Scarcity creates opportunity – and you’d be hard-pressed to find a sector more abundant in both than cybersecurity. It's estimated that 3.5 million security positions across the world will go unfilled this year. Colleges and security trade programs just aren’t churning out qualified graduates fast enough to meet the rising demand, as hackers mount attacks at an increasingly unbelievable pace. The volume of total malware attacks increased by 358% last year, while ransomware rates soared by 435%, according to one report. It’s no wonder that 78% of senior IT and security leaders feel they lack sufficient protection against cyberattacks!
Capable cybersecurity professionals can expect to be spoiled for choice in the job market today and well compensated for their in-demand skillsets. For those considering entering the field, I’d like to lay out the state of security today, explore potential career paths, and provide some guidance on the steps you can take, including skills you can develop to make it happen.
Understanding the Market
Constant change defines the cybersecurity sector. Cybercriminals and security professionals play an infinite game of cat and mouse. The birth of every sophisticated tool or technology sparks a multitude of new attack vectors and tactics, which security teams work tirelessly to identify and block, ad infinitum. At its core, the discipline seeks to protect organizations’ digital assets from theft or exposure. No matter how advanced security services and tools become, organizations will still need skilled cybersecurity administrators to carry out successful implementations and monitoring, and provide the level of creativity and human “it” factor required to achieve a strong security posture.
Ransomware is a perfect illustration of the ever-evolving state of cybersecurity. It has been making headlines for years, but we continue to see new variations and growth in its scale and sophistication. At first, these attacks and the tools used to launch them were typically reserved for sophisticated hacking groups with exceptional skills and resources. Today, the barrier to entry is much lower due to Ransomware-as-a-Service (RaaS) offerings available on the dark web that democratize cyber extortion for a small fee. As a result, novice hackers can launch powerful ransomware attacks and inflict immense damage on major organizations anywhere in the world. Now, security professionals are up against everyone from inexperienced “script kiddies” to state-sponsored attackers and even “cartels” that work together to execute massive ransomware attacks across the world.
Cyber extortion attacks are just one example of the dynamic nature of today’s threat landscape. Hackers are even targeting cybersecurity companies themselves, as we saw with the FireEye breach in which hackers compromised “red team” source code, and more recently with the SolarWinds supply chain attack. There are too many attack techniques to list here, but in short, cybercriminals use a broad range of tactics and constantly update their approach to evade detection and inflict maximum damage. The trick for existing cybersecurity professionals and those hoping to join their ranks is anticipating where they’ll strike next and how best to address it.
Where to Start
You might be hoping for a definitive answer as to the best way to become a cybersecurity professional. The truth is, there’s no standard academic or career path. As with the field itself, the backgrounds of cybersecurity professionals are vast and varied. Some study IT or application development, while many have completely unrelated degrees and didn’t take a single IT or security-related course in college. This is likely due to the fact that years back, security degrees, classes and trainings were exceedingly hard to come by, and most relevant coursework was a minor focus within general IT disciplines. This problem has since evaporated, as data breaches and cyber attacks have taken center stage over the past decade.
So, the obvious answer is to get a security degree from a reputable university. While this will undoubtedly provide a strong foundation and stand out as relevant training on your resume, there are other ways of getting experience too. You can explore co-op or internship opportunities that offer valuable hands-on experience and on-the-job training with specific tools and in real-world cybersecurity scenarios. After all, many organizations hire interns directly out of school to fill the growing need with individuals who already have first-hand experience and in-house training.
Another route would be to identify and earn well-known industry credentials such as the CEH (Certified Ethical Hacker) training, the CSX Cybersecurity Fundamentals Certificate, the CompTIA Security+ certification, and others. These types of bona fides are open to anyone and signal to potential employers that your fundamental security education and knowledge warrant serious consideration.
Apart from formal security education and certifications, you can also find ways to immerse yourself in the cybersecurity community by connecting with others on social media networks such as Twitter and Reddit, or at national or local industry conferences. Networking and engaging with the security community can help build your understanding of the industry and even surface potential employment opportunities. And lastly, consider gaining experience through the DIY route by creating a security lab environment at home or in the cloud. Here you can get first-hand exposure to the tools and platforms most organizations use today, explore the security disciplines that interest you most, and establish hacker cred that organizations love to see on resumes and in job interviews.
High-Value Security Skills
While there isn’t a one-size-fits-all path to entering the security market, there are some specific skillsets organizations will undoubtedly look for when reviewing candidates. Some examples include:
- Risk Identification and Management – In order to mitigate security risks, you must understand the threats. Identifying business, security, and compliance risks is basic table stakes.
- Technical Fundamentals – DevOps, programming and administration are fundamental skills for modern security professionals.
- Data Management and Analysis – We live in a world of data. The volume of data is increasing exponentially, and being able to analyze data in the form of log records and security notifications is key. Data scientists and data officers are becoming an integral part of Security Operations teams.
- Cloud – Having knowledge of cloud environments and cloud apps is a standard skill for many security professionals now. With the number of cloud services growing every year, organizations need talent that understands not only what the apps do and the overall landscape, but also how to manage the access and risk associated with them.
- Automation – It is an essential part of the modern security flow. Learning about the latest automation technology and techniques can be a key driver in reducing friction from the security process.
- Threat Hunting – Early detection can reduce risk, which is why many enterprises highly value threat hunting skills. In a world where it’s not “if” but “when,” having security professionals that can quickly identify and hunt threats is a requirement.
Cybersecurity is one of the most challenging and exciting professions today. There’s a tremendous amount of opportunity for those with the right level of curiosity, skill and work ethic. If you’re considering breaking into the field, I encourage you to start with the above guidance and insights. As security threats continue to grow in sophistication, volume and severity, the new generation of cybersecurity professionals will play an invaluable role in improving our collective security.