Building a career in cybersecurity takes perseverance, a hyper-awareness of the changing threat landscape, and a willingness to constantly learn new skills. Whether you want to become a white-hat hacker, a cybersecurity analyst, or something else entirely, there are lots of roles within cybersecurity to fit your career goals.
Even if you don’t want to work a full-time cybersecurity job, many other technologist positions (such as software engineer and network architect) increasingly demand some level of cybersecurity knowledge. Here’s how some cybersecurity experts developed their skills and launched their careers—and they have some advice for anyone aspiring to enter the industry.
Education and Certification
Morgan Mango, a recent college graduate who works in cybersecurity research, grew up in a military family and says that cybersecurity was always around while she was growing up. “My high school had a program where I got to work part-time in a cybersecurity startup,” she said, and that’s where she learned the ropes of what cybersecurity careers entail, with some web development and software development to boot. This led to her doing cybersecurity work on her college campus, which in turn led to work as a government contractor after graduation.
For those who don’t have a STEM or cybersecurity background, Mango recommends certifications such as CompTIA Security+. “Having a certification will be such an easy introduction to cyber, even if you don’t have the classes available at your high school or college. Having a certification is a great way to actually get into the career path,” she said. And while she’s noticed that government jobs and the big companies require a college degree, if you have the skillset and certifications, you may not need a degree to work at a startup.
Omar Sangurima, Information Security Analyst at Memorial Sloan Kettering Cancer Center, agrees that certifications will help people get further, faster in their careers. He also took CompTIA’s Security+ certification when he was thinking of crossing over into information security. He transitioned from insurance sales to pen testing, then worked as a general analyst and in security awareness at a law firm, and now does security awareness training at the hospital.
Sangurima says that certifications will accelerate you to the point where you are ready for hands-on experience. He recommends both Security+ and SANS GIAC’s Security Essentials. While HR departments sometimes look for the CEH certification, interviewers seem less impressed by it, he said. For junior pen testers, he recommends the eCPPT (eLearnSecurity Certified Professional Penetration Tester) certification.
That said, both Mango and Sangurima are quick to point out that certifications are not all you need. “One of the pitfalls is thinking that you can get a certification and then you’re going to get a job,” Sangurima said.
Instead, view certifications as a gateway to experience. “They will get you a good theoretical base and might get your foot in the door,” Sangurima added, but they will not give you the practical knowledge you need. For a candid view of the job market, he recommends looking at Reddit and InfoSec Twitter.
For advanced cybersecurity workers, the CISSP certification is held in high regard. Rankin says it’s always important to keep practicing fundamentals and testing things out on your own, whether by downloading resources, playing Capture the Flag, or just looking around. “Back in the day, it was people poking around and probably hacking things they shouldn’t from someone else, but now there are all kinds of resources, in addition to the fact that your home is probably full of all kinds of easily hackable things,” he said. Rankin has even created internal CTF tournaments as a fun training exercise for his team.
“The cloud is huge, and it’s one of those things that’s starting to grow less and less niche and more and more, you just need to flat out have it,” said Sangurima. He recommends jumping feet-first into AWS, Google Cloud and Azure.
Beyond that, an inquisitive nature is important, as are the tenacity to deal with gatekeeping in the industry and the adaptability and energy to stay on the cutting edge as technologies change and evolve.
Rankin started his career doing pure sysadmin work 20 years ago, and did that for the first decade of his career. While in charge of a sysadmin team and building infrastructure, he started leaning into server and infrastructure hardening and the cloud. He then transitioned to a Director of Systems role, where he also managed PCI audits and security for the company, before switching jobs to a Director of Security role where he was also responsible for building infrastructure.
“Every next position, I would transition my title and responsibilities into the direction I wanted to go. And then from there, I moved onto Purism, where I’m now Chief Security Officer,” he said.
Kyle Rankin, Chief Security Officer at Purism and author of Linux Hardening in Hostile Networks, suggests that starting out as a sysadmin or in DevOps can help people transition to a career in security, because building infrastructure helps you understand its constraints, as well as the shortcuts that dev teams are likely to take to hit deadlines. This can help pen testers figure out areas to exploit, and those in charge of security to know how to harden the infrastructure.
He also recommends working for security consulting firms. “Those places are generally willing to bring someone in who can demonstrate they’re willing to learn and capable of learning. It puts them on the job where they’re switching from company to company every couple of weeks, seeing all kinds of different ways that people can set things up and all the different ways you can attack it,” he said. “I’ve seen a lot of people get into security from that path.”
Cybersecurity Career Pitfalls
Mango also warns that it’s very easy to accidentally get pigeonholed. For example, someone working on PKI infrastructure in their first job might be seen as the PKI person for the next 15 years of their career. “I would always suggest people find a job in cybersecurity that’s very flexible and very broad in terms of job description and tasks,” Mango said. “That way, once you leave, you’re not going to be the PKI person or the firewall person or the IDS person. You’re going to be the cybersecurity professional.”
Another pitfall is not being taken seriously, and a related one is carrying the skills you’ve learned in theory over into practice. “There are only so many Hack The Boxes and capture the flags that you can do until you’re actually on the job and see if you can apply something that you learned outside of it,” she said. Meeting the technical rigor of real work is an uphill battle.
Mango is quick to let people know when she has shadowed them, and she has also done buddy coding. She’s not shy about asking questions and, when learning how to do something, is willing to slowly inch her way into the inner circle of a project, building trust along the way.
Sangurima points to gatekeeping and sexism in the industry as big macro challenges. Both Sangurima and Rankin emphasized the ability to work well with people, collaborate with others, listen well and communicate clearly as important skills both to differentiate yourself and to help you work your way up the ranks. “There was a point in time in the past where the job of security work was essentially to sit behind a desk and tell people ‘no’ all day long,” Rankin said. “That never really worked very well, but it was how it was done. If you want to be effective in security, you have to default to yes.”
And as industries begin to realize the importance of cybersecurity professionals and are hiring quickly, Rankin believes it can be challenging for someone coming in at a junior level to get up to speed without a strong mentor.
Although it can sometimes be embarrassing to admit you don’t know something, Rankin insists that honesty is crucial: “Especially as you get to higher and higher positions, it’s dangerous to make it seem like you know things that you don’t. If you act like you know everything about everything, and you don’t, then people won’t necessarily be able to trust the calls you make.”