Make Sense of DoD 8570 and 8140

Need to understand what the U.S. Department of Defense (DoD) directives 8140 and 8570, and the 8570.01-M manual, actually are? Don’t worry, you’re not the only one. These DoD issuances may seem confusing, but they’re actually pretty easy to understand. This article will help you make sense of DoD 8570 and 8140 for your cybersecurity career.

For those who are interested in information technology, DoD 8140 is a massive opportunity. As the DoD has increased its focus on cybersecurity, thousands of jobs for trained individuals have been created. Large and small organizations are following the DoD’s lead and have begun requiring similar certifications of their employees to help mitigate risk and protect organizational data.

August 2004
DoD 8570 Compliance

DoD 8570 (technically DoDD 8570.01, originally issued as 8570.1) compliance is required of all authorized users of DoD information systems, including military service members, contractors, and government employees. If you’ve been searching for cybersecurity jobs, chances are you’ve seen a listing with a DoD 8570 compliance requirement as part of the posting.

Signed August 15, 2004, DoD 8570 is a directive that requires American National Standards Institute (ANSI) accredited (ISO/IEC 17024) certifications for information assurance workers. You achieve compliance by earning specific IT certifications. DoD 8570 established three levels of certification requirements for the Information Assurance Management (IAM) and Information Assurance Technical (IAT) categories. IAM roles are typically management or leadership positions, whereas IAT roles actively work with controlled information or on the networks that carry it. To qualify for a DoD Information Assurance job, you must hold one of the certifications approved for that position’s category (or specialty) and level.

August 2015
DoD 8140: A New Focus on Cyber Security

Officials eventually realized there was a need to change the way the DoD handled information and network security. Changes in those technologies since 2004 and an increase in cyber attacks were the driving force behind the new directive.

On August 11, 2015, DoD Directive 8140.01 was signed. With this change of focus, the “Information Assurance (IA) Workforce” was renamed the “Cybersecurity Workforce.”

DoD 8140 confirms the importance of popular IT certifications like A+, Network+, Security+, and CISSP, and adds newly approved baseline cybersecurity certifications including CASP, CEH, and more.

DoD 8570 Certifications Table

So what happens to DoD 8570?

DoD Directive 8140 “reissues, renumbers, and cancels DoD Directive (DoDD) 8570.01 to update and expand established policies and assigned responsibilities for managing the DoD cyberspace workforce,” according to the Information Assurance Support Environment (IASE) site. Despite this, DoD 8140 currently relies on the DoD 8570 manual.

DoD 8140 will eventually have its own manual, but complex manuals like this take years to create. For this reason, the DoD continues to use the 8570 manual, DoD 8570.01-M, for the time being. When a manual for 8140 is released, it will most likely replace 8570.01-M.

One of the major changes DoD 8140 will bring once its manual is released is a greater focus on training that includes live, hands-on exercises, such as the Mission Critical Institute CCRMP program.

The DoD wants the certifications required for Cybersecurity Workforce knowledge units to give their holders not just the knowledge, but also the know-how, to defend the United States’ networks, digital assets, and information.

Starting to Make Sense of DoD 8570 and 8140?

Circa 2020
A New Era for Cybersecurity

US DoD information operations (IO) schools were recently realigned to 8140-based performance training tied to job-role competency. Because 8140 is aligned with the U.S. Department of Homeland Security’s National Cybersecurity Workforce Framework domains and the NIST Cybersecurity Framework, many academic, training, and industry certification organizations are positioning existing programs to be recognized as cyber-technical, even though those programs do not meet the same IO workforce competency standards for specific job roles.

From a risk management perspective, the cybersecurity industry requires multiple levels of skill and talent, ranging from:

  1. Information Assurance and Enterprise Risk Management, which allows an organization to mitigate risk by implementing processes to manage, protect, and defend its data, technical assets, and information systems.
  2. Information Operations, which focuses on the unique knowledge, skills, and abilities required to proactively deploy cyber defense teams, with highly tactical individuals continuously identifying and mitigating threats and staying ahead of the adversary.

More and more cybersecurity education and training organizations will release programs that focus on and recognize performance-based assessment at both the Information Assurance and Information Operations levels.

Both areas of the industry require skilled individuals to manage and mitigate organizational risk through appropriate enterprise processes and active defense.

Higher recognition will go to individuals who complete a program that can be articulated into, or is offered directly in partnership with, accredited institutions that award academic credentials and degrees.

The Mission Critical Institute cybersecurity CCRMP curriculum is aligned to the specialty areas of the National Cybersecurity Workforce Framework and listed as a provider on the Department of Homeland Security NICCS website. The program is directly aligned to the NIST Risk Management Framework and the NIST Cyber Security Framework as well as NICE Cybersecurity functions and roles.

CCRMP - Certified Cloud Risk Management Professional

The CCRMP covers 1) the Information Assurance and Enterprise Risk Management component and 2) Information Operations, through an integrated e-learning ecosystem that deploys an enterprise risk management dashboard with RMF/CSF alignment, along with “Red” and “Blue” team virtual cyber ranges, software-defined infrastructure, and network devices on various Unix and Windows operating systems, with related network architectures and technologies that allow Red and Blue teams to engage tactically.

Partnering for the Future
Developing Cyber Risk Management Professionals as well as Tactical Cyber Warriors

The Mission Critical Institute also partners with educational institutions and coding boot camps that produce software engineers who can be upgraded into a cybersecurity career pathway, increasing the human capital development pipeline for all ends of the cybersecurity talent market.

You don’t have to be a software engineer to earn a Cybersecurity Cloud Risk Management professional certificate or degree, but it does require a baseline understanding of today’s technology.

The pathway runs from cybersecurity cloud risk management to tactically placed information operations individuals who leverage technologies like Python and work with the TCP/IP stack, deep-packet analysis, network forensics, Windows and *NIX system operator fundamentals, malware triage, and pre- and post-compromise analysis.

