Throughout my career as a cybersecurity professor, I often get questions about starting a career in cybersecurity. The question seems simple, but it is not easy to answer. If you are reading this article, it is quite likely you are thinking about cybersecurity as a career option. This article aims to summarise some key points and provide you with initial directions, with the aim of overcoming inertia and kickstarting you into the first steps.
(Almost) everyone agrees that cybersecurity should be an interdisciplinary field
Increasingly, cybersecurity programs around the world are starting to introduce non-technical courses such as business communication and legal aspects of cybersecurity, and industry internships into their technical cybersecurity curricula.
In my own experience developing national and international cybersecurity curricula, I am often struck by industry experts suggesting that ‘we need to introduce soft skills into the curriculum because the geeks are unable to articulate their concerns to the management’. This assertion is partly true. To be fair to geeks (and I am one myself), I think there is also a responsibility for management to actively understand cybersecurity risks and remove the culture of leaving techie stuff to techies. Also, ‘soft skills’ should and could also be learned at home or even from part-time work experience during high school or university days.
To be more precise, graduates of cybersecurity curricula should perhaps be exposed to a diversity of thinking, and be appropriately trained to handle different challenges, including communicating serious data security breaches to affected stakeholders and leading incident responses to cyber attacks. Hence, this goes beyond ‘soft skills’ per se, and includes an appreciation of a wide range of disciplines including but not limited to criminology, political science, public relations and communications, corporate governance and law.
Cybersecurity careers: Fact versus fiction
Compared to other ‘traditional’ industries like medicine or law, it is hard to define a relatively new and rapidly-changing industry like cybersecurity, but it is perhaps easier to define what cybersecurity careers are not:
Cybersecurity careers are not (just) about hacking. I believe that the root of this common misperception about cybersecurity careers being all about hackers is the consistent portrayal of a person who is an ostracised loner who loves to sport a hoodie jacket, types quickly, and has a face with digitally-rendered 1’s and 0’s. Look around the stock images used by cybersecurity articles and you can see what I am referring to. The media tends to glorify and sensationalise top hackers, but a cybersecurity career goes beyond finding ways to break systems, and in fact, it is not just a technical career path. Just as healthcare systems have several roles such as midwives, nurses, pharmacists and radiographers on top of doctors, cybersecurity careers offer a large spectrum of roles including but not limited to writers, legal experts, cyber insurance professionals, malware researchers, law enforcement and intelligence officers, policy advisors and even soldiers.
Cybersecurity careers do not require a prerequisite computer science degree. Yes, this is coming from a computer science professor. Let me start with a few examples. Graeme Proudler, one of my ex-colleagues at Hewlett-Packard Labs, is a physicist but is one of the most respected names in the cybersecurity research area of trusted computing. Sai Honig, an ex-board member of (ISC)2 (one of the gold-standard professional certification bodies in cybersecurity), started her career as an aerospace engineer before switching over to a cybersecurity career. My own PhD was in the area of artificial intelligence planning applied to supply chains and collaborative business processes. All of us kind of ‘stumbled upon’ our cybersecurity careers. If you ask your friends in the cybersecurity industry about their qualifications, you will likely get the same answers. So the bottom line is, the qualification is not the only way to enter the industry. What matters more is that you focus, and look for the niche in cybersecurity that aligns with your strengths and interests.
Steps to get you started with your cybersecurity career:
So, how do you get started? As with most major things in life, it helps to start with the right mindset.
1. Think about the legacy you wish to achieve and work backwards
What is your purpose in life? This sounds cliché, but it is actually the key to a great career (note the difference between a career and a job). As Mark Twain said, “The two most important days in your life are the day you are born and the day you find out why.” For my friend Sai Honig, I know that she is driven by a desire to help people. This is evidenced by her work outside her job helping the Grameen Foundation. What drives you?
What is your desired cybersecurity job? After knowing what drives you, it is important to look at the types of jobs. It is important to do your homework, and speak to a wide variety of people. Do not base your whole life and career decision on the advice of one or two people (who may be disgruntled with their misaligned jobs). Do you like to write and effect change through policies? Perhaps the policy advisor role focusing on cybersecurity affairs would suit you. How about exploring internships? Some firms, especially the big four accounting firms, take in a large number of interns, and this would be an interesting opportunity to dip a toe in before diving into the field.
2. Understand the relevant qualifications, skills and knowledge required
(Disclaimer: In this section, I am simply listing the qualifications commonly sought after by employers. The example qualifications in this section are not an endorsement, and similarly, those not listed are not to be interpreted as “not endorsed”.)
I often get asked the question “What is the best and value-for-money certification/training for me?” My reply would be “the one which will enhance your reputation”.
With this advice in mind, it is key to look at the following when choosing qualifications:
What is employers’ perception of the qualification/degree? For example, the Offensive Security Certified Professional (OSCP)’s 24-hour examination proves to employers looking for penetration testers that the candidate is technically competent to perform the jobs they will be assigned to. Another example is the (ISC)2 Certified Information Systems Security Professional (CISSP), which is recognised as an entry requirement according to the U.S. Department of Defense (DoD) Directive 8570.1. Another useful piece of homework you can do is to look at the qualification requirements of the highest paying jobs in the cybersecurity sector: which qualifications are commonly sought after? An alternative method is to observe the LinkedIn profiles of Chief Information Security Officers (CISOs) of companies. What qualifications do they typically hold?
