Skip Navigation
BlackBerry Blog

What Kind of Cybersecurity Professional Are You?

FEATURE / 09.12.18 / Pete Herzog

So, you want a cybersecurity job. But where do you fit in? What role in cybersecurity is right for you? Well, you’re in luck! I’ve got just the way for you to find out.

The word on the street is that there will be millions of unfilled cybersecurity jobs in the near future. Millions. Which, to me, actually seems kind of a low estimate. But I digress.

Cybersecurity is a huge field that encompasses everything from offense to defense and highly technical to highly annoying. But your subconscious knows what kind of cybersecurity professional you really are, so use this simple test to show you:

1. What’s your best quality?

A. My strongly worded policies.
B. My robust yet complicated passwords.
C. My receding attack surface.
D. My advanced, persistent threat analysis.

2. A truck over turns on the highway, and although nobody is injured, hundreds of rare, show-quality raccoons are freed from their cages. What do you do?

A. Start chasing down raccoons and caging them before they can get hurt.
B. Start chasing raccoons off the road and away so nobody else gets hurt.
C. Go on Twitter and blame Russia.
D. Lock the doors and call the police.

3. You’re getting ready to attend a conference. What will you not leave the office without?

A. An extra phone charger.
B. My personal, encrypted USB key with all my “important” stuff.
C. WiFi cracking software.
D. My VPN.

4. If you had no priorities, how often would you patch your systems?

A. As required in the compliance policy.
B. Monthly so I can test each patch as I install it.
C. As soon as the patch is released.
D. Probably never unless there’s some feature or update I want.

5. In a perfect world where there are no criminals, which security product would you still use?

B. Smart firewall with built-in deep-packet threat detection.
C. Anti-malware software on my endpoints.
D. Adblocker on my browser.

6. Which of these social media channels do you spend the most time on?

A. LinkedIn.
B. Facebook.
C. IRC or Signal groups.
D. Twitter.

7. You’re surfing the Internet and your browser tells you a site is blocked for your protection. What do you do?

A. Check out something else instead.
B. Check the Google cached version of the site.
C. Override and go anyways.
D. Override and go anyway, but now just to see if you can find the reason it was blocked.

8. The best kind of security for you is…?

A. A strong policy with regular, consistent, employee security training.
B. Seamless and invisible.
C. Highly configurable with the ability to override.
D. Smart, always learning and adapting.

9. How do you prefer to work?

A. On the road. Love me some business class flights and fancy hotels!
B. Alone, quietly, in an office or at least a cubicle.
C. Remotely, sometimes from home and sometimes in my underwear.
D. In an open office or as part of a team.

10. When it comes to hardening systems, which do you do first?

A. Run a vulnerability scanner.
B. Install antivirus and a firewall.
C. Remove and disable services.
D. Configure all the events for the logs to capture and export.

11. You receive notice of a new kind of malware threat making the rounds. What do you do next?

A. Send out an alert to everyone you know to inform them about this threat and then post it on social media.
B. Manually force an update to everyone’s antivirus.
C. Manually force an automatic breach test with that particular threat to see if you’re protected.
D. Fire up TOR and try to get a copy of it.

12. Employees are…

A. Power users in the making.
B. Assets to be protected.
C. The weakest link in your company’s security.
D. A potential liability for the company.

Now let’s see how you did! Go back and give yourself points according to the following values:

A = 1
B = 3
C = 5
D = 10

As you do this, don’t be fooled by the scoring system - bigger numbers aren’t better. In this case it’s a means of differentiating roles. So don’t try to score high, just be honest with yourself.

If you scored:

12 – 32: InfoSec and Risk Management
You’re best suited to working in information security, especially in an overlap with business. You may want a role in security administration or risk management. Other jobs similar to this are CISO, security manager, VP security-anything, anything security strategy, vulnerability management, security marketing, cyber insurance, cybersecurity law enforcement, or some form of security awareness and training.

33 – 60: Defensive Security
You’re best suited for a role in defensive security including human security. Seems like you may like to flex your technical skills in networking, systems, or development with a focus on cybersecurity. But there are some of you who prefer to do that same thing, but with strong people skills like helping people adapt to processes and procedures to be more secure. Other similar jobs here are firewall or IDS admin, vulnerability remediation, blue teaming, cryptography, change control, fraud prevention, security usability, and system hardening.

61 – 75: Offensive Security
You’re best suited for a job in offensive security. You will do well in penetration testing, ethical hacking, breach simulation, bug bounty hunting, vulnerability testing, and red teaming. Other places where you may fit are product security and safety testing, a soldier in cyberwarfare, industrial espionage, social engineering, security advocacy, and security sales.

76 – 120: Security Analysis and Incident Response
You’re in a strange place where you value defensive security, respect offensive security, and have no trust in much of anything. You will do well in security analysis, incident response, and forensics. Other areas where you may fit are malware analysis, security product development, competitive intelligence, and SOC analysis.


What’s very normal is to land in the middle of two roles, such as scoring a 61 and knowing you like working in Defense with just a little bit of Offensive. Or, to score a 35 and still think of yourself as risk management despite the fact that you also like to help change processes to secure people.

Lucky for you though, there’s a huge overlap of roles in most security jobs, so you’ll definitely find something to make you happy even if this quiz makes it seem like you’re squarely in the middle of some role.

So, use this as a starting point and go make security happen somewhere!

Pete Herzog

About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.