There is little doubt that cybersecurity is a hot career field at the moment. The cultural zeitgeist is firmly interested in keeping our networks (and everything that relies on them) secure from threats. Whether the threat comes from a sophisticated nation-state hacking/espionage program or random script kiddies looking to demonstrate their abilities, the ability to defend against these kinds of threats is of increasing importance.
But how do you go about building a career in cybersecurity? Do you need a degree, and if so what level of degree do you need? What about certifications? How about experience?
For anyone interested in this area, The CyberWire put out a great special podcast in November 2017 which features conversations with recruiters and hiring managers in the cybersecurity sphere on just these kinds of issues. In Building Your Cybersecurity Career, podcast host Dave Bittner interviews Kathleen Smith, CMO of Clearedjobs.net and CyberSecJobs.com, as well as Robert M. Lee, CEO of cybersecurity company Dragos, about the challenges faced by both sides of the hiring divide in cybersecurity.
As a lifelong learner and someone with a more-than-passing interest in areas of cybersecurity, I found the advice from the podcast to be a typical mixture of helpful and unhelpful. But it does give a good lay of the land, as well as highlight some areas where immediate improvement could be made.
In truth we aren’t leveraging the people we have correctly. And we’re oftentimes not asking the right questions to get the people we need. It’s always a common joke that there is a common technology that is only three years old, but the hiring requirement is looking for an expert with ten years experience on it.
Robert M. Lee, Dragos
There is a reason that this is an open joke within the field. In all fairness, this is an issue across the technology realm, not just within cybersecurity. I’ve seen many job descriptions that read more like an order for a create-your-own-perfect-employee than anything based in reality. One company I frequently see job postings for has job descriptions that are listed as wanting only Recent College Graduates (business speak for “We want cheap hires”) who also have 5-10 years of experience in enterprise-level networks!
Robert is completely on point here. The broken hiring system in place throughout much of the business world not only directly leads to the skills shortage many companies complain about, it also stymies career ambitions for anyone currently in the field who wishes to advance. My only wish is that the podcast had discussed more ways to address this problem, rather than pointing out its existence and recognizing it was a challenge.
Cybersecurity as a Monolith
Kathleen shared an interesting story from a contact she made at the 2017 Women in Cybersecurity conference, where students who were attending were asked what area of cybersecurity they were interested in. The students responded with “All areas”. As Kathleen correctly pointed out, cybersecurity as a whole has done a great job of making itself visible to the public, but an unfortunate side effect is that the aspects of cybersecurity have gotten lost.
Cybersecurity is not a monolith. You need lawyers. You need compliance specialists. You need malware researchers. You need computer forensics specialists. You need penetration testers. You need coders. You need network architects. You need medical specialists and financial specialists and business analysts and policy analysts and on and on and on.
Ironically, I view this as another output of the broken hiring system. People with special skills in areas that are not seen as traditional cybersecurity (such as lawyers or compliance or business specialists) are often screened out of contention by poorly written job requirements and/or poorly executed hiring practices. As Kathleen put it, “You can train someone in cybersecurity practices, but you can’t train someone to be inquisitive or creative or innovative.” But hiring for those skills is a major challenge if you are just checking boxes off a list.
Education vs. Certifications vs. Experience
All three of these matter when it comes to building and maintaining your cybersecurity career. Overall, the feeling seemed to be that the hierarchy of importance looks like this:
Formal Education – This is a required baseline for jobs, especially federal jobs. A bachelor’s degree is required, and a master’s doesn’t hurt. If you want a career, you will need a degree.
Certifications – This is seen as more important than general degrees for a couple of reasons. First, it shows that the candidate has the most up-to-date knowledge in a field that is quickly evolving. Second, it demonstrates that the candidate has the inquisitive nature and dedication to the field that is required.
Both Formal Education and Certifications function as a “barrier for entry” in the words of Lee. This presents major issues in a world where fewer and fewer employers are willing to train their employees as some of these certifications require years of previous experience and can cost several thousand dollars to obtain.
Experience – This remains the gold standard in building your career, but Kathleen also pointed out that this is where professionals within the field can find themselves with challenges. She points out that many experienced professionals aren’t given anything in the way of career management advice, or practical advice for how to translate cybersecurity needs to the business to advance through the ranks. This can lead to job hopping, which is bad for the businesses and the employees. It is on employers, she emphasizes, to create career paths for their talent.
Overall, it was a podcast that is worth your time and should help fuel some necessary conversation.