So You Want to be a Cybersecurity Professional?

Like almost everything else in my life (e.g. marriage, fatherhood), I became a cybersecurity professional with little to no planning. I was happily plodding along with zero direction, and even fewer qualifications, when an employer required me to get an MCSE in Windows NT.

In a very short time I realised that if I was looking at a computer my boss thought I was working, so being lazy, IT was the career for me! However, I did get bored, so when I received a call about my resume from a start-up cybersecurity company, I jumped at the chance. A little homework showed that security was the place to be in IT, even then, especially when the company consisted almost entirely of incredibly smart ex-NSA types.

This was in 2000.

In the 16 subsequent years I have gone from firewall admin, to managed service manager, to consultant, to manager of consultants, to self-employed. I have loved [almost] every minute of it. The funny thing is though, I have no passion for security per se, I just love helping others fix broken stuff. Especially processes.

There is a LOT of work out there.

So my first piece of advice: decide why you want to be a cybersecurity professional in the first place. If it’s just for the money, move on to something else, you’re not welcome here. Having performed the Keirsey Temperament test on 30-odd security consultants across the globe, it was clear that certain characteristics are dominant in their type (ESTJ). Bottom line: they actually care, and they are:

  • Highly social and community minded;
  • Generous with their time and energy;
  • Hard working; and
  • Friendly and talk easily to others.

That’s not to say others can’t do well (I’m an INTJ for example), but you have to know yourself before you know what aspect of security would suit you best. Follow the money, or choose something for which you are not suited, and you will likely fail.

Then Bear These Things in Mind…

  1. Qualifications: A degree in cybersecurity should not be seen as a pre-requisite, as certifications are almost as much good, and neither of these things can trump experience. Regardless of your qualifications, you will start at the bottom, and there is no better place to learn. Make the most of it.
  2. Specialise or Generalise: You’ll need to decide very quickly which you’re going to be; Specialist, or Generalist. You cannot be both, there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same, you must find what suits you best.
  3. Learn the Basics: Jumping straight into a career in User and Entity Behavior Analytics (UEBA) or Intelligence-Driven Security Operations Center Orchestration Solutions (whatever the hell that is) may be tempting, but you are not doing your career, or more importantly, your clients, any favours. From Confidentiality, Integrity & Availability, to Risk Assessment, Asset Management, to Policy & Procedure, the basics have never, and will never change. Whenever you find yourself stuck, only the basics can give you a clear way forward.
  4. Choose a Camp: Unfortunately most cybersecurity professionals tend to fall into one of two camps; 1) those focused primarily on Technology, and 2) those focused primarily on People and Process. These are two distinct skill-sets, so know which you are, and make sure you pair up with a counterpart.
  5. Ask for Help: I got where I am without a mentor as such, but I most certainly didn’t get here without a LOT of help. Nor would I be able to stay here without the constant support of my peers. If there’s one thing I love about cybersecurity professionals it’s their generosity and desire to help. So join your local chapter of ISC2, ISACA and / or ISSA and start talking to people.
    Use mentors too if you can, as while I have few regrets in my career path, not having a mentor is one of them.

Without question, a career in cybersecurity can be very rewarding, both in personal achievement and financial terms. It can also chew you up and spit you out if you’re not careful.

In the end, cybersecurity will give as much back as you put in, there are no shortcuts.

10 thoughts on “So You Want to be a Cybersecurity Professional?”

  1. There has to be a pre-requisite of having excelled in some field of IT for at least 5 years, and the security wannabe has to have shown evidence of flexibility (e.g. Windows bod is not averse to unix/linux). Just my opinion, and am yet to hear an _objective_ argument against it. Bear in mind that field of IT that I was talking about _can_ be secops – but then the candidate has to understand that when they’re in secops they’re in ops, not security.
    Specialisations – agree – even old gits like Dan Geer advocate this these days, it’s just that the modern specialisations are not wide enough. SIEM for example – this is not a specialisation really. The old fashioned specialisations still make more sense than anything I’ve seen in job ads in recent years.

  2. Hi

    This is a very interesting article as I am in that position now that you were in, in 2000. I have 11 years of SAP Security (for what that is worth) but fascinated in tech security and love what I do in SAP, but I need a fresh challenge and want to move into Cyber Security, so thank you for all your information. Very helpful


    Mark Willoughby

  3. Fully agree,

    I have been in countless discussions with college graduates, who think they should earn more just because they have a degree. My response is always the same, “show me you can do the work, then we’ll see how much you’re really worth”.
    Now, a degree is good, and you may be more tech savvy than the average consultant, but if you don’t understand the underlying reason for a particular security control then it’s not worth diddly.
    I, like you, got to where I am by happenstance, I have a knack for finding flaws (to the annoyance of others), understanding the cause and working out a solution. This brought me naturally into security, and I’m likely to be stuck in this field.
    I don’t have a college degree, which I can regret at times, but I don’t think it would’ve affected my career path as, at least from my point of view, talent and experience trumps everything else.

    • Johan,
      I am finding the analytical talents I developed in a different career work well in Cybersecurity. I got my degree simply because I have not had the opportunity for experience but I could care less about starting pay.

  4. I find this article really informative and timely for security aspirants like me! I am on my way to applying for admission into Temples PMS in Cyber Security and Defense program.

    I have always maintained that the core of the CIA triad revolves around people and processes and even highlighted this idea as my research interest area in my goal statement. Whether my consideration is a fact, is something I have yet to prove through research study.

  5. Yes I agree with you. In my case I pursued an A.S in cyber security, became CCNA Security/Voice/R&S/COMPTIA A+/Sec+ but could not find a job because I had no experience. Finally my son was tutoring a CEO for his CCNA and told him about me and he interviewed me and hired me. I am doing NGFW POV installation and tests, I have been lucky enough to sell the next generation firewall, Cisco Routers and switches along with all the licensing. I am one of the few that will find a high paying job but the training being solo. For those of you that just graduated and passed your certs I wish you luck since most of the responses to your resumes will be no, but do not get discouraged, keep applying.

    • Very many thanks for sharing Eric!

      With the decentralisation of identity management (from DBs to mobile devices) and the Internet of Things, security skill-sets will only become more and more valuable. And necessary. While I absolutely agree that breaking into security is a definitive chicken-and-egg scenario, it is well worth the effort.

  6. I’m in a rather unique position coming into the field. I was disabled after 35 years in printing and publishing and decided to change careers. I have no work-related IT experience but I just finished an MSIT in Cybersecurity from a top school (at the age of 66 with a 3.97 GPA) and am getting my Security + certification.
    While I’m getting some responses to my job applications, I find that two things really are barriers to entering the field:
    1. Age discrimination is alive and well
    2. Many companies will only take applications from individuals with live clearances.
    This is a great article; I’ve identified areas from my previous experience I can bring into the field. In my point of view, I’m going to get paid for doing something I love.
