ULTIMATE GUIDE TO STARTING A CYBERSECURITY CAREER
Cyberattacks are happening all the time, meaning that keeping software, hardware, and data safe and secure is more important than ever.And there is a shortage of people with these skills to fill these jobs. In fact, Cybersecurity Ventures predicts there will be 3.5 million cybersecurity job openings by 2021.In this post, we’ll cover what cybersecurity entails, why there is such a massive demand for these skills, what career options are available, how and where to get started, and more.
TABLE OF CONTENTS
WHAT IS CYBERSECURITY?
In short, cybersecurity is exactly what it sounds like. As Chris Coleman, president of Woz U, sums it up, cybersecurity is “the practice of protecting electronic data, networks, computer systems, and other confidential information.”
Specifically, this content needs to be protected from cyberattackers. The goal of cyberattacks is typically to sabotage business processes, extort money from users, or access, steal, or destroy sensitive information.
WHY CYBERSECURITY MATTERS
Cybersecurity matters for everyone from governments and large companies to small business owners, employees, and even individuals at home.
“We live in a world of unprecedented connectedness,” says Josh Feinblum, CSO at DigitalOcean. “Every year we see more everyday devices connected to the Internet. At the same time, nearly every part of our lives are tracked electronically. This includes all of our health records, financial information, power consumption, what we wear, when we get home, where we travel and when etc. With the right data, machines can build profiles that understand us better than we understand ourselves.”
This underlines the importance of individual knowledge and action. “Your data is spread more places than ever, and it’s up to you to protect it,” says Robb Reck, CISO at Ping Identity. “You need to take accountability for knowing where you share your data, understanding the implications of that sharing, and taking every step you can to manage the risks for yourself.”
For companies, cyberattacks are increasingly common and costly. Gartner reports that enterprises are expected to spend upwards of $124 billion globally on cybersecurity in 2019.
“There’s an exploding number of unmanaged and unprotected IoT [Internet of Things] devices in use within companies, so the attack landscape is growing exponentially,” says Nadir Izrael, co-founder & CTO at Armis. “Cybercriminals and nation states are targeting IoT due to the lack of security built into these devices. I’ve seen vending machines doing data exfiltration. We saw IoT attacks up 300% in the first part of 2018.”
Because cyberattacks have the potential to cripple businesses, companies are recognizing the need to make security a priority. “In the past several years, security has transformed from a technical discipline within IT to a business risk management function,” explains Reck. (And it’s warranted, as nearly five million data records are lost or stolen worldwide every single day.)
On a larger scale still, even politics, diplomacy, and social cohesion is at stake. “We see nations stealing untold amounts of secrets and intellectual property from each other, influencing each other's elections, and even our broader social discourse,” Feinblum continues. “Machines can be used at scale to affect nearly every part of our society, all the way down to an individual level. This increases the need to combat security risks.”
However, it’s tough to implement these measures as technology (and hackers means) are always changing. New ways to pose digital threats constantly emerge.
So, the translation of all of this?
Professionals with cybersecurity know-how are more in-demand than ever before.
WORKING IN CYBERSECURITY
Now, let’s turn to cybersecurity careers themselves–starting with why it’s a field that welcomes those from all backgrounds, including non-technical ones. Then, we’ll cover the job outlook and specialties you can explore.
THE VALUE OF TRANSITIONING FROM A NON-TECHNICAL BACKGROUND
“It’s a mistake to think of security as a single career path,” says Reck. “There are dozens of distinct career paths within security, offering opportunities for anyone with a passion for protecting our cyber infrastructure. The need for security professionals is skyrocketing and shows no signs of stopping, so the future is bright for those seeking careers in this field.”
If you think you need a CS degree and ten years of experience in tech to consider the field, think again. “Doing security well, at scale, requires a mix of law, psychology, sociology, technology, and organizational sciences,” adds Feinblum. “Cybersecurity offers a wide variety of opportunities for technical and non-technical people.”
“Most people tend to focus on technical operators and incidence response engineers as the base career paths, but cybersecurity also needs program managers, software developers, professional communicators, data scientists, systems analysts, and more,” adds Andy Ellis, CSO at Akamai. “And that doesn’t cover all of the go-to-market careers in a security company, like product management, marketing, public relations, and sales.”
In this way, a non-technical background can actually be an advantage, which sets you apart and gives you unique perspectives and abilities. “My security team includes people who have been librarians, journalists, lawyers, and control systems engineers,” says Ellis. “We hire them because we need those skill sets in the security career fields.”
For example, says Feinblum, “Security practitioners can cover policy and law, while others can build large-scale distributed systems, find security flaws, or focus on finding evil that's lurking where it doesn't belong.”