If you do have a robust and tactical understanding of today’s technology then an Information Operations position may be right for you.

Learn more about the CCRMP Program here.

How will DoD 8140 affect you?

For many IT professionals, and those interested in IT, this presents a huge opportunity. With the DoD’s increased focus on cybersecurity, certified individuals are in high demand. DoD contractors operate all over the United States and abroad, which makes it easy to take your credentials just about anywhere and get hired.

For those serving in the military, DoD 8140 (and 8570 before it) provides a way to gain valuable experience that translates directly into a lucrative civilian career. If you work in the Cybersecurity Workforce during your service, you’ll leave your military career with a security clearance and certifications that give you a huge head start in the civilian world.

For cybersecurity education and training companies like the Mission Critical Institute, DoD 8140 was a major driver behind the development of the 100% hands-on, performance-based CCRMP program certificate, which also lets an individual earn the 8570-compliant CISSP, CEH, and CAP certifications.

Time to Join the Cybersecurity Workforce?

The average annual salary for a cybersecurity trained individual is $95,000 and there is a huge shortage of qualified workers. In the U.S. alone, over 40,000 jobs for information security analysts are going unfilled every year, and employers are struggling to fill 200,000 other cyber security-related roles, according to CyberSeek. With demand for these professionals at record levels, you can be sure that getting certified will pay off in spades.

Mission Critical Institute’s Cybersecurity Academy offers high-velocity IT training programs that can help you complete your information security certifications and be job-ready in weeks. Day and night class schedules make it easy to get the training you need quickly, in a way that fits your schedule, through both 100% performance-based approaches and certification-based constructs. You won’t leave the Mission Critical Institute with just a certificate or academic degree (through our partners); you’ll gain the skills you need to be successful in your career. Our industry-expert instructors will make sure you have the knowledge you need to excel in a new job role, whether through DoD 8570 or DoD 8140. We hope this article helps you make sense of DoD 8570 and 8140.

Get started by completing the Cybersecurity Career Readiness Assessment

NIST’s Ron Ross on the state of cyber:

After Chinese hackers infiltrated a Navy subcontractor’s computer network and stole a trove of highly sensitive data on submarine warfare, the government was spurred to revise the standards that contractors must follow to ensure government data is properly protected.

What the hackers took was “the equivalent of the stealth technology for the Air Force,” said Ron Ross, a fellow at the National Institute of Standards and Technology who focuses on computer security.

“We literally are hemorrhaging critical information about key programs,” Ross said during a fireside chat I moderated at the RSA Federal Summit Tuesday. “They’re coming after you every day. They’re either going to bring down your capability, they’re going to steal stuff from you, or they’re going to plant malicious code in your systems and they’re going to come back at some point under their timetable and bring you down.”

As for the revision of those standards, it’s currently parked in the Office of Management and Budget awaiting approval, Ross said. Ideally, the Defense Department would begin to use those standards within the next 18 months to help determine whether to award a business a contract.

But will those standards solve the problem? Here’s how Ross described the challenge during our fireside chat. An excerpt of that conversation is below.

FIFTH DOMAIN: I know the Department of Defense is working with NIST to update standards used by contractors to secure data. Will that document establish requirements and responsibilities that extend to the supply chain, considering those smaller companies are often more vulnerable?

ROSS: It doesn’t. The requirements are the requirements. But the problem you described is a real one. Information that’s critical doesn’t lose value because it goes from the federal government to a prime contractor and that value stays just as high when it goes to the sub. I think the ultimate solution is you have to protect the information no matter where it is, and somebody is going to have to pay for that. There’s no free lunch. We are always talking about what’s the [return on investment] for doing all the security stuff. We never look in the rearview mirror and say what was the cost of the cleanup? And if you remember the OPM breach not that long ago, in 2015, that cleanup I believe cost over a half a billion dollars. The cleanup is an order of magnitude more expensive than it would have taken to protect the system to start.

FIFTH DOMAIN: You talk about the need to devote money to this, and yet we’ve had programs that were awarded recently by DoD where the bids were particularly low. These were for massive platforms. It begs the question of whether those trickledown cyber protections are even being considered at the front end?

ROSS: I think that there’s always a question about whether we have enough money or enough people to solve this problem. I’m going to come at this from a counter view. We developed a publication two and a half or three years ago. It’s NIST 800-160. That’s a system security engineering guideline. We took an international standard, a joint standard on systems engineering that had nothing to do with security [and used that as the basis to establish] everything you need to do in a life cycle process to make sure security is integrated into that system that you’re building.

The first couple of the steps in the life cycle are called stakeholder requirements. That’s where you sit around the boardroom, or with the war fighters, and they’re saying, “what kind of a weapon system do we need to defeat the bad guy? Or what’s our business model in a Fortune 500 company?” Then you have to say, “Okay, we are totally dependent on technology to accomplish that mission. Knowing that, I’m going to build a system with a certain set of functional requirements.” Now we have a step that says you’re required to put your security requirements right in with those functional requirements and there’s something called a trade space discussion that takes place with every system. That’s where the war fighters say, I want everything in the world, and then they say, well, you got cost, schedule and performance. You can’t have that function requirement because it costs too much. You can’t build the antigravity machine. Eventually you stabilize on a set of requirements that you build to.

That’s where we’re running off the rails now because largely those discussions don’t take place in the life cycle development. It may turn out we have plenty of money.

FIFTH DOMAIN: For years, people have criticized FISMA as being a box checking exercise. Could the expanded focus on artificial intelligence help the state of cybersecurity?

