How to get a job in computer security

The secret to the security profession is to develop all the computer experience you can before you even begin to think about a career in cybersecurity.

I am asked probably twice a week to help somebody get a job in the security profession. Unfortunately, I can't help that many people individually, but perhaps this article will allow me to help many people all at once.

I do have some firm thoughts on how to get a job in cybersecurity, and this isn't the first time I've tried to express them in Computerworld. And I'm the first to admit that I bring some strong biases to the subject. First, you need to understand that I look at cybersecurity as a specialization within the computer field. The implication of this is that cybersecurity is a career for those in the computer field to aspire to, and not a trade, with entry-level positions. It is a position that should be earned with significant experience in the computer field.

If you want to just be a tool jockey and perform vulnerability scans, don't read this article. Just look for some basic certifications and try to get a job. There is nothing special I can do to help you. However, if you really want a career in the field, you will hopefully find some value in reading on.

One thing that will make a difference for you is getting a college degree. The article I mentioned earlier was called "Let's scuttle cybersecurity bachelor's degree programs." And, yes, I do believe that cybersecurity degrees are the wrong way to go. But a college degree of some description (your major is really quite irrelevant) is still quite valuable, and here's why.

Most college degrees require that you learn to communicate better. They require you to take writing courses that many of us would never take voluntarily. They require that you take courses that are outside your area of interest, which helps make you well rounded. Business courses, for example, can help you better understand the organizations that you will serve. It isn't always possible to see these things at the time. I thought required writing courses were a complete waste of my time when I was in college, and it wasn't until years later that I learned how valuable they had been.

More importantly, if you want to advance your career, the absence of a college degree will impede promotions and make it more difficult to get the jobs you want. That degree on your résumé is a baseline that recruiters and hiring managers are going to be looking for. If you can't include it on yours, you will need some way to grab their attention and show just how truly exceptional you are at what you do. Good luck with that. Nearly everyone you will compete against is going to have a degree. If you don't, you're hobbled right at the start. You can argue all you want about experience being the better teacher; hiring managers just don't have the time to root around for the person who actually has the best experience for the job. Having a degree serves as shorthand on your résumé, saying, "I have a basic check box that most serious candidates will have."

I want to be very clear that I am not saying that not having a college degree means that you have limited skills. Some of the most talented professionals I know do not have a degree. But despite their abundant talent, they have had an uphill battle in advancing their careers. Few have been able to advance to management roles. This might be perfect for you, but if you want flexibility and mobility, you will be at a disadvantage.

Once you have a degree, the next step toward a career in cybersecurity is to get a job that doesn't involve cybersecurity. Instead, get a job doing general computer work. The logic behind this is that you cannot be expected to protect computers if you don't know how to administer a computer system, you can't secure a system that you can't properly configure on your own, you can't secure a database if you aren't fluent in the database management system, and you certainly can't write secure code if you can't code at all.

Whether you have a job in the computer profession or not, since your goal is to be well rounded in basic computer disciplines, you can do other things that will contribute to your experience. Teach yourself to code, if you don't know how to do so already. There are plenty of free utilities on the Internet that will help you do this. Set up a home network, using cheap computers. Or, for even more experience, build your own computers. If one computer is all you can swing, you can partition the hard drive to run both Linux and Windows. Then practice securing your computers and your network. If you really want to get into penetration testing, you can practice hacking your own computers with different configurations.

Another option -- one that will allow you to be actually useful -- is to donate your time to a charity or other organization. Such organizations often need help with their security, and anything you can do to keep them safe will be invaluable to them and a public service. Put your accomplishments in the nonprofit world on your résumé; it's both impressive and rewarding to secure an organization that has little or no budget.

Moving into security

A lot of people who talk to me about getting into cybersecurity want to get a job doing penetration tests. They think it's sexy. I won't argue the point; I went that route myself. But what you need to realize is that securing an organization is not a matter of just highlighting its insecurities.

Early in my penetration testing career, I felt a rush whenever I compromised a major organization. With time, though, I came to see that the organizations I was compromising were not improving. The vulnerabilities I compromised might get fixed, but it wasn't especially hard to find other vulnerabilities.

Eventually, I started restructuring my reports to focus on the underlying reasons for the vulnerabilities and recommend administration procedures and systems to put in place. Only then did my clients begin to improve their security postures -- they began to look for an environment that made vulnerabilities likely, and not just to close off a known vulnerability. But it's important to understand that I wouldn't have been able to produce comprehensible reports like that if I had not come to penetration testing with a broad background that allowed me to understand the resources required, to create and test baselines, and to understand configuration management. I needed to be familiar with general systems administration procedures.

When I wrote the article denigrating cybersecurity degrees, I said that organizations in need of cybersecurity professionals should look to the people already working for them who have demonstrated talent, and then give them the on-the-job training they need to develop security-relevant skills.

Coming at it from the other side, my message to anyone who wants to be a cybersecurity professional is to stop worrying about security and first become the best computer professional that you can be.

Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site,

Join the CSO newsletter!

Error: Please check your email address.

Tags securitycomputerworld

More about Linux

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ira Winkler

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts