According to data from Norwich University, cyber threats are increasing rapidly year after year, yet the skills gap remains monumental. In fact, Cisco reports a shortage of over 1,000,000 cyber professionals. The lack of qualified cybersecurity professionals is one of the main reasons why we are still unable to get a handle on cybercrime. Having more cybersecurity professionals would enhance security.
Unfortunately, and this is alarming, even though cybersecurity and IT management in general are among the fastest-growing and best-paying fields, they are not attracting the talent they need, primarily because most graduates do not want to go into employment; they want to create the next Facebook, Snapchat, Twitter, or Microsoft. Compounding this is the fact that most cybersecurity graduates are millennials who want to create something of their own.
A Global Information Security Workforce Study conducted by (ISC)² showed that of all the cybersecurity experts surveyed, only 7% are below the age of 29, and only 13% are between the ages of 30 and 34. The survey concluded that 42 is the average age of a cybersecurity professional.
What does this mean?
It means that the skills gap is real: on top of not attracting the millennial talent it needs, cybersecurity is in jeopardy as more and more professionals near retirement age and fewer millennials enter the field, primarily because of lack of awareness, advanced educational requirements, and preconceived notions.
Thanks in part to the continued need for cybersecurity experts and their scarcity, and because, according to CNBC, salaries for degree-level cybersecurity professionals stand at $116,000 per year, doubling for positions that require a Master's degree, cybersecurity is one of the most lucrative fields you can enter.
We are going to discuss everything you need to have in place to build a lucrative and successful career in cybersecurity:
Step 1: Education and Certifications
Thanks to the intricate nature of cybercrime and the fact that new hacking tools hit the market as technology develops rapidly, cybersecurity is a field that requires very skilled and adept professionals.
To start your foray into this field, the first thing you should do is get the proper education. Cybersecurity is normally a specialized field that often requires those who get into it to have specialized knowledge in information security.
Since the general work of a cybersecurity specialist is to ensure that computer systems and networks are secure—essentially meaning cybersecurity experts are in charge of the electronic security of an organization—they must be knowledgeable.
Becoming a Cybersecurity Expert: What To Study
In general, to get started on this career path, you need a bachelor’s degree in any of the following fields: computer engineering, programming, computer science, or information science. In some instances, you will also need to be a qualified statistician and mathematician. The U.S. Bureau of Labor Statistics also says you need certification and relevant work experience. You can get this education from the various universities across the country/world.
As mentioned earlier, cybersecurity is a specialized/advanced field of study, which is why getting started on the career path often demands that you be good in another InfoSec area. In fact, those in InfoSec most often come from development, system administration, and networking, in that order. If you get a bachelor's degree in any of these fields, you can poise yourself for a career in cybersecurity.
Some universities will allow you to specialize in cybersecurity by offering certificate programs in cybersecurity. These universities offer specialization certification in network defense, operating systems, advanced security, CompTIA Security+ certification, and biometrics concepts.
Associate degree programs in this field will cover subjects such as computer forensics, network security applications, operating system security, fundamentals of InfoSec, and encryption. On the other hand, bachelor's degree programs will cover advanced topics such as advanced operating system and computer security, mathematics, etc.
You need three core skills:
- Attention to detail,
- Analytical thinking and a zeal for knowledge in the field,
- And effective communication skills.
Now that we are talking about certification:
About Certification: Which Certifications Matter Most
To answer your question, certification matters just as much as education and experience. When you are getting started on this career path, they will matter especially because they will buff up your skill portfolio.
When you are just getting started, the most important certifications include the following:
The value of these certifications will depend on the requirements of the job you want to apply for; some employers will ask for a specific certification while some will ask for all of the first three. While your degree-level education will prove invaluable, having these four certs will make you intimately familiar with InfoSec concepts and their application in the real world.
In my experience as an IT Manager, the best thing you can do to acquire the knowledge that will give you a strong foundation for taking these certifications is to enroll in Pluralsight. This website provides training resources to help you understand in detail the certifications you are looking for and guides you on how to understand and pass the test for each one. Enroll in Pluralsight to be trained for the certifications that companies are looking for.
Once your skills level up, you can get the following advanced certifications as a matter of importance if you want to excel in InfoSec:
- CISSP, which is the most basic
- CISA/CISM, which is ideal for well-rounded InfoSec experts with managerial aspirations
- SANS (GSEC/GPEN/GWAPT), which is ideal for those with an affinity for the technical bits of InfoSec
- OSCP, which is ideal for penetration testing
You should aim to have your CISSP certification, the standard baseline in InfoSec, after you get at least 4 years of experience in any information security field. After that should come your CISA or CISM, which is what we call the audit space; and after that, you should get the technical certifications—start with GSEC and then branch into either GCIA, GPEN, or GWAPT.
