Chapter 1 — Introduction to Information Security Professionalism
Information security has become a defined profession with its own body of knowledge, codes of ethics, certifications, career paths, and standards of conduct. The technical training across the MSNCS programme provides the substance — cryptography, networks, forensics, audit, cloud, generative AI, and the rest. This subject takes up a different dimension: how the individual practitioner operates as a professional, covering the roles practitioners fill, the ethical commitments they accept, the certifications that organise their career development, and the standards of behaviour expected by employers, clients, regulators, and peers. The five subtopics of this chapter establish the foundation — cybersecurity as a recognised profession, the roles and responsibilities within it, the codes of ethics that bind practitioners, the certification landscape, and the professional behaviour expected in daily practice.
1.1 Cybersecurity as a profession
What makes something a profession
A profession is an occupation that requires specialised education and training, is governed by an established body of knowledge, operates under a code of ethics, requires ongoing professional development, and typically involves accountability to a professional body or the public — distinguishing it from a trade or general occupation.
The classical professions — medicine, law, engineering — share these features. Newer fields including cybersecurity have grown to acquire them.
The professionalisation of cybersecurity
Cybersecurity emerged from computer science, telecommunications, and information technology operations through the 1980s and 1990s. The trajectory of professionalisation:
1970s-1980s. Computer security as a technical specialty within broader IT. Few dedicated practitioners; expertise distributed across systems administrators, programmers, network engineers.
1990s. Recognition of information security as a distinct discipline. ISACA (founded 1969, originally for EDP audit, with a broader scope later), (ISC)² founded 1989, SANS Institute founded 1989. Early certifications established.
2000s. Significant growth following high-profile incidents and regulatory developments. Established profession with growing maturity. PCI-DSS, SOX, HIPAA, Basel II driving formal compliance roles. CISSP (1994) and CISM (2002) becoming established credentials.
2010s. Substantial mainstream adoption. Dedicated CISO roles in major organisations. Cybersecurity programmes at universities. Government-level recognition of the profession.
2020s. Mature profession with broad specialisations. Multiple career paths. Ongoing skill shortages globally. Continuous certification proliferation.
Cybersecurity in Nepal
The professional context in Nepal has developed in parallel with global trends but at smaller scale:
- Early information security work conducted by general IT staff within banks, telecoms, government.
- Formal CISO roles emerging in larger Nepali banks through the 2010s, mandated more broadly by NRB directives in the late 2010s.
- npCERT established under NITC providing national-level coordination.
- Cyber Bureau under Nepal Police for criminal investigations.
- Educational programmes at IOE Pulchowk (the MSNCS programme), Kathmandu University, and others.
- Regional cybersecurity conferences and meetups growing.
- Limited but growing presence of international certifications (CISSP, CISM, CEH, OSCP) among Nepali professionals.
- Career opportunities increasing as enterprise demand grows.
The market has structural features:
- High demand, limited supply.
- Salary growth above general IT trends.
- Significant retention competition with international employers (remote work; migration).
- Growing focus among university students.
Roles within the profession
The cybersecurity profession is broad. Major role categories:
Technical specialists. Penetration testers, security engineers, forensic analysts, malware analysts, cryptographers.
Operational roles. SOC analysts, incident responders, threat hunters, security operations managers.
Architectural roles. Security architects, cloud security architects, enterprise security architects.
Governance/risk/compliance. Risk managers, compliance analysts, IS auditors, GRC specialists.
Leadership. CISO, CSO, security directors, security managers.
Specialised disciplines. Privacy specialists, identity and access management specialists, application security engineers, security awareness specialists.
Research and academia. Security researchers, academic faculty.
Public sector. Government cybersecurity, law enforcement, regulatory bodies.
The MSc graduate may enter through technical or operational roles and progress through various paths over a career.
The profession's purpose
The fundamental purpose of cybersecurity professionals: protecting information systems and the people who depend on them. The profession exists because:
- Information systems support critical functions.
- Adversaries threaten those systems.
- Specialised knowledge is needed for defence.
- Society benefits from organised protection capability.
The purpose anchors ethical and professional considerations.
1.2 Roles and responsibilities
The role landscape
This section gives a more detailed view of typical roles, their responsibilities, and the boundaries between them.
