If there was ever a time to break into the cybersecurity industry, it is now. With cyber threats and attacks increasing in both frequency and sophistication, the demand for cybersecurity professionals is far outpacing the supply. This means that for qualified cybersecurity specialists, job security is practically guaranteed.
The New York Times reports that a stunning statistic is reverberating in the industry: Cybersecurity Ventures’ prediction that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.
“The cybersecurity job market is on fire. Our candidates are facing competing offers from multiple companies with salary increases averaging over 30%.” Veronica Mollica, the founder, and executive information security recruiter at Indigo Partners, told Forbes.com
Are you among those enthusiasts looking to get into cybersecurity? The field of cybersecurity is largely mysterious to those outside of it. In this article, I will try my best to help you figure out what the CyberSec field actually is and more importantly what it is not.
CyberSecurity is Not All About Hacking
What instantly comes to your mind when you think about the term ‘CyberSecurity’? Well, what pops into the majority of people’s head is a guy with a black hoodie sitting in front of two 32″ monitors with a bunch of Linux terminals opened in green-black theme and stroking the keyboard stormily like in Mr. Robot series.
It is only partially true for what this field actually is because cybersecurity is not limited to finding vulnerabilities in the victim’s machine, running exploits, and gaining access. These things we are discussing comes under the Red Team (offensive) side of the industry whose sole purpose is to hack into other’s devices for good.
There is also what we call a Blue Team who protects and defends organizations from probable attacks working continuously to find the security holes and patch them before the bad guys have a chance to exploit them.
These teams also have got branches and sub-branches inside them. While it’ll take me forever to mention the complete list, here are the top roles(job titles) we will hear frequently in this industry.
Top Cybersecurity Roles
- Chief Information Security Officer: a high-level management position responsible for the entire information security division and staff. The position may include hands-on technical work.
- Security Analyst: analyzes and assesses vulnerabilities in the infrastructure (software, hardware, networks), investigates available tools, and countermeasures to remedy the detected vulnerabilities and recommend solutions and best practices. Tests for compliance with security policies and procedures. May assist in the creation, implementation, and management of security solutions.
- Penetration Tester/Ethical Hacker: not only scans for and identifies vulnerabilities, but exploits them to provide hard evidence that they are holes in the organization’s security so that quick remedies should be implemented. They are also called White Hat hackers and are a part of the Red Team.
- Security Software Developer: develops security software, including tools for monitoring, traffic analysis, intrusion detection, virus/spyware/malware detection, anti-virus software, and so on. Also integrates security into application software.
- Security Architect: Designs a security system or major components of a security system, and may head a security design team building a new security system.
- Malware Analyst, Intrusion Detection Specialist, Vulnerability Assessor, and many more
Is a College Degree Must?
The short answer is: NO
Though you will see a lot of hiring managers seeking a college degree in computer science, IT security, or equivalent as a requirement for the job, it is not obligatory. As long as you possess the skills required in the industry through self-study or continuing education, you’re good to go.
I have heard many stories before of people, young and old, who transitioned into a cyber career without a college degree of some sort. Sure, they had to get a certification or two, but they surely did not need a four-year degree for the transition.
These points will make the above view more clear:
- The market is in the employee’s favor: First, keep in mind that what an employer wants doesn’t exactly mean what an employer gets. The cybersecurity industry is growing so quickly that employers are having trouble filling positions, so they are in a situation where they have to consider hiring candidates with less college or work experience and training them up in the house.
- Certifications hold great value here: The field of cybersecurity is blessed with lots of alternative qualification options, namely certifications. Because of certifications, you and I in the cybersecurity field aren’t stuck in a situation where only a degree can serve as an option to prove our knowledge. This fact has helped thousands of technology professionals over the years build a career without college commitment.
- A myriad of learning options: There are a lot of alternative learning options for us now. Looking at a medical school as an example, I’m pretty sure the only way to legitimately learn medicine is through a university program. But that’s not true for cybersecurity. Cybersecurity offers many learning options outside of a college setting including trade schools, technical schools, and online learning programs. Online programs, such as O’Reilly’s Safari Books Online, Cybrary, Coursera, Udemy, and Pluralsight are great examples. And these options are cheaper than college for the most part and more convenient.
- Diversity is always good: The cybersecurity threat landscape is continuously evolving, meaning that hackers are coming up with a variety of new malicious ideas exploiting not only hardware/software but also humans and different non-technical aspects. So folks transitioning from other careers are heartily welcomed here because people from diverse backgrounds scratching their heads to find upon a solution will always give the best results.
Now I am not here discouraging you from getting a college degree over certification programs. College degrees are totally worth it. You’ll learn about various programming knowledge and skills, research methodologies, project management ideas, and soft skills which are also the major qualities for this field. My suggestion is that, if you can combine your college degree along with some demanding entry-level industry certifications, it will definitely add fragrance to the gold.
Passion For Computers and Techs is a Must
Of course, you don’t need to be a tech-geek. An individual considering a career in cybersecurity must have an interest and passion for computers and new emerging technologies.
Passion fuels the inner drive to achieve and accomplish a task to completion. As stated before, a system cannot be known as “half-way secure.” Security needs to be a must, not addition or “upgrade.” Considering this thought, passion is what will drive one to success. Sure, he or she may encounter continuous problems and have to face a massive challenge, but with a passion, he or she will be able to persevere.
Do you have a passion for technology? Are you interested in developing and working in the technology industry? Have you explored the cyber industry?
The answers to these questions are critical. If you have no interest in technology (the idea of cybersecurity specifically), then you will be dragged behind for sure.
