topic Re: How to start a career in Cybersecurity? in Career Discussions

How to start a career in Cybersecurity?

AndreaMoore — Mon, 09 Oct 2023 10:05:27 GMT

How did you "break into" Cybersecurity as a career? (pun intended! 😀)

How did you get started? Did you begin with a career in military, start in the IT field or change your career from another path? Share your insight with others!

Starting out brand new or changing career paths is overwhelming.

At (ISC)² we want to help close the cybersecurity workforce gap of 2.7 million and establish a clear new pathway for the next generation of professionals to pursue a rewarding career in cybersecurity. (ISC)² has created a new entry-level cybersecurity certification.

Are you looking to start a career in Cybersecurity? Jumpstart your career and register for the entry-level certification that will prove to employers you have the foundational knowledge, skills and abilities necessary for an entry- or junior-level cybersecurity role. It will signal your understanding of fundamental security best practices, policies and procedures, as well as your willingness and ability to learn more and grow on the job.

Do you have advice for job seekers? Share your insight and post below! What else would you add to our page? How to Find a Cybersecurity Job

Re: How to start a career in Cybersecurity?

RRoach — Tue, 25 Jan 2022 13:17:11 GMT

Join LinkedIN and start networking with business and IT professionals (including security).

Seriously.

You don't even need to network. Just search topics. Through LinkedIN, if you are new to IT or looking to get into security there are plenty of topics covering career path (security), free online and affordable training resources ($$$$$), which certification is better (depending on position/return on investment), certification vs education vs experience, this topic (how did you get into IT/security), and these comments are provided by actual professionals up to the CISO and CEO levels. Think about it. You can be getting information from actual professionals where career coaches charge 100s/1000s of dollars and for free.

Otherwise like anything else do some research, as there is plenty of information out there on the internet (including job sites).

Re: How to start a career in Cybersecurity?

WHITE43210 — Sun, 13 Feb 2022 21:03:34 GMT

I echo just about everything RROACH mentioned in response.

Many years ago, it seems like the biggest focus for finding any job was:

having the right education/experience;
having a good personalized cover letter;
having a good representative resume.

You'd send the latter two documents off through email, fax, or post to the HR departments at every employer you were interested in and then some. If you had a direct contact at the company who could drop your CV off on the hiring manager's desk that was gravy! For entry level positions, initiative and the desire or willingness to learn was on of the biggest factors that managers looked at.

I think over the years there has been a substantial shift in the job hunt process, geared largely by the high demand for technical workers but also by technology itself. I think that people who jumped into Cybersecurity 10-15 years ago would absolutely be at a loss if they were trying to do the same today.

In my humble opinion, recruiting, for many companies isn't a personal process anymore. It has become a lot more like gambling - numbers and statistical probabilities. And that's largely because a personalized recruitment process just doesn't effectively scale well. You see this parallel in other areas of industry - especially customer service where interactive voice systems and chat bots have replaced real people.

So in a very similar way many of these companies have thousands of candidates applying for jobs from across the globe. That makes for a hugely diverse candidate pool, but it also means from an applicants perspective - a much bigger pool of competition. The HR departments have also tried to use technology (ATS) to automate processes or outsource them and who can blame them? HR departments from large companies receive 10's of thousands of applications and resumes for jobs/roles/positions that are more or less a complete mystery to them. Who staffs enough people to review resumes from that many people for multiple positions? And even if they had the time/resources, do John or Sally in HR really know what makes a good web application security engineer vs what makes a good cloud identity security architect - probably not. They are loosely aware that there is a job number associated with the cyber security cost center that is titled 'Web Application Security Engineer'. That job description has a lot of familiar HRM framework - probably used as a template for all their job descriptions; general assertions about company benefits; company mission statements; company propaganda; and likely some pop-culture terms like "creativity", "outside the box", "teamwork", "opportunity", "diversity", "equality"; but the actual technical qualifications - are more or less going to be a mystery to John and Sally. (IT acronyms, development languages, security frameworks, etc.) So how do John and Sally cull thousands of resumes down to a stack that the hiring manager has time to review? Automation and technology - Yes you can tell all your grand kids that you lived during the horrible reign of early applicant tracking systems. And you don't have to google very long to find all the horror stories of experienced, qualified applicants having their resumes rejected by these systems. But that's a tale for some other time.

