Cybersecurity is a growing and increasingly popular career field. By some estimates, there will be 3.5 million unfilled cybersecurity jobs by 2025. As more of the daily lives of billions of people is conducted online, adversaries find more and more ways to attack online commerce, identity, critical infrastructure, and every facet of daily e-living. As the adversaries go online, we need an increase in the number of defenders to help protect life online, creating opportunities for people in other career fields to seize the moment and leap feet first into a new career field.
What could possibly go wrong?
If you’re a well-known security professional, you probably have an inbox full of notes that go something like this:
“Hi, I’m a 30/40/50-something year old XXXX professional who wants to make the switch into cybersecurity. I went and got my YYYY certification, but I’ve been looking for six months and I can’t find a job. Can you help me? Who is hiring?”
That’s problem number one for mid-career transitioners (and, honestly, a lot of entry-level applicants): despite a lot of open positions, it seems like no one is hiring (well, some are hiring, but only if you have 13 years of Kubernetes experience, personally designed a sandboxing environment for a public cloud infrastructure, and are willing to be on-call 24/7 for minimum wage). I can’t solve the “employers haven’t yet figured out how to advertise a reasonable job” problem, but let’s tackle how you can make a mid-career switch. In this blog post, I’ll cover six key steps you can take to land a job in the ever-growing cybersecurity industry.
Step One: Assess Your Transferable Skills
Whether or not you have cybersecurity skills yet, you’ve likely amassed a set of fantastic competencies across your career. Those competencies are skills you’re going to carry forward into your next career step, so you’ll want not only to understand them but also to know how to communicate them to a prospective employer. You’ll want to take out any jargon from your specific career field as you do this. Are you an investigative reporter? “Research complex technical topics and communicate them to non-technical audiences” becomes a transferable skill – you might have a future assembling security reports from research a security company conducts.
Step Two: Career Field Assessment
Now that you’ve documented what you can do, it’s time to look at what sort of positions are available in the job market. Contrary to popular belief, not every cybersecurity job is an “eyes on glass” position, responding to alerts in an ops center. The cybersecurity career field is filled with positions ranging from what many would consider “core” cybersecurity functions – operations, architecture, compliance, engineering – to supporting functions in cybersecurity companies – product management, marketing, customer success, solutions engineering, sales. Which ones best align with the skills you already have? It may be helpful to play a “six degrees of cybersecurity” game; identify the shortest path of obvious but simple lateral moves you could make to get into cybersecurity. Are you an educator? Consider the path from classroom instructor to syllabus designer to technical trainer… and now you’re a short hop to a training function in cybersecurity.
Step Three: Gain Real-World Experience
You probably don’t yet have all of the skills you need to present a credible case for a cybersecurity position, but now that you know the core skills you already bring, look for the differences between where you are and where you need to be. As you identify competencies you’ll want to develop, look to fill them in three ways: academic instruction, hands-on practice in a freeform environment, and real-world applications. The first two are relatively straightforward. Certification and training programs are everywhere to provide you with academic instruction, and you can gain hands-on experience setting up systems in various cloud environments (e.g., try setting up a blog on AWS, and navigate the nuances of integrating a CDN with it). Finding real-world applications – where you’re solving someone else’s problems – may be the hardest opportunity to find (after all, isn’t that your end goal?), but take a look at the non-profit and community organizations around you. Often, they are starved for IT and cybersecurity support, and you can gain great real-world skills helping lock down their infrastructure in a user-friendly way. You may not have as much flexibility in choosing the specific technologies you’ll use, but the experience is invaluable.
Step Four: Network, Network, Network!
Job seekers often think of networking as “asking all the people you know for a job.” While that can work – and you should certainly advertise that you’re open to work – networking is most effective when you approach it less transactionally. Seek out communities (meetups, conferences) where you can learn and make connections. Consider that you’re always in a job interview when you’re out and about – how you engage and the work ethic you display may be the stimulus that opens a door for you. Ask people questions about their job, and what is hard about it – not to make yourself look smart, but to look willing to learn. Volunteer to help at events, and make connections with the organizers (who are often the best-connected people in your area).
Step Five: Embrace a Learning Mindset
Stay up to date on what’s going on in the industry. You can follow research blogs, or use social media to keep up with the latest news. When something new is going on – maybe there is a new type of attack on cloud infrastructure, or someone just released a report on common mistakes companies make in cloud security – don’t just skim the news. Practice internalizing it, and summarize it to a less technical family member. One of the best ways to learn any topic is to teach it! If new tools come out, experiment with them. Figure out what each tool is good for, and what its limitations are.
Step Six: Take the Leap and Apply
Here’s a dirty little secret of the recruiting industry: despite common beliefs, almost no one is fully qualified for an open position. You’re going to have to apply for jobs that you’re only marginally qualified for, and you have two goals: get past the recruiter, and convince the hiring manager that you can learn what you’re missing. To get past the recruiter, you often have to play the buzzword game: if a job wants three years of experience with AWS, you have to at least mention AWS on your resume. Don’t lie and claim experience you don’t have, but feel free to put any AWS training classes you’ve taken, or that you have a cloud lab with AWS instances. Be honest with the manager when they ask – “I’m still learning AWS, because there is so much, but I’m familiar with the UI and running workloads, and I’ve started playing with GuardDuty” – but make sure you’re checking the box for the recruiter.
Find Your Place in the Cybersecurity Industry
I leave you with a final farewell: Good luck! Making the switch into cybersecurity can be an exciting and terrifying proposition. There is a lot to learn, but you don’t need to learn it all up front. Your first cybersecurity position doesn’t have to define you, and there is always more to learn.
Looking to get a jumpstart on finding open positions? See what’s available over at Orca Security, or over in the YL Ventures portfolio.
This post first appeared on the Orca Security CISO Corner.