What is the quality control of the curriculum, and how do they manage their common body of knowledge (CBK)? A keen cybersecurity student would ask questions about the way the organisations regulate the qualifications’ CBK: is it refreshed regularly, and how is it developed? For example, when I was involved as one of the experts developing the first Certified Cloud Security Professional (CCSP), I was thoroughly impressed with the way (ISC)2 worked with Pearson VUE psychometricians to develop the CCSP curriculum through several consultative stages — from understanding the job tasks expected of the certified professional, to designing the examination questions, to testing the questions, and so on. This development process can also be found with other organisations such as CompTIA, ISACA and so on.
How are the exams proctored? Some certification organisations do not manage examination proctoring well, leading to reputation implications for genuine holders of their qualifications. You would need to look out for qualifications with excellent proctoring to prevent cheating. Examples include examinations run by professional test-taking centres combining CCTV recording, biometric and facial ID verification.
Are there black markets ‘selling’ the qualifications, affecting the brand of your qualification? Unfortunately, with an increased demand for qualifications, some rogue suppliers and training centres (predominantly in South Asia) ‘sell’ qualifications such as the Certified Ethical Hacker (CEH). The provider’s website was also previously defaced by hackers. From my experience interacting with industry partners in Australia and New Zealand, these incidents leave a nasty taste with employers, resulting in some employers I know of shunning CVs with the affected qualifications, since they can be perceived to be ‘buyable’ and may affect their company’s reputation. It is very sad, as it affects the genuine holders of the professional certifications. I strongly recommend you do a bit of homework and exercise a heightened sense of caution before deciding to invest in affected qualifications, or even think twice before including the affected certifications in your CV.
3. Find the best environment for learning cybersecurity
After deciding on the right training and qualifications, it is important to look into the learning environment, consisting of a good combination of (1) facilities and equipment, (2) mentors and (3) the wider ecosystem. An ideal situation would be access to cutting-edge equipment and device testing laboratories, which will give you valuable hands-on experience. The hands-on experience builds into a portfolio which will enable you to articulate your experience at your first cybersecurity job interview.
Having access to mentors who will not only provide you with advice or access to networks and opportunities, but also have the bandwidth to catch up with you at least every six months, would be great to steer you in the right direction. Even if you do not know anyone or cannot access a physical network of mentors, you always have the option to join your local computing peak bodies (e.g. the ACM, IEEE, IET) as a student member if you are a student, or cybersecurity interest groups which may have meet-ups or virtual gatherings.
Beyond mentor networks, you should aim for an environment which spurs you on to greater heights. For example, you should have access to some regular cybersecurity events or capture-the-flag competitions (both online and in-person) to test your newly-acquired skills against like-minded folks. It is often at these events or competitions that potential employers lurk around looking for their next batch of talented employees. I use the word ‘lurk’ as they often do not reveal that they are hiring, but are actually participating as industry partners with the hidden intention of spotting talent. When I was running the New Zealand Cyber Security Challenge (2014–2018), I was consistently approached by hiring managers from both public and private sectors asking me to (silently) pinpoint the top competitors to them. I witnessed a few job offers made to competitors and organisers, some of whom were my students.
4. Focus on your brand and reputation
In this profession, which requires a high level of integrity and a code of ethics, your brand and reputation determine your opportunities. Guard them with your life! It is also important to view this career as a life-long learning process, and as a profession just like other occupations (e.g. doctors, accountants, engineers, etc.). Several professional certification bodies encourage their members to clock continuous professional development (CPD), and their emphasis on CPD is a hallmark of their institutional quality. When you are starting your learning journey in cybersecurity, be sure to aim for tangible milestones such as real-life experience conducting security tests, leading cyber awareness programs, or even bug bounty programs. Show up at industry networking events, and observe how the most successful do their craft. You may also wish to approach these role models and ask if they could be your mentor. It is key to remember that they are usually time-poor, so it will be important to advise the prospective mentor that you only seek their occasional advice and would not be taking too much of their time.
5. Remember to pass it forward
Over time, if you follow the steps above, I am confident that you will achieve an amazing and rewarding cybersecurity career. If and when you are blessed with an amazing career in cybersecurity and have achieved some significant milestones, it is time to pass on the blessing to others. Find time to think about how you can help others who need extra help in cybersecurity. For example, you could volunteer to create cybersecurity awareness programs for not-for-profits, schools, or organisations representing disadvantaged sectors of society. Also, be on the lookout for opportunities to mentor someone. It may turn out to be the best investment of your time.
Resources to get started
This article is a summary of a 1-hour free webinar I gave to an Australian audience through the Australian Computer Society (ACS), and it was the really encouraging feedback from the webinar that inspired me to pen this article, with the aim of reaching a wider and global audience. This is also a way for me to do step 5 in the above tips.
Besides my article, you may wish to look at the following free resources:
If you are a visual person, try playing with and exploring the Career Pathway sections of the Cyberseek.org website. While the jobs listed are USA-centric, it gives a good overview of the possibilities and relative salary ranges of the different types of cybersecurity jobs.
If you are in Australia, you can try this great and free resource, ASD CyberEXP, by the Australian Signals Directorate, designed for high school students (and teachers) to experience what it’s like to work in some of the cybersecurity roles.
I wish you all the best with your cybersecurity career, and if this is useful to you, I encourage you to pass this information to others, and if time permits, write to me with feedback or suggestions.