There is no standard career in cybersecurity. However, people generally work in one of three areas. First, building and/or running an information security program; this could be in a public or private company, or a government entity. Second, working for service providers: professional services companies (such as Deloitte, E&Y, KPMG, PwC, etc.) that advise clients in the first group, as well as Value Added Resellers (VARs), such as Optiv, that commonly combine selling with advisory services. Third, working for security vendors, companies like Symantec and Cisco, that build and/or sell the products needed to protect data and systems.
Professionals may zigzag between these areas or stay in a single lane. There are also career opportunities that are auxiliary to these, including Privacy, Internal Audit, Risk Management, Secure Software Development (aka Application Security, or AppSec), academic security research, and others.
Most professionals don’t start in cybersecurity; they start in a field that’s close to it. The reason is that cybersecurity is specialized, and most people don’t have the prerequisites to obtain an entry-level cybersecurity job. For example, in a 2015 report by Burning Glass, one-third of all cybersecurity jobs required certifications, 83% of jobs required three years of experience and 84% required a bachelor’s degree.
What type of experience should the budding cybersecurity expert attain while preparing to enter the field?
It’s useful to have a background in technology support, operations, software development, and project management, as these help you understand the people, process and technology components of cybersecurity. Without that experience, you’re like an architect who’s never touched any raw building materials.
Understanding and testing different technologies (e.g., cloud computing, virtualization environments, operating systems, web frameworks) will help acclimatize candidates to the fact that security touches everything and affects everyone. Continuous learning, as well as trial-and-error, is key.
It’s advantageous to start gaining relevant experience early, and opportunities exist at every level, including high school (CyberPatriot) and college (National Collegiate Cyber Defense Competition, Scholarship for Service CyberCorps).
Here are some helpful tips to implement on your path to a career in cybersecurity:
Find Internships. Research has proven internships are a key predictor of success. You get to experience early on what it’s like to work in a profession, what professionals do, what is important and what is not, and gain access to mentoring and professional career contacts.
Participate in professional associations. Information security has great non-profit groups such as ISACA, Cloud Security Alliance (CSA), Information Systems Security Association (ISSA), Open Web Application Security Project (OWASP) and many others. These are where the passionate people come together and discuss the IT security challenges of today and tomorrow, and share their experience and insights. Join a local chapter, show up, participate, and volunteer. This will help build your knowledge and expand your network. Most of these also have special discounts for full-time students, so start early, while you’re still in school.
Get Certifications. There is continuing, widespread industry debate about the value of certifications. Be data-driven. If employers require a certification, it is by definition valuable (and in many cases a prerequisite, especially for government work). Certifications don’t measure everything; for example, they don’t measure the soft skills that make professionals effective. However, they do open doors that would otherwise be locked to you.
About Mikhael Felker
Mikhael Felker’s sector experience includes defense, healthcare, nonprofit/education and technology/Internet, seeing firsthand the variance in information security culture and program maturity.