A Career in Cybersecurity

Anyone who is considering their career choices will have noticed that there are a lot of job openings in the cybersecurity space. Every week someone, somewhere, is trying to hire a cybersecurity professional of some particular skill set or other. The job ads are full of openings and anyone with 'cybersecurity' on their LinkedIn profile or online resume is probably getting connection requests from recruiters like they just won a large sum of money and offered to give it all away.

According to the Cisco Annual Cybersecurity Report, there has been a consistent 12x demand over supply for qualified, certified or experienced security professionals for the past 5 years. That means that there are currently 12 open security jobs for every person able to fill that role. With statistics like that, cybersecurity professionals will never be out of a job for long.

But what does it take to get into the field of cybersecurity? How do you get a foot in the door? How do you gain the experience that everyone is asking for to get the job in the first place?

Sometimes it can be a bit of a Catch-22, and that's a bit of an understatement. Just read some of the job postings requiring 3-5 years' experience for an entry-level position plus a current CISSP certification. However, those who may have looked into sitting their 6-hour-long CISSP exam will have noticed that you need 5 years of experience to get the certification that is required for the job in the first place! (Or 4 years and a Master's degree in a related field.)

The truth is that job postings are written by HR professionals, most of whom have very little understanding of what the actual job they are hiring for involves. Someone should make a movie about it and call it "Recruiters are from Mars" because they might as well be. A classic example of this was a job posting I saw last week that wanted someone with ten years' experience of Kubernetes and a whole laundry list of other skills and experience. This was noticed by many others as well as myself, who quickly pointed out that Kubernetes is only five years old as a technology, so no one could have more than five. Not only did it make a mockery of the job posting and the reputable company that had posted it, but it highlighted the problem of unrealistic job posting requirements.

Whether the problem ultimately lies with HR, recruiters or hiring managers, there is an unrealistic expectation in the cybersecurity space. This is a highly, highly competitive space for scarce security resources, so whether this comes down to company salary scales that are out of touch with market rates, and the need to use approved, more senior job requirements to hire in junior staff at a rate they will consider, I don't know. But cybersecurity professionals are currently making 25 to 30 percent more than their peers in IT with the same experience and levels of qualifications.

Some of the job postings that demand all kinds of experience would probably command a salary package of at least a million dollars a year if someone had all of those skills, certifications and experience. While I would like to believe that security professionals in their 30s are making seven-figure salary packages, that probably isn't the case for most. In other words, JOB REQUIREMENTS are nothing more than a WISH LIST.

But it's not just experience; the same is true for security certifications and academic qualifications.

Any recruiter claiming that 'x' security experience, plus 'y' certifications, plus 'z' master's or doctoral degrees is a MUST HAVE simply couldn't afford to hire the perfect candidate if he or she walked through the door today.

In other words, you should apply anyway. It might not work all of the time, but you only need it to work once to get your foot in the door. It is, after all, getting more competitive each year as more and more companies attempt to hire the few security resources that might be looking. Increasingly, companies are having to rethink who they hire, at what level, and what skills are really necessary. They are taking what they can get and providing on-the-job training instead in order to fill vacancies and get bums in seats.

Companies looking for security certifications will usually pay for the training, the materials and the examination if they want you to obtain one. While the Catch-22 nature of the CISSP might put it out of reach for entry-level candidates, get yourself certified in an easier credential such as the CompTIA Security+ or some of the SANS GIAC foundational courses. That, combined with a desire to work towards a higher, more widely recognized certification or qualification, might be enough to get you past a cert required in the job posting and on to the next level with a video interview.

The same is true with academic certificates and degrees. Most universities are now running courses online thanks to COVID and many have solid cybersecurity programs at the Associate's, Bachelor's and Master's level. There are many government grants and university stipends available each year, and companies will often pay for you to study for degree or certificate programs, so take advantage of this. It may take you a couple of years of part-time evening or weekend study, but a degree will boost your career opportunities and salary expectations, so it is most definitely worth your time. It may also exempt you from having to keep up with professional certifications like the CISSP and pay these commercial bodies annual membership fees, which can be expensive.

But you as a candidate need to start somewhere.

In the following 90-minute video, I outline:
  • What is cybersecurity and why is it front and center as we adopt increasing levels of automation and digitalization?
  • Who are the main perpetrators of cyber attacks and what are their motivations?
  • Why is cybersecurity so important today?
  • What are the security frameworks being used to secure organizations?
  • Why you should consider a career in cybersecurity
  • What are those opportunities?
  • How to develop a cybersecurity career strategy
  • What security certifications and qualifications should you consider?

A PDF of this presentation can be downloaded or viewed here:
