There are two perspectives on the question “What Skills Are Needed For Cybersecurity” depending on who you ask. If you ask a company that hires cybersecurity professionals, they can come up with a list of requirements based on what they need, not based on what the professional requires. On the other hand, if you ask cyber professionals, like us, with years of experience across all fields and sectors, we will be honest with you and tell you things that you might not want to hear, but you should.
Like many cybersecurity professionals who have been working in the IT field for over 20 years, and in my case with most of those in management positions, I can say for certain that one mistake colleges and Ivy Universities make with students who want to study an undergraduate or Master’s degree in Cybersecurity is to teach them the subject without the hands-on experience on the basics of Information Technology.
I’ve seen first hand how an undergraduate student who has recently graduated from college with a degree in cybersecurity can’t even put together the required tools to set up a virtual lab for cybersecurity research. I’ve also interviewed candidates with a Master’s degree in Cybersecurity, but without the competencies to perform the job.
Read “Should I Get a Cybersecurity Degree or Certification?” for more information.
I don’t think this degree should be offered to people without the basic hands-on experience in the IT field. Knowing how to make and break a system takes time and experience and is the job of a cybersecurity specialist to know how to protect that system, so the question that arises is how to protect something you have no experience on? Makes no sense.
You might say, “but these colleges offer laboratories to practice what they are learning”. True, but is it enough to know what to do when you are facing a problem which in fact would require you already had the experience on it?
Guess what, community colleges are learning fast and catching up. They not only offer two years or a full four years undergraduate degree but also they form alliances with local companies that requires personnel trained with specialized skills and these companies even accept these students and promise to train them giving them that exposure I was talking about.
I know this because I was one of those companies who accepted these students and gave them the exposure they needed.
You ask for what you want, and I give you what you need…
Before you can understand what skills are required for this field, you have to know where to get them from and there is a reason for this. The way you can get the hands-on experience is by getting exposure to the Help Desk first. The Help Desk is the place where you can get access to all sorts of incidents and problems, if not all of them.
By working at the Help Desk, you will learn what are the most common incidents, what are the resolution to such incidents and properly document them in the incident report. This is known as Level 1 support.
After verifying and gathering the symptomatology of the affected system, if the Help Desk is unable to solve it, then they reassign the incident report, or ticket, to a Level 2 support specialist.
Level 2 personnel are more experienced as they are the certified technicians with the knowledge and hands-on experience to bring a resolution to the incident assigned to them. They are usually known as the Desktop Support.
These are the specialists certified on at least the A+ certification and trained to deal with anything related to this level.
Help Desk + Desktop Support = Hands-on Experience
This is how I trained my interns when they were looking to work with me. I gave them the exposure to all sorts of issues so that they can get their hands dirty and follow procedure on how to get the resolution. After I knew they were ready, then I re-assigned them to work with the level 2 personnel.
They might have learned some of the tools of the trade while in college, but they saw first hand all the tools that we were using and applying in real life. Also, this exposure helped them prepare to study for the required certifications such as A+.
The fact that they were getting good at what they were doing, gave me a satisfaction as a manager which made me feel proud of them. Also, the fact that I was managing a division within the pharmaceutical industry, it was required from the personnel working with me to have a level of specialization that I couldn’t find anywhere. To solve this problem I leveraged from the internship program to train these students in the required skills to become specialists in this industry and usually, I ended up retaining them and offering them full-time jobs.
As a manager, I knew who were the candidates I wanted to retain. I observed their behavior with my clients (daily users), they asked me the technical questions and how to improve on those. Others requested to participate on projects that I was working on to learn more, but the one common denominator that I observed on all successful candidates was curiosity and willingness to learn.
What is the market asking for
If you read the market statistics and reports for what skills the companies are looking for, they will vary according to their sector, but in the conglomerate, the market has a necessity for essential skills. These are skills that are applied anywhere you go, no matter the sector.
For example, these are the top three requested skills:
- Over 90% of interviewed companies indicated that knowing Core Security Concepts is the most important skill.
- Network & Host Vectors Attacks came up at 70%
- User Authentication & Access Control came at a little over 60%.
Other important skills that were mentioned with over a 50% scale were Basic Shell Scripting & Regex with little over 60%, OS Hardening with a little over 55%, and Web App Attack Vectors (OWASP Top 10) with a little over 55%. (This market information was obtained from Shawn Davis, Director of Digital Forensics at Edelson PC)
Internships vs Poaching from other companies
I know that companies prefer poaching from others, mostly their competition, (I know because I had some of mine poached) as these candidates already have the necessary experience to do what is necessary. In my case, I chose to promote the internship program instead of the other alternative as it allowed me to mold the candidate from the very beginning according to what was needed in the time, and provided them with skills that they couldn’t get anywhere else, plus they got in as an entry-level technician.
Please, stop me if you heard this one before, but everywhere you go and search for “cybersecurity”, or “What Skills Are Required For Cybersecurity”, there will be at least a couple of results commenting about the “shortage of cybersecurity professionals”, or that there are and will be “thousands” or “millions” of positions waiting to be filled.
Well, if you happen to be one of the many people who graduated from college with a degree in cybersecurity, or recently received a certification you heard or read in a forum that it was a must to have and add to this equation the comments that these positions are there literally waiting to be filled and you go for an interview to be part of the workforce, then why they rejected you?
Time for an introspection
Usually, companies reject candidates based on the lack of hands-on experience in required areas. When you get rejected, don’t just stop there. Ask to speak with the interviewer and ask them what was it that they were looking for and you couldn’t provide. What set of skills they need.
Remember when I said before “You ask for what you want, and I give you what you need…”. What you want is a job, but what you need is to see what skills you have and you can only acquire skills with hands-on experience.
Don’t wait for anyone to get this experience. Start building your own Cybersecurity Lab.
For more information, read “How To Setup Your Own Cybersecurity Lab”
Get your hands-on experience and start practicing your skills today!
by Edgar Vera, MS Cybersecurity