How to Plan a Career Path in Cybersecurity
- Date: 01 January, 0001
The field of cybersecurity is proliferating so quickly that there are a plethora of positions sitting open waiting to be filled by qualified individuals.
Cybersecurity is the arena of technology, methodology, and practice that focuses on protecting electronic information and the systems supporting it against compromise and attack. Cybersecurity encompasses standalone and networked computers, local networks and the internet, hardware and software, private and public organizations, online and offline concerns, internal and external threats, domestic and international relations, intentional and accidental events, all forms of attack (including electronic, physical, and social), and much, much more.
As a society, we have become heavily dependent on computers, networking, data stores, and cloud services. This dependency, in turn, has exposed us to the risk of loss or compromise of those data systems. As a result, the need for personnel knowledgeable and experienced in security implementation and management has never been greater, and the demand is growing at an alarming rate.
Areas of Competency
Cybersecurity has been formally defined by ISO/IEC 27001 and 27002 to include:
- Security policy
- Organization of information security
- Human resource security (i.e., employment practices)
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Business continuity management
- Policy and regulatory compliance
As you can see, there is an astounding breadth of concern for the cybersecurity professional. For smaller organizations with less staff, cybersecurity job positions will require competence across all of these areas of concern. For larger organizations with considerable staffing abilities, a team of cybersecurity professionals may be assembled, with each member being a skilled practitioner in one primary topic. Are you interested in being a generalist with moderate knowledge and skills in many areas, or would you prefer being a knowledge expert in one primary field where you know and can do more than anyone else? Either of these choices has both beneficial and detrimental consequences.
Requested Knowledge Areas
Many of the cybersecurity positions available today are requesting knowledge and experience in one or more of several specific areas, such as:
- Information and data security
- Firewall management
- IDS/IPS administration
- Network and networking security
- O/S security
- Protocol security
- Secure and defensive programming
- System configuration
- Audit log analysis
- Machine learning (ML) and generative adversarial networks (GAN)
- Cloud services
- Incident response
However, realize that these areas of interest and concern are for job applications filled today. If you spend six months or six years building up your knowledge and skills, those areas of interest may shift.
Discover What Is Hot in the Marketplace
As with anyone seeking a new job, researching a career path, or a career change, the first step is to discover what opportunities exist in the marketplace. Performing an initial assessment of offerings will provide you with a better understanding of what positions are available and the minimum requirements for each job type.
Start with a job search site, such as indeed.com (a search engine of "all" job sites), and use keywords such as "cybersecurity," "cyber security," or "security."
Take the time to look through many of the job listings uncovered by this search. After some review, pick a position or title that seems appealing to you, such as cybersecurity manager, database security administrator, security policy chief, security trainer, or security systems quality assurance.
Then, search again with your selected title or position. Find different organizations requesting applicants for that position and then take note of several items:
- Required certifications
- Required specialty education
- Required experience
- Starting and potential salary and benefits
What Certifications Do I Need?
As an instructor, many students ask me what certifications are required to get a specific job. Unfortunately, that is a question that does not have a universal answer.
At first, many students seem to think the answer is a single certification on their resume to get them the job of their dreams. Unfortunately, that is seldom the case. Most individual certifications are just part of the overall picture of what a company is seeking in a new applicant. Thus, performing a real-world position survey will give your expectations a solid dose of reality.
Every organization will have its requirements when selecting a potential new hire. You need to know what the marketplace is requesting to develop an overall sense of what is expected and reasonable to qualify for a specific job.
In your survey of available security positions, you may see several certifications commonly requested.
These might include:
- Security+ (CompTIA)
- PenTest+ (CompTIA)
- CompTIA Advanced Security Practitioner (CASP+) (CompTIA)
- Cybersecurity Analyst (CySA+) (CompTIA)
- Certified Ethical Hacker (CEH) (EC Council)
- Certified Hacking Forensic Investigator (CHFI) EC Council's
- Certified Information Systems Security Professional (CISSP) (ISC)2
These are some of the most widely requested certifications in the security industry today. What these certifications have in common is they are all vendor-neutral or vendor-independent certifications. In other words, they do not focus on a specific operating system or software product.
However, there are also many vendor and product-specific certifications. These include Amazon Web Services, Cisco, Avaya, Dell EMC, HP, Juniper, Microsoft, Red Hat, VMware, RSA, Oracle, and SAP. The more specialized the organization on a specific product or the more focused a job position, the more likely vendor- or product-specific certifications may be requested.
Vendor-neutral certifications have broad appeal and will apply to most job offerings. However, be cautious about investing in vendor-specific certifications until you are positive you wish to stay in job positions that focus on that vendor.
Long Shelf Life
Most security certifications offer solid and directly usable knowledge that can apply to every cybersecurity job position. While other certifications are more popular for a few years, they can be surpassed by another trending certification concept.
Be sure to re-assess the marketplace to see any shifts in hiring practices and invest time and energy into those certifications that apply most to what you choose to pursue. Constantly weigh the benefits of different certifications, including those that are vendor-specific and those that are not. In most cases, a long shelf life will benefit you more than one that’s short-lived.