ROSS: Good AI programs, they’re just programs. They’re algorithms and those programs run on your system stack – applications, middleware, operating systems, firmware, down to the integrated circuits. So, if you’ve got a whizzbang application and you tell me it’s a trusted application, but it runs on an untrusted operating system, it’s game over. Any AI program that you’re running at the application level is totally going to be bogus information. You can’t trust it if the adversary’s already taken control of your system with a root kit.

Now, if you can build a trusted platform and take advantage of artificial intelligence, machine learning, you’ve got a great brave new world there. That’s awesome and we should be doing all of that. But you can’t hunt your way out of this problem because the attack surface is getting so large and complex and most of it’s unmanaged and most of it’s unprotected. And that’s a formula for going down in the long term.

“How To” Cyber Blog Series: Part V

Mission Critical Institute blog post: How to Negotiate the Best Cyber Job Offer

“Ensuring that you are paid what you are worth, is worth the time to research other company benchmarks, payscales, and benefits packages.”
Christine Olyer, MSOL Director of Academic Programs, Mission Critical Institute

Only about 37% of people negotiate a job offer; the others don’t negotiate at all, or only occasionally, mainly out of fear and a lack of negotiation skills. But buckling under may mean depriving yourself of thousands of dollars in income and other benefits. There’s a huge shortage of cybersecurity professionals, which could reach 3.5 million by 2021; use that knowledge to your advantage. And reach out to a mentor who really understands the cyber job market to help you negotiate.

Let’s look at these key points for negotiating a cyber job offer:

  • Research what your KSAs are worth ahead of negotiations
  • Evaluate both salary and other benefits
  • Negotiate the entire offer or just a section of it
  • Be ready to use another current job offer as leverage

Research Your Worth
Browse PayScale, Glassdoor, and similar job sites for the typical average salary of the cyber position you’re interested in. For example, a web search for “cybersecurity risk manager average salary” returns several useful hits. Notice that some sites offer a free salary report, matched to the experience, education, and skills you provide, to help you identify your worth in the market.

When inquiring about salary, a job candidate typically has three primary choices:

  1. Let the employer offer a salary: Don’t tell them your expected salary; let them offer a figure to you. Assume the organization is offering you less than it can afford.
  2. Ask for a specific salary: According to a Columbia Business School study, people “making an offer using a precise dollar amount … versus a rounded-off dollar amount … were perceived to be more informed about the true value of the offer being negotiated.” That means asking for $92,650 is a better tactic than asking for a flat $92,000 or $93,000.
  3. State a salary range: Your salary range should be based on research of similar jobs in the area and your professional worth.

Negotiating Salary and Benefits
Although it’s fine to inquire about a position’s salary range by the second (or later) interview, you negotiate salary and benefits after receiving a job offer. During this critical stage, it’s important to understand everything about the position – responsibilities, schedule, number of direct reports (if any), and so on. Ask probing questions rather than make demands, and don’t bring emotions into negotiations.

If you have any flexibility in your current finances, don’t immediately accept the first job offer. Most employers expect you to negotiate, and they typically hold back some income or benefits in the initial offer. Don’t lose money by taking the first offer without even asking whether the salary is negotiable.

If the salary is lower than advertised or less than what you expected, counter with a higher figure. For example, “I’m genuinely excited at the thought of working for XYZ but expected the salary to be in the range of $XXK to $XXXK, based on .”

Then, explain why you’re worth the higher salary. That is, describe what you can bring to the organization to justify the higher income. If you have other offers but prefer to work for XYZ (the organization with which you’re negotiating), mention that as well, and explain that XYZ is your top choice and why.

If the organization can’t meet your salary request due to a tight budget or salary cap, ask about benefits, a flexible schedule, work-from-home opportunities, stock options, or paid training. Let’s say you have a cloud security risk management graduate certificate and want to pursue an MBA or MSIS; does the organization pay (fully or partially) for employees’ higher education? What are the eligibility details?

Finally, ask for 24 to 48 hours to consider the offer. This gives you time to mull over all aspects of the offer and to reach out to your mentor for their opinion.

Evaluate the Package
Salary shouldn’t be your only consideration during negotiations. Consider everything in the job offer package – salary, sign-on bonus, hours, commute time, amount of travel, benefits, opportunity for employer-paid training or certification, government clearances – before making a decision.

Opportunity for advancement is another important factor. An SMB, nonprofit, or government agency might have a smaller compensation budget than a large corporation, but it may be possible to make a more immediate and noticeable impact there. You could then be considered for positions with more responsibility, whether with your current employer or at a different organization.

After weighing all pros and cons and getting advice from a mentor, get back to the person who made the job offer within the agreed upon time and continue the negotiation process, if necessary.

“How To” Cyber Blog Series: Part IV

Mission Critical Institute blog post: How to Ace the Cyber Job Interview

Relatively few people breeze in and out of interviews without some level of anxiety. If you took the advice in the last post in this series on preparing for the cyber job interview you should be ready for the meeting. Try to relax a little and go with it, letting the prospective employer see that you really are the perfect candidate for the job.

Getting Started
Brush up on current events the day before or the morning of your cyber interview. Is a significant security event taking place, such as a spreading ransomware attack, or was new legislation passed that may affect the company’s compliance? Know about it and be prepared to share a few details if it comes up in conversation.

To help you remember the interviewer’s name (and it’s easy to forget a name when you’re stressed), repeat the person’s name during the introduction. For example, say “It’s a pleasure to meet you, Ms. Jones.” It really does work!

Bring a few copies of your resume and cover letter printed on stock paper and ask the interviewer and other stakeholders in attendance if they would like a copy. This is also a good time to turn your cell phone off or ensure that all sounds – ringer, message notifications, and so on – are silenced.

Jot down notes when the interviewer discusses the organization and the open position. You might need those notes to prepare for a second or third interview, and taking a few notes during the interview can signal your interest. When it’s your turn to ask questions, blend in a point the interviewer made earlier, such as “You mentioned that XYZ company recently acquired ABC company. Will this position be responsible for managing cloud security risk for ABC as well, or act as a liaison between XYZ and ABC?”