NOTE: If you intend to concentrate on pen testing, get the OSCP certification.
Step 2: Experience
Like most careers, your level of experience in InfoSec will determine your pay and the position you hold. Those with only an undergraduate degree or diploma in any of the fields mentioned above should not expect to hold high-level positions, no matter how smart they are.
To start gaining some experience (once you complete your undergraduate or diploma in any of the related fields), you can intern under a mentor or start working as a Tier-I security analyst—the latter is the most ideal for those straight out of school. Also, you need to have the required certifications.
The hands-on experience you are likely to get from being in an entry-level position—especially if you are a less experienced graduate—is especially important because one of the things most InfoSec experts agree on is that applying InfoSec concepts in a work environment could very well be the key to success in this field.
Unfortunately, gaining this experience is often difficult because of the industry's changing needs and the specific experience demanded by advertised positions. As implied, you may need to start by interning or taking Tier-I entry-level jobs. The tradeoff is that even though these jobs do not pay very well and you will be doing a lot of grunt work for your supervisors, the experience (the most important element) will be invaluable.
If you lack qualifications that make you an ideal candidate for entry-level jobs in InfoSec, your most invaluable strategy is to volunteer as you seek certification. Volunteering has an element of networking to it—which is the third step—because ideally, you will have to look to your network for InfoSec work-related opportunities.
For instance, if someone in your network has a small or mid-sized company/business, you can offer to look at the security systems adopted by the business and fortify them if needed. By doing this—assuming you are a skilled cybersecurity analyst in your own right (in the modern world we live in, you can teach yourself just about anything)—you will make yourself invaluable (and learn a lot) since most small businesses lack the funds to build in-house cybersecurity teams. This was how I got started in my career and business path.
Another great way to gain practical InfoSec experience is by having your own cybersecurity lab. This provides the grounds from which you'll learn. It requires that you have a personal lab or network that you can use to practice what you learn.
When setting up your lab, you have several options:
- You can set up VMware on a desktop or laptop
- You can set up VMware on a laptop or desktop you have turned into a server
- You can have a real server with VMware or similar installed
- You can have an online VPS system.
With the lab, you can do things such as run a personal DNS or DHCP server from an Active Directory domain controller, create multiple network zones in your home, etc.
Step 3: Network Widely
Networking is how you go from low Tier-I jobs to mid-tier and then to high-tier jobs. Essentially, networking is about marketing yourself and ensuring that the right people know about you and your work.
The first thing you do is seek a mentor, someone who can teach and guide you. The person should have a personal style you like and feel you can emulate. With the ease of interaction provided by websites (as an InfoSec expert, you should create a website from where you can share your projects) and social media (you should also have an active social media profile—especially Twitter), finding a mentor is not too difficult a task. Once you find an ideal mentor, simply call or email the person and make your communication (what you want) clear from the very start.
Another great way to network is to intern at companies you would like to work in sometime in the future. This strategy is especially potent because it allows you to create inside contacts that will prove invaluable as your InfoSec career progresses and you gain more experience and certification.
As in most other careers, conferences are another great way to network. Conferences allow you to interact with like-minded individuals and offer a rare chance to learn what is new in the industry as well as to present your ideas and thoughts on various aspects of the business.
Conferences, especially ones that have keynote speeches, are an especially good way to learn and gain some experience. ENIGMA, DEF CON, DerbyCon, THOTCON, ShmooCon, and CactusCon are some of the options available to you.
Contributing to worthwhile projects is another great way to network and enhance your career in InfoSec. Programming projects are the obvious choice here. Find some that speak to you personally and contribute if you can. GitHub is an especially useful platform where you can contribute to tools and platforms you like or use. For instance, if you notice bugs in tools you use and like, you can email the developer—if the tool is not open-source—or contribute a fix if it is.
Building a career in InfoSec is not very different from excelling in any other field. The main difference is that with InfoSec, thanks in part to the fact that the field is very specialized, you need very specific knowledge and certification. You also need to be a great programmer in your own right, which requires tons of experimentation. The great thing is that a career in this field can be very rewarding and lucrative.
by Edgar Vera, MS Cybersecurity