How Much Coding is Involved in Cyber Security?

I frequently see this debate on social media, especially in the “100-day cybersecurity challenges”. There’s always a battle in security, between operational and strategic, non-techs and techs, hacking vs risk, and so on. It’s a topic that is full of controversy, with one side proclaiming it isn’t necessary at all and the other claiming that you won’t achieve anything without it.

So the question of the day is: how much coding should you expect to do as a Cyber Security professional? In this post, we’ll go through the particulars of the field and try to shed light on this matter, as well as help newcomers determine which role is best for them based on how much they intend to code. Security is big, and there is room for all types of people, backgrounds and aspirations.


It’s a difficult question to answer because there are so many different job titles within the field. It all depends on the role you’re looking for, but let me put it another way: Information Security and Cyber Security, if you make the distinction, are both still very broad disciplines. There were reportedly 52 distinct roles (including senior leadership and executives) in a market research report when I last checked (here is an example). As you advance through the ranks, you’ll likely get further away from your tools, requiring less and less affinity with coding.

You might break it down a little further by partitioning the field into two categories: technical and non-technical. People in non-technical roles such as Antifraud or GRC (Governance, Risk, and Compliance) don’t necessarily need to understand how to code and probably will never use it in their jobs, but if they do, it’s great because they can automate their tasks or build tools that may help them deliver more effectively.

And there are technical jobs, but technical does not always equal coding.

For engineering jobs and other technical hands-on positions, a basic understanding of coding is necessary. To run their daily operations, Security Engineers usually need some familiarity with programming languages like Python or shell scripting. On the infrastructure side, you will also see automation tooling (which arguably is not ‘programming’ in the strict sense) like Ansible, Terraform, CloudFormation (AWS), policy as code, and containers and their manifests (Dockerfiles, Helm, Kubernetes config files), etc. You do not necessarily need to know programming, but programming logic will help you navigate this area, greatly improving your flexibility and productivity.

On the development side, however, the bar for programming expertise is considerably higher. The security engineer in an app sec team may not be the one who creates the code, but he or she will test it or review it for that purpose, and he or she will need to understand the programming language intimately, as well as secure coding practices.

In addition, there are some very unique occupations in the field, such as pentesting, malware analysis, bug hunting, and research. Because it is at the heart of daily work, solid programming knowledge is essential for these tasks.

The moral of the story is that, although programming might not be required, having a programming mindset will always be beneficial for your career in Cyber Security, and the same goes for playing with tools and scripts.

The industry and the field are moving towards more automation, IaC (Infrastructure as Code), Security as Code, and so on. So regardless of what role you choose in this domain, if you want to get ahead it would be good to start learning some programming. It will pay dividends eventually even if you do not plan to use it daily; at the very least, it might teach you to think logically and break down bigger tasks into smaller, manageable ones.

If you already have coding skills, then identify what else you can automate in your tasks or day-to-day work to make your life easier. This was a very high-level overview, but I hope it gives you some insights.