When Answering Questions
First and foremost, be honest and authentic, and make eye contact. Provide answers that are relevant and to the point; avoid long, rambling answers.

Make sure your answers include specific examples from your past to demonstrate your experience. If you’re asked a “what would you do” type of question and aren’t sure how to address it, feel free to ask a few questions to make sure you understand the issue.

It’s OK to take a few moments to think about an answer to a question. One technique that helps is to repeat the question back to the interviewer for clarification or to buy some time. Interviewers don’t expect you to have a ready answer for every question, and quickly stating the first thing that comes to mind can make you appear overzealous. If you simply can’t answer a question, say so instead of making up an answer that isn’t relevant.

Try to match your skills, accomplishments, and goals with something the organization is actively working on or recently completed. For example, “I read about XYZ company’s recent initiative to incorporate stronger security in its systems. I’m familiar with applying the six steps of the NIST RMF, including security controls, and appreciate the effort it takes to provide customers with a highly secure product.”

Focus on how you can help the company, or how your skills and background can solve a problem the company faces. For example, ask the interviewer to describe the primary challenges of the position, and then explain how you would overcome those challenges.

If you must explain why you did something in the past, say “My understanding was . . . ” rather than “I assumed . . .”. Also, don’t discuss former employers or co-workers in a negative way; in fact, it’s best to downplay previous negative experiences. Instead of saying a previous situation was “horrible” or “a train wreck,” say it was “challenging.”

Salary: When to Ask
Wouldn’t the job hunting process be so much more convenient if the starting salary or salary range were stated in every job description? When you’re unsure of the salary, a general guideline is to inquire when invited to a second interview or sometime during that interview. Some interviewers might ask for your previous salary, which could be quite a bit lower than the new position’s. In that case, respond by stating your desired salary or salary range and see whether the company can meet it. (Note: Watch for the next blog post in this series, “How to Negotiate the Cyber Job Offer,” for tips on negotiating a compensation package.)

Winding Down the Interview and Post-Interview Tasks
Thank the interviewer and any stakeholders for their time, ask when they expect to make a decision, and find out how they would like you to follow up, such as by calling or emailing. If you don’t already have the interviewer’s business card, ask for one before leaving the room or stop at the reception desk on the way out.

Some interviewees suggest asking the interviewer whether anything discussed gave them reservations about your ability to do the job. If they provide an example, clear up any misunderstandings and address the issue in a way that underscores your value.

Finally, follow up with a thank-you note within 24 hours of the interview, which can be handwritten or via email, as well as a LinkedIn connection request if you hadn’t done so prior to the interview.

“How To” Cyber Blog Series: Part III

How to Prep for the Cyber Job Interview

During pre-interview screening and the interview itself, employers whittle down their list of job candidates to those with the strongest technical knowledge as well as exceptional management and engagement skills. It’s critical to be able to articulate your knowledge and skills to various stakeholders across several interviews.

So, much like actors in plays and movies, doing well in a job interview means research, review, and practice. Let’s explore tips for preparing for the cybersecurity job interview.

Research the Employer

Search the Internet to learn about the organization for which you’re interviewing. What products and/or services does it offer? What is its organizational structure, and who are its key personnel? It’s also important to research the key industry challenges the company faces, as well as its competitors. The purpose is to be able to relate aspects of your cybersecurity experience to the organization’s needs during an interview.

If you have the interviewer’s name and title, search LinkedIn and the company website for background information. When employers interview for cybersecurity leadership positions, they usually bring a team of stakeholders to the table. Ask ahead of time who will be attending so you can learn about their roles and responsibilities around cybersecurity. Also, find out whether you attended the same schools or worked for the same companies in the past.

You may also want to know whether the organization is financially healthy, and how employees feel about working there. If it’s a publicly traded company, its financial statements or annual report should be available on the company’s website. Check Glassdoor or a similar site for reviews by current and former employees, or reach out to cyber professionals on LinkedIn who have worked for the company to get their insights on company culture and values.

Review the Job Description and Your Resume

Thoroughly review the job description and be prepared to address questions related to anything mentioned in it. Then, compare your resume to the job description. If your resume doesn’t paint a complete picture of why you’re an excellent candidate for the job, create a list of experience and background examples to discuss during the interview.

Practice Interviewing Skills

Interviewing skills are soft skills, like listening and speaking. Recent graduates of Mission Critical Institute-sponsored programs emphasize the importance of rehearsing for interviews before the real thing. Work with a friend or associate, or just answer anticipated questions out loud to yourself, to prepare for responding during an actual job interview. Practice answering typical questions such as “What aspects of your education and background have prepared you for this job?” and “Why are you the best candidate for this position?” completely yet succinctly (in under two minutes).

Some interviewers like to ask oddball questions to see how you react and how well you can think on your feet. Search the Internet or ask friends about unusual or unique questions they were asked during an interview, and prepare a few answers in advance.

Then, prepare a list of questions you’ll want to ask during the interview. One of the big ones is salary, but it’s best to hold off on that until you’re contacted for a second interview. (You’ll learn more about asking about salary in the How to Ace the Cybersecurity Job Interview blog post.)

Dress for Success

Have at least three interview outfits ready, if possible. You’ll likely want to wear a different outfit for successive interviews with the same organization, and make sure everything is clean and pressed.

Also, you can’t be late for an interview, so visit the location beforehand so you know how to get there, where to park, and so on.

The Day of the Interview

Work out, do yoga, meditate – do something that’s healthful and relieves stress. Bring extra copies of your resume and business cards (if you have them), and arrive early.