CYBERSECURITY JOB OUTLOOK
Given the massive (and increasing) need for digital protection, it’s no surprise that the occupational outlook is more favorable than ever. “The job outlook for cybersecurity professionals is extremely promising, probably more so than any other industry right now,” says Michelle Moore, PhD, Academic Director at the University of San Diego.
Data from the BLS confirms that the job outlook for 2016-26 is much faster than average. While the average growth rate for all occupations is 7%, it’s 28% for information security analysts: four times the average.
Meanwhile, a July 2016 McAfee survey of IT and cybersecurity leaders found that 82% percent of respondents reported a shortage of cybersecurity skills.
And despite this extreme demand, there aren’t enough people stepping up to fill these critical roles. “There are an estimated 350,000 open cybersecurity positions in the US,” says Nadir Izrael. “This scarcity creates a high demand for skilled personnel.”
Looking ahead, this gap only stands to grow. “By 2021 there will be an estimated 3.5 million unfulfilled security positions,” says Casey Ellis, founder and CTO at Bugcrowd. “There simply aren’t enough cybersecurity professionals to go around.”
The implications of this shortage could, unfortunately, be drastic. “As much as we’d like to believe the future will be a safer and brighter one than the one we’re in today, that doesn’t match with recent history,” says Andy Ellis. “The development of new technologies — which bring with them amazing opportunities across the board — almost always include new opportunities for dangerous losses. Protecting against those losses is always going to be a necessary function for enterprises large and small.”
If you’re craving a career where you can truly see the impact of your work, cybersecurity certainly fits the bill.
CYBERSECURITY JOB TYPES
Since cybersecurity is such a wide field, there are many unique roles you can pursue as part of the industry.
And while obviously salaries will vary based on the specific role, as well as your qualifications, negotiation chops, and time in the field, you’re not likely to be eating ramen every meal. “The average salary for a cybersecurity professional is about $115,000 per year,” says Moore.
Keep in mind that exact job titles can vary from company to company, but in general, here are some common roles:
Security generalist: a jack of all trades for smaller companies
Network security engineer: a role found at large companies, these people are involved in managing the security of their company’s network hardware and software, from firewalls to routers to VPNs
Cloud security engineer: as the title indicates, this role involves providing security for cloud-based platforms
Application security: specializing in protecting applications from threats using a mix of hardware and software skills
Identity and Access Management (IAM) engineer: a sub-field of cybersecurity focusing on digital identities and access rights within an organization to ensure correct levels of system access for all employees and prevent unauthorized use
Security architecture: designs, builds, and manages the implementation of network and computer security for a company
Penetration tester: get paid to legally hack into software, systems, etc., in order to identify security vulnerabilities
Malware/forensics analyst: job title could be “cyber forensic malware engineer” or “analyst.” They dig into malware to figure out what it does, where it came from, and so on.
Incident response analyst: first responders to any type of security breach or issue, rapidly addressing threats to find the cause and limit the damage
Cryptographer: builds ways of encrypting sensitive information to ensure individual and corporate privacy
Security trainer: trains employees in security best practices
Security auditor: report on a security system’s effectiveness and suggest ways to improve it; different than penetration tester because a security auditor is more high-level and uses established standards to evaluate a system
Governance, Risk and Compliance professional: a more senior role with oversight of regulatory and legal compliance and overall business practicesAnd there are more! Plus, even those in careers that aren’t security-focused on the surface can still benefit from some knowledge of the field.
CYBERSECURITY AS A SIDE GIG
Aside from full-time roles, there are also ways you can flex cybersecurity skills in part-time or non-traditional roles. (There are lots of benefits to side gigs!)
Casey Ellis says that “to stay ahead of adversaries, companies will need to depend more and more on crowdsourced security programs, such as bug bounty, vulnerability disclosure and next-gen penetration testing, to identify vulnerabilities before the bad guys do. In our latest survey, we found that 30% of CISOs that down already run these programs plan on implementing crowdsourced security in the next year.”
Bug bounties are essentially where you test a company’s application or software from the outside. If you find any security vulnerabilities, you can report them to the company for their teams to fix before someone malicious finds the same gap. You’ll quite often be rewarded for this. Here’s a comprehensive list of companies that offer bug bounty programs.
It also provides a fun and productive way to use and hone your skills on the side. “Bug bounty programs are a method to funnel your creative energy and develop new skills,” says Ellis. “You have the opportunity to hack some of the biggest brands in the world and earn money for it. While there are full-time hunters, many participants do this as a way to continue their ongoing security education and test themselves. There is a vast and growing community out there that is more than happy to offer guidance as well as a growing number of resources to help you along the way.”
Aside from that, if you’re interested in cybersecurity but not ready for a career change, rest assured that educating yourself won’t be a waste. Chris Coleman believes employees outside the tech department need to be educated, too.