So a security manager or lead was likely the one that typed up the technical section of the job requirements that someone in HR advertises. IT and Cybersecurity Managers always tend to feel like they are short handed, so when they type up the technical job requirements they often do so with very broad brush strokes. And when they are creating that job description they are likely thinking about what kind of candidate it would be nice to have in a perfect world - hmmm maybe someone with development experience, hardware experience, security experience, risk & compliance experience, technical writing experience, cloud experience, etc., etc. Sometimes in really good organizations the manager's peers may slap him/her back into reality after reading the description and realizing that such a candidate would be way outside the positions budgeted pay grade. Even so, such a position is hardly ever entry level, but this is also a reason that you hear a lot of advice to apply for jobs that you only match 75% of the qualifications. So the manager's got limited resources and they're responsible for hiring people to maintain/design/monitor security controls and you can bet that the pressure is high to stay off the front page news as tomorrow's latest breach. To get those people hired they have to wade through resumes that HR forwards them - or they can get candidates "pre-screened" from a third party talent source.

I say a lot of these things because I think we have major issues with Cybersecurity recruiting and I think its across all of STEM to be honest. But I mention all of this to highlight the one thing that can tip the scales in your favor if you are looking for an entry into Cybersecurity. Personal interaction with a person - preferably someone that works in the department you want to work in. And I didn't say in-person, but rather personal interaction. Some people use the term networking, but I try to avoid it since it can cause confusion when talking to other people in IT. Try to focus on building professional relationships or connections with people in Cybersecurity - and I hate to sound like a product sponsor but LinkedIn is one of the best inroads for introducing yourself to people, participating in cyber discussions, asking questions etc. Even ISC2 forums may lead to such relationships - but its probably not going to see as much traffic as LinkedIn. It's akin to the old days when you knew someone working at the company who could drop off your CV and maybe say a few positive words about you to the hiring manager. Try to get to know folks who are doing things you are interested in.

So I know everyone wants to work their first entry level cybersecurity job at Meta, Amazon, Netflix, and Google - but just remember that "everyone wants to work their first entry level _*_ job at Meta, Amazon, Netflix, and Google". If you really want to just get your foot in the door to build some experience in cyber look at other potential employers that don't receive a billion applications everyday. Just remember that entry level cyber is just that - its often menial, non-csi, non-hacking work in unexciting operational roles being paid low amounts of money to train your mind in the foundations of cybersecurity so that someday you will be prepared to transition to a more senior roles.

W.C. White

Re: How to start a career in Cybersecurity?

James_Cyberiasm — Tue, 10 May 2022 22:57:27 GMT

The best way to start is with certifications first. The ones to start with are CEH- certified ethical hacker and CEN- certified network defender it will give you the base knowledge and hands-on experience you need to know as a cyber professional before moving into other fields.

I would recommend EC-Council University an accredited and 100% online university that provides cybersecurity degree at the graduate and undergraduate levels.

Hope it helps!

Regards

James

Re: How to start a career in Cybersecurity?

AndreaMoore — Mon, 23 May 2022 20:38:02 GMT

We interviewed a few members for advice and here are their stories as they got started in the cybersecurity industry:

Journey Into Cybersecurity - Conversations with Cyber Newcomers, Part 1

Stay tuned as we continue this conversation with additional blog posts in the future!

Re: How to start a career in Cybersecurity?

jitu786 — Wed, 12 Oct 2022 14:39:24 GMT

Thanks for the advice. what you recommend for personnel with more than 20 years of IT experience and recently got CISSP and holding PMP for 9 years. how should I look for security job.

Thanks for advice in advance.

Regards,

Re: How to start a career in Cybersecurity?

mateusvipp — Mon, 12 Dec 2022 07:52:04 GMT

Oi como faço para ter acesso ao treinamento gratuito? Já estou com exame marcado.