“How To” Cyber Blog Series: Part II

How to Find Cybersecurity Job Openings
Anyone can post a resume on popular job boards like Indeed and SimplyHired and conduct targeted searches. But there are more effective ways to find cybersecurity job openings, particularly for advanced positions. This post dives into finding cybersecurity job openings through social media and your professional network.

Make LinkedIn Work for You
LinkedIn has become one of the best online resources for finding a job, especially those in cybersecurity. The LinkedIn Jobs database just keeps getting better, and the platform itself makes many useful connections for job-seekers.

Create a profile that attracts attention
Here are some tips for setting up a LinkedIn profile for maximum visibility:

  • Consider your profile – your summary, experience, skills, links, and so on – as your online resume. Fill it with relevant details, and get recommendations from managers, co-workers, and higher-ed faculty. Be sure to double-check for grammar, spelling, and punctuation errors.
  • Ensure your profile contains keywords appropriate to your background/experience and the type of job you want, such as cloud security, risk management, NIST RMF, and FedRAMP. If you have experience applying the NIST RMF steps, for example, include more specific keywords in your description, such as Security Authorization Package, SSP, POA&M, SAR, control selection, SP 800-37, NIST SP 800-59, and NIST SP 800-137.
  • Customize your profile URL. For example, instead of using the long, random URL that LinkedIn provides by default when you create an account, change it to include your name, like this: . Your profile will be easier for others to find, and it’ll look more professional on job applications.

Connect with recruiters
One way is to type “recruiter” in the Search box, and then select Recruiter in Jobs or Recruiter in People. From there, select filters to narrow your search and then connect with a few recruiters. Let them know a bit about you and what you’re looking for, so they understand your situation.

Even if you don’t purposely connect with recruiters or mention in your LinkedIn status that you’re looking for a job, recruiters and hiring managers may contact you anyway. A well-developed LinkedIn profile works for you, drawing in employers and recruiters who are seeking candidates with your skills and background.

Join industry groups
Once your LinkedIn profile is shipshape, join some industry groups. Most security-related associations, such as ISACA and (ISC)2, have a presence on LinkedIn, as do organizations like ISCN (Information Security Careers Network) and the VIB (Veterans in Business) Network. Just search for the acronym or name, and then click the Ask To Join button. (Or just type “security” in the Search box to see which groups pop up.) After joining a few, watch group posts for job notifications. If you feel it’s appropriate, let people in the group know you’re looking for a job (see the “Tips for Cyber Job Seekers” section later in this post first).

Search for jobs
Then use LinkedIn Jobs to start the real job search activity rolling. Go to the Jobs tab, search for a job role you’re interested in (such as “security analyst”), and add your preferred location. One of the best features of LinkedIn for job searches is that your connections will appear alongside associated job descriptions. For example, if you connected with Mary, a former cyber classmate who now works for XYZ organization, she will appear in a job description for XYZ. You can then reach out to her for information about the hiring process at XYZ or ask for a referral. Be sure to also set up a search alert to notify you via email, text, or desktop notification when new jobs are added.

Finally, browse your LinkedIn homepage and the Notifications tab regularly. Recruiters and hiring managers often blast notifications for open positions, especially those at a higher level or that are difficult to fill.

Lean on Your Professional Network
Building your cyber professional network is one of the best ways to find a top cyber job. Several alumni of Mission Critical Institute-sponsored cyber graduate programs have shared that they found a job through co-workers, fellow students, or instructors, and each source provided either an introduction or a referral on the candidate’s behalf. Those “insider” opportunities are highly effective in getting the job you want with a desired organization.

Other ways to meet like-minded security folks who may, eventually, be great job resources are attending association meetings (such as ISACA chapter meetings), using MeetUp, and even Twitter. As you meet people and perhaps exchange business cards, always follow up by sending a connection invite on LinkedIn to further build your online network, which is what the platform is all about.

Tips for Cyber Job Seekers
Don’t just tell your associates that you’re looking for a job and ask if they can help. That’s too vague, and it puts the burden on them to essentially look for a job for you. Tell your associates specifically and concisely about the type of job you want (“I’m looking for a cloud risk manager position, preferably in the public sector or for a defense contractor”), and provide a link to your public LinkedIn profile. Then ask them to notify you if they learn of a job that fits or if they know someone they could introduce you to.

Sign up for at least one online cybersecurity job fair to get the experience. The contacts you make can lead to personal interactions with potential employers, and possibly some interviews.

“How To” Cyber Blog Series: Part I

How to Choose a Cyber Career Path
With thousands of positions available daily and no slowdown in sight, a cyber career is a great choice. But knowing which specific path to take requires some introspection, as well as an understanding of the big picture of the security landscape.

Many Types of Job Roles to Choose From
Most cybersecurity jobs fall into an analysis, technical, or management category, but there’s a great deal of overlap among the categories and even the job roles themselves.

Popular analysis-related job roles include the following:

    Cybersecurity analyst: Essentially the same as “information security analyst,” this role covers a wide breadth of tasks. An analyst typically detects security threats and exploits against an organization, implements controls, and responds to incidents. Depending on the size of the organization, the analyst may also be responsible for security monitoring and for aspects of risk management and control auditing, among other things.
    Cloud security risk management specialist: Focuses on assessing and managing risk within a cloud environment. Is often required to apply the six-step NIST RMF and FedRAMP standards.

Upper-level management roles include:

    Chief information security officer (CISO): Develops the foundation for the IS program and sets policy, and is typically responsible for ongoing compliance with regulations and standards.
    Information systems security manager (ISSM): Researches, develops, and reviews information security (IS) requirements, determining which security controls to implement. The ISSM works with the CISO to maintain the security posture of an organization.

