Working life
An introduction to this specialism
Cryptography and Communications Security roles vary, but all are technical, requiring a high level of mathematical ability. Even for roles which do not include these kinds of skill, there needs to be a good understanding of the fundamentals of cryptography, communications standards and technologies, and other elements of information technology.
There are two strands in this specialism, but a role may combine elements of both – there are few roles as a pure cryptographer.
Cryptography involves developing, testing, and improving cryptographic elements: algorithms, key handling procedures and security protocols. The more common responsibilities in cryptography involve building, maintaining and testing existing security protocols, sometimes in hardware, but more often in software.
Communications Security focuses on implementing and maintaining crypto services as part of a larger systems. If the systems are public facing, particularly through websites, this may involve the management of digital certificates. This may also focus on managing the distribution and retirement of keys, as a crypto custodian. This activity normally proceeds at a steady pace, although in some organisations, this may be a ‘shift’ rota.
With more experience in Cryptography and Communications Security, there may be an exploration of how cryptographic techniques and related cyber security controls could be used to secure the organisation’s products and services across a wide range of application areas. This requires a broad view of the organisation’s business.
Given the significant role in cryptography in most network communications, almost any work in this specialism will need to align with industry or government standards.
Responsibilities
What will your responsibilities include? What are your tasks likely to include?
Cryptography and Communications involves protecting information, either communicated internally or exchanged with individuals or other organisations, against accidental exposure and malicious attacks.
As a Cryptographer, you may:
- design security protocols, including key management rules
- assess the threats posed by changes in technology
- investigate how emerging technologies can be used to increase both agility and security
- produce analyses, reports and presentations
With more experience in Cryptography, you may:
- supervise the manufacture and management of cryptographic keys
- develop new cryptographic primitives, such as algorithms (this is a very rare requirement)
In Communications Security, you may:
- advise systems developers or implementers on suitable communications security components
- build or support the integration of communications security elements in new systems
- support public key infrastructure (PKI) systems, including by managing digital certificates
- create and maintain meticulous records of PKI certificate details, especially when they expire
- operate and maintain secure communications systems
- ensure that the processing of individual messages adheres to the handling requirements of classification levels (particularly in government and military roles)
- manage alternative communication channels for special classes of messages
With more experience in Communications Security, you may:
- assure the effectiveness of communications security systems, including through regular and rigorous audits
- oversee the strategic alignment and delivery of cluster-specific Cryptographic materials
- manage a cryptographic programme, including the proper control of commercial or Governmental key material
- support, supervise and manage more junior colleagues
Job Titles
For Cryptography and Communications roles, titles include:
- Cryptography Analyst
- Cryptography Systems Consultant
- Cryptosecurity Engineer
- Information Security Specialist
- Network & Security Prototyping Architect
- Platform Solution Engineer
- Research Engineer
- Quantum Researcher
- Secure Communications Engineer
- Security Engineer
- Security Consultant
- Space/C4ISTAR Systems Engineer
For more experienced Cryptography and Communications roles, titles include:
- Senior Security Engineer
- Senior Security Research Engineer
- Senior Principal Cryptosecurity Engineer
- Senior Cryptography Security Analyst
- Senior IT Assessor/Trainer in Cyber Security & Networking
- Head of Communications Security & Assurance
Salaries
A Communications Security role might earn between £35,500 and £51,115 a year. The median figure in March 2021 was £43,500.
A Cryptography role might earn between £47,500 and £86,250 a year. The median figure in March 2021 was £62,500.
There is insufficient data to provide either a valid salary range or a median figure for more experienced professionals in Cryptography and Communications.
The salary ranges are based on job vacancy advertisem*nts published online in March 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.
Knowledge
What core, related and wider knowledge is important for working in this specialism?
Each of the 16 specialisms are based on knowledge areas within CyBOK.
More information on CyBOK knowledge areas can be found here.
Here are the knowledge areas associated with Cyber Security Governance & Risk Management
Core knowledge – you will need a very good understanding of these areas
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements and specific cryptographic protocols used for network security.
Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multitenant data centres and distributed ledgers.
For a Cryptographer only:
Core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them.
Related knowledge – you will need a solid understanding of these areas
Physical Layer & Telecommunications Security
Security concerns and limitations of the physical layer including aspects of radio frequency encodings and transmission techniques, unintended radiation, and interference.
