Nontraditional pathways to a cybersecurity career
Surely you've seen the tantalizing headlines:
- CSO: Cybersecurity job market to suffer severe workforce shortage
- Harvard Business Review: Cybersecurity Has a Serious Talent Shortage
And the list goes on and on. So do the frantic cries for help in these days of debilitating, Equifax-size breaches and businesses getting caught like flies in the spider web of ransomware: "Unprecedented shortage of cybersecurity workers!" "Global shortage of 2 million cybersecurity professionals by 2019!" "Fewer than 1 in 4 job candidates have the qualifications employers need to keep companies secure!"
The opportunity for an infosec career is still growing, even as cybersecurity salaries, computer security budgets, and job satisfaction rates increase, according to (ISC)², a certifying body for cyber, information, software, and infrastructure security professionals.
One of the main reasons for the shortage is that businesses tend to look for four-year college degrees in computer science when they hire, according to Harvard Business Review. OK. Well. Nothing against the sheepskin, mind you, but many professionals wind up in the field after coming from extraordinarily diverse backgrounds that do not necessarily include Sigma Delta Compsci. Comic book artist? Yup, I know one. Somebody with a degree in accounting? Check. A guy who put himself through college partly by writing computer games? Yes indeed.
A message to both employers and those who like the idea of joining the good fight to keep data secure: Degrees don't hurt, but they aren't necessary. Skills are.
That becomes glaringly obvious when you ask current cybersecurity professionals how they got into the field. So that's what I did. A new year bonus: I also asked what advice these cybersecurity professionals would offer somebody who's thinking about becoming a security wonk, and what they wish they knew when first starting out. Here's what they had to say.
How did you get into this field? Was it intentional?
Security wonk No. 1. Aaron Kraus is a CISSP (Certified Information Systems Security Professional, the Holy Grail of cybersecurity certifications), a CCSP (Certified Cloud Security Professional), and head of governance, risk, and compliance (GRC) and infosec at Reciprocity, which develops consumerized enterprise software for the GRC market.
This was all "absolutely not intentional," Kraus says. "I took an accounting degree shortly after the major corporate scandals like Enron, so there was a big focus on audit. I started out in information assurance auditing based on my academic background because I wasn’t sure I wanted to pursue a CPA, and 12 years later, I haven’t looked back."
Security wonk No. 2. As his Wikipedia entry notes, security blogger Graham Cluley—author of Grahamcluley.com, a daily blog on the latest computer security news, opinion, and advice—started his career as a programmer at what became known as Dr. Solomon's Software, where he wrote the first Windows version of Dr. Solomon's Antivirus Toolkit.
The backstory was a "happy accident," Cluley says. He funded his college education in the early 1990s by writing computer games he gave away for free. In those innocent days, he invited people to show their appreciation by sending a check, in the pre-PayPal snail mail.
The games were a hit. They wound up on the covers of several home computing magazines. Before long, Cluley was getting 10 to 20 checks every day. Not bad for "a poor, impoverished student," he admits, but he kept getting turned down for software engineering jobs—until one day, when he found a parcel on his doorstep. In it was a generous check for £20, a packet of cheesie biscuits, and a copy of Dr. Solomon's Antivirus Toolkit for DOS.
The parcel was from Dr. Alan Solomon himself, Britain's famous (and slightly less flamboyant) equivalent to John McAfee. "Alan's kids liked my games, and Alan could see that I could program...so he offered me a job as his first Windows programmer," Cluley says.
Security wonk No. 3. John Woods is a CISSP, a CISM (Certified Information Security Manager), and vice president of information security at PDX, a pharmacy software company. He "kind of accidentally" got into security, he says.
Woods was a systems administrator, working as a consultant at Bell Helicopter. One project involved replacing firewalls across the enterprise. He got paired up with a CISSP from the firewall company, and he was smitten. The guy had originally been in the Navy, went on to work for the CIA, and then on to consulting and IT. "That was the first time I'd ever talked to a CISSP. I got very interested," Woods says. He did infosec kind of ad hoc for another 10 years at Bell Helicopter before he got serious in the 2000s: classes, infosec boot camp, and then the Holy Grail: CISSP certification in 2008.
Security wonk No. 4. It wasn't intentional, says Paul Henry; it simply became necessary to learn how to secure things. Now the CTO at Bayside Solutions in Tampa and senior instructor and course author at SANS Institute, Henry started in process control. Those controls evolved, from pneumatic to analog and eventually to digital, where "we had to learn to secure it," he says.
Security wonk No. 5. Pete Finnigan, CEO of PeteFinnigan.com, is an Oracle database security expert. He "kind of stumbled" into security, he says. Before the turn of the century, he says, "literally no one else was doing…Oracle security, and there were no books, papers, or much at all on the subject." Finnigan was an Oracle developer and occassional database administrator. After he got interested in data security, he created some free tools and scripts to help. The Oracle security world is big and complex. “To do it seriously, you must know Oracle first and then security,” he says. “If you come from the security world and then wish to learn the intricacies of Oracle, it's not impossible but harder to do. You must understand Oracle to hope to secure it."
