Your first IT security job: Three things that might surprise you
Every year, a new crop of fresh-faced aspiring information security pros hits the job market—either coming out of college or moving from some other career path. Usually the shiny-new security professionals know the security tech required to handle the job. But they're often surprised when they discover the day-to-day reality of an IT security career goes beyond the technical.
How do you make sure you're ready for what this job entails? What do your colleagues know now that they wish they knew then? We spoke to some IT security professionals with a few years under their belts—and a couple vets who mentor newbies—to find out.
1. The path may be long and winding
The first thing you should know is that your career path may not lead you where you imagined. Corrie Erk, a senior forensic analyst at a large media company and a member of Women in CyberSecurity, thought she had things mapped out when starting in the field. After graduating with a degree in computer and digital forensics, "I wanted to go into government and do investigations—work for the NSA or FBI or some agency," she says. Instead, she was hired full time from her internship at a financial firm and, after only a couple years, followed her manager to her current employer. "I was thrown into the fire as a forensic analyst/security analyst/malware analyst and learned a lot about private sector security and forensics."
In fact, one of the biggest surprises newbies encounter is that cybersecurity jobs as they visualize them are much scarcer on the ground than they imagined. Adam Luck is director of IT solutions delivery at IGS and advises college cybersecurity programs. Luck says many new graduates think, "Hey, I got this great cybersecurity degree; I want to be a pen tester or an ethical hacker." But he cautions, "There's not that many of those jobs available because there's only so many consulting firms. It's also important that to make that type of transition, you need that foundational knowledge and, in some cases, that foundational experience."
By foundational knowledge, Luck means an understanding not just of the principles of cybersecurity but of the systems and networks you're planning to secure. For some, that might mean spending some time working in networking or software development before launching into a cybersecurity career. For others, it might mean that a move into cybersecurity is a potential opening from their current career, which may seem quite removed. As it turns out, a big surprise for some folks coming into cybersecurity is just that their previous experience prepared them for it in ways they didn't expect.
"In learning theory, there is this idea of adjacency," says Brent Huston, CEO of MicroSolved. Huston mentors both new college grads and mid-career pros looking to transition to a security track, and adjacency is important to helping the latter group. "We sit down and one of the first exercises we do is an adjacency mapping exercise: What are the core skills that you use?" he explains. "For example, one of my most recent success stories is a gentleman who was a healthcare stenographer. But he took that data analysis and ability to look at raw data and make sense of it and applied that to threat intelligence instead. And he quickly became very good at picking patterns out of data and paying attention to detail to derive a product. Now, he's on his third placement and is building quite a career around risk analysis and threat intelligence."
Perhaps the key lesson is to follow promising leads even if they don't look exactly like your ideal. "When an opportunity came my way, I took it immediately, which is what I would recommend to anyone," says Erk. "Any experience is a good experience. Just because something doesn't follow a course or path you set for yourself doesn't mean that it won't help you get there one day or open your mind to other possibilities."
2. The destination can be a little dull (at first)
Once you've landed that first cybersecurity gig, you may find that it isn't quite the thrill ride you imagined. Oleh Levytskyi, an analyst for the MacKeeper Anti-malware Lab, who has three and a half years of experience, rattled off a list of ways his job is more staid than he expected. "I thought that all I was going to do is look for system vulnerabilities," he says. "In fact, over 50 percent of my daily time is devoted to drafting documentation and reporting. Many young specialists expect that there will be a lot of programming in cybersecurity. In fact, you mostly need to write code only to automate routine tasks. I thought that within a short period of time, any website or a system could be hacked, as it happens in the movies. Instead, it takes a few days just to run reconnaissance, and the whole cycle of an attack may last for many days."
Jamie Cambell, founder of GoBestVPN, says newbies often find themselves handed some of the most menial tasks on a security team—and with good reason. "The work needs to be done, period, no matter how menial it is or how much (or little) effort it requires. You can't have your preferences all the time. When senior team members assign these types of work to newbies, there are several reasons. It makes sense to have the senior member with more knowledge and experience to work on the more important issues. But the work also helps newbies develop their skills—either directly by learning or indirectly by means of picking up more grit and enduring these types of tasks."
Cambell adds, "It's up to the newbies to pick skills up along the way, learn, and develop as a competent professional in their field." People at early career stages often "learn and feel more fulfilled with side projects."
MicroSolved's Huston agrees that you need to be able to sustain your interest in your career path through your own efforts in the early years. "The first three years are really tough because you're doing a lot of the tedious heavy-lifting," he says. "How do you stay engaged there? You need to be able to live in the moment, accept small victories and celebrate them, and realize that there is a larger vision and that at the end of the day, you're helping your team, you're helping your firm, you're helping society through this process. And that sort of passion is what drives people forward."
3. Not everyone thinks like you—and you need to learn to deal with that
There's another reality check new security pros often encounter when they enter the field. Infosec may seem very important to you, the person who chose a career in infosec. But that isn't the case for many others—and some of those doubters may be in the upper echelons of your company. "The reality is that business owners are not really interested in information security issues," says MacKeeper's Levytskyi. "Management becomes concerned only after a corporate network is hacked, important files are encrypted, or money is stolen. Many companies merely declare their willingness to be secured, but in fact, huge reports on security problems are regularly ignored."
Emmi Einstein recently transitioned from software development to a new application security job at a new company. "It's been easy to convince the software engineers and QA/SDET staff to really pay attention to security—and a lot of them have found their interest in it deepening—but product managers and management staff treat it as something they're paid not to think about," she says. "It still blows my mind that I may be the only one who cares as much as I do, or so it feels."
IGS's Luck thinks that attitude is starting to shift at the C-suite level. But overall, he sees these kinds of conflicts as an opportunity for new infosec pros to develop a sense of empathy for those with different incentives within the company. "Any time you're putting in a security control on the place, you're typically making it more difficult for somebody to do their job," he says. "It's always a balance between user experience and security, and I think the folks that are more effective are able to make that business case appropriately and still convey a sense of empathy—'Hey, I understand that you're running a business, but this is what can happen if you don't put these controls into place or make these investments.' It's a mindset, but I think it is something that can be taught and can be learned, and just as long as you're aware of it, it puts you in a much better spot to be successful."
This is definitely a mindset Einstein has been trying to put herself in when dealing with management at her company. "I've become much better at attaching money to intangible events," she says. "They listen to money."
Prove your worth
If there's a common thread in these stories and advice, it's that as you begin your career, many of your colleagues and bosses need to see evidence of what you bring to the table, both as an individual and as a representative of infosec. Can you take on the jobs that others don't want to do? Can you show the less tech-savvy why security is worth the price? And can you explain it in terms they understand?
"When you come into a new job, it's really all about one question: 'How can I maximize the value I'm bringing to the team?'" says Huston. "That one question lays out that first year. And at the end of that first year, the answer to that question—'How did I bring the most value to the team?'—lays out the work for the next two years." Get the right answers to those questions and you're on your way.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.