For a Secure Communications operator:
Core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them.
Wider knowledge – these areas will help to provide context for your work
Authentication, Authorisation & Accountability
All aspects of identity management and authentication technologies, and architectures and tools to support authorisation and accountability in both isolated and distributed systems.
Operating Systems & Virtualisation Security
Operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multiuser systems, secure virtualisation, and security in database systems.
International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
Techniques for protecting personal information, including communications, applications, and inferences from databases and data processing. It also includes other systems supporting online rights touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems.
Skills
What personal attributes might you need? What specialist skills are important?
Skills
Personal attributes
- logical thinking
- methodical approach to problem solving
- rigorous adherence to standards
- written and verbal communication skills with the ability to present complex technical information to a variety of audiences
- self-management
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
Specialist skills
- application of Identity and Access Management Protocols (e.g., OAuth2, SAML2, LDAP, OpenID, Kerberos)
- Communications Security (COMSEC) accounting, with experience of conducting COMSEC inspections
- application of COMSEC custodian controls
- installing, maintaining and troubleshooting communication devices and networks
- creating drivers and encryption and decryption programs for commercial and bespoke communications security devices
- incident handling to assist investigations
- application of security paradigms (secure boot, chain-of-trust, etc.) and assessment of related security threats, exploits and prevention
- application of cryptographic security protocols and techniques (encryption at rest, TLS, hashing, etc.)
- vulnerability management experience specifically for the analysis of cryptographic algorithms
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
C3 – Secure Development
Principles:
- implements and updates secure systems, products and components using an appropriate methodology
- defines and/or implements secure development standards and practices including, where relevant, formal methods
- selects and/or implements appropriate test strategies
- defines and/or implements appropriate secure change and fault management processes
- verifies that a developed component, product or system meets its security criteria (requirements and/or policy, standards and procedures)
- specifies and/or implements processes that maintain the required level of security of a component, product, or system through its lifecycle
- manages a system or component through a formal security assessment
E2 – Secure Operations & Service Delivery
Principles:
- securely configures and maintains information, control and communications equipment in accordance with relevant security policies, standards and guidelines; this includes the configuration of Information Security devices (e.g., firewalls) and protective monitoring tools (e.g., SIEM)
- implements security policy (e.g., patching policies) and Security Operating Procedures in respect of system and/or network management
- undertakes routine technical vulnerability assessments
- maintains security records and documentation in accordance with Security Operating Procedures
- administers logical and physical user access rights
- monitors processes for violations of relevant security policies (e.g., acceptable use, security, etc.)
I2 – Applied Research (for a small number of roles in this specialism)
Principles:
- vulnerability research and discovery, leading to the development of exploits, reverse engineering and researching mitigation bypasses
- cryptographic research leading to the assessment of existing algorithms
- in the Information Security field, uses existing knowledge in experimental development to produce new or substantially improved devices, products and processes
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Experience
Cryptography roles require very special knowledge and skills which can be acquired only through advanced academic studies or, for a few people, puzzle-solving. It's therefore unlikely that someone could demonstrate transferable skills from another job for such a role.
However, a Communications Security Specialist might draw on a range of experience from previous jobs, including:
- police services: secure communications
- Armed Forces: communications systems operator, technician, engineer or manager
- intelligence services: secure communications
- governmental secure communications
- commercial communications/network security
Moving on
What other cyber security or IT role might you progress to from this specialism?
Linked Specialisms (when clicking on the route map)
- Cyber Security Generalist
- Identity and Access Management
- Secure Operations
- Data Protection and Privacy
Moving On
From a job in this specialism, you might move into one of these other cyber security specialisms:
- Vulnerability Management
- Security Testing
- Secure Operations
- Digital Forensics
- Cyber Threat Intelligence
- Cyber Security Governance & Risk Management
- Network Monitoring & Intrusion Detection
You might earn a more senior role in Cryptography and Communications Security, perhaps managing a team of cryptographic /communications security specialists.
With more experience and higher-level qualifications, you might move into cryptographic research.
Qualifications
Which certifications and qualifications are relevant to roles in this specialism?
Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.
Entry route information can be found here.
You can also visit the National Cyber Security Centre website at the links below: