This article is about common tasks that cybersecurity professionals have stated that they do on a regular basis. If you want to learn more about how to get into cybersecurity, check out our resource here. To learn about entry-level opportunities in cybersecurity, check out our article here.
If you’ve ever wondered what a cybersecurity professional does all day, you’re not alone. Many people wonder what cybersecurity professionals really do on a day-to-day basis. That’s partly because cybersecurity is somewhat mysterious: it’s new in our society, it’s always changing, and it involves intriguing concepts like hacking, social engineering, and data exfiltration, to name a few. I decided to ask some cybersecurity professionals what they spend most of their days doing, and in this article I’ll share what they had to say.
What does a cybersecurity person do? Cybersecurity professionals can be responsible for a wide variety of tasks, including general items such as planning, documenting, and administration; and also technical tasks such as conducting vulnerability scans and responding to cyber incidents. Most cyber jobs involve a combination of these tasks.
Let’s take some time now to dive in a little deeper and talk about what a cybersecurity professional can expect to do on a day-to-day basis.
What Does a Cybersecurity Professional Do?
Most tasks that a cybersecurity professional is required to complete can be broken down into two categories: general, and cyber-specific or technical. Cyber-specific tasks vary greatly from job to job and from employer to employer, and also based on the specific skill set of the individual cybersecurity professional. In some cases, even the credentials that a cybersecurity professional holds, such as a specific certification, can dictate what they are or are not allowed to do. This is often the case when their role is part of a contract that requires certain certifications or qualifications.
Here are some of the technical tasks that you may have to do on a regular basis as a cybersecurity professional:
Monitoring Systems
Most seasoned cybersecurity professionals who have defensive job responsibilities (meaning they are tasked with protecting systems from offensive attackers) will tell you that they spend a decent amount of time simply monitoring systems. Which systems can, should, or must be monitored changes from situation to situation, but the general concept is the same. Systems such as firewalls, databases, routers, switches, servers, and general endpoints need to be monitored for intrusions or threats, and the cybersecurity professional is often the one responsible for monitoring those devices and ensuring their health and functionality.
Monitoring systems can include a wide variety of things, such as:
- Running vulnerability scanners, such as Nessus, on network systems.
- Running vulnerability scans on critical database systems, user accounts, or other devices.
- Reviewing vulnerability reports.
- Reviewing log files.
While the types of systems and monitoring tools vary greatly from job to job and employer to employer, and they are changing all the time, it’s important to know that monitoring systems is often a substantial component of many cyber jobs. Some cyber professionals feel that this area of their job is boring or mundane, while others don’t mind it at all, because monitoring healthy systems is better than having to deal with compromised ones.
Responding to Incidents
In many ways, cyber incident response is where the rubber meets the road and where cybersecurity analysts in a defensive role really earn their paycheck. Most pros find responding to incidents interesting, sometimes stressful, and potentially career-changing. Responding to an incident can mean long, unscheduled hours, necessary paperwork, and having to explain to a customer or supervisor what happened and why.
Responding to incidents can include:
- Investigating systems that set off alarms to determine if something is a true positive.
- Determining that something is a false positive.
- Determining the scale of an incident, including any correlation between multiple alarms.
- Working to stop an active threat, which may include taking systems offline.
- Remediating issues once they are discovered and understood.
- Completing after-incident tasks, such as debriefing meetings and incident documentation.
How a cybersecurity professional responds to incidents will vary greatly from company to company, based on the systems the company has and, more importantly, on the procedures it has put in place for responding to incidents. As a cybersecurity professional, you may be in an environment that has a very formalized incident response plan, or none at all.
General Systems Administration
When cybersecurity professionals aren’t responding to incidents or monitoring their systems, they can spend some amount of their time performing general systems administration. Just like every other task, this will vary from job to job but may include any number of things, such as:
- Performing system updates or installing security patches.
- Adding or administering user accounts.
- Performing maintenance on equipment.
- Installing new equipment.
- Generating keys for cryptography.
- Migrating services from one provider to another.
You may notice that some of these tasks overlap with general network or systems administration, or even support desk work, and that can be common depending on the scenario. Some smaller organizations will not have separate positions for systems administration and cybersecurity analysis, so those tasks may be combined into one role.
Conducting Offensive Attacks
Some cybersecurity jobs will include, or consist mostly of, tasks that are offensive in nature, meaning that they involve attacking or attempting to penetrate a system. While the specific scenario may vary, these types of tasks are based on the concept of penetration testing, or hacking.
Penetration testers are individuals who are paid to test a system for weaknesses or vulnerabilities by attacking that system. Many organizations and businesses will contract with a penetration testing firm to complete a penetration test, which may be required for some sort of regulatory or industry compliance. This type of work requires a good amount of skill and experience, since an incorrect action could cause real damage to an IT system. Conducting an offensive attack can include:
- Running scans on a network system to determine vulnerabilities.
- Conducting social engineering exercises, including simulated phishing campaigns.
- Documenting and reporting findings and recommending responses.
Most successful penetration testers have strong systems administration backgrounds and a wide body of knowledge, including familiarity with Linux or Python, for example. Almost all start in some other area of IT or cybersecurity before moving into a position that includes these types of penetration testing tasks.