Re: How to start a career in Cybersecurity?

mateusvipp — Mon, 12 Dec 2022 08:03:29 GMT

Continuo sem acesso

Re: How to start a career in Cybersecurity?

bliss5k — Wed, 21 Dec 2022 03:29:23 GMT

WoW...this was scrumptious, W.C. White! Super informative and helpful. Thank you!
Kat

Re: How to start a career in Cybersecurity?

AndreaMoore — Mon, 27 Feb 2023 16:34:50 GMT

Looking to get into the Cybersecurity career? Hear what others said in part two of this blog series where we interviewed professionals with four-six years of experience: Journey Into Cybersecurity, Part 2

In case you missed the first part, we interviewed professionals with less than three years of experience and heard their experiences and how they got their first role, etc.: Journey Into Cybersecurity, Part 1.

Re: How to start a career in Cybersecurity?

CISOScott — Wed, 22 Mar 2023 18:07:27 GMT

I got my start into cybersecurity while performing computer operator work. Computer Operators were not highly thought of in the IT world as most people just assumed that you "Pushed a series of buttons and reports printed out. Then you distributed the reports." While that WAS true, it did not encompass all of my duties. While it was not that difficult, I wanted more. I asked what jobs I could do extra, I looked for jobs not being done and volunteered to do them for free. I saw plenty of people around me say "When they pay me, THEN I'll do them." I quickly surpassed all of them as I was obtaining experience and resume building actions, while they waited to get paid first. Soon my resume was a lot better than theirs and I was promoted. Cybersecurity is all around you and I'm willing to bet there are things that are not being done in your organization that you could volunteer for to get experience. By volunteering to do these tasks, in addition to my normal tasks, I was able to get good experience and earn the trust of my bosses. This allowed me to take on progressively tougher tasks and earn even more experience. It took me 12 years to go from a computer operator to the CIO position.

Now I also had to move around in order to get promoted. My kids probably thought we were a military family as much as we moved around. I went where the jobs were and where the promotions were. This allowed for quick ascension up the career ladder. I still kept on looking for the undone tasks and took them on. I took on projects no one wanted. I led projects where no one wanted to lead. Doing this allowed me to have lots of experience to put on my resume.

I also learned on my own. I set up home networks. I bought used computers and did a lot of 120-day trial software. I learned to hack my own networks. I got a library card which gave me access to technology books online. I took responsibility for my learning. If work offered training, I took it. I asked around. If what I wanted to learn was in a different department, I asked if I could come down and practice with their tools. Most times they said yes.

A long post to say this. Absorb any learning you can and seek it out constantly. Do not worry about getting paid for it now. It will pay off for you in the future. I make 5 times what that original entry level job paid and only took me 19 years to do it. And I was taken off track for 5 of those years due to a family illness.

Re: How to start a career in Cybersecurity?

JoePete — Thu, 23 Mar 2023 12:15:40 GMT

@CISOScott wrote:
Absorb any learning you can and seek it out constantly. Do not worry about getting paid for it now. It will pay off for you in the future.

Very good advice. I'd also put this out there:

It is very hard to enter security cold. In some ways asking "how do you I start in security?" is like asking "how do I start being karate instructor?" I don't see security as a distinct field of study or even job skill. We don't have "system administration" separate from "secure system administration" for example. If you want to be a security professional, you first need to be a "student" in the sense of being willing to be taught by managers and also learn every chance you can. A lot of that gets back to @CISOScott's advice - forget job titles and salaries, focus on experience even if it is on your own or in a volunteer setting. Then at some stage, you start transitioning from student to teacher - you'll always be learning, but you are really not a "security professional" until you can teach others how to do things right and be able to communicate such things in a business environment.

In that regard, I almost look at "entry level security" as an oxymoron at best. Sure, I hire people for those job descriptions, but they're the same job that 20 years ago we may have called "systems assistant" or "IT analyst." Again, it's not the title; it's the experience.