze how data from one system is received by another system? Ensuring the format of the data can be interpreted? This applies to cybersecurity as well. Information systems need to pass data between them, and often needs to be “translated”. This introduces the need for software in some capacity, to perform the translation, which also introduces potential for vulnerabilities.
- Architecture (SysML) Diagrams. Ability 68B / NIST A0061; Ability 1072A / NIST A0048 as examples. If you’re following along, search the page for “architecture” and you will find many more results. Systems engineers know the fundamental System Modeling Language (SysML) diagrams. Recall you have diagrams for requirements, structure and behavior. I would state that the most relevant ones are the Context Diagram, Block Definition Diagram and the Internal Block Diagram. To me, these best depict how different components are connected and interact, which you can draw parallels to a network topology. The ability to develop an architecture, communicate the architecture to a wide audience, and the ability to analyze architectures is of fundamental importance. You first need to understand how systems and components are connected to understand the vulnerabilities that are present that may be exploited. Be sure to emphasize any work you’ve done in creating/analyzing diagrams, such as network topologies, etc.
- Traceability and Documentation. Task 646A / NIST T0484. Systems engineers understand the importance of maintaining traceability and documentation. Traceability may not seem important, but it becomes evident when there is a lack of it years later. Have you ever been confronted with a requirement and didn’t know how it came to be? Or a requirement stating a number, without any context of how that number came to be? Blame poor traceability/documentation for this. One example I have experienced within the context of the Risk Management Framework for cybersecurity, is the selection of security controls to be implemented in a system. These controls are based on the importance of confidentiality, integrity and availability, as defined by the stakeholder. These controls are then documented to form one part of your security posture, and ensuring there is reference (traceability) back to the source document provided by the stakeholder, is a great example of this.
Though I have listed 5 areas where systems engineering and cybersecurity overlap, there are many others. I encourage you to read my post Step 2: Explore Areas of Interest to find work roles that are of interest to you. Once you find ones that speak to you, read through the KSATs and determine how much overlap there is between your current role and the one you would like to have.