Entering Cybersecurity

One of the most common questions posed to cybersecurity professionals is:

“How can I do what you do? How do I get into the cybersecurity profession?”

It would be straightforward to offer the typical advice: go to college, get a degree or certificate in Computer Something, grind at whatever entry-level IT jobs come available, and then hope that you’ll somehow end up in the cybersecurity field.

While well-meaning, this isn’t really useful advice. Let’s instead answer your question with another question:

What kind of cybersecurity do you want to be doing?

Like most industries, cybersecurity is not a monolithic entity. It has numerous specializations, opportunities, and open doors. Instead of offering one path, here is our selection of some (but not all!) of the cybersecurity roles that we think might be worth your attention if you’re serious about getting into this industry.

The Blue Team

What is it:

When someone thinks of “cybersecurity,” this is typically what they think of. The long-suffering, crafty, worldly professional, responsible for patching vulnerabilities, making policies, answering crises, and just generally keeping a business safe from the wild frontier of the Internet. Often referred to as “sheepdogs,” these professionals work tirelessly to secure organizations against the “wolves” of the Internet: hackers, scammers, and state-sponsored malicious actors.

What you need to do it:

Joining the blue team isn’t easy. The path to becoming a sheepdog is long, and usually starts with getting some kind of post-secondary accreditation. Computer Science is the most common field of study, but almost any computer-related STEM degree will carry some weight. After post-secondary, most prospective blue teamers then commit to getting one or more professional cybersecurity certifications (CISM, CISSP, CySA+) – a long and arduous process that often requires up to four additional years of various practical cybersecurity experience.

What can help you get there:

Your education, experience, and certifications will do most of the heavy lifting for you, but you should also be able to demonstrate self-learning. Do you have a home lab for testing cybersecurity configurations? Do you read about cybersecurity breaches and theorize solutions and mitigations? If it’s compelling, document it and add it to your resume.

What you get:

The long journey isn’t without rewards. Certification-holding blue team professionals are often paid handsomely for their capabilities, and expertise. This is further amplified by the fact that there is a chronic shortage of qualified cybersecurity professionals, meaning those willing to stick it out often command a premium from potential employers. The few drawbacks include being on call for crisis response, working longer hours, and being the front line defence against what might seem like the entire world trying to attack your organization.

The Red Team

What is it:

While hackers are commonly thought of as “the bad guys,” there is actually a role to be played by White Hat hackers – ethical individuals who nonetheless have the knowledge and aptitude to break into systems. By rigorously trying to break into systems, Red Teams can highlight vulnerabilities, flaws, or failures before a malicious hacker can exploit them – a process known as penetration testing. This invaluable information can then be used by IT professionals and blue teams to shore up their defences.

What you need to do it:

Unlike blue teams, which are defined by rigorous standards of education and certification, being a red team professional usually starts with little more than a curious, transgressive mindset. It’s no secret that many of the most prolific and successful red team professionals in the world are reformed criminals, with long “careers” of breaking into systems with or without the blessings or knowledge of the lawful owners. That said, those looking to pursue a career in penetration testing can (and probably should) start with more legal means. A post-secondary education in computer-related study can provide a strong theoretical backbone, and now there are several industry-sponsored certifications for ethical hacking (OSCP, CEH). Unlike blue team designations, which can take up to eight years to attain, most ethical hacking designations can be earned in a much shorter time – typically within 2-4 years.

What can help you get there:

A red teamer’s currency is ethical hacking demonstrations and examples. If you wish to pursue this career, your best assets will be: home labs built to test theories and vulnerabilities, evidence of bug bounties you have collected, and examples of vulnerabilities that you have detected and exploited in software and hardware that you own or work with.

What you get:

Ethical hacking is a growing field, and like blue team roles, there is a chronic shortage of qualified professionals. However, unlike blue teams who are usually hired by the company they will be protecting, red teams are usually employed by companies specializing in contracting out penetration testing services. While not as lucrative as the biggest blue team roles, ethical hacking is still a profitable and satisfying career path. The discipline rewards curiosity, ingenuity, and experience. Drawbacks include being solely responsible for your own success (you must go find the work, as it will not come to you), and the chronic mistrust of hackers among laypeople.

Encryption/Cryptographic Expert

What is it:

Encryption is of huge importance to thousands of organizations who conduct their business online. Having robust, trustworthy encryption is absolutely necessary – and it doesn’t just grow on trees. Encryption specialists, engineers, and mathematicians all contribute to the body of systems that underpin modern encryption standards. Likewise, it is sometimes necessary to break down encryption regimes when they are misused in, for example, ransomware.

What you need to do it:

Encryption as a discipline rests at a crossroads between computer science, information technology, software engineering, academic research, and mathematics. Education in any of these fields (and preferably, some exposure to all of them) is necessary to start a career as an encryption expert. Many industry cryptographic experts do not start out as such, but instead work in a related discipline while building up their experience.