Many certifications are based on your experience and knowledge but only test you with standardized exam questions, such as multiple choice and fill-in-the-blank. However, a growing number of certifications now include more practical or hands-on forms of testing, such as solving complex problems, applying knowledge to a scenario, or performing functions or commands in a system simulator.
In addition, some certifications require work experience to qualify to take an examination. For example, the CISSP certification requires five years of relevant security experience (however, that experience can be obtained prior to or after taking the exam).
A significant number of cybersecurity positions require a college degree; some even require an advanced degree, such as a master's degree or Ph.D. Therefore, lacking the proper education could be an automatic disqualification. However, if you have significant real-world experience (such as 10+ years), some companies will adjust their degree requirements.
How Much Experience Do I Need?
0-3 Years of Experience
To land a job in cybersecurity, some organization require little to no professional experience. They hire recent graduates or those with minimal experience, and they try to mold the candidate to their specific culture, workflows and more.
This comes with good and bad. The good? It gives entry-level candidates opportunities to build their resumes, gain valuable experience, and put their knowledge into practice.
The bad? It varies. In some cases, recent graduates might not make a lot of money, especially if they lack volunteer or internship experience, and the like. What’s more, if an organization teaches a new cybersecurity professional a very specific practice or process, it could hinder and limit the employee’s education and training to a narrow focus. This could make it harder to transfer skills to other jobs down the line. But at this stage of your career, it’s likely best to get a job and start gaining experience.
4+ Years of Experience
If you have a modest level of experience, you may need to seek out job offerings requiring experience. This will move you into job areas with fewer applicants but which will have more strict compliance requirements. In such cases, certifications will ensure that you meet the minimum qualifications, but, ultimately, your experience and abilities will determine whether or not you are a good fit for the company to hire you.
Some say that experience is everything. While that is not always true, most of the job positions you seek will have some level of experience requirements. While you education yourself and obtain certifications, don't overlook opportunities to earn experience.
It may be worthwhile to take a more entry-level position to get experience time on your resume. If you can afford to live lean while you take a lower-paying position or internship to gain experience, then you might be making the proper sacrifice in the short term that will allow you to achieve your long-term career goal.
Also, don't overlook opportunities to volunteer, especially when you can donate your time and knowledge to an organization or cause of interest to you, which can also improve the depth of your resume.
Military and Government
One of the cybersecurity industries or sectors that is growing the fastest is that of government and the military. Government and military cybersecurity positions often include specialized training and experience that cannot be obtained in the private sector. A government or military job position could be your chosen career path, or a means to develop relevant experience for a future private-sector career.
Many jobs require education, certification, and experience, while others may offer on-the-job training as part of the position. You might find that working for your government or being a part of the military is in line with your career goals. There is also likely ample room for advancement within the public sector far beyond what you might experience in the private sector.
You might even purposely pursue a government or military position for only a few years to land a more preferred private-sector job in the future. Many companies will offer higher compensation packages to those who are ex-military or former federal employees, based on the unique and proprietary training and experience they may have received.
Testing the Waters
Suppose you are unsure whether or not your current experience, education, and certifications are sufficient for a particular position. In that case, you can always contact the organization with the job opening and ask for a phone or in-person consultation.
Not every HR manager will be willing to talk with someone that might not be qualified for a position, but others are happy to discuss their requirements and your qualifications. Therefore, you may need to inquire about several organizations before finding someone willing to talk with you.
Keep in mind that while you’re seeking information from an organization, it’s still a meeting (a.k.a., an interview), so it’s important to leave a good impression and remain professional.
If you are a student at a college or university, there are often career counselors available. Don't forget about the professors or instructors of your security and technology courses; they can often provide career insight into their respective fields. You might find that spending some time in a focused career consultation session can be a solid starting point for mapping out your career path.
Take Action to Achieve Your Goal
Before taking a job, consider how that job will assist or hinder you from obtaining your long-term goal. If you are looking to get hired by a smaller organization, is there sufficient room for career advancement, or will you need to leapfrog to another company when you are ready to move ahead? If you are interested in getting hired at a large organization, will there be a lot of competition for job openings, and how will you stand out from the crowd?
Take every opportunity availed to you to obtain education and certification, as long as it is in line with your career path. Global Knowledge offers a wide range of training courses that focus on both job skills and certification achievement, especially in the growing field of cybersecurity.
Global Knowledge offers a wealth of online resources such as this article and other online materials. Global Knowledge is also a world leader in training, both live and on-demand courses. To find out more about the educational opportunities from Global Knowledge, contact us at Info@globalknowledge.ie or call +353-1-814 8200 to speak with a Global Knowledge training advisor.
Before booking your first class, take a few moments to step back and look at the big picture. Many new workers of the next 10 to 20 years will be in positions that don't even exist yet. Be cautious about picking a career path based on only historical concepts of work opportunities. Instead, look around for new technologies and growing industries. Some exciting areas include biotechnology, genetics, social networking, wearable technology, virtual experiences, mobile, cloud, AI/ML, and distributed data management. Think big. Look to the future. Then, take the first step towards your new career in the expanding world of cybersecurity.