“Cyber threats continue to evolve, and expertise in this category will not be isolated to a single department,” he says. “Software engineers, product designers and C-suite executives will all need to be knowledgeable about cybersecurity for organizations to operate effectively. It will be important for employees company-wide to have a baseline knowledge of cybersecurity and fully understand the practices and procedures in place by the company.”
With all that in mind, what are you waiting for!?
HOW TO GET STARTED IN CYBERSECURITY
So, are you mulling over a career change, or just want new skills in your arsenal? Let’s go through the process of what transitioning to cybersecurity might look like, from the idea and planning phases to the skills you need to learn and resources to help you learn them.
QUESTIONS TO CONSIDER BEFORE PURSUING THE FIELD
Leonard Simon, one of Springboard’s cybersecurity program mentors, recommends asking and researching the following questions to gauge how to proceed with learning cybersecurity:
Do I have any previous experience or certifications related to the IT or Cybersecurity field?
Is there technology I should learn first?
What skills would I need for a career in this field?
How will I get experience in this field?
Is there a lot of traveling involved in this field?
Are there entry-level/internship opportunities available?
How are the career advancement opportunities?
I’ll answer a few of these below, like skills and technologies — but others will be dependent on your goals and the demand from employers where you live.
IS A COLLEGE DEGREE NECESSARY?
The short answer: not necessarily. “Our industry was pioneered by people without college degrees,” says Josh Feinblum. “Work hard to get involved in the community, contribute to open source projects, try to speak at conferences about cool research — these are all things the original pioneers did and can provide opportunities for smart, hard-working individuals to enter the industry.”
Kristen Kozinski, who is now an Information Security Trainer at the New York Times, has seen (and personally experienced) the same trend.
“Most of the people I’ve met in the field are self-taught,” she says. “I have a very non-traditional path myself. A few years ago, I was working at MailChimp and our Information Security team opened up an apprenticeship position to work with the security engineers. It felt like the perfect opportunity. I did a little studying on The Open Web Application Security Project and got the job. I went on to work with that team as a Junior Security Engineer.” Now, Kozinski also runs her own security awareness business, Don’t Click on That.
However, if you do have a computer science or related degree, it will likely expand your options. As Feinblum notes, “College degrees are frequently a checkbox expected by many large companies, so not having a degree may limit some opportunities.” It’s not a deal-breaker, just another factor to consider!
PICK A CYBERSECURITY PATH
One of the most exciting things about cybersecurity is that there are a ton of paths you can choose. And, as I talked about above, you don’t need a tech background to pursue them.
The first step to choosing a path is to identify your strengths based on your unique background. “I recommend that your first step is to take an honest evaluation of your own skills and interests,” says Robb Reck. “Are you a people person? An application developer? A policy wonk? A networking guru?”
Listing out your preferences and skills will help you pinpoint the type of security position that’s the best fit for you. “Some popular areas are penetration testing, security engineering, and incident response,” says Kristen Kozinski.
Once you’ve started to narrow it down, begin deeper research on the fields of interest you’ve selected and learn the lingo. “Look for books that dive into that area,” recommends Kozinski. “No Starch Press has a lot of great security books. I also recommend looking at the Awesome Infosec Github page, which is a crowd-sourced collection of educational resources.”
Also, it will help to get in touch with others in the industry, to build connections and reach out for advice. “Get on Twitter,” Kozinski recommends. “The cybersecurity community there is very open and a lot of people give great advice on how to find work and where to find learning resources in your area of interest.”
In-person groups are invaluable too. “Get connected with groups like Information Systems Security Association (ISSA), Open Web Application Security Project (OWASP), Cloud Security Alliance (CSA) or ISACA, all of which likely have regional chapters somewhere near you,” advises Robb Reck. “Start volunteering with these groups, get plugged in with Open Source projects on the internet. You don’t need a job to get experience in security. The connections you make in those groups will likely be the vehicle to finding your next career.”
KEY SECURITY TECHNOLOGIES AND SKILLS TO LEARN
As with any tech field, it’s useful to start by gaining programming fundamentals. “Being able to understand a programming language will give you a good start in cybersecurity,” says Kristen Kozinski. “You don’t need to be an expert, but being able to read and understand a language is a good skill to have.”
Successful cybersecurity professionals are also able to think like a cybercriminal, says Chris Coleman. “It’s only with a firm understanding of the vulnerabilities of systems that someone can predict and prevent cyberattacks.”
Other specific technical skills you need will vary based on the area you choose to focus on. However, here are some general security skills that Coleman recommends:
Security and networking foundations
Logging and monitoring procedures
Network defense tactics
Cryptography and access management practices
Web application security techniques
No matter what you specialize in, the key to most security work is understanding systems. “When encountering new technology or processes, learn to take a systems view first,” advises Andy Ellis. “Ask questions like, ‘What is happening in this system that I can’t directly see? What goals do the system owner or designer have? What sort of unavoidable loss could be there? How could it happen?’”