Entry-level roles
SOC Analyst (Tier 1). Monitor alerts, perform initial triage, escalate or close based on standard procedures. Typical entry point for new graduates.
Junior security engineer. Implement security controls, support security tools, assist with incident response. Focus on technical execution.
Vulnerability assessment analyst. Run scans, analyse results, work with system owners on remediation.
IT auditor (junior). Participate in audit engagements, gather evidence, test controls.
Information security analyst. Generalist supporting various security activities.
Mid-level roles
SOC analyst (Tier 2/3). Complex investigation, threat hunting, detection engineering, incident response leadership.
Security engineer. Design and implement security architectures and controls; tool integration; automation.
Penetration tester. Conduct authorised assessments; produce reports; engage with development teams.
Incident responder. Lead response to security incidents; coordinate technical and communication activities.
Threat intelligence analyst. Collect, analyse, and disseminate threat intelligence.
Security architect. Design enterprise security architecture; review designs; produce standards.
Risk analyst. Conduct risk assessments; develop risk treatment plans; track risk register.
Compliance analyst. Maintain compliance with applicable regulations and standards.
IS auditor. Conduct IS audits per professional standards.
Senior and leadership roles
Security architect (senior/principal). Strategic security architecture; technology direction.
Security manager. Lead specific security functions (SOC, vulnerability management, etc.).
CISO (Chief Information Security Officer). Executive responsibility for information security across the organisation. Reports typically to CEO, COO, CIO, or sometimes board.
Chief Risk Officer (CRO) or Chief Compliance Officer (CCO). Where security is part of broader risk/compliance function.
Board member or advisor. Senior practitioners on boards or advisory capacity.
Common responsibilities across roles
While responsibilities vary by role, certain themes recur:
Confidentiality. Protecting information from unauthorised access.
Integrity. Ensuring information accuracy and reliability.
Availability. Maintaining access for authorised users.
Compliance. Meeting applicable legal and regulatory requirements.
Risk management. Identifying and treating information security risks.
Awareness. Building organisational understanding of security.
Continuous improvement. Maintaining and improving security posture.
Role definition documents
Mature organisations define roles formally:
- Job descriptions. What the role does.
- RACI matrices. Responsible, Accountable, Consulted, Informed.
- Service catalogues. What services security provides.
- Authority delegations. What decisions the role can make.
- Performance metrics. How the role's effectiveness is measured.
These documents matter both for individual clarity and for organisational accountability.
Role boundaries
Clarity about boundaries:
Security vs IT operations. Security defines requirements; IT typically operates infrastructure with security oversight.
Security vs application development. Security provides requirements and reviews; development implements.
Security vs business. Security advises on risk; business owns decisions and accepts risk.
Security vs legal. Legal handles legal matters; security provides technical input.
Security vs HR. HR handles personnel matters; security provides security perspective on screening, awareness, sanctions.
Unclear boundaries cause friction and gaps. Mature organisations document boundaries clearly.
Nepal context for roles
The Nepali enterprise security role landscape:
Major banks. Full role hierarchy from analyst to CISO. NRB directives require CISO role at scheduled banks. Compliance with NRB IT directives drives substantial governance roles.
Telecoms. CISO or equivalent at major telecoms; technical teams varying by organisation.
Government. GIDC and NITC have security roles; ministry-level varies; npCERT for national-level coordination.
Major enterprises. Some have dedicated security organisations; many have security responsibilities within broader IT.
Smaller organisations. Security typically responsibility of IT manager or external service provider.
Service providers. MSSPs (Managed Security Service Providers) emerging; some local firms; many regional/international firms with Nepali clients.
For MSc graduates, the most common entry points are SOC analyst roles at banks or MSSPs, junior security engineer at major enterprises, or IT auditor at audit firms with cybersecurity practices.
1.3 Codes of ethics
Why codes of ethics matter
Ethics is foundational to professional practice. Codes of ethics serve several purposes:
- Articulate the profession's commitments to society.
- Guide individual decisions when paths are unclear.
- Establish accountability standards.
- Build public trust in the profession.
- Provide a framework for disciplinary action when violated.
Members of professional bodies typically commit to the body's code as a condition of membership.
(ISC)² Code of Ethics
(ISC)² (formerly International Information System Security Certification Consortium) is one of the major cybersecurity professional bodies. Its code applies to all certificants — including CISSP, CCSP, SSCP, and others.