What will help you get there:

Curiosity, experience, and the demonstrated ability to understand, create, and break down encryption systems. Having strong math and problem-solving abilities are definite assets in this field, as is the willingness to work and train more broadly in related disciplines.

What you get:

Cryptographic experts enjoy the opportunity for broader learning and work experience in the cybersecurity industry. Opportunities for income are usually tied to a combination of education, experience, and reputation. Income can vary widely – those just entering the field may not see the most lucrative offers, but those with long careers specializing in encryption may be tapped for rare and extremely lucrative consulting roles.

Cloud/Network Security Specialist

What is it:

Cybersecurity’s newest frontier is the cloud, which invites many new opportunities and risks. An extension of network technology, cloud computing is the largest growing technology segment within the cybersecurity industry. Cloud and network security specialists share many overlapping concerns, including securing infrastructure that, by definition, must be open and accessible to a specific degree.

What you need to do it:

Post-secondary education in computer science, and/or a certification specifically in a network-related field (CCSP). Network and cloud security specialists have one of the more straightforward routes into their field, as there is unsurprisingly a shortage of qualified professionals. One could realistically qualify for this role with approximately four years of study or an equivalent certification.

What can help you get there:

Having a demonstrated ability to apply your learning, manage complexity, and work with a team is key. Network infrastructure is typically, by its nature, physically and conceptually large enough that it will only ever be serviced by a team. Being able to show your successes with a team will ensure that you get noticed by potential employers.

What you get:

Network and Cloud security specialists are in demand world-wide, and often enjoy competitive wages and the opportunity to be the innovators and implementers of some of the newest technologies. Drawbacks include being on call for crisis response, and the inevitable pains in dealing with complex, new, and growing systems.

Technical Writers, Copywriters, and Communicators

What is it:

Cybersecurity doesn’t exist in a vacuum, and the industry often must interface with businesses, communities, the wider public, and even different parts of itself. Having professionals that are able to write and communicate plain language about cybersecurity to different audiences is usually critical to success, both in terms of securing assets and generating business.

What you need to do it:

Unlike most cybersecurity roles, being a specialized writer depends almost entirely on demonstration of previous ability. Having some combination of post-secondary studies, either in language-centric fields like English or Communications, or technology-centric fields, like Information and Communications Technology (ICT), Computer Science, or Software Engineering, can all be assets (especially if one has combined experience in both humanities and technology roles). But central to the role is the ability to communicate clearly on technical topics.

What can help you get there:

Akin to more “creative” roles, having a portfolio of your work is a powerful asset for pursuing employment, as it will unequivocally demonstrate that you can do the job of communicating technical information. Likewise, choosing to go either “wide,” by having a variety of experience in different fields and industries, or “tall,” by working and writing on one topic exclusively, can have an impact on which aspects of cybersecurity you may be qualified to write about. Writers also depend on networking for most of their career prospects, which means it’s necessary to foster relationships with cybersecurity experts throughout the industry.

What you get:

Writers aren’t in as much apparent demand as most cybersecurity professionals, and accordingly, don’t command the same incomes. Good communicators are, however, extremely desirable among their fellow cybersecurity professionals, as they provide the vital bridge to company leadership, clients, and the public at large. Those who excel in these roles may not hit six figure salaries but will rarely suffer from lack of work. Drawbacks include demanding deadlines and occasional disposability.

Compliance/Policy Experts

What is it:

Compliance is where the cybersecurity industry intersects with the legal and regulatory frameworks of a given country. Compliance professionals ensure that cybersecurity and company practices are sufficient to meet jurisdiction requirements, with regards to privacy and data handling.

What you need to do it:

To become a compliance specialist, one must have the rare combination of both technical aptitude and the ability to interpret whether practices and systems stack up to legal expectations. Naturally, this means that compliance roles are generally senior positions, reserved for veteran professionals who have broad experiences working with technology, while also having an elevated understanding of the legal frameworks that govern its use and deployment.

What can help you get there:

Those who thrive in compliance roles often have extremely diverse interests, encompassing technology, law, regulations, and everything in between. The role is, at its heart, risk management, and so an understanding of risk mitigation techniques will complement whatever background you have in technology and policy. As the role often offers a healthy contrarianism to the ambitions of a business, the ability to communicate effectively with executives and stakeholders is important as well.

What you get:

Compliance specialists are usually well-compensated for their role, especially once they have experience. Successful individuals in this role are often instrumental in steering a business away from trouble and may advance to management or executive positions. Drawbacks include difficulty building social relationships with colleagues, and the frustration of dealing with not one but two dynamic fields: technology, and the laws that govern it.

These are just a few of the specializations available to those seeking to build a career in cybersecurity. There are, of course, some that were not listed here, such as software developers – a discipline intricate and deep enough that we will probably make a separate post about it. Additionally, it’s worth noting that none of the roles above are exclusive. It is very common for a long-term cybersecurity professional to branch out into different aspects of the discipline, attaining multiple certifications in a variety of specializations.