Technical roles include:

    Information systems security engineer (ISSE): Safeguards an organization’s computer networks, systems, and data by designing, implementing, and monitoring security measures.
    Penetration tester: Also referred to as an ethical hacker, performs pre-planned and sometimes invasive tests on computer systems, networks, and web-based and mobile applications to assess vulnerabilities and exploits.
    Incident responder: Monitors operations and security events, analyzes and verifies security threats, and responds to attacks.
    Security architect: Designs, builds, and oversees network and computer security implementations. The security architect is a senior position that works with the ISSM, or in place of the ISSM in many organizations.

So which type of cybersecurity job role interests you the most? Choosing one doesn’t prevent you from moving laterally or up the ladder in the future — for example, you can progress from an analyst role to a more technical position, or jump to management — but knowing where your interests lie today will help you properly assess your job readiness, evaluate needed training or education, and narrow your job search.

More Considerations for Your Ideal Career
When choosing a cyber career path, are you interested in the public or private sector? Some people have a great desire to be a public servant, whereas others are attracted to the perceived faster pace and agility of a corporate or consultant position. The situation you choose should best match your values and desires.

Do you already have IT or security experience, and certifications? Even if you haven’t worked in cybersecurity, you probably have skills you can bring to a security career. IT networking and programming skills, for example, lend themselves well to security positions. If you have relevant experience, think about which aspects of your experience appeal to you most and move in that direction.

What is your target salary or salary range? Security salaries and benefits packages vary quite a bit, and they climb appreciably for senior-level positions. The interactive Cybersecurity Career Pathway tool on the Cyber Seek website is handy for checking current average salaries for common security job roles.

Finally, spend some time identifying your short-term cyber career goals (say, six months to three years) and longer-term goals (three to eight years). What do you need to do to meet those goals, or just to get started?

Let Mission Critical Institute Help Guide You
Fast-tracking to advanced cyber positions often requires a graduate education and one or more certifications. By signing up for a Mission Critical Institute-sponsored cyber graduate program, you can become job-ready with a graduate education in under a year, and earn a certification and credits toward an MBA or MSIS along the way.

To learn more, complete the Mission Critical Institute cybersecurity career planning survey.

How to Get a Top Cyber Job in 6 Steps

Have you set your sights on getting a top cyber job? Are you ready to take the necessary steps to get the offer you want, or, even better, multiple offers? You’ll find out what it takes to get an upper-level cyber job with a sought-after employer in this series of blog posts.

The demand for qualified, job-ready cyber professionals is accelerating. With over 1 million unfilled cyber positions worldwide, employers are scrambling to find exceptional candidates. You only need one of those positions. What does it take?

To land a top cyber job requires six main steps:

1. Get the attention of top cyber employers.
2. Find job openings.
3. Get the interview.
4. Prep for the interview.
5. Ace the interview.
6. Negotiate the best offer.

The Mission Critical Institute team of career architects, practitioner faculty and behind-the-scenes facilitators has helped thousands of people move into or move up in the cybersecurity field. Our goal, through comprehensive graduate education, certifications and networking, is to help you be successful and get the cyber job you desire. The following graphic provides a snapshot of Mission Critical Institute’s accomplishments in this area.

Throughout the “How to get a top cyber job” series of posts, we’ll draw upon examples of students we have helped to show that our methods work. Let’s start with Step #1: how to get the attention of top employers.

Step #1: How to get the attention of top cyber employers

Hiring managers at top employers – Booz Allen Hamilton (BAH), Wells Fargo, Harris Corp, Cisco, the federal government – sift through thousands of resumes every year, looking for the best cyber job candidates. How do you make sure your resume is on the top of the stack? Branding.

“Your brand is what other people say about you when you’re not in the room.” Jeff Bezos, founder of Amazon, gets credit for that saying, and it absolutely applies to cyber job seekers. In a competitive job market, you have to market your background and skills to get the attention of employers. That means you need a brand that appeals to the employer you want to attract.

First, you build your brand by gaining education, skills, credentials and so on, and then you communicate your brand by providing evidence that you have these things.

Here are the items employers look for in a cyber candidate, which form the foundation of a cyber brand:

Experience: Employers prefer candidates with direct, hands-on cyber experience who are job-ready. In other words, employers really want workers they don’t have to train. For example, an employer seeking to fill a cloud security analyst position looks for someone with FedRAMP experience who knows the NIST Risk Management Framework (RMF) top to bottom. For advanced management and analyst positions, an employer may look for someone with business case development skills who can justify cybersecurity program investments in the enterprise.

Background and education: Cyber employers want candidates who know how to apply knowledge and competencies to solve problems, and a graduate education does just that. The best cyber graduate programs are taught by leading cyber practitioners who work at top cyber employers. Plus, employers can bill employees with a graduate certificate, MBA or MSIS at a higher rate, which helps both of you earn more money. You also may need to pass a thorough background check and meet the requirements for a security clearance.

Credentials: This includes earning one or more industry certifications, such as the CISSP, CAP and CEH. Even better, couple an industry certification with a performance-based cloud security certification, such as the newly released Certified Cybersecurity Cloud Risk Management Professional (CCRMP) Certification. Cyber employers increasingly seek performance-based certifications that validate a candidate’s skills and capabilities, rather than having to rely only on exam-based cybersecurity certifications.

Writing skills: Cyber employers need staff with strong writing skills, whether creating internal memos or generating large, complex reports.

Recommendations: Use a business social media platform like LinkedIn to form a network of cyber-focused contacts that includes faculty, fellow students and employers.

Once you complete the nuts and bolts of brand building, the next step is effectively communicating your brand to potential employers. To begin, review and revise your resume and LinkedIn profile to add keywords that zero in on your experience and qualifications, such as “NIST RMF” and “cloud security.” Also have writing samples available that showcase your work, such as projects completed as part of your degree program. A good way to do this is to display a link to an e-portfolio of NIST RMF or ethical hacking projects. And include your accomplishments, as well as faculty recommendations that testify to your experience, in your LinkedIn profile. Think about the impact on employers when they see you have recommendations from leading cyber practitioners who work at BAH, the US Army, Harris Corp and Cisco.

