8 Steps To Building A Successful Cyber-Security Career - Valutrics
Information security professionals are in high demand, but entering the field can be tricky. Follow these tips to build a successful cyber-security career.
The information security field is rapidly growing as businesses scramble to hire skilled professionals to protect their data.
IT pros pondering a career switch would be wise to consider cyber-security, where the demand for talent far exceeds the supply. However, an abundance of open roles does not mean a career will come easily.
Information security is different from many fields in that aspiring professionals don’t need a college degree to secure new jobs. “Some employers will ask for one, but if a person can do the job, he’ll get the job, plain and simple,” said computer and network security specialist Dean Webb.
The path to a successful InfoSec career is not paved with expensive degrees but with motivation, practice, and persistence. Those who take the time to develop skills that businesses need, and who take the necessary professional development steps, will be rewarded with interesting and consistent work.
But where to begin? It may be easy to decide on a career switch to InfoSec; after all, the demand for security pros will increase across the economy as cyberattacks become more complex and dangerous. What is difficult is preparing for this change by gaining the right experience and education.
Here, three professionals discuss the processes they took to build their cyber-security careers, challenges faced along the way, and advice for aspiring InfoSec experts. All three contributed their insight to the Peerlyst e-book The Beginner’s Guide to Information Security, which breaks down the challenge of starting a career in InfoSec.
If you’re hoping to jump into the chaotic, ever-changing world of cyber-security but need some advice, consider these steps to building a successful InfoSec career.
Do you work in cyber-security or aspire to enter the field someday? Is there something holding you back? What advice would you offer to professionals who want to pursue this type of career? We’d like to keep the conversation going, so please feel free to share your thoughts in the comments section.
Start With Passion
Tracy Maleeff spent 15 years as a librarian and information professional before starting her journey into information security two years ago. She had become discontent with her career, and thinking back to her youth and handling tech hands-on, decided to pursue a career in IT.
Maleeff tried to select an area of IT on which to focus her career by testing different types of technology and attending various meetup groups. She soon discovered front-end oriented jobs weren’t resonating with her, but information security headlines continued to capture her interest. The processes of defending, spreading awareness, penetration testing, and social engineering resonated with her love of hands-on technology.
“It used to be a weird hobby,” she said, citing an early volunteer experience during which she put together an activity for Cybersecurity Awareness Month. “But after that, I thought, ‘maybe I should make a [career] change.’” Maleeff left the law firm where she was working and started her own business.
Network security specialist Dean Webb emphasized the importance of enjoying one’s work. A former economics teacher, he referenced a concept called “the fallacy of the declared preference” and explained how it applied to aspiring InfoSec professionals.
“Basically, if you say you want something, you don’t really want it. If you really wanted it, you would already have it, or you would be busy doing something to get it, instead of standing around, saying that you wanted it. I didn’t say I wanted to do security. I simply started learning it and didn’t put the books down until I had finished the certifications.”
Experience Is Key
Experts agree that applying InfoSec concepts in a real environment is core to building a successful InfoSec career. “Experience is all-important, so be open to any opportunity in the field that will have you,” said Webb, who started working in InfoSec during his second IT career.
Kris Rides, InfoSec specialist and CEO of Tiro Security, agrees that experience will always come first for InfoSec pros on the job hunt. Rides has a background in tech recruiting. He argues experience is often considered more important than certifications in the InfoSec hiring process.
For many aspiring cyber-security specialists, gaining this experience can be difficult. As Maleeff explained, it’s often tough to get a job because many employers want different types of experience — but how to gain the experience if you don’t have the qualifications for an entry-level InfoSec career? It’s a question Maleeff struggled with as she was starting her career, so she consulted a recruiter to learn the best ways to practice. The most valuable recommendation? Volunteering.
“If you know someone who has a small company, offer to do a security program, look at their security, find ways to volunteer and get practice,” she said, noting many small businesses and nonprofits lack resources to build their own security teams. You can also volunteer at conferences or, if you’re in IT, within your organization. If you get as far as the interview portion of the hiring process, you’ll have the opportunity to explain how your volunteering prepared you for the job.
Another way to gain practical, hands-on experience is through labbing, said Webb. When he was preparing for the Cisco CCNP-Security certification, he read full certification guides and did “tons of labbing” to get ready for the exam.
“Drop experience that isn’t security related and emphasize whatever you’ve done in the light of security,” he said. From there, specialist roles will be easier to obtain.
Get Certified
Gaining experience is often an essential step toward earning cyber-security certifications, which are valuable in securing an InfoSec job. Preparing for certification exams requires a lot of learning and dedication but can make a tremendous difference in getting hired.
The certification you choose depends on your skills, background, and desired position. Rides, who has worked in tech recruiting for 18 years, recommends professionals with five years of experience pursue the CISSP certification. This is the most common certification listed on job requirements among his clients, he said.
Maleeff, who is newer to the industry, is studying for the CompTIA Network+ certification but acknowledged the challenge of lacking the experience to become CISSP certified. Finding work is difficult because not having the CISSP is often a barrier to entry, she said. HR departments often look for those letters and disregard applicants who don’t have them, regardless of their other skills or experience.
Webb found himself in a tough situation when he was reentering IT after taking a break from the field to teach economics. He needed a mid-level job to maintain his level of income but lacked recent experience on his resume. This is why he chose to pursue the Cisco CCNP cert.
“I had spoken with a recruiter and he did me a great favor by being honest with me about my chances in the field,” he said. “If I wanted a prayer of having a mid-range role, I needed a mid-range certification.”
Build Your InfoSec Network
When asked to share her most valuable advice for aspiring security pros, Maleeff immediately responded with networking. “The first thing you need to do is get out there and meet people — virtually on LinkedIn or Twitter, or in person,” she said. To familiarize herself with industry experts, Maleeff joined MeetUp groups, discovered groups for women in tech, and took security workshops. In doing so, she started to get to know the cyber-security community.
There are several benefits to immersing yourself in the InfoSec industry, which has a “really strong community feeling,” she explained. You’ll gain a sense of where you want to focus your security career, receive feedback from seasoned experts, and determine if this is an industry where you truly want to be.
For tech pros who want to work in a different area of IT, this professional network can be invaluable, said Rides. For example, if you’re in one area of IT but want to jump into InfoSec, your network can help you gain experience and find new professional opportunities.
Practice Professional Development
It’s not enough to acquire the right skills, build enough experience, and earn a certification. InfoSec pros must be able to sufficiently convey their expertise during the job application process.
“Anyone that will learn, lab, get certified and then let someone tell them how to fix up their resume and how to interview will be able to eventually get a very good job in IT, and information security in particular,” said Webb.
In crafting a resume, it’s important to emphasize security skills relevant to the job at hand. “People have a general resume and think they can send it out to every job,” said Rides, noting this is a big mistake.
Master ‘Soft’ Skills
It’s important for InfoSec specialists to build their technical expertise, but it’s equally important for them to practice “soft skills” that often challenge tech pros. Applicants with a good mixture of social and technical skills are more likely to get multiple job offers, said Rides.
“One of the biggest challenges in information security is that a big element of the job is to work with others and communicate well,” he explained. Because cyber-security spans all areas of an organization, InfoSec pros have to collaborate with people across the company, including executive staff and employees from different IT teams.
Working in a cyber-security division is tough because it’s the team that always says “no,” said Rides. InfoSec pros must know how to get other employees to understand why something might be a potential threat, even though an explanation may involve more work.
“That’s a big area where people struggle,” he noted. A great security employee knows how to bring people together within the business and explain risk so they can understand it. The biggest weakness to an organization’s security is generally people, said Rides.
To practice building these “soft skills,” Rides suggests expanding your professional network and finding mentors who can coach you in best practices. He recommends investigating local chapters of security associations like the ISSA and Cloud Security Alliance. Attend meetings, and if you feel you have time and can add value, volunteer to build your social skills.
Search With Confidence
There may be a high demand for cyber-security skills, but that doesn’t guarantee you’ll succeed in your first interview, or your second, or your third. The key to building a career in InfoSec is to remain patient and persistent in sending out applications and demonstrating your value.
“Be confident in your job search, because nobody will throw a job at you,” said Webb. “You will need to find the jobs, but they are there. Allow two months or so for your resume to percolate through the system and follow down every lead you have,” he advised.
“You will hear ‘no’ about ten thousand times, but it’s all worthwhile when you finally hear that ‘yes’ and you have that job,” said Webb.
Don’t Settle
It’s exciting to get a job offer, especially in a new field, but carefully consider the nature of the opportunity and the organization before you accept.
Webb noted how one of the biggest challenges to IT pros is finding an employer where progression is properly rewarded. In his personal experience, he often worked for employers that could beat his current salary by a huge margin, but didn’t give a raise of more than 2% per year.
“That just made no sense,” he said. “Like most of my colleagues, I’d be at a place for a year or two and then go somewhere else for more money.” Sometimes, employees would return to former employers for a pay bump, which would exceed the amount they would have earned if they had stayed with their current company for two years.
While it’s important to work for an organization where you are fairly compensated, it’s also worthwhile to consider the non-monetary benefits of your job. Working with a strong, cohesive team is invaluable.
“Whenever I found a place that had good managers and great coworkers, I knew that was a keeper,” said Webb. “The people I work with are worth a premium to me, and taking more money to work at a less friendly or less well-managed place is not a trade-off I feel comfortable making.”