Hi!

TL;DR - as a newly appointed security engineer with ambiguous responsibilities, what would be the most valuable training to request from my work?

Background: I am 31 and have worked in the IT industry for about 11 years and have always had a specific interest in cyber security.

Rather than attempting to dive right into cyber security in my earlier career, I opted for taking the long way around to try to get a depth of knowledge in a wide range of disciplines in the IT industry so that I would hopefully be more aware of systems, users, threats, attack surfaces, etc.

I have experienced a range of principles having worked in 1st, 2nd and 3rd line desktop, network & infrastructure support, 3rd line application support, and most recently software engineering roles.

Through this career development I have found myself lucky enough to be involved in a handful of security projects, most recently of which included the hardening of a private companies Kubernetes cluster, a project I am quite professionally proud of.

So much so, in fact, that my manager has noticed and acknowledged my enjoyment from the project by offering a promotion to Security Engineer after Christmas, with the offer of whatever training and salary review befits that role.

The role seems to be up for specification at the moment so it's a little ambiguous as to what my responsibilities may include right now, but with the offer of training I was wondering what you guys would prioritise.

Would you focus on complaince based training like being a certified GDPR officer, as I am UK based, or would you suggest something more hard-skill based like CISSP?

Ultimately, I would prefer a more hands on role, implementing security hardening techniques, performing internal penetration tests, etc. However I do understand and regularly preach the requirement for complaince with regulations like GDPR and would one day hope to implement and maintain the ISO27001 standard.

Thanks!