I am asked probably twice a week to help somebody get a job in the security profession. Unfortunately, I can't help that many people individually, but perhaps this article will allow me to help many people all at once.
I do have some firm thoughts on how to get a job in cybersecurity, and this isn't the first time I've tried to express them in Computerworld. And I'm the first to admit that I bring some strong biases to the subject. First, you need to understand that I look at cybersecurity as a specialization within the computer field. The implication of this is that cybersecurity is a career for those in the computer field to aspire to, and not a trade, with entry-level positions. It is a position that should be earned with significant experience in the computer field.
If you want to just be a tool jockey and perform vulnerability scans, don't read this article. Just look for some basic certifications and try to get a job. There is nothing special I can do to help you. However, if you really want a career in the field, you will hopefully find some value in reading on.
One thing that will make a difference for you is getting a college degree. The article I mentioned earlier was called "Let's scuttle cybersecurity bachelor's degree programs." And, yes, I do believe that cybersecurity degrees are the wrong way to go. But a college degree of some description (your major is really quite irrelevant) is still quite valuable, and here's why.
Most college degrees require that you learn to communicate better. They require you to take writing courses that many of us would never take voluntarily. They require that you take courses that are outside your area of interest, which helps make you well rounded. Business courses, for example, can help you better understand the organizations that you will serve. It isn't always possible to see these things at the time. I thought required writing courses were a complete waste of my time when I was in college, and it wasn't until years later that I learned how valuable they had been.
More importantly, if you want to advance your career, the absence of a college degree will impede promotions and make it more difficult to get the jobs you want. That degree on your résumé is a baseline that recruiters and hiring managers are going to be looking for. If you can't include it on yours, you will need some way to grab their attention and show just how truly exceptional you are at what you do. Good luck with that. Nearly everyone you will compete against is going to have a degree. If you don't, you're hobbled right at the start. You can argue all you want about experience being the better teacher; hiring managers just don't have the time to root around for the person who actually has the best experience for the job. Having a degree serves as shorthand on your résumé, saying, "I have a basic check box that most serious candidates will have."
I want to be very clear that I am not saying that not having a college degree means that you have limited skills. Some of the most talented professionals I know do not have a degree. But despite their abundant talent, they have had an uphill battle in advancing their careers. Few have been able to advance to management roles. This might be perfect for you, but if you want flexibility and mobility, you will be at a disadvantage.
Once you have a degree, the next step toward a career in cybersecurity is to get a job that doesn't involve cybersecurity. Instead, get a job doing general computer work. The logic behind this is that you cannot be expected to protect computers if you don't know how to administer a computer system, you can't secure a system that you can't properly configure on your own, you can't secure a database if you aren't fluent in the database management system, and you certainly can't write secure code if you can't code at all.
Whether you have a job in the computer profession or not, since your goal is to be well rounded in basic computer disciplines, you can do other things that will contribute to your experience. Teach yourself to code, if you don't know how to do so already. There are plenty of free utilities on the Internet that will help you do this. Set up a home network, using cheap computers. Or, for even more experience, build your own computers. If one computer is all you can swing, you can partition the hard drive to run both Linux and Windows. Then practice securing your computers and your network. If you really want to get into penetration testing, you can practice hacking your own computers with different configurations.
Another option -- one that will allow you to be actually useful -- is to donate your time to a charity or other organization. Such organizations often need help with their security, and anything you can do to keep them safe will be invaluable to them and a public service. Put your accomplishments in the nonprofit world on your résumé; it's both impressive and rewarding to secure an organization that has little or no budget.
Moving into security
A lot of people who talk to me about getting into cybersecurity want to get a job doing penetration tests. They think it's sexy. I won't argue the point; I went that route myself. But what you need to realize is that securing an organization is not a matter of just highlighting its insecurities.
Early in my penetration testing career, I felt a rush whenever I compromised a major organization. With time, though, I came to see that the organizations I was compromising were not improving. The vulnerabilities I compromised might get fixed, but it wasn't especially hard to find other vulnerabilities.
Eventually, I started restructuring my reports to focus on the underlying reasons for the vulnerabilities and recommend administration procedures and systems to put in place. Only then did my clients begin to improve their security postures -- they began to look for an environment that made vulnerabilities likely, and not just to close off a known vulnerability. But it's important to understand that I wouldn't have been able to produce comprehensible reports like that if I had not come to penetration testing with a broad background that allowed me to understand the resources required, to create and test baselines, and to understand configuration management. I needed to be familiar with general systems administration procedures.
When I wrote the article denigrating cybersecurity degrees, I said that organizations in need of cybersecurity professionals should look to the people already working for them who have demonstrated talent, and then give them the on-the-job training they need to develop security-relevant skills.
Coming at it from the other side, my message to anyone who wants to be a cybersecurity professional is to stop worrying about security and first become the best computer professional that you can be.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.