The (ISC)² Code of Ethics has four canons:
Canon I. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Canon II. Act honourably, honestly, justly, responsibly, and legally.
Canon III. Provide diligent and competent service to principals.
Canon IV. Advance and protect the profession.
The canons are short but consequential. They establish priorities — society first, then honourable conduct, then service, then the profession. The ordering matters; conflicts between canons resolve toward the higher.
Detailed guidance interprets the canons. Violations can result in certification revocation.
ISACA Code of Professional Ethics
ISACA (formerly Information Systems Audit and Control Association) has its own code applying to its certifications — CISA, CISM, CRISC, CGEIT, others.
Key elements of the ISACA code:
- Support the implementation of, and encourage compliance with, appropriate standards and procedures.
- Perform duties with objectivity, due diligence, and professional care.
- Serve in the interest of stakeholders in a lawful and honest manner.
- Maintain privacy and confidentiality of information.
- Maintain competency in respective fields.
- Inform appropriate parties of the results of work performed.
- Support professional education.
ISACA's code complements (ISC)² with similar themes adapted to audit and governance focus.
SANS / GIAC Code of Ethics
GIAC (Global Information Assurance Certification) certifications administered through SANS Institute have their own code.
Key principles:
- Respect for the profession.
- Respect for others.
- Respect for the certification (no cheating, no sharing of examination content).
- Continuing maintenance of skills.
EC-Council Code of Ethics
EC-Council certifications (CEH and others) have a code particularly addressing ethical hacking.
Key elements:
- Authorisation required for testing.
- Confidentiality of client information.
- No malicious activity.
- Avoiding conflicts of interest.
- Continuous learning.
Common ethical principles across codes
Despite specific differences, common themes appear:
Honesty and integrity. Not deceiving; doing what is right.
Competence. Maintaining current capability; not undertaking work beyond ability.
Confidentiality. Protecting information entrusted by clients and employers.
Conflicts of interest. Avoiding or disclosing.
Objectivity. Especially important for audit and assessment work.
Public interest. Considering broader impact beyond client/employer.
Legal compliance. Operating within applicable laws.
Profession's reputation. Not bringing the profession into disrepute.
Continuing development. Maintaining and improving capability.
Respect. For peers, clients, the public.
Practical application of ethics
Codes provide guidance but not specific answers. Professional judgement applies them to situations.
Examples of ethical questions:
A penetration tester discovers a serious vulnerability beyond the engagement scope. Disclose? How?
An auditor discovers material fraud that management hides. Report externally?
A SOC analyst sees a colleague's name involved in suspicious activity. Investigate? Disclose to whom?
A developer is asked to implement controls that arguably violate user privacy. Refuse? Escalate?
A security consultant works with two competitors. Manage conflict how?
A security professional is offered employment by a known adversary nation-state for "research". Refuse? Report?
Real situations rarely match training examples. Judgement, mentorship, and willingness to consult are essential.
Ethics in Nepali context
For Nepali security practitioners:
- International ethics codes apply through certifications held.
- Nepali professional bodies have local context.
- Cultural considerations sometimes complicate matters (personal relationships, hierarchy).
- Legal framework provides some guidance (Privacy Act, ETA, sectoral).
- Limited formal disciplinary process for ethics violations specific to Nepal.
- Community and reputational considerations significant in small market.
Building ethical practice from the beginning of career is essential — habits formed early persist.
1.4 Professional certifications
The certification landscape
Cybersecurity has an extensive certification ecosystem. Certifications serve multiple purposes:
- Demonstrate knowledge.
- Provide entry-screening for employers.
- Structure career development.
- Maintain ongoing competence.
- Build professional credibility.
The downsides include cost, time investment, and risk of "certification collection" without practical capability. Certifications complement rather than replace experience.
Certifying bodies
(ISC)². CISSP, SSCP, CCSP, CSSLP, CCFP, HCISPP, CISSP-ISSAP/ISSEP/ISSMP. Foundation, professional, and management certifications.
ISACA. CISA, CISM, CRISC, CGEIT, CDPSE, CSX-P. Audit, governance, and risk focus.
EC-Council. CEH (Certified Ethical Hacker), CHFI, CCISO, ECSA, LPT, CASE, and many others. Often practice-oriented.