Providing Technical Support
This may surprise you, but quite a few cybersecurity professionals reported that a common task within their jobs was simply to provide support to other IT professionals within their organization. This occurred more frequently where the cyber professional had specialized knowledge, but providing technical assistance and advice to others was commonly a core component of many jobs. This can include:
- Providing cybersecurity-related advice to general IT staff.
- Conducting cybersecurity audits for systems managed by other IT staff, or other departments.
- Advising IT management or senior management on cybersecurity topics.
In rare cases, some cybersecurity professionals will also serve as a backup for other, non-cyber IT professionals within an organization should an incident occur.
Non-Technical Tasks
Now that we’ve covered the general technical tasks that a cybersecurity professional may have to do, let’s dive into the non-technical tasks that cyber pros are also responsible for. Many new cybersecurity professionals shy away from these tasks or even dread them, but being proficient in these areas is important for long-term career success and separates average cybersecurity professionals from good ones.
Planning
Planning is very common within intermediate to senior-level cybersecurity jobs. This is because it’s important to know what response will be taken when an incident occurs, or how the company should move forward with security initiatives. Cybersecurity professionals often spend some amount of their time simply planning. This may include:
- Creating plans for incident response, including who is to be notified and when.
- Planning for system maintenance, downtime, and upgrades.
- Planning for penetration tests and other assessments.
- Budgetary planning for future security needs.
As a cybersecurity professional, you are often responsible for systems that the entire organization relies on, and therefore proper planning regarding anything that will affect those systems is important. All of this planning will eventually need to be documented, which brings us to our next task.
Documentation
Documenting is a component of almost every single cybersecurity job. Documentation is how cybersecurity professionals communicate with bosses, customers, and team members, and it provides a written record of what occurred. Think about it: as knowledge workers, cybersecurity professionals are paid for what they know, and the most effective way for an organization to get what you know out of your head and into a form the company can use is to document it. If you don’t think documentation is important in cybersecurity, try to find a cybersecurity job posting that doesn’t list written and verbal communication as a required skill!
Documentation includes putting into a written form anything that you’ve done that needs to be recorded. This can include:
- Documenting processes for fellow cybersecurity professionals and team members.
- Documenting systems information for auditors.
- Writing up reports to provide to customers, including penetration testing findings.
- Writing up reports to higher-ups, including vulnerability scan results.
Many cybersecurity professionals state that being able to document properly and effectively has been critical to their success, and, interestingly, that poor documentation written by other cybersecurity professionals always stands out.
Attending Meetings
Unfortunately, meetings are a part of working life for most people, and cybersecurity professionals are no different. In most cases, however, the number and length of meetings appear to be manageable, which is a positive compared with many other positions in the workforce. Just like written documentation, attending meetings is a way to communicate to others what you know, so it is naturally part of being a cybersecurity professional. As a cybersecurity professional, attending meetings may include:
- Meeting with higher-ups regarding system or budgetary needs.
- Meeting with higher-ups or customers regarding incident response.
- Meeting with colleagues regarding planning.
Meetings may occur face to face, but with the increase in remote work, many take place online via virtual meeting software. This means that you may be in meetings with people from various places in the country or even the world, and you may attend those meetings from anywhere as well, including from home or while on vacation.
Training
To stay sharp and learn something new, training is important. Many employers provide paid training as a benefit to cybersecurity employees, and this training may be onsite or virtual. One overlooked aspect of employer-provided training is whether the employer will allow an adequate amount of time away from work to complete it. Many professionals fall into the trap of having access to training but not the time away from work to complete it. Regardless, many cybersecurity professionals report that a decent amount of their time is spent in training. This may include:
- Attending face-to-face training, which may include travel to another location.
- Completing online training at a set time.
- Accessing training materials or information available at any time.
- Preparing for certification exams.
If you’re in a cybersecurity position, training, whether on the employer’s time, your own, or both, will be a necessary part of your job.
Managing Others
Some cybersecurity positions carry team lead or management responsibility, so managing other people often becomes part of the cybersecurity job experience. Some cybersecurity professionals have no interest in a management role and find that remaining in a strictly technical role is more enjoyable. For others, moving up and receiving a promotion means taking on management responsibilities. This can include:
- Conducting employee reviews.
- Interviewing, hiring, and firing employees.
- Addressing employee concerns.
- Delegating tasks to employees.
Many professionals do not receive formal managerial training before assuming a management role, or even while they are in that role.
General Employee Tasks
Part of almost every job is completing tasks that are assigned to all employees. Some amount of your time as a cybersecurity professional may be devoted to these tasks, which may include:
- Attending all-staff meetings.
- Reading or responding to company-wide communications.
- Completing general training programs, such as safety or harassment training.
Summary
Cybersecurity jobs vary greatly and are changing all the time. Tasks that you may find in one environment may be completely unnecessary in others. Just like in every other field, cybersecurity professionals report that there are tasks they enjoy and tasks they dislike within their day-to-day responsibilities. Those looking to enter the field of cybersecurity should consider all aspects of a specific cybersecurity job, such as written and verbal communication, managerial responsibilities, location, and other factors, when evaluating a career opportunity in cybersecurity.