How to build career expertise in cybersecurity and data protection

In recent years, international development has been rocked by high-profile cyberattacks on organizations such as the United States Agency for International Development and the International Committee of the Red Cross. As more organizations turn to technology to improve their operations, more vulnerabilities to cyberthreats are being exposed. This is because historically, digital infrastructure has been a lower priority for many NGOs, which has led to underinvestment and smaller technology teams to deal with these issues, James Eaton-Lee, NetHope’s chief information security officer told Devex. “Most NGOs are driving around in antiquated vehicles with fewer safety features and old systems that no longer benefit from modern security safeguards,” Eaton-Lee said. According to a survey by the Institute for Critical Infrastructure Technology, or ICIT, over 50% of nongovernmental organizations report being targeted by cyberattacks. Moreover, conflicts and political instability have created a need for cybersecurity to protect critical infrastructure, intellectual property, and personal data for global security and stability. For instance, in 2020, USAID launched a $38 million initiative to help Ukraine strengthen its cybersecurity-enabling environment, with up to $60 million of additional funding earlier this year. As the world becomes increasingly digitized, international development is recognizing the need for greater defense capabilities. However, the continued scarcity of skilled cybersecurity professionals is a significant challenge. “Cybersecurity is a critical priority, but there’s a shortage of cybersecurity professionals — and not just in global development,” said Maurice Kent, deputy lead of the cybersecurity team at USAID. According to a 2021 study, the global cybersecurity workforce needs to grow 65 percent to adequately protect critical assets. Nonetheless, the sector is seeing a surge in cybersecurity career opportunities, offering professionals an avenue to combine their interest in technology with a desire to create positive change. We spoke with information security and development experts about the role of cybersecurity professionals in securing a digital future and the necessary skill sets to do so. Technical and transferable skills Most NGOs use the same technology platforms as the private sector. Vendors such as Microsoft, Cisco, IBM, and Palo Alto are in widespread use. “This means that if you are certified in a security platform for a bank, you can probably apply those skills in an NGO,” Eaton-Lee said. However, in terms of more technical positions, Kent explained that “there are no unique or development-specific requirements.” While “the cybersecurity industry has an image of a Hollywood screen text and black background,” said Eaton-Lee, it is a broad field and the necessary skills will likely depend on the role. As cybersecurity professionals look to enter the global development sector, they must recognize that the skills they possess are transferable, but their application can vary significantly. As a result, there's just as much need for soft skills as there is for highly technical skills. “[We need] people who can re-contextualize problems well with a variety of audiences in different languages and backgrounds, or who can understand how a population might be affected in the event,” he explained, with USAID’s initiative in Ukraine as one example. As is the case for cybersecurity professionals in every field, communications skills are essential to convey security risks to nontechnical colleagues and articulate cybersecurity requirements to external stakeholders. You have to be able to bridge the divide between the technology teams and the program teams. Thus, “being able to build trust through effective communication and collaboration is often the highest priority, as so many of USAID’s partners are working with sensitive data and populations — unfamiliar, Western cybersecurity experts coming in to talk about security and data protection, potentially asking to look at protocols and systems, can create a lot of suspicion and opportunities to cause unintended harm,” Kent said. Understanding how to adjust traditional cyberpractices and expectations to realities on the ground is equally important, said Kent, and is “key to ensuring that partner organizations feel invested in their security journeys and understand and embrace change,” he said. Professional background, experience, and how to transition The good news is that cybersecurity professionals in global development come from various backgrounds. “We have people who are from government and who have done very technical cybersecurity things, but we also have people with backgrounds in anthropology and sociology,” Eaton-Lee explained. And because capacity building is a relatively young field of work in international development, "it’s not uncommon for people to come from other IT and risk or compliance spaces,” said Kent. With the reverse also being true, he said. “People who work in cybersecurity may come to development from other sectors." For individuals already working in cybersecurity and looking to transition into global development, all hands-on experience in the industry is valuable. Experience with intrusion detection, incident response, and vulnerability management can all be helpful on a résumé. It’s also worth keeping in mind that NGOs have smaller budgets and technology teams than private sector organizations. Eaton-Lee said that “the technology teams are an order of magnitude smaller than similar-sized organizations in the private sector.” Thus, “experience working with small or under-resourced organizations on cybersecurity issues is of great value,” Kent added. Eaton-Lee also points out that NGOs can differ significantly from the private sector in terms of their organizational structure and the external partners they work with. “They tend to be relatively non-hierarchical organizations that work with a lot of external partners … [and] in a huge variety of different country contexts.” As such, to enter this field one should learn about the organizations they want to work for and understand the contexts in which these organizations operate. If on the other hand, you are a development practitioner interested in working in cybersecurity, “think about why effective cybersecurity practice and cyber hygiene are relevant to your current work. Why might an adversary be interested in the data you collect or create or in your business processes and operations? [And] what are the potential vulnerabilities that might be exploited?” Kent suggested. Where to begin? For those that are new to the field and looking to get started, one option is to take advantage of the many free and online courses in cybersecurity available through universities, Coursera, or LinkedIn Learning. However, earning a degree in a related field such as computer science, cybersecurity, or information technology can also provide a solid foundation for a career in cybersecurity. Specialized certifications can also be an excellent way to stand out in this field. Certifications such as Certified Information Systems Security Professional, or CISSP; CompTIA Security+; CompTIA Cybersecurity Analyst, or CySA+; and Certified Ethical Hacker, or CEH, are all highly valued in the sector. Additionally, seeking out specialized training programs, such as those offered by organizations like SANS Institute or CompTIA, can be helpful for acquiring specialized skills. For anyone interested in working at USAID, Kent invited individuals to learn more about USAID’s cybersecurity work and to check out their Cybersecurity Primer, “which is a valuable resource to understand the impact of cybersecurity on development programming, including a review of cyber threat trends by sector and how to integrate cybersecurity throughout the program cycle,” he said. Once you have the certifications, it’s essential to then develop an understanding of how cybersecurity concepts and techniques apply to real-world situations. “In our sector, it’s important that individuals are not only technically grounded in the software and systems, but also understand the policy and regulatory environment in which they’re operating,” Kent explained. This includes an understanding of global politics, culture, and development work — which is unique to this field. Ready to stand out from the crowd and get noticed by the recruiters who matter most? Update your Devex profile and start connecting with top global development recruiters now.