A Myriad of Industry-level Certifications
As in other industries, gaining certifications in cybersecurity can help upgrade your career to greater levels. As a matter of fact, certifications are the preferred method for information security professionals to demonstrate to the world that they are competent in the field and possess the knowledge to be a success in the role.
While there are many certifications available for the entry-level information security professional, it’s your job to have the right pick for you according to your interests and domains you want to work on. Some of the popular certification vendors out there along with their offered programs are listed below.
- Cisco: Cisco Certified Network Associate(CCNA), Cisco Certified Network Professional(CCNP), Cisco Certified Internetwork Expert(CCIE), Cisco DevNet, and many more
- CompTIA: popular entry-level certifications like A+, Network+ and Security+ (collectively called CompTIA Trifecta). Other worth-mentioning certs include Pentest+, Cybersecurity Analyst(CySA+), Linux+ and many more
- EC-Council: Certified Ethical Hacker is the leading one. Certified Network Defender(CND), Licensed Penetration Tester(LPT), Certified Threat Intelligence Analyst(CTIA) are just a few to mention.
- Offensive Security: assess Red Team skills. The most popular one is the Offensive Security Certified Professional(OSCP) for beginners. More specific ones include OSWP, OSCE, OSWE, and OSEE.
- (ISC)2: In total, they offer six core security credentials. Certified Information Systems Security Professional (CISSP) is the most celebrated one.
Acquire these technical skills under your belt
What technical skills do Cybersec Nerds need? That question is a bit vague to answer, as there are many sub-disciplines within the cybersecurity field. That being said, many such jobs share a common technical foundation.
I usually like to break down the skills into four categories:
- System Administration: While Windows and macOS are widely used as consumer-level operating systems, they are not well-suited here. If you want to be a pro, grab hands-on skills with Linux. I repeat, Learn Linux! Because Linux is open-source, tool developers (and you) have a level of access that is unsurpassed. Linux is transparent, and that means you can learn to manipulate it in ways that are not possible with most OSes. Also (and undoubtedly for the reason just mentioned), most cybersecurity tools are written to run on Linux.
- Networking: You must be able to understand how these devices and IoTs are communicating with each other across the Internet. Have sound ideas on basic networking terminologies like IP address, the transmission of packets, LANs, routing, VPNs, and related.
- Scripting/Programming basics: This is not mandatory for all types of cybersecurity job roles unless they are technical in nature. For example, an application security engineer, security analyst, ethical hacker, penetration tester, etc. would require these skills.
- Security Fundamentals: You should develop knowledge on basic IT security terms like CIA (Confidentiality, Integrity and Availability) Triad, AAA (Authentication, Authorization and Accounting) Triad, firewalls, IDS/IPS, security logs,etc. You will gradually grab hands-on experience with these terms once you start working in this field.
Yeah! Soft Skills Matter
Remember, security professionals often need to communicate complicated subjects to people who might not have much of technical background (such as C-Suite Executives). With that in mind, comprehending the following is usually a prerequisite for climbing to more advanced positions on the cybersecurity ladder:
- Excellent presentation and communication skills to effectively communicate with management and customers.
- Ability to clearly express complex concepts (both written and verbally).
- Ability, understanding, and usage of active listening skills (especially with customers!).
From a cybersecurity perspective, soft skills will also allow you to identify examples of, and explain Social Engineering, which is a pervasive issue within the security community. You can put all kinds of hardware and software security measures in place, but hackers can still use social engineering to convince employees to give them passwords, credentials, and access to otherwise-secure systems inadvertently.
This is an Ever-Changing Landscape
The dawn of cybersecurity dates back to 1983 when the release of the movie ‘War Games’ in which a teenager unwittingly accesses War Operation Plan Response (WOPR), (a US military supercomputer) triggers the former President Ronald Regan if that could happen in reality. After that, he issued the first IT security policy called ‘National Policy NSDD155’.
Let’s have a peek at the stats of cybersecurity threats of last five years.
- In 2016, twice as much money was lost to cybersecurity exploits as was made in all auto sales worldwide.
- The average data breach costs a company $3.86 million. For small to medium-sized businesses, this can often threaten the entire organization.
- Large corporations in the United States are the most common targets of cybersecurity attacks. And 51% of large American corporations have been rated as unprepared for a cyber attack by security experts.
- There was a 300% increase in the number of reported cyberattacks in 2016 over 2015.
- Polymorphic malware is dynamically generated, leading 94% of malware with unique signatures.
- “Resource skimming” has been one of the largest cybersecurity threats of 2019. In this form of an exploit, the resources of an infected device are used by the hacker to mine cryptocurrency or for computing power.
So, What’s in Demand?
“Threats have evolved to include advanced actors such as Advanced Persistent Threats(APTs) and nation state-sponsored espionage”
As threats to information resources evolve, so must the cybersecurity community’s defense approach. Gone are the days of implementing IT solutions solely on the network boundaries to circumvent attackers.
There is a constant tension between these attackers and the security keepers. Defenders have to be right every single time but these cybercriminals only have to be right a single time in order to take down a whole conglomerate.
So we are now in a condition where available analysts and required knowledge is constantly decreasing in relative to the increasing threats and cybercrimes.
- If you want to continue in this field, you must have a thorough motivation and passion to learn more.
- You must have a constant hunger to digest new technologies and tools. Otherwise, you are gonna get left behind.
- Never be complacent. I repeat again, once you are complacent, you are not going any further up!
- Perseverance is required. With new malware and threats emerging every other day, you must constantly work to defend them.
Founder of cybersecnerds.com. Electronics Engineer by profession, Security Practitioner by passion.
I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.