The market for cybersecurity professionals is crying out for new entrants. Reports like those from ESG, who publishes an annual survey on the state of IT, show this quite clearly. In their 2018 report, they identified cybersecurity as the area most in need of skilled personnel.
The report also identified that the need for cybersecurity skills is increasing year on year; in 2014, 25% of respondents had a shortage in skills, while in 2018, 51% stated they needed more staff with cybersecurity skills. In terms of numbers of staff required, a recent (ISC)2 report predicts that there will be a gap of 1.8 million jobs in cybersecurity by 2022.
The market for cybersecurity skills is evident but how to make yourself marketable to a company is still a question in many people’s minds. Can you enter the profession without any prior knowledge, for example? Do you need to do a specialist degree in cybersecurity? Do you have to be able to write software code to become a cybersecurity pro?
These questions are valid, and without an answer, they may prevent some of the best people from entering the profession. This article will hopefully help you to find answers and set you on a path to an interesting and well-paid cybersecurity career.
What Types of Jobs Are There in Cybersecurity?
Cybersecurity as a profession has a wide scope, and it’s good to remember that cyberthreats are based on psychology as much as technology. Human-centered cybersecurity research is being carried out by organizations like The Hague Security Delta, who place emphasis on the approach. Jobs in cybersecurity range from the deeply technical to research to management. With this in mind, here are some jobs to consider when thinking about a career in cybersecurity:
This is well-suited to a person who has both a business and a technical mindset. The role is sometimes called an “ethical hacker” because you are testing an organization’s network for vulnerabilities; thinking like a hacker helps to do this. The role is usually not performed alone: you would work as part of a wider team to cover all of the possible vulnerabilities and aspects of a system. Often, penetration testers will specialize in specific areas of pentesting.
Generally, penetration testers will have an analytical mind, but they work best when they understand the business and the operations of an organization. Communication skills are a must for penetration testers, as you will need to create reports on findings and sometimes be required to communicate these to non-technical audiences.
Security Software Developer
All of the world’s top companies have security departments, and many need developers to work on software. However, even non-security related software needs to be written using secure coding practices. If you already write software code, prepare yourself by getting to grips with OWASP’s secure coding practice guidelines.
Development of security software is a hot area to have skills in, allowing you to offer those skills to the many companies across the world that require them. Check out Cybersecurity Ventures’ top 500 security companies for future reference when looking for a job as a security software developer.
This is a role for someone who is diligent and pays attention to detail. A security auditor is tasked with keeping a record of an organization’s computer security controls and measures. The auditor will create regular reports on the security measures effectiveness and create metrics to demonstrate this. They will also offer suggestions on improving the measures by working with company managers. Compliance is their middle name and they need to have a good working knowledge of relevant data security regulations.
This job will have you working at a technical design level, designing the fundamental architecture of your organization’s systems. As a security architect, you will be responsible for ensuring that the technical specifications of the architecture are secure.
Human behavior also has to be considered when designing a secure architecture. Often the security architect will work with a security auditor to ensure the smooth implementation of a system.
Cybersecurity companies have products that need to be managed. The role of a product manager is one which requires a deep knowledge of the product and its models of use. It also requires strategic vision to help to develop the product’s competitive edge.
Data Governance and Compliance Officers
Most industries have at least one data protection regulation to comply with. In addition, global frameworks and laws such as GDPR are putting pressure on all industries to step up to the plate and apply robust data protection. Larger organizations may have full-time compliance officers that deal with compliance issues and ensure the company meets its regulatory obligations. However, shortages of consultant positions such as Data Protection Officer (DPO) are also an issue since the advent of the GDPR.
Chief Information Security Officer (CISO)
This is a strategic position in an organization which works to minimize cyber threats through smart strategic measures. Increasingly, the CISO acts as a spokesperson for an organization, especially when that firm has had a serious cybersecurity incident. The CISO is where the buck stops in terms of cybersecurity as they act as the head of cybersecurity across the organization.
