Let's dispel some myths about cybersecurity careers
So you wanna be a cybersecurity engineer...
I spoke to a few people and realized this could be a good topic for a couple of posts. So without further ado, let’s dispel some myths about cybersecurity careers.
Myth: You don’t need a tech background. Anybody can start a career in cybersecurity.
Reality: You need to have an aptitude for computers and/or technology and you need to have an understanding of how computers and applications work and communicate over the network.
This seems to be a myth propagated by institutions milking the talent gap and the allure of high-paying cyber jobs. Reality is, most people who made a jump from a non-tech job to a cyber job had some kind of tech experience and aptitude. It’s important to gauge your own talent when it come to cybersecurity. A cybersecurity professional has to think from a scientific data-driven and analytical perspective and also have an out-of-box and intuitive approach to problem solving. Take a look at the interactive chart for career pathways on CyberSeek.org (snapshot shown below) and you can see that the common feeder roles to entry level cyber positions all have some level of technical background. It is also important to remember that to qualify for some of the recommended cybersecurity certifications like CISSP or CISM require 5yrs of experience in two or more of the cybersecurity domains.
Having said that, there are certainly non-technical careers in cybersecurity such as “Cybersecurity Education and Awareness”, “Project Management” and to some extent, “Governance, Risk and Compliance (GRC)”. These still require an understand of Information Technology, but allow a person who may not have done hands-on development or implementation to enter the field.
Myth: It’s easy to find a job in cybersecurity because there is a severe lack of cybersecurity talent in the industry.
Reality: While the talent gap is very much true, the harsh reality is organizations are looking for unicorns.
One would expect looking at the talent gap numbers that it’s easy to find a job in cybersecurity. Unfortunately, most organizations seem to struggle with the relatively high payscale of cybersecurity professionals even at the entry level. Hence they end up creating a job profile that severely narrows down the candidate pool. That combined with the proliferation of ATS and the instant-gratification needs of organizations to hire resource, the talent gap does not actually equate to an increase in hiring.
I also believe that the modern AI based ATS (Application Tracking Systems) are often misconfigured and filter out desirable candidates. If you stop to think about it, the fact is that on one end of the hiring process you have an automated system evaluating resumes and filtering out “non-ATS-friendly resumes” and on the other end you have candidates using paid AI systems to make their resumes ATS friendly. Between these two machine processes, there have to be desirable candidates getting dropped off the radar.
Myth: Cybersecurity is easy money.
Reality: While some cyber jobs do pay very well compared to other fields, there are plenty of IT jobs that are at par with cybersecurity. In addition, most likely you will need to maintain certifications, participate in conferences/events and such, which means you need to allocate some funds for your profession.
First off, for anyone just entering the field, there is a quite a bit of ramp-up required to get to those mythincal pay packages. Unless your are hired by the big dogs (or reddog as the case may be), chances are that the initial packages will not be higher than similar IT entry level positions unless you are bringing something unique to the table (open source projects/toolsets, published papers etc). To top it off, you will most likely need to invest in a few certifications like CISSP and manage continued membership fees and education requirements. Once you are in the field, competition remains high and if you are not bringing your A-game everyday, you are not going to progress up that steep ramp.
The good news is, it does get significantly better with experience and salaries of $200K and above are achievable once you cross the 5-7 yr mark in cybersecurity, provided you’ve been maintaining your edge and becoming recognized in the industry. My advise is, if you are contemplating cybersecurity because of the promising salaries in the field, and are open to other careers as well, also check out DevOps engineering, full stack development, reliability engineering as other high-paying alternatives and chose whatever best fits your ambitions.
Myth: Cybersecurity is a tough career.
Reality: I don’t believe it’s a tough career. However, the issue many people face is that teams are smaller compared to the workload (see the previous point).
Cybersecurity, for those who are passionate about it, is a very rewarding career. There are constant updates happening in whichever cyber domain you pick and the world is waking up to the dangers posed by hacking groups and APT (Advanced Persistent Threat) groups. There is a ton of funding being pored into research and development of cybersecurity initiatives. Cybersecurity is a challenging and entertaining field. You will need to continually keep up-to-date with developments in the digital world, emerging threats and develop a knack for correlating what may be seemingly unrelated events.
Unfortunately, the talent crunch does tend to cause added workloads on cybersecurity teams. Not to mention, if you are a SOC (Security Operations Center) analyst, long weekends seem to be the favorite times for hackers to become active. Cyber professionals also help other IT teams in non-cybersecurity tasks due to their insight and visibility into how IT works. Hence, the burnout and attrition rate of cybersecurity professionals tends to be high.
Myth: So and so certification will help me land a job.
Reality: Cyber certifications will certainly help you get a foot in the door, but acing an interview requires hands-on knowledge and demonstrable research and out-of-box thinking.
Cyber certificates are great tools and qualifiers. However, considering the current market, it would be fair to say that everyone and their uncle is pursuing some form of free or paid cybersecurity certification. From a hiring manager’s perspective, a certificate on a resume is a timesaver for them. This means there is a reasonable amount of assurance that the candidate will clear the basic requirements and may be onboarded to their job faster.
However, it is only a qualifier. Having 5 more certifications than the next person does not make a better candidate. It will eventually be your interview skills, your hands-on work and research, any papers or open-source projects you have worked on and your ability to think on yor feet and handle pressure that will land you the job.
In conclusion…
As I mentioned earlier, cybersecurity is a very rewarding career, both from a monetary perspective, as well as a self-actualization perspective. Some key points I can offer are:
- Treat the certifications as an opportunity to have disciplined study of the topics at hand, and always demonstrate the hunger to learn and adapt to changing scenarios in cybersecurity.
- Use platforms like Github, LinkedIn or a personal blog site to demonstrate your knowledge that goes beyond what you will be able to showcase in the 45-60 minute interviews you may have.
- Find and latch on to a mentor or two in the field. Good mentors offer perspectives that are like snapshots of their career. They can be mistakes to learn from or key decision points to emulate.
- Keep your finger on the pulse of cybersecurity by following some well known sites like the ones listed below.
Useful resources
- Cyberseek.org - An excellent resource to track the current cybersecurity job market as well as get guidance on charting a career pathway and finding out about upcoming skills and certifications that are in demand
- NIST CyberSecurity Framework - Pretty much the bible that a lot of cybersecurity professional follow. The NIST CSF is a solid foundation on which to build cybersecurity concepts and designs.
- The Bleeping Computer - A very reliable and active source for the latest in cyber events. Often the first to break major news or have better insights compared to other publications.