How to Start a Career in Cybersecurity
Overcome the Barriers to Entry and Get a High-Paying Job
If you work in cybersecurity, I guarantee you'll have a job for the next 20 years - at least.
You don't believe me? Well, you'd better.
Cybersecurity has already become a critical priority for organizations across all sectors, and everything in today's society points to it staying that way. If cybercrime were a country - call it cybercrime-istan - it would rank among the top three economies in the world, right behind the United States and China. Cyber espionage is an ever-growing threat to advanced economies, and the geopolitical landscape is heating up quickly. And the more our lives depend on computers and digital assets, the more valuable those assets become to us, and hence the greater the need to protect them properly.
Therefore, the demand for skilled cybersecurity professionals has surged, making it an attractive and rewarding career path. So let's look at how to navigate the journey of starting a career in cybersecurity, covering the essential skills, certifications, and the most lucrative job opportunities in the field.
Understanding Cybersecurity
Cybersecurity encompasses the practices and technologies designed to protect systems, networks, and data from cyber attacks. It involves safeguarding sensitive information, preventing unauthorized access, and ensuring the integrity and availability of data. Cybersecurity professionals work to identify vulnerabilities, respond to incidents, and implement measures to prevent future threats.
Essential Skills
Many self-proclaimed cybersecurity experts on social media (say hello to LinkedIn!) will tell you that you don't need technical skills to break into cybersecurity (as long as you buy their training, of course).
This is wrong.
If you want to be taken seriously in this industry, you need, as an absolute minimum, technical grounding in things like networking and authorization concepts. There is simply no shortcut. Period.
So, if you are about to start your journey in this domain, start with the ‘real stuff’:
Networking: Understanding network protocols, client-server architectures and subnetting.
Operating Systems: Focus primarily on Windows and Linux environments, since these cover about 95% of the corporate world. You get bonus points if you have some experience with Active Directory.
Programming: I personally consider programming overrated in the cybersecurity domain. However, the recent trend towards shift-left and security-by-design paradigms will require you to be familiar with how software engineering is actually done.
Security Tools: Familiarity with tools like firewalls, intrusion detection/prevention systems, and antivirus software is a big plus. Endpoint detection experience is also highly valued, particularly nowadays, when far more devices are attached to corporate networks than ever before.
Cryptography: Although I wouldn't call it a hard requirement, you should understand basic concepts like symmetric and asymmetric cryptography, and you should understand that hashing is not encryption.
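As an added example (not code from the original post), the following Python script makes the last point concrete: encryption is reversible by anyone who holds the key, whereas a hash is one-way for everyone, including its owner. It also shows the two things hashes are actually good for in practice, verifying a secret without storing it (salted, iterated password hashing) and authenticating a message (a keyed hash, or HMAC), and why an unsalted hash of a weak secret still falls to plain guessing. The candidate list and passwords are constructed for the example; only the standard library is used.

```python
"""Hashing is not encryption: an added illustration, not from the original post.

A hash cannot be "decrypted". The only way back from a hash to its input is
to guess inputs and compare hashes, which works against low-entropy inputs
such as common passwords. Salting and iterating (PBKDF2 below) make that
guessing expensive and per-user; a keyed hash (HMAC) turns a hash into an
integrity check that only a key holder can produce or verify.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed wordlist for the example; a real attacker uses millions of entries.
WEAK_CANDIDATES: List[bytes] = [b"123456", b"password", b"qwerty", b"password123", b"letmein"]


def sha256_hex(data: bytes) -> str:
    """Plain, unkeyed, unsalted hash: deterministic and one-way."""
    return hashlib.sha256(data).hexdigest()


def dictionary_attack(target_hex: str, candidates: List[bytes]) -> Optional[bytes]:
    """Recover the pre-image of an unsalted hash by guessing, not by reversing.

    Every candidate is hashed and compared; nothing about the hash itself is
    undone. A random 16-byte input would never be found this way.
    """
    for candidate in candidates:
        if hmac.compare_digest(sha256_hex(candidate), target_hex):
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Derive a storable verifier from a password with PBKDF2-HMAC-SHA256.

    The random salt defeats precomputed tables and makes equal passwords hash
    differently per user; the iteration count slows down each guess.
    Returns (salt, derived_key); store both, never the password.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = 600_000) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, derived = hash_password(password, salt, iterations)
    return hmac.compare_digest(derived, expected)


def mac_tag(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): proves the message was produced by a key holder."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, message: bytes, tag: str) -> bool:
    """Reject any message whose tag does not match under this key."""
    return hmac.compare_digest(mac_tag(key, message), tag)


if __name__ == "__main__":
    # 1. An unsalted hash of a weak password is "reversed" by guessing alone.
    leaked = sha256_hex(b"password123")
    print("guessed:", dictionary_attack(leaked, WEAK_CANDIDATES))  # b'password123'

    # 2. Salted, iterated hashing: same password, two users, two different verifiers.
    salt_a, dk_a = hash_password("password123")
    salt_b, dk_b = hash_password("password123")
    print("same verifier for same password?", dk_a == dk_b)  # False
    print("login ok?", verify_password("password123", salt_a, dk_a))  # True

    # 3. Keyed hash as an integrity check: tampering with the message breaks the tag.
    key = os.urandom(32)
    tag = mac_tag(key, b"amount=100")
    print("tampered accepted?", mac_verify(key, b"amount=900", tag))  # False
```

Note what the script never does: it never turns a hash back into the password. If a system can show you your old password, it stored it encrypted (or in the clear), not hashed, and that is the distinction the paragraph is about.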
On the soft-skill side, you can certainly stand out from the crowd by demonstrating excellent communication skills. Communication is, in my view, the most underrated skill a cybersecurity professional can have. Explaining complex topics to non-technical stakeholders is still a pain in organizations of any size, and it is the most painful impediment to advancing any corporate cybersecurity program.
Second, you should have a natural interest in continuous learning. As fast as technology advances, every new technology brings new vulnerabilities and attack vectors with it. In order to protect these technologies effectively, you need to understand them.
(In-)Formal Education
There are multiple pathways to enter the cybersecurity field, each catering to different backgrounds and career goals:
Pursuing a Bachelor's or Master's degree in Cybersecurity, Computer Science, or Information Technology provides a solid foundation. Many universities offer specialized cybersecurity programs that cover essential topics like network security, cryptography, and ethical hacking. A degree also helps you build trust with your stakeholders and co-workers.
In addition to a formal program, I highly recommend that you take online courses from e-learning platforms like Udemy or Coursera. Completing these courses shows any potential employer that you are motivated to go beyond your "official duty" in cybersecurity and that you are committed to continuous learning. It also gives you the opportunity to shape your personal profile further and to apply for higher-paying jobs (more on that in a minute).
On the other side of the coin, I do not recommend replacing a formal degree program with online courses. Online courses are simply not enough in terms of topic breadth. Don't trust any expert on the internet who tells you that by completing his or her training you will land a six-figure job. There may be a few exceptions, but the chance of this happening to you is very close to zero.
Certifications
Certifications are crucial for validating your skills and enhancing your employability. Some of them are considered the gold standard, like the CISSP or the CISM. Holding at least one of them is a big, big plus on any resume. But be aware: these certifications carry so much weight precisely because they require a certain amount of documented professional experience, which creates a chicken-and-egg problem if you are about to enter the industry.
As a beginner, I therefore recommend pursuing the more "achievable" certifications like the CompTIA Security+. This certification covers foundational concepts in cybersecurity and is specifically designed for beginners in the field.
Another good option is the Certified Ethical Hacker (CEH); EC-Council waives its work-experience requirement if you attend the official training, so it is reachable without years on the job. It is a great start if you are more interested in offensive cybersecurity and gives you a solid jump start.
Practical Experience
As I see it, practical experience is invaluable and trumps everything else in cybersecurity. But where to start?
The easiest way is to do internships while you are studying. Many companies offer internships that provide hands-on experience and exposure to real-world security challenges. Platforms like Hack The Box or TryHackMe offer virtual labs and challenges to practice your skills. Contributing to open source security projects on platforms like GitHub is also a great lever for showcasing your skills to potential employers.
Finally, participating in bug bounty programs allows you to find and report vulnerabilities in real-world applications and earn rewards. While this is certainly a unique selling point for your profile, it requires the most effort and time, and there is no guarantee that you will get usable results in the end.
Highest Paying Job Roles
Let’s talk real numbers now. Where do I earn the most in cybersecurity?
The domain offers a wide range of job roles, each with its own focus and responsibilities. Some of the common job roles include:
Security Analyst: Monitors and analyzes security events, identifies threats, and implements protective measures.
Penetration Tester (Ethical Hacker): Conducts authorized simulated attacks to identify and address vulnerabilities.
Security Engineer: Designs and implements security solutions to protect systems and networks.
Incident Responder: Handles and investigates security incidents, mitigating damage and restoring systems.
Security Consultant: Provides expert advice and solutions to organizations to improve their security posture.
Chief Information Security Officer (CISO): Oversees an organization's entire security strategy and operations.
Since you are likely at the beginning of your career, with limited experience of what cybersecurity in the corporate world really means, the role of CISO might look very appealing to you. The shiny title, the responsibility and the salary are quite attractive.
The longer you work in this domain, however, the more you realize that the glory of this role comes with a heavy burden in terms of stress and anxiety.
So, which role should you pursue?
If you really strive for a maximum salary, then you should focus on a career in a position close to management, like Governance, Risk Management or Compliance. The reason is simple: the more exposure you have to management, the easier it gets to pick up important management skills and to put yourself forward for the next promotion round.
In the May edition of the Cybersecurity Logbook it is also explained what you can earn on average per role.
On the other hand, if you choose a more technical role, it becomes much harder to advance in your career because of the lack of exposure to management - unless you are working at a Big Tech company in Silicon Valley.
But the greatest lever for getting a high-paying job is not the role you chose, it’s the company you work for.
Or to be more precise: The company size matters.
The bigger a company is, the more you will likely earn for any given role compared to smaller companies. A Cyber Threat Hunter at a Fortune 500 company easily out-earns the CISO of a local drugstore.
So what's the conclusion? If you want to earn as much as possible, go for a GRC role at a Fortune 500 company and you will have a happy life.
But my advice to you is not to plan your career solely around salary. If more technical topics interest you, pursue them. If you don't like the regulations of a large company and you like the chaos of a startup, go for it. No salary will make up for your happiness, and your job will eat up at least 8 hours of every day.
Make sure it's worth it.
Networking and Professional Development
Another great lever is building a network of professionals in the cybersecurity field. It can open up new opportunities, provide valuable insights and, who knows, might open doors that would otherwise be out of reach for you. One of the most relevant associations for this purpose is (ISC)², which offers certifications (e.g. CISSP), events, and a global community of cybersecurity professionals. The other major association is ISACA (e.g. CISM, CISA), which provides resources and networking opportunities for IT governance and security professionals. The EC-Council is known for its certifications and conferences focused on ethical hacking and security. All of them are great opportunities for you to expand your horizon in this regard.
If you prefer a more independent approach in building your professional network, you might try attending conferences like Black Hat, DEF CON, and RSA Conference to help you stay updated on industry trends and connect with experts.
Continuous Learning
I cannot stress this enough: cybersecurity is a game of continuous learning. The landscape is constantly evolving, with new threats and technologies emerging regularly. To stay up to date (or, even better, ahead), continuous learning and adaptation are crucial:
Stay Informed: Follow industry news, blogs, and podcasts to keep up with the latest developments. Feedly is a great news aggregator where you can retrieve latest news and updates from reputable sources like Dark Reading or The Hacker News.
Advanced Courses and Certifications: Pursue advanced certifications and specialized courses to deepen your expertise. I personally did some training at the Saïd Business School (University of Oxford) and Stanford University to hone my technical acumen as well as my business skills relating to cybersecurity - well-invested time!
Research and Development: Engage in research and contribute to the development of new security tools and techniques. The OWASP foundation is a great starting point for this. There you can join different working groups and set your own pace in contributing to the cybersecurity domain.
Wrapping it up
Starting a career in cybersecurity might look intimidating in the beginning. Following a structured and multi-faceted approach is key to overcoming the barriers to entry. By knowing where you want to work, acquiring the necessary skills, obtaining relevant certifications, gaining practical experience, and networking with professionals in the field, you can build a successful and fulfilling career in cybersecurity.
The journey may be challenging, but the rewards – both in terms of career growth and the satisfaction of protecting the digital world bit by bit – are well worth the effort.
I'd love to hear how your personal journey goes and what experiences you have had.
Until then, see you next time!