Security wonk No. 6. Alex Gonzalez simply got tired of technology breaking and no one knowing how to fix it. So he looked into technical schools that could get him started. He wound up attending Coleman University, where the course sequence was flipped: Technical skills were taught first, and then general education courses followed. That worked for him, Gonzalez says. One of the degrees he earned was in network security, which laid a foundation for systems thinking in relation to how data is processed and secured from inception to process to its various desired outputs.
Starting at age 19, Gonzalez moved from desktop support to systems administrator to his current position: technology program manager at San Diego Health Sciences High and Middle College, an educational agency. It houses a middle and high school that offer technology students a five-week course to explore cybersecurity careers. In other words, Gonzalez is directly grappling with the shortage of infosec skills by planting the seeds as early as high school. He's also a cybersecurity pro himself; he works to maintain secure environments that house the agency's data and data access.
Was his path intentional? Yes, actually, it was. "I wanted to learn and to empower others with skills to sustain their own procedures," Gonzalez says.
Security wonk No. 7. The "stumbled into it" background doesn't necessarily apply to all. Louay Saleh, information security manager at National Bank of Egypt, says it was his dream to work in infosec since he was a junior at university. That doesn't mean it came easy, though. "At some point, I thought I would never be able to make it. I was persistent, though, and in spite of entering the field a little bit late, I feel somehow happy that I was able to fulfill something that I always wanted to do," Saleh explains.
Any advice for somebody thinking about becoming a security wonk?
Paul Henry: "Training and certification [are] often valued more than a degree. Never stop learning. I try to add another certification every year."
Pete Finnigan: "Get the basics right first. Understand the technology that you are trying to secure. It's all well and good to know the buzzwords of security and the principles, but I am deeply rooted in the real world. Training is important to know what to look for and what to do. Tools are important. Oracle provides some great security offerings, such as Label Security, Transparent Data Encryption, or Database Vault, amongst many solutions. But it's really important to know that these are simply products/applications that must be deployed, configured, and set up correctly. So get the free basics right first and then look at the cost options. And then when you do buy them, secure those as well as the core system."
Alex Gonzalez: " Stay hungry. There’s always more to learn, and knowing one perspective is not enough. Connect with others in the field, both novice and experts, as they each have knowledge and perspectives worth hearing."
Louay Saleh: "You have to love the field first before deciding to get into it. Do not just work in it because you want to join a favorite organization, earn a fair amount of money, or because there is a current demand in cybersecurity jobs. In order to be a good cybersecurity professional, one has to like the idea of learning something new every day, read a lot, practice a lot, analyze, meet with other professionals and learn from them, be up to date, and always be an ambitious person. A good balance between technical cybersecurity knowledge and business skills is required."
What do you wish you knew when you first got into the field?
Paul Henry: "Never depend on only one tool to arrive at a conclusion. You always need to verify with a second tool."
Alex Gonzalez: "The importance of people skills. Clear communication, listening, and understanding skills are so important. Also, having a good bedside manner. Oftentimes, IT people are seen as unapproachable. This is a perception I have worked to change. IT, security, development—these are all service-based industries. We need to remember that we are here to help others and that in doing so, we need to have good people skills. In the long run, relationships are key in furthering a career, and a long-standing career is dependent on good relationships."
Louay Saleh: "I wish I could know more on the technical side of both network security and application security (especially web applications), because it could have given me an advantage in advancing my cybersecurity career faster. This does not mean I cannot learn more; on the contrary, I am still learning because a cybersecurity professional has to keep learning. What I am saying is that the level of knowledge at that time could have given me more advantage and things would have moved faster within my career plan. Compared to the foreign markets like the U.S. and the U.K., the demand [for infosec pros] in my country is very low. The strongest market in the Middle East is the UAE. [But] for sure both the application and network security skills are required, and will even be required more in the next five to 10 years, since we are entering the era of the Internet of Things, whose security requirements cover everything: application, operating systems, network, hardware, firmware, cloud, etc."
Time to stop thinking about it and do it!
What's that smell wafting from your screen? It's the sweet smell of opportunity, that's what. Don't let the lack of a degree in computer science stop you. You can see, from all these stories and untold thousands more, that there are many cybersecurity workers who absolutely did not know from Day 1 of their professional lives that, yup, web application security/network security/auditing/fill in the blank was the field they were meant to be in.
Think you're ready to fall in love with cybersecurity? To settle down and have its babies? Or at least to settle with a decent salary and bright job prospects for the foreseeable future?
Godspeed, future cybersecurity wonks. May the CISSP force be with you!
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.