So, you want a job in cybersecurity. You have seen the latest hacker movie or Abby on NCIS and want to save the world from all the malicious actors or cyber criminals that are out to get us? You have drunk the Hollywood Kool-Aid for what a life as a white hat hacker saving the world is like and you must be a part of it. What is it really like working in cybersecurity though?
60-80-hour weeks, endless alerts and logs to review and determine an effective course of action, never-ending training requirements just to keep your head above water with the latest trends and attacks that are being used by malicious actors. More letters after your name than the alphabet just to ensure you mean something and can even get a look in for the most basic of security positions. That is with a skills shortage; what would it be like when there are too many candidates flooding the job market (although I don’t feel we will have that problem for a while)?
Now don't get me wrong, I love working in security. I will outline my general path to get here; however, I want to ensure that anyone looking to make a shift over to security doesn't come into the industry with rose-coloured glasses on.
I want you to see what it is really like and then you can make an educated decision to join us. Okay, let’s start with how I got here. I have been in IT (Information Technology) since 2000 after I left high school and have been employed by several different organisations since then with both internal enterprise support roles and IT service provider support and management roles.
I found myself in 2011/2012 seeing a lot more security-related incidents with viruses and other types of incidents. I got the security bug at this time and started to learn as much as I could about anything security to improve my skills as an IT professional (well, that's what I thought at the time) and I continued to improve my skills until 2013, when I started my first master's program with CSU and signed up for a digital forensics major. I have been focussing more and more on security as my primary duties since, with a change from an IT role into a security-specific role at the start of 2017 (best thing I have ever done).
My entry into the security specific role was not easy though as I had wanted a change for several years but was looked over for security-specific positions because of my lack of specific security role experience and I didn’t have any of the most popular security certifications (CISSP, CISM, OSCP – the list goes on). I have now almost completed a second master’s in information systems security with CSU, as I wanted to expand my qualifications further due to the resistance I experienced even after the first degree. I am growing as a security professional every day with a real passion to continue to learn and be an active member in our industry.
Yes, as a security professional I am still a newcomer to the industry compared to many of my peers but I feel that it is not always how long you have done something that makes you a positive participant and I want anyone who is considering making a move into this industry to truly know that if you want it bad enough you can make it happen. It isn’t going to be easy and you are going to need to work hard to achieve the skill set needed to be a good security professional (I still have lots to learn and will probably never know everything I need to know) but start with the basics and build from there.
You can find many resources online to help with that, and don't be afraid to push yourself out of your comfort zone. If university is something that you would like to do then find the course that will interest you the most; passion will help you get through the tough times on that journey (trust me, there will be some tough times – life has a habit of getting in the way). Whichever path you take, don’t be disheartened by a rejection; these are inevitable and are just something that you will need to turn into motivation.
The other fact that many of you will need to know is that most of the time a job in cybersecurity is not flashy or exciting; many jobs on the lower level in security are responding to alerts and reviewing log information. This will not be super exciting and can be quite mundane, but these tasks can make you a better security professional because if you know how to find the abnormalities and how breaches are carried out you will greatly improve your skills. As you develop you can specialise, but I can't say it enough: always keep working on the foundational skills – you will thank me later.
Now if continuous learning and mundane long hours are something that still interests you, then go for it and enter with your eyes open. Hopefully, we will get to work together someday in this truly interesting security industry.
A quick opinion now for the people doing the hiring: if there is such a big shortage of skilled staff for advertised positions all around the world, maybe you should consider hiring people who have the basic skill set you need and train them. They will be grateful for the opportunity and maybe turn out to be the strongest person you have on your team, if you just give them the chance to show you what they are made of. If you invest some of your time in someone and they don’t work out, have you really lost out on that much if you couldn’t fill the position any other way and would still have been short-staffed anyway? Just my thoughts.