Getting started with a career in cybersecurity

With the ongoing and seemingly never-ending flood of cyberattacks, companies and governments the world over need experienced, skilled professionals to protect, defend, and strike back. But how do you get into the lucrative cybersecurity career? David Gewirtz has some advice.
Written by David Gewirtz, Senior Contributing Editor

The son of a family friend recently told me he wants to go into cybersecurity as a career, and asked me how to get started. He currently serves with the national guard and is in community college.

I get asked the question a lot, and it's a good question. By 2019, the worldwide need for cybersecurity professionals is expected to reach 6 million jobs -- but companies will likely be able to only find 4.5 million people able to do the work.

That means there is the potential of 1.5 million jobs -- high paying jobs at that -- that can go to anyone with the qualifications. Burning Glass, a job posting site, reports that they had 50,000 postings for candidates with CISSP (Certified Information Systems Security Professional) certification.

So cybersecurity workers are in high demand, the jobs pay well, and they're important and critical to safeguarding our society. That sounds to many like an ideal opportunity. But what does it take to get hired and thrive in such a gig? Here are a few things to consider.

Cybersecurity (and IT in general) is not the same as computer science. Traditional computer science can be helpful, but it's not the full story. If you're going to design unbreakable encryption (or crack unbreakable encryption), you're going to need deep education in computer science and math, because you're dealing with everything from stats to finite automata.

But there's also all the knowledge needed about how current systems work, which computer science doesn't necessarily prepare you for. That's best handled by all the certification classes, particularly the Microsoft-sponsored ones.

Hiring practice is also all over the map. Generally, cybersecurity jobs (like this one for a U.S. Navy Cyberwarfare engineer) require 4-year college degrees. Many others require experience and industry standard certifications.

Before I talk more about this career in particular, we need to discuss the education issue in more depth. Many of the young people I know who want to get into this field do not have four-year degrees, and they want to know if they have a career path as well.

I'm an educator and so I will never tell anyone not to get a four-year college degree. Certainly there are many doors that absolutely will not open without one. But you also need to understand that many middle aged professionals with degrees are now carrying enormous debt from student loans and the cost of college degrees is still increasing. Also, there are more and more "for profit" universities out there peddling degrees, so you need to watch what you're signing up for.

For those of you in the U.S., make sure your school has what is called "regional accreditation" -- not so-called "national accreditation". This seems counter-intuitive, but many institutions that list national accreditation without regional accreditation will not grant degrees that are accepted universally. Read up on accreditation from this set of articles at the U.S. Department of Education.

There's also big business in coding boot camps. These are intensive programs that claim to take in non-programmers, train them up on key skills, and get them jobs. While coding boot camps may work, they're often very, very pricey. You may come out with programming skills, but you still won't have the credential (the degree) that's necessary to get hired for many cybersecurity jobs. Keep in mind that many, if not most, companies won't even look at a person who doesn't have a degree as an entry pass.

My advice to young folks wanting a good career is to focus on IT certification and programming skills first. That's because there are many more jobs available to IT folk that are often more easily accessible than cybersecurity jobs. Remember, a career in cybersecurity means you're capable of everything a traditional IT person is capable of, and more. You're defending against IT and programming mistakes and using all of your IT skills to push back the bad guys.

So a start in IT will get you some experience and money, and you can grow from that into cybersecurity.

Then, as you develop specialized interests, focus next on cybersecurity. One thing you can do that's completely free is read. There are a ton of good online sites that you can read to follow what's happening. Keeping up on the business will give you strong insights into where to go.

Read voraciously on the topic (news as well as tech stuff). Make yourself knowledgeable, and read daily if you can. The more you know, the more you'll know who to try reaching out to. That's good advice for pretty much anything, but it works here, too. Don't just read technical information, but dive deeply into each individual case and learn about the business ramifications and how the actual breaches and attacks unfolded.

For those currently in the military like my young friend, I have another piece of advice. The military is one of the biggest employers in this field, so make as much use as you possibly can of your service connections.

Tell your senior staff you want to go into this field and to help you meet people who might move your career along. The US is desperate for trained soldiers (by that, I mean people who are disciplined, can wear more than sweatpants, and actually show up on time, unlike most of us geeks), who are also able to handle the tech. So if you can get them to move you along internally, that's by far the most likely path for you.

Keep in mind that somewhere in your branch of service are people who want you. There is a huge shortfall in trained cybersecurity warriors. You have to take the effort to keep after it and find the people who know about the need and can help you train up to fill it. Don't just ask once and let it go. Dig, talk, meet people, socialize, meet more people, and keep up with your reading.

Here's another tip. Get your hands on old, discarded machines and build up Linux installs, practice building networks, learn about SELinux, play with key distros, and do as much hands-on as you can.

Just one word of warning: never, ever hack or crack. Stay away from the criminal and unethical stuff. While a few top hackers have romantic stories, those stories generally followed long jail sentences and solitary confinement. Few organizations hire ex-cons.

There's a tremendous amount of opportunity out there, but you're going to have to work hard to get into this career.