Offensive Security. OSCP, OSEP, OSEE, OSWE, others. Performance-based examinations.
SANS / GIAC. GSEC, GCIH, GCIA, GPEN, GREM, GSE (GIAC Security Expert — the most senior), and many specialised certifications.
CompTIA. Security+, CySA+, PenTest+, CASP+. Vendor-neutral foundational.
Cisco. CCNA Security, CCNP Security, CCIE Security.
Microsoft. Various security certifications (SC-200, SC-300, SC-400, AZ-500, others).
AWS. AWS Certified Security – Specialty.
Google. Google Cloud Professional Security Engineer.
Vendor-specific. Many vendors offer security certifications.
The major certifications
CISSP (Certified Information Systems Security Professional). (ISC)². The most widely-recognised general security certification. Eight domains covering security and risk management, asset security, security architecture, communications and network security, identity and access management, security assessment and testing, security operations, and software development security. Requires 5 years of relevant experience (or 4 with degree). Continuing professional education to maintain.
CISM (Certified Information Security Manager). ISACA. Management-focused. Four domains: governance, risk management, programme development and management, incident management. 5 years of experience required.
CISA (Certified Information Systems Auditor). ISACA. Audit-focused. Most-recognised IS audit certification. 5 years of experience.
CEH (Certified Ethical Hacker). EC-Council. Practical-oriented penetration-testing certification. Widely-known though varies in industry respect.
OSCP (Offensive Security Certified Professional). Offensive Security. Substantially respected for hands-on penetration testing. 24-hour practical examination.
CCSP (Certified Cloud Security Professional). (ISC)². Cloud-specific.
Security+. CompTIA. Entry-level vendor-neutral.
GSE (GIAC Security Expert). GIAC. Among the most demanding; small number of holders.
Choosing certifications
Considerations for the MSc graduate:
Career stage. Entry-level → Security+, possibly OSCP if pentesting interest; mid-career → CISSP, CISM, CISA; senior → CISSP plus specialisation.
Career direction. Technical → OSCP, SANS/GIAC specialised; management → CISM, CCISO; audit/governance → CISA, CRISC; cloud → CCSP, cloud-vendor specific.
Employer preferences. Some employers prefer specific certifications.
Geographic factors. Some certifications more recognised in specific regions.
Cost considerations. Substantial — exam fees, materials, annual maintenance.
Time investment. Months of study typically; ongoing CPE.
Certification in Nepal
The Nepali context:
Common certifications held. CISSP (Nepal has perhaps 100-200 CISSP holders), CISM, CISA, CEH, OSCP, various specialised.
Cost considerations. Foreign currency exam fees significant in NPR terms. Some employers reimburse; many do not.
Training resources. Limited local instructors; many study online or with international training providers. Self-study common.
Examination logistics. Pearson VUE and similar centres in Kathmandu provide testing for many certifications.
Career value. Significant. Certifications expand opportunities both domestically and internationally.
Professional bodies. ISACA Kathmandu Chapter exists. (ISC)² has Nepali members; formal local chapter status varies. Other professional bodies have smaller presence.
For MSc graduates, the typical certification pathway:
- Security+ or CompTIA equivalent during studies or early career.
- CEH for awareness of attack landscape.
- OSCP if pursuing offensive security.
- CISSP once 5 years experience accrued.
- Specialisation certifications based on career path.
The certifications complement the MSc; they don't replace it.
1.5 Professional behaviour and governance
Professional behaviour
Professional behaviour is the set of conduct expectations that characterise members of a profession in their day-to-day work — including reliability, communication quality, respect for others, intellectual honesty, accountability, continuous learning, and recognition of one's limitations — distinct from but supporting the formal ethical commitments codified in codes of ethics.
Professional behaviour is what colleagues, clients, and employers observe day-to-day. Reputation is built through patterns of behaviour over time.
Elements of professional behaviour
Reliability. Delivering what was promised when promised. Where commitments cannot be met, communicating early.
Communication quality. Clear written and verbal communication appropriate to audience. Technical detail for technical audiences; business framing for executive audiences.
Listening. Actually hearing what others say rather than waiting to speak.
Respect. Treating colleagues, subordinates, clients with respect regardless of disagreements.