For instance, if you’re thinking about vulnerabilities in a payroll system, you’d start by considering questions like:
How does an employee get paid?
Where is their data?
How can that fail?
“Asking yourself these questions, and learning the answers, is a great way to get started on a journey to helping secure the future,” Ellis continues.
Soft skills, meanwhile, include a willingness to learn — as the field is constantly changing — as well as the ability to work well on a team.
CYBERSECURITY COURSES AND ONLINE TRAINING
Because of the current cybersecurity shortages, self-teaching, practicing, and networking is often enough to land you in a job. “The skill gap is so high currently that employers are less concerned with the traditional education path and are looking for demonstrable competencies,” says Coleman.
Of course, which resources will be most valuable to you depends on exactly which direction you want to pursue and how time-intensive you want to get. That said, here are some places to look for online cybersecurity training and details about the courses they offer.
LEARN CYBERSECURITY ON SPRINGBOARD
Looking for something more intensive, with a mentorship component? Then we suggest Springboard’s Introduction to Cybersecurity Course.
Throughout the course, you can start at the beginner level and explore the various cybersecurity career paths available.
According to Simon, one of the Springboard mentors, here’s what makes Springboard’s program ideal for students:
Participate in hands-on labs that mimic real-world scenarios in the field to gain from practical experience.
Engage in 1-on-1 weekly Skype video calls with a cybersecurity subject matter expert to ask questions about the course, gain insight into various cybersecurity topics, and get feedback on your work.
Learn about the core concepts of cybersecurity as well as specialized topics like risk management and incident response — which are critical pieces for any organization.
Interact with other classmates and alumni in a private community (ask questions and gain additional insight).
By the end of the program, you’ll learn the cybersecurity fundamentals needed to pass the CompTIA Security+ certification and land your first job. In this course, no prerequisites are required, making it great for beginners. The program is priced at $299/month and it typically takes people three months to complete. However, you can cancel at any time.
Update: Springboard now have a free trial for their Introduction to Cybersecurity Course. Click here to get access.
LEARN CYBERSECURITY ON PLURALSIGHT
Pluralsight has many specific courses related to information and cybersecurity. You can check out the topic page here. They have courses for beginners to advanced individuals who are already in the field. You can access Pluralsight’s course library for $35/month and take advantage of all their course offerings.
Here are a few security-specific courses we suggest on Pluralsight:
Introduction to Information Security: Beginner level course that teaches about information security programs used by organizations. You will learn foundational principles of information security, like confidentiality, governance, risk management, and compliance. You’ll also explore organizational assets and how they are protected through the use of security controls and how auditing, monitoring, and testing is used to review and evaluate the effectiveness of those security controls.
Ethical Hacking: Understanding Ethical Hacking: Beginner-level course with over 1,000 positive reviews. Here you’ll learn to start thinking and looking at your network through the eyes of malicious attackers as well as understand the motivation of an attacker.
Malware Analysis Fundamentals: Beginner-level course with high ratings where you’ll learn the skills required to properly, quickly, and safely analyze malware by examining both its characteristics and behavior.
Cybersecurity Threats: Ransomware: Intermediate level course. In this course, you’ll learn to identify ransomware infection points, recover files without paying a ransom, defend against and respond to attacks, and pitfalls if you do pay.
Aside from one-off cybersecurity courses, Pluralsight also offers paths, which combine multiple courses with a particular end-goal. For instance, they offer an SSCP® path (Systems Security Certified Practitioner) which is an entry-level (ISC)² certification that helps newcomers enter the information security space.
If you’re thinking of going back to college instead of learning online, be aware that formal cybersecurity training is in short supply. “There aren’t enough paths carved out for students learning cybersecurity,” says Nadir Izrael. “While we discuss computer science educational tracks, we have an equal need for security professionals, but not enough formal training in higher education.”
Want to take advantage of free resources first? We get it! You can turn to our list of free places to learn tech skills, which has a dedicated section just for cybersecurity.
FINAL THOUGHTS
“There has never been a better time to get started in security,” concludes Robb Reck. “Finding that first job can be a challenge, but it is well worth the effort. Volunteer work, internships and working on projects on your own can take the place of professional experience, and will make landing that first job so much easier.”
And for anyone who values rewarding work, it’s a great job to have. In the words of Brian Witten, Vice President & Product Security Officer at United Technologies Corporation, “Waking up every morning, knowing that you’ll help make the world a better place, and then knowing, every time you go to sleep, that today you’ve helped protect millions, maybe billions of people…I wish that kind of happiness for everyone.
No comments:
Post a Comment