Another part of your brand lies in social media. If your resume makes the short list, hiring managers will want to know a lot more about your character, integrity and reliability. They’ll check LinkedIn for testimonials from instructors, co-workers and managers, and they’ll browse your Facebook and Twitter posts. Will they find photos and posts that could potentially conflict with the company’s mission statement and values, or affect your ability to obtain a security clearance? Keep in mind that HR is not an employee advocate; it exists to protect companies from lawsuits. HR must be thorough in evaluating potential employees, and that includes a candidate’s social media presence.

Mission Critical Institute can help you build your brand and teach you how to communicate it effectively. You can gain the knowledge and hands-on skills needed by cyber employers by completing a Mission Critical Institute-sponsored cloud security risk management master’s program, earning the CCRMP, and getting your CISSP, CAP or CEH.

Mission Critical Institute career architects know what it takes to get the attention of top cyber employers and are ready to talk strategy with you.

How do I pick the best cybersecurity graduate program for me?: Part 2

So how do you choose the cybersecurity graduate program that’s right for you?

The best cybersecurity career program is the one that most rapidly and cost-effectively executes your cybersecurity career plan to achieve your objectives. You also want a program with enrollment advisors who are highly knowledgeable in cybersecurity career path options and can advise you appropriately.

Mission Critical Institute continually researches cybersecurity career trends to determine how you can rapidly move up or into high-demand cybersecurity career paths. We identify hot niches in cybersecurity that can rapidly propel your career.

For example, one of the hottest cyber career trends today is in cloud security. Intel Security predicts that 80% of IT budgets will be devoted to cloud services by 2018, but employers are struggling to find qualified candidates to fill positions. A key element in cloud security is risk management. The federal government, the financial services sector, cloud service providers, the health care sector and IoT all must contend with managing cloud security risks.

If you decide to pursue cloud security risk management opportunities, you may find Mission Critical Institute guidelines for the ideal cybersecurity graduate program useful. These guidelines recommend programs that possess these seven features:

1. Combines coursework, relevant, job-ready projects and internships so students graduate with real-world experience that follows them into the workplace
2. Embeds preparation for the most desirable cybersecurity certifications – such as the CISSP, CEH and CAP – into the program
3. Is taught by leading cyber practitioners who expand your professional network and know what employers are looking for
4. Offers stackable credentials, where completion of core courses results in graduate certificates that make you cyber career-ready and that you can apply toward a cyber MBA or master of science in information systems (MSIS)
5. Enables students to complete the program 100% online, accessible 24/7, with ample access to faculty
6. Provides cyber-focused career support for your resume and LinkedIn profile, with accomplishments and employer references
7. Offers a tuition reimbursement program with cash awards based on academic performance

Mission Critical Institute identifies high-quality universities as its cybersecurity partners and recommends qualified students to these partners. In the cloud security sector, Mission Critical Institute has partnered with Baker College to offer Cloud Security Risk Management MSIS and MBA programs — the only online programs of their kind in the U.S.

The Baker cloud security graduate programs offer all seven features of the ideal cybersecurity graduate program set forth above. The Baker programs’ flexibility lets students earn a degree from anywhere in the world while working full-time. Plus, the curriculum is based on National Institute of Standards and Technology (NIST) and FedRAMP recommended industry standards and best practices for managing cloud security risks, which are used in 50% of U.S. organizations.

To take the next step in your cybersecurity career planning and learn whether the Cloud Security Risk Management career path will meet your career objectives, get in touch with a Mission Critical Institute Cybersecurity Career Architect. You can schedule a consultation by clicking here.

How do I pick the best cybersecurity graduate program for me?: Part 1

Advancing your career, or switching from one career to another, is a smart reason to pursue a higher education certificate or degree. Achieving a cybersecurity graduate certificate or degree lets you move directly into cyber management positions upon graduation, jump-starting a career with higher pay and greater career advancement opportunities.

The last five years have seen a marked increase in the number of cybersecurity graduate programs offered at educational institutions across the U.S. However, a CloudPassage study of university cybersecurity programs reports that employers are frustrated that graduates are not cyber job-ready. These grads lack the skills, project experience and certifications that would make them valuable in the workplace.

To begin the process toward pursuing a cybersecurity career, you must first determine the following:

• Your cybersecurity career objectives
• The education, background and experience combination that employers want you to have
• How your background stacks up

Once you have identified these factors, move on to these tasks:

• Determine the credentials you need to achieve your objectives
• Identify the best education plan for achieving your career objectives

At this point you’ll be ready to research graduate programs that prepare you to be job-ready. Part 2 of this blog post will cover seven characteristics of the ideal cybersecurity graduate program.

Cybersecurity job trends: An interview with Eric Handy

As the CEO and general manager of Handy Information Assurance Solutions, LLC, it’s fair to say that Eric Handy is immersed in the art and science of cybersecurity. He began his path toward cybersecurity by earning an undergraduate and two graduate degrees, and achieved a string of IT certifications, namely the CISM, CISSP, CIPP/G and PMP. Eric is also part of the Mission Critical Institute faculty team that teaches the Cybersecurity Graduate Program at Concordia University, St. Paul.

As a cybersecurity expert who has worked within information technology and healthcare, as well as with government agencies and Big 5 consulting firms, Eric knows the job market and how cybersecurity fits into each sector. We interviewed him to get his take on trends in cybersecurity jobs, the skills that employers are looking for and tips for becoming job-ready.

