The 10 Domains of Cybersecurity

Cybersecurity Industries and Domains

What, you might ask, are industries and domains within the field of cybersecurity? Simply put, industries are groups of companies that are related by their primary business activities. Domains are specified spheres of knowledge and activity within a discipline.

Why is it important for those interested in a cybersecurity career to know the top industries and domains? One reason is that, when you are seeking a job in cybersecurity, it is useful to know which industries are hiring the most professionals. Knowing the domains within cybersecurity is also crucial, because they define the knowledge that will be expected of you once you enter the field.

Industries in Cybersecurity

The U.S. Bureau of Labor Statistics (BLS) notes that, as of May 2019, the annual mean wage for information security analysts/cybersecurity professionals working in the U.S. was $104,201. The industries with the highest levels of employment for information security analysts/cybersecurity professionals are:

  • Computer Systems Design and Related Services
  • Management of Companies and Enterprises
  • Credit Intermediation and Related Activities
  • Management, Scientific and Technical Consulting Services
  • Insurance Carriers

Industries with the highest concentration of employment for information security analysts are:

  • Monetary Authorities – Central Bank
  • Computer Systems Design and Related Services
  • Data Processing, Hosting and Related Services
  • Telecommunications
  • Management of Companies and Enterprises

But what most people want to know is, what are the highest-paying industries for the information security occupations? According to the BLS, they are:

  • Residential Building Construction, where information security analysts earned an annual mean wage of $130,400
  • Semiconductor and Other Electronic Component Manufacturing, where they earned an annual mean wage of $127,360
  • Legal services, where the annual mean wage was $125,230
  • Automotive Repair and Maintenance, where the annual mean wage was $123,720
  • Securities, Commodity Contracts and Other Financial Investments and Related Activities, where the annual mean wage was $121,230

As you can see, all of these industries pay well above the average annual salary for cybersecurity professionals.

Another interesting question, examined by the Infosec Institute, is which industries are the biggest targets for cybercriminals. These industries would seem to be in particular need of cybersecurity professionals, as they are more likely than others to experience breaches and attacks. According to Infosec, they include:

  • Healthcare – In 2015, the healthcare industry experienced the highest number of data breaches of all industries. The consequences of each healthcare breach can cost institutions as much as $200 per patient record, whereas preventing these breaches costs just $8 per record.
  • Manufacturing – This includes automotive, electronics and pharmaceutical companies, and is quite vulnerable to cybercrime. Attackers view it as a rich industry and therefore expect larger payouts from attacking it. Security compliance and risk management need much improvement within this sector.
  • Financial services – In 2014, the financial services industry experienced the most cyberattacks. It has since made greater investments in security awareness and prevention. However, the industry still experiences many attacks because its security systems remain relatively easy to compromise.
  • Government agencies – Cyberattacks against government agencies receive a large amount of media coverage, making attacks on this sector quite high profile, which is one thing that draws attackers to government systems. Government agencies are now engaging in more employee security awareness training, but more needs to be done.
  • Education – Attackers see the education industry as quite lucrative, since it holds a great deal of personal, financial and contact information. Educational records can also be altered to change identities and to obtain employment opportunities. Cybercrime in the education industry has declined somewhat, but it does continue to happen.

Domains in Cybersecurity

The International Information System Security Certification Consortium, otherwise known as (ISC)², is a nonprofit organization that offers some of the leading training and industry certifications in cybersecurity. For years, the domains covered by its Certified Information Systems Security Professional (CISSP) examination have been considered the definitive cybersecurity domains. When (ISC)² updated the CISSP certification structure in 2015, the number of domains was reduced from ten to eight. These eight domains, which are widely accepted within the cybersecurity community, are:

  • Security & Risk Management
  • Asset Security
  • Security Engineering
  • Communications & Network Security
  • Identity & Access Management
  • Security Assessment & Testing
  • Security Operations
  • Software Development Security

Let’s examine each of these domains in greater detail:

Security and Risk Management

Security and risk management is the largest domain in the CISSP, accounting for 15 percent of the certification examination. This domain provides an overview of information systems security management and covers:

  • The availability, integrity, and confidentiality of information
  • Principles of security governance
  • Compliance requirements
  • Legal and regulatory issues in information security
  • Information technology procedures and policies
  • Risk-based management concepts

Asset Security

Accounting for ten percent of the CISSP exam, the domain of asset security includes the physical requirements of information security. It covers:

  • Handling requirements
  • Data security controls
  • Retention periods
  • Privacy
  • Classification/ownership of information and assets

Security Engineering

Making up 13 percent of the CISSP exam, the domain of security engineering covers the following concepts:

  • Designing and implementing physical security
  • Cryptography
  • Assessing and mitigating system vulnerabilities
  • Security capabilities within information systems
  • Fundamental concepts of security models
  • Engineering processes using secure design principles

Communications & Network Security

Accounting for 14 percent of the CISSP exam, the domain of communications and network security covers how an organization’s networks are designed and protected. It includes:

  • Secure communication channels
  • Secure network components
  • Secure design principles for network architecture

Identity & Access Management

Comprising 13 percent of the CISSP exam, the domain of identity and access management involves controlling the way users can access data. Included within this domain are the following concepts:

  • Identity and access provisioning lifecycle
  • Authorization mechanisms
  • Integrating identity as a service
  • Third-party identity services
  • Identification and authentication
  • Physical and logical access to assets

Security Assessment & Testing

Making up 12 percent of the CISSP exam, the domain of security assessment and testing focuses on the design, performance and analysis of security testing, and includes:

  • Internal and third-party security audits
  • Test outputs
  • Collecting security process data
  • Security control testing
  • Designing and validating assessment and test strategies

Security Operations

This domain accounts for 13 percent of the CISSP exam and addresses how security plans are put into action. Concepts covered here include:

  • Business continuity
  • Managing physical security
  • Disaster recovery
  • Incident management
  • Applying resource protection techniques
  • Foundational security operations concepts
  • Securing the provision of resources
  • Logging and monitoring activities
  • Requirements for investigation types
  • Understanding and supporting investigations

Software Development Security

This final domain comprises 10 percent of the CISSP exam and helps cybersecurity professionals understand, apply and enforce software security. Included within this domain are the following concepts:

  • Secure coding guidelines and standards
  • Effectiveness of software security
  • Security controls in development environments
  • Security in the software development life cycle