Do I Need a Degree in a Cybersecurity-Related Field?
The short answer to this question is “not usually,” but it depends on the job and the employer. You definitely don’t need a specific degree in cybersecurity to get into the field, but if you want to study for one, it certain won’t hurt you and might result in a higher starting salary.
A general computer science or information technology degree can help you to get a grounding in various aspects of computing and ease your first steps into the industry. You can then take certifications to focus on more security-related aspects of computing. Other degrees, such as science subjects or mathematics, are also useful to have because they train you in analytical thinking.
Many STEM courses will also have business or management modules, useful for certain computer security positions. But it is important to remember that many people who work in the sector have come in without a degree or with non-computing degrees.
What Types of Certifications Do Cybersecurity Professionals Have?
A study by McAfee found that organizations rate experience and certifications over formal qualifications like degrees. The report stated that, “most respondents believe that experience, hacking competitions, and professional certifications are better ways to acquire cybersecurity skills than is earning a degree.”
Arguably the most prestigious of all certifications is the International Information Systems Security Certifications Consortium (ISC2) Certified Information Systems Security Professional (CISSP). This certificate is comprehensive, covering many areas of cybersecurity. You do need to have some work experience in relevant areas to sit the exam. However, if you are just starting out, some of the more foundational certifications include:
- Certified Secure Computer User (CSCU): A basic certificate to begin building your knowledge by becoming security-aware.
- CompTIA Security+: An entry-level exam to prepare you for a career in information security.
- Certified Information Security Manager (CISM): Ideal for IT professionals wanting to retrain in cybersecurity.
- Certified Encryption Specialist (ECES) which gives you the basics of applying encryption.
Once you have some experience of working in cybersecurity under your belt, you can progress your career by sitting more advanced certifications offered by bodies such as:
- International Information Systems Security Certifications Consortium (ISC2)
- International Association of Privacy Professionals (IAPP)
Where Can I Network with Cybersecurity Professionals?
Degrees, certifications and experience are all useful things to have to begin and progress a career in cybersecurity, but networking is also useful too. There are many organizations, both formal and informal, that bring cybersecurity professionals together. Conferences are also great places to network and to build knowledge. Here are a few to check out, but also look for local “Meetups” too.
- LinkedIn has many security-focused groups — find one that suits your interest area
- Insecurity is an organization that brings cybersecurity pros together
- RSA Conference
- Infosec Europe
- RANT — another networking organization for those in security
- BlackHat USA
Who is a Useful Cyber Security Pro to Follow on Twitter?
If you can’t make it in person to conferences and networking events, keep up to date with the information security industry by following folks like:
- Sandra Ragg @SandraRagg
Works for the Australian government and focuses on building a secure online society.
- Troy Hunt @troyhunt
Troy is the person behind HaveIBeenPwned.com, which lets you know if your online accounts have been hacked.
- Brian Krebs @briankrebs
Journalist specializing in cybersecurity and always on top of the latest security breaches.
- Bruce Schneier @schneierblog
The godfather of cybersecurity, well-respected and highly knowledgeable.
- Mikko Hypponen @mikko
A top cybersecurity researcher.
Conclusion: The Time is Now to Move into Cybersecurity
Don’t allow your lack of experience or qualifications put you off a career in cybersecurity. The industry is crying out for people from all walks of life to enter this exciting area. If you are good at problem-solving and you like a challenge you should definitely think about transitioning into the information security industry. You may need to polish up some of your computing skills by taking certifications, but many of these can be done online and in your own time; it is totally possible to move sideways into cybersecurity by building a portfolio of certifications. The experience will follow, and soon you’ll be calling yourself a cybersecurity professional.
Cybersecurity 500, Cybersecurity Ventures
Hacking the Skills Shortage, McAfee
Global Information Security Workplace Study, Center for Cyber Safety and Education