What do you see as the top significant areas of cybersecurity job growth in your industry?
Enterprise risk management, cloud security, privacy, and security program management

What are the top three hiring criteria your organization uses for cybersecurity positions? For example, what special skills do you look for? Are certifications important to the hiring process?
Our top three hiring criteria are:
1. Information security job experience
2. Formal information security education at the university level
3. Security certification (preferably the CISSP)

Information security job experience is also critical to gaining a client’s confidence that a resource can perform the job as required. According to (ISC)2, there are at least eight domains of security, so job experience gives you an idea of where best to position the resource in order to be successful.

Formal information security education at a university is also important. It provides insight as to whether the candidate has the necessary background to be successful in the field. In many cases, a degree also helps an employer determine which skills outside of information security that the resource could transfer to the position of need. For example, a person with an undergraduate degree in English and cybersecurity education or experience could serve as an ISSO System Security Plan (SSP) documentation writer.

A security certification is key because employers expect that it verifies specific skills and indicates a person can perform the duties assigned. In that respect, certification serves as assurance that due diligence was followed in the hiring process. In some instances, an organization can receive higher ratings for certified versus non-certified personnel.

How can a graduate degree in cybersecurity advance a person’s career in your organization?
A graduate degree shows that a person is willing to continue to learn and improve his or her skillset. It also indicates willingness to put forth the extra effort required to be successful. Because cybersecurity has rapidly changing risk and technical environments, employers need candidates who can rapidly acquire new knowledge and apply it immediately on the job. As a result, when combined with other transferable skills, a cybersecurity degree can help an individual acquire a job even though he or she may have limited hands-on information security experience.

Most importantly, a cybersecurity degree often allows a job candidate to get a face-to-face interview. Once at the interview, the degree can be part of the candidate’s sales pitch as to why he or she is a great fit for the position.

How does Mission Critical Institute’s Cybersecurity Graduate Program offered at Concordia University St. Paul compare to other programs of its kind?
The Mission Critical Institute Cybersecurity Graduate program is one of a kind. The curriculum is cutting edge. It focuses on NIST Special Publication 800-53 Rev. 4, and the cyber lab provides a simulated real-world experience for students. The program is taught by experienced practitioners who actually work in the field and understand today’s challenges regarding implementation of the NIST RMF in various environments.

As of this writing, there is no other curriculum in the world that addresses the NIST Risk Management Framework (RMF) to the level of detail that students experience at Concordia. For example, students learn how to create each of the NIST RMF documents. Most of the time they get this type of experience only through on-the-job training. As a result, students are job-ready once they complete the graduate program.

What is the best way for a person to move into the field of cybersecurity?
In my opinion, a person needs to acquire the following:
• Formal cybersecurity training at the university level
• Cybersecurity certifications, such as the CISSP, CISM, CAP and CEH
• Relevant cybersecurity training or job experience

Ready to plan your cyber career? Complete the Mission Critical Institute cybersecurity career planning tool.

Why a Cybersecurity Education is Worth Pursuing: Advancing Cybersecurity Skills and Thought Leadership

You’ve likely heard about the cybersecurity talent crisis – the huge expected shortfall in security workers (1.5 million globally) through 2019/2020, even though salaries and job satisfaction are increasing.

One reason for the shortfall is the speed with which organizations have made security a high priority, mainly in response to the escalating number of cyberattacks and the proliferation of malware (including ransomware). This uptick in importance came with more money budgeted for additional security equipment, software and services, as well as personnel to install, manage and maintain the systems. As a result, security trainers, educators and recruiters have felt the squeeze, and simply haven’t been able to keep up with employer demand for skilled workers.

What kinds of jobs need to be filled?

Employers are looking to fill all types of cybersecurity positions, especially those associated with cloud, networking, mobile, application development and the Internet of Things (IoT). Among those areas, risk management and the National Institute of Standards and Technology Risk Management Framework (NIST RMF) figure prominently, extending to jobs across industries such as financial services, healthcare, high tech, insurance, government, national defense and more. (ISC)2, ISACA and several other security-focused organizations highlight risk management as a significant tool for controlling threats to business assets and preventing breaches.

One of the most common security job roles that pops up on sites like, and LinkedIn Jobs is the “security analyst.” During a recent search, a total of 7,890 security analyst jobs in the U.S. appeared across all three sites. Employers also look for risk management analysts, risk managers, security engineers, auditors, network and systems administrators, project managers, penetration testers, vulnerability assessors, security software developers and the upper-echelon security architects and chief information security officers (CISOs).

What can be done to meet the risk management or cybersecurity staff shortage?

For several years, a combination of security certifications and general IT experience served as a conduit into most entry- and intermediate-level IT security jobs. Today, employers look for workers who can join an organization and provide value from day one, with minimal training. That often means having a bachelor’s and/or master’s degree, certain certifications, and relevant, focused experience.

Although experience trumps all other qualifications, of the 7,890 security analyst job descriptions mentioned previously, about 60% stated a college degree (predominantly a bachelor’s or master’s) as preferred or required. A degree can help a person develop hard and soft skills, both of which are highly important to employers. Being able to list a degree on a resume or application also makes one candidate stand out among others during the screening phase.

A graduate degree qualifies you for more advanced positions and can boost your salary, often by thousands of dollars annually. For example, the U.S. median income of a risk management analyst with a bachelor’s degree and up to 3 years of experience is $73,442 (as of December 28, 2016), according to Compare that to a risk manager, where the median income is $105,596 with a bachelor’s degree and seven years of experience. However, many employers require a master’s degree for risk managers, which increases the earning potential further and, in some cases, reduces the number of years of required work experience.

Some graduate degree programs are more job-centric than others, providing a curriculum that emphasizes application of knowledge, intensive hands-on labs, internships and mentoring, all of which contribute to gaining the technical chops needed to be successful from the start in risk management and cybersecurity.

If the projected number holds, there will be 1.5 million opportunities for job seekers who want to move into cybersecurity or move up within a security career. Why not make 2017 the year you get started?

Cyber Security Career Readiness Survey