Punctuality. Meeting commitments around timing.
Intellectual honesty. Acknowledging what one does not know; not overstating capability.
Accountability. Owning mistakes; not blaming others; learning from errors.
Continuous learning. Maintaining and developing capability.
Constructive engagement. Offering solutions, not just problems.
Discretion. Confidentiality of sensitive information.
Boundary maintenance. Recognising boundaries of role and authority.
Specific situations
Disagreement with management. Express concerns through appropriate channels; document; ultimately follow legitimate decisions even when disagreeing — unless they are unethical or illegal.
Errors and incidents. Acknowledge; understand; correct; learn; share lessons; not hide.
Conflicts of interest. Disclose; recuse where appropriate; manage carefully.
Public communications. Public statements reflect on the organisation; speak only on matters one is authorised and qualified to address.
Social media. Recognise that personal posts reflect on profession and employer.
Peer interactions. Maintain professional relationships even where disagreement exists.
Confidentiality of client data. Protect with care; even casual mentions can be problematic.
Whistleblowing. Last resort; formal channels first; understand legal protections and risks.
Governance perspectives
Information security governance is the framework of policies, procedures, accountability structures, and oversight mechanisms by which an organisation directs and controls its information security function, ensuring security activities support business objectives, manage risks appropriately, and comply with applicable obligations.
Governance perspectives are covered extensively in ENCTNS552 (Information Systems Audit). For the professional, the key points:
Board and executive oversight. Security receives appropriate attention at top levels.
Risk-based prioritisation. Resources allocated based on risk.
Clear accountability. Who is responsible for what.
Policy framework. Documented expectations.
Performance metrics. Measurable indicators of security effectiveness.
Independent assurance. Audit and assessment.
Continuous improvement. Lessons learned applied.
Professional contribution to governance
Security professionals support governance:
Providing accurate information. Decision-makers need accurate, timely information.
Translating risk. Technical findings translated into business risk language.
Recommending controls. Suggesting proportionate responses to risks.
Implementing decisions. Operationalising governance decisions.
Monitoring effectiveness. Tracking control performance.
Reporting. Regular reports on security posture.
Independent perspective. Sometimes pushing back on decisions perceived as accepting unwarranted risk.
The CISO role
The Chief Information Security Officer deserves specific attention as the senior professional role.
Typical responsibilities:
- Setting security strategy and direction.
- Building and managing the security organisation.
- Engaging executive leadership and board.
- Managing security risk.
- Ensuring regulatory compliance.
- Responding to incidents.
- Building security culture.
- Representing security in business decisions.
Skills required:
- Technical depth (or appropriately skilled technical staff reporting to the CISO).
- Business understanding.
- Risk management.
- Communication at executive level.
- Leadership.
- Crisis management.
- Strategic thinking.
Common pressures:
- Resource constraints.
- Conflicting priorities.
- Incident pressure.
- Career risk after major incidents.
- Burnout.
The CISO role is demanding. Recent surveys consistently report high CISO turnover and burnout. The Nepali CISO market has these pressures alongside specific local considerations — emerging market expectations, regulatory evolution, talent retention challenges.
Building toward leadership
For the MSc graduate aspiring to senior roles:
Build technical foundation. Strong technical capability builds credibility.
Broaden experience. Multiple functions; multiple organisations.
Develop communication. Especially executive-level communication.
Acquire credentials. Certifications appropriate to career stage.
Build network. Professional relationships across the field.
Mentor and be mentored. Both directions valuable.
Contribute publicly. Speaking, writing, professional bodies.
Maintain learning. The field evolves continuously.
The progression from new graduate to senior leader typically takes 15-20 years. Each step builds on the previous one; consistent professional growth matters more than any single move.
Professional behaviour as foundation
The cumulative effect of professional behaviour over a career is reputation. Reputation determines:
- Opportunities offered.
- Trust extended.
- Collaboration sought.
- Influence achieved.
- Impact possible.
For the MSc graduate beginning a security career, attention to professional behaviour from the start pays compounding dividends over decades. The technical skills will continue to develop; the foundation of professional behaviour, built early, supports everything that follows.
The next chapter takes up the legal, ethical, and regulatory frameworks within which the security professional operates — the rules and norms that shape the profession's practice across jurisdictions.