How to Get Started in a Cyber Security Career
According to recent reports on cyber security job growth in 2016, “More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years”. This news offers hope for those interested in a cyber security career. But knowing where to start and what to learn about cyber security is a nebulous endeavor.
Recently, a Redditor needed this type of direction when asking, “How to get into cybersecurity?” with the description:
“I am starting a CS degree in the fall, and I am really interested in cybersecurity. The thing is my university only offers one course in crypto. So how do I get into it? I don’t know any programming languages right now, but when I do, what steps do I need to take to get into cybersecurity? Any help is appreciated.”
This simple question requires a larger, more detailed answer.
Technical vs. Managerial Careers, Programming, Forensics, and the Most Important Skill You Need
We asked Jonathan Jenkins, a cyber security instructor, for his advice. He says:
“Cyber Security is a broad field that has many elements, which can be very specialized in advanced environments. There are two starting points for cyber security: technical and/or managerial.
If you decided to go to most universities for cyber security, there will be a vast amount of academics you’ll be exposed to. It’s easy to tell what route that school is taking you down based on the classes required for the degree.
Technical approaches typically focus on computer science. You learn networking, programming, implementing cryptography, server configuration, different operating systems, etc. Most of the time these courses run parallel to certifications, such as CompTIA’s Network+, Security+ and EC-Council’s CEH. Likely there will be strong exposure to policies and laws common for a technician to be exposed to, such as ISO 27001/27002, HIPAA, Privacy Act, SOX, GLBA, and the list would go on. The purpose of your classes would be to have a well-rounded understanding of information systems, so one day you could implement and configure these systems properly to mitigate intrusions.
Managerial/policy degree paths do not focus as much on technical skills. Students on the management/policy track focus on theory. They need to understand what policies and laws to bring to organizations. They need to focus on the ethics and psychology involved in cyber security. They understand how to draw up plans for risk management and business continuity for enterprises. This isn’t to say a person wouldn’t receive some “hands-on” courses, but the idea is for you to be capable of understanding cyber security enough so you can help write and enforce policy.
So what about programming skills in cyber security? Well, that’s another broad field. Programming definitely ties into cyber security. However, the methods and relevance can be somewhat confusing. Understand that if you love programming, building apps, or scripting to make your daily tasks simpler, then focusing on cyber security with programming isn’t for you. There is a heavy need for programmers in cyber security to review other programmers’ code to help secure it. Malware detection and analysis, along with potentially developing your own malware to run against a testing environment, would be good reasons to learn programming.
None of this is static and if you have mixed and matched skills, that’s a good thing. Many job titles are going to require a mixture of skills.
If you want to pursue a career in computer forensics, then you’ll need all the above plus additional training for whatever forensics toolset you’ll be required to use. Or perhaps you wish to be a penetration tester and you want to specialize in malware analysis, but you only know Java. It would be essential that you learn C++ as most malware is written or compiled in C.
Of all the skills expected of a cyber security professional, the most important is critical thinking. There are infinite attack vectors against information systems today. If you are defending a network, then you’ll follow the best practices to mitigate known attacks. However, attempting to be proactive against new attacks as your network grows and technology changes requires critical thinking skills.
No matter where you want to end up, networking is the core of your journey. Learning how systems talk to each other, programs speak out to the Internet, and how hackers speak to your system, will be the first step.”
Understanding the depth of the cyber security landscape, as explained by Jonathan above, is essential for establishing realistic timelines and expectations for your career.
Common Misconceptions about a Career in Cyber Security
The demand for cyber security jobs is high, but employers don’t hire just anybody, least of all college graduates or individuals who just earned a security certification but have no demonstrated work experience. This is a caveat for IT pros who are excited about the job growth but unrealistic about their experience.
The Redditor Greg1221 provides a great answer for the college student referenced above by elucidating realistic expectations and common misconceptions facing professionals looking to get into cybersecurity and make a career out of it. He starts off stating,
“The Cybersecurity industry is not friendly to people who are fresh college graduates. All the time people talk about how there is negative unemployment etc., but after spending a few days actually looking for jobs, you will quickly see that 90-99% of those jobs require 1-3 years’ experience. There is a small avenue for going straight into the industry, but you need to spend a considerable amount of time outside of school working on this before you graduate.”
Then he proceeds to explain the various specialties you can pursue within the field, including Information Security Analyst, SOC Analyst, and WebApp Pentester/Security Consultant. These specialties help guide and dictate the specific skills you want to develop, but this should in no way deter you from learning a broad range of skills initially.
Learn a Broad Set of Cyber Security Skills Before Specializing
Before you even begin thinking about potential jobs and your career trajectory, you need to establish a broad foundation of different skills. This process, although annoying at times, lends insight into what you may or may not want to specialize in.
Various Redditors offer advice on where to learn, what accreditations to pursue, and resources (online and offline) to utilize for beginners to build their skillsets. For example, one commenter believes that “companies value certifications more” than degrees at times. Earning a security certification (CompTIA Security+, CEH, CISSP) or degree (undergraduate or graduate) is a good step forward, but it’s not enough.
You may learn enough skills and knowledge to pass exams, but you must continue your education further. Also, you should constantly network and build your professional reach among the greater local community.
Join Cyber Security and Hacking Clubs and Meetups
Join cyber security or hacking clubs at universities, go to Meetups, attend conferences, and take advantage of every available resource. The connections you make could open the door to a job opportunity.
Ask professors for additional practice, projects, and further learning resources. Perhaps your school (even high school) doesn’t have courses or clubs for students interested in cyber security. If so, encourage teachers to help develop courses, clubs, or study groups that reflect student demand. If there’s a strong enough demand, teachers and administration may demonstrate motivation to meet it. Progressive professors and schools listen to students. So, speak up. Let’s point out one more benefit of speaking up.
The story goes that you spoke up, joined forces with a professor and other students to start a cyber security club and even completed unique projects furthering the development of your skills and knowledge. This tells a compelling story to future employers who may undervalue your resume due to lack of experience. If you tell the right story, then perhaps the right employer may give you a shot.
This is another reason why we encourage all readers, especially those in the IT and cyber security workforce, to blog about their learning experiences, challenges, failures, and successes.
The question and answers that inspired and contributed to this blog post originally appeared on this Reddit thread: