How to get the cyber security job you want or to move up in your existing cyber security career
As far as employment opportunities go, experts far and wide agree that the cyber security career field is booming for job seekers. Between rising cybercrime activity and more exacting laws and regulatory standards, the demand for skilled and knowledgeable cybersecurity professionals in 2019 continues to rise.
Cybersecurity Ventures reports that the cost of cybercrime is anticipated to reach unprecedented levels in 2021 — when damages are anticipated to cost the world $6 trillion annually. As such, companies worldwide are upping their game to increase their defenses in this war against cybercriminals — meaning that they need the best cybersecurity experts in place.
But, where does this leave you as a job seeker who is looking for a cyber security career? Whether you’re looking to get a start in the industry or seek to revitalize your existing cyber security career, there are things you’ll need to know to be most successful.
We’ve consulted with several industry experts and picked their brains on what new and established cyber security professionals can do to enhance their cyber security careers:
Let’s hash it out.
9 tips to help you as you seek to start or grow your cyber security career
1. Network and market yourself
Simply put, if you’re a professional with cyber security experience, you’re in high demand. Cybersecurity Ventures reports that the unemployment rate for cyber security professionals is at 0%. Compare this to the national unemployment rate, which the U.S. Bureau of Labor Statistics (BLS) reports was 3.7% in June 2019.
How can there be so many open positions? In part, it’s because the cyber security career field isn’t heavily populated. The field is highly specialized and, as such, has fewer people who are qualified or have the requisite experience for the jobs. However, that doesn’t mean that you shouldn’t put forth any effort because jobs appear to be so available — after all, you want the right job and not just any job.
How to stand out from other cyber security pros
To make yourself stand out, create a compelling LinkedIn profile and a strong CV that highlights your achievements. Share about complex projects or cyber security issues you helped your organization resolve.
However, tooting your horn isn’t enough on its own; you need to get out there to network and meet others in your field. Moving up in many fields — technology included — often can come down to who you know. This is why networking is essential for every IT security professional. Thankfully, there are groups that can help you connect with other cyber security and IT security professionals.
Don Baham, president at Kraft Technology Group, LLC, says the importance of getting involved with industry groups can’t be overstated:
“Whether an individual is brand new to the field, is an IT professional looking to make a move, or someone already working in the space but looking to progress, I recommend getting involved in industry groups and pursuing relevant certifications.
Four groups that have national/international levels as well as local chapters are InfraGard, International Information System Security Certification Consortium (ISC2), Information Systems Security Association (ISSA), and ISACA. Depending on location, one or more of these local chapters may be more active and beneficial to get engaged with.”
2. Know your worth: cyber security careers pay more than the national average
Whenever you’re looking for new jobs or are in the interview process, it’s vital you know what the salary expectations are any careers you’re considering. Unless it’s vital that you take a job immediately (which we get — after all, we all need money to survive), do your research to ensure that you’re receiving pay that is commensurate with the responsibilities and expectations of the job.
The average cyber security professional makes an above-average salary in the U.S. Glassdoor reports that the national average base pay for a cyber security salaries is $91,500 per year. ZipRecruiter lists it even higher at $119,877 per year as the national average. Considering that the BLS reports the national median salary as of Q1 2019 was a little more than $47,000, the difference is obvious.
According to the BLS:
- Computer and information systems managers make a median salary of $142,530 per year. This cyber security job outlook is increasing at a rate of 12%, which is faster than the national average.
- Computer network architects make a median salary of $109,020 per year. This cyber security career is growing at a bit slower rate of 6%, which is on par with the national average.
- Computer systems analysts make a median salary of $88,740 per year. This cyber security job outlook is growing at a rate of 9%, which is about as fast as the national average for jobs.
- Information security analysts make a median salary of $98,350 per year. This cyber security career is growing at a rate of 28%, which is about three times faster than the national average.
It’s important to remember, however, that the salaries of these jobs will be higher or lower depending on a variety of factors, including:
- The job’s location
- The size of the company or organization
- Your experience level, expertise, or specializations
- The roles and responsibilities of the position
5 of the highest-paying cyber security careers
Cybersecurity Ventures reports that there are five cyber security careers that are anticipated to make at least $200,000 annually in 2019. These include:
- Freelance Bug Bounty Hunter
- Chief Information Security Officer (CISO)
- Deputy CISO
- Lead Software Security Engineer
- Cybersecurity Sales Engineer
3. Take advantage of the growing skills gap in the cyber security career field
Cybersecurity Ventures estimates that there will be 3.5 million cyber security jobs open by 2021. The Cybersecurity Workforce Study from (ISC)², an international, nonprofit membership association for information security leaders, reports:
“The gap is having a serious real-world impact around the globe. Asia-Pacific, with its growing economies and brand new privacy regulations, is experiencing the biggest shortage — 2.14 million positions. The massive worldwide shortage not only places organizations affected by the shortage at higher risk of cyber attack, but also affects job satisfaction of current cybersecurity staff.”
Research from Cyber Seek, a project supported by the National Institute of Standards and Technology’s (NIST’s) National Initiative for Cybersecurity Education (NICE) program, shows that cybersecurity skills gaps exist across the U.S. The cybersecurity workforce supply/demand ratio for cyber security jobs (2.3) is less than half of the national average for all jobs (5.8).
Aside from prior experience, what else do cyber security recruiters and hiring managers look for in candidates?
Wil Buchanan, president of Philantech3 Consulting Group, shares some of the challenges and traits his company seeks:
“As an employer in the cyber security industry, it’s difficult to find people with the type of experience that we are looking for (3-5 years of dedicated cyber security work). Without experience, the next thing that we look for is desire and certifications. We feel that for a team member to be effective, they must love what they do, or at least have a deep passion for the work.”
This creates a prime opportunity for you as a cyber security professional: If you don’t have an applicable degree, you can work on industry certifications or do other things that demonstrate your passion for the field.
4. Understand the job’s expectations: Learn what each cyber security job entails
You know there’s a demand for cybersecurity professionals, but what you might not know is what individual cyber security careers are and what each one specifically entails. After all, “cyber security professionals” is a very broad, catch-all term that encompasses many unique roles with varying skill sets. Although the titles and responsibilities will vary from company to company, there are some general shared responsibilities and expectations for those positions.
Five of the most in-demand cyber security jobs Cyber Seek reports include:
- Cyber security analyst /engineer —planning, monitoring, implementing or upgrading security measures that safeguard computer networks, electronic infrastructure, and digital files.
- Cyber security consultant — assessing computer systems, networks, and software for vulnerabilities, as well as outlining the best cyber security solutions for implementation.
- Systems administrator — technical support, daily system monitoring, backing up data, administering IT security infrastructure, and other responsibilities.
- Systems engineer — ensuring the highest levels of infrastructure and systems availability by managing, monitoring, testing, and maintaining them through a variety of tools.
- Vulnerability analyst / penetration tester — poking, prodding, and trying to break through a network or system’s defenses to identify vulnerabilities that cybercriminals can exploit.
With all of this in mind, the next step is to figure out whether you have the training and experience that you need for the cyber security career you want. If not, there’s training available that can help you get there.
5. Get training: Identify trainings or certifications you’ll need to complete
A cyber security career path doesn’t have to be a straight line; some professionals will transition from one specialization to another depending on their interests or to bridge the cybersecurity skills gap within their organizations.
Once you figure out which job that you’re interested in working, you’ll need to see what qualifications you’d need to meet to reach that goal in the future and start working backward from there. If you’re already working in the field, it’s likely that you already hold at least one degree or certificate in your area of expertise. If not, now is the time to earn those certifications to bring your paycheck to the next level.
Certifications not only show that you are taking the time to learn new material but you’re completing certifications that require you to demonstrate competence in your area of expertise. Some of the top certifications that can take your career (and paycheck) to the next level include:
- Certified Authorization Professional (CAP)
- Certified Cloud Security Professional (CCSP)
- Certified Information Systems Security Professional (CISSP) — there are additional, more specified concentrations for information systems security architecture, engineering, and management professionals
- Certified Secure Software Lifecycle Professional (CSSLP)
- Systems Security Certified Practitioner (SSCP)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Cisco Certifications:
- Cisco Certified Network Associate (CCNA Security)
- Cisco Certified Network Professional Security (CCNP Security)
- Cisco Certified Internetwork Expert Security (CCIE Security)
- CompTIA Advanced Security Practitioner (CASP)
For someone with little (or no) cybersecurity experience, start by learning IT fundamentals. You’ll need that foundation in IT to be effective in your career. Consider earning some of the following beginner-level certifications:
- CompTIA IT Fundamentals (ITF+)
- CompTIA A+
- CompTIA Network+
- CompTIA Linux+
- CompTIA Security+
- Microsoft Technology Associate (MTA) Security Fundamentals
Will Ellis, a security analyst at the privacy advocacy group Privacy Australia, says he recommends the CompTIA Security+ certification to individuals who are early in their cyber security careers in particular:
“The reason I recommend it is because it covers all of the basics and is well-respected while being vendor neutral. It really lays the groundwork for all the IT infrastructure and cybersecurity career paths available.”
Some of the benefits of earning different certifications is that while they often focus on their particular area of concentration, they also cover other areas of cyber security as well to help you become a more well-rounded and informed professional.
Choose the right certification
Not just any cyber security certification will do. Christopher Gerg, CISO and vice president of cyber risk management at Gillware, emphasizes the importance of choosing the right certification(s) to help meet your goals:
“In general, the value of the certification is based upon the current phase in your career. For example, if you are new to an industry holding a certification will establish a baseline of capability and knowledge. If you’re a consultant or a public speaker, a certification can do the same thing – establish a baseline of capability and knowledge. I’ve found that as my career has progressed, my resume has provided the same value, and the need for certifications has diminished. There is also obvious value in targeting the certification to the type of work you are trying to do – the Certified Ethical Hacker and Offensive Security Certified professional certifications would be of limited value if I am trying to hire an analyst for a CISO office to perform risk assessment work.”
Gerg says that the CCNA certificate (and other Cisco certifications) have proven highly beneficial to him both personally and professionally. “I learned a lot of fundamental knowledge about networking and IPV4 in general – which has paid great dividends in my career.”
6. Have broad expertise: Don’t make security your only focus or specialization
While having an area of expertise is definitely a plus, it shouldn’t be the only ace up your sleeve. The most effective cyber security professionals are those whose tech work experience is well rounded and who demonstrate other skills and expertise. This means that for some IT sec pros, you should try to have other knowledge such as project management or business processes. This may mean branching outside your area of specialization and explore other areas of cyber security.
As Benjamin Roussey of TechGenix.com puts it:
“Build a well-rounded skill set with skills ranging from penetration testing, IOT security, network security, identity, and access management, to other cyber-governance related soft-skills. This enables the security experts to build upon their foundation and branch out even further, into leadership roles.”
7. Explore related opportunities: Get into the industry without prior tech experience
Don’t have prior IT experience? That’s okay — there are other ways that you can start a cyber security career with no prior experience. For example, you could join the military or work at a smaller tech company where they can train you from the ground up.
Lauren Hasson, a full-time software engineer and founder of DevelopHer, a career development platform for tech women, says there’s another way. Hasson says it often comes down to finding an open door at a company that values security:
“I found a company where security matters (by day, I work at a Bay Area payments company – i.e. security is very important) and got my foot in the door through my area of expertise which was application development. Once I established a positive reputation and had ‘paid my dues,’ I began to express interest in adding security. The great news is that security professionals are hard to find so often times companies find high-performing employees internally and train them on the skills that they need to be cybersecurity professionals.”
If performing cyber security tasks isn’t for you, or if you have other skills you want to put to use in the field, you can always look at other related jobs. For example, if you’re a strong communicator or have a head for sales, you may want to work in cyber security sales. If you’re a strong communicator and have a knack for technical things but don’t want to get involved in the day-to-day work of cyber security, then you could become a tech writer or a technology content marketing writer. I can say from experience — if you like to read and learn, it makes for a pretty sweet, challenging, and fun career.
8. Be engaged: Show initiative and engage in industry activities
It should come as no surprise that someone who is driven, engaged, and continually striving to improve professionally often find themselves on an upward trajectory in their cyber security career path. Thankfully, there are things you can do to show initiative.
Dave Hatter, an Intrust IT cyber security consultant with more than 25 years in IT, says that cyber security professionals (and aspiring ones as well) should engage in activities that enable them to keep learning — even outside traditional certification opportunities. For those who are still new to their cyber security careers, this could entail participating in seminars and conferences. For more experienced pros, teaching at those events could also be incredibly beneficial and educational — both to themselves and the people they’re teaching.
One activity Hatter suggests for high school and college-age professionals is to participate in the National Cyber League’s Capture the Flag exercises. These puzzle-based cybersecurity competitions serve as a virtual training ground for challenges they will likely face in the workforce. They can also help to open doors to future cyber security careers.
Hatter shares that there is a growing need for ongoing learning through outside-the-box training methods:
“Cyberattacks are increasing in frequency and complexity. Additionally, the physical world is increasingly connected to and reliant upon the cyber world meaning that cyberattacks can cause injury and chaos in the real world. The bad guys are devious and relentless, so It’s imperative for cyber security professionals to adopt the philosophy of life-long learning and to get experiential training whenever possible.”
9. Don’t overdo it: Take practical steps to avoid burnout
The advice some cyber security experts give is to take on side projects and to always be engaged — even outside work hours — by taking on side projects and continuing to expand their portfolios. While some cyber security leaders promote the benefits of professionals burning their candles at both ends, others are more cautious and see the value of work-life balance in every cyber security career.
Allan Buxton, director of forensics at Secure Forensics, says that to be successful, it’s vital to not overextend yourself:
“Cybersecurity attracts people with an extreme interest in technology – not just using it, but taking it apart, breaking it, or putting it back together differently. That’s a useful interest, but the temptation to continue one’s research well after working hours will ultimately only accelerate burnout. It can be useful, no doubt, but find a balance early and stick to it. Find a hobby outside of tech to pursue some nights or weekends, or make sure your home research doesn’t overlap with work requirements too often (build a home arcade instead of breaking Slack clients, for example). In the long run, you’ll find yourself more creative and committed to your craft.”
The cyber security industry is one with many open doors for those who either have the experience or the drive to gain it. However, as you’ve read, it’s not just about just traditional training and education — being successful in the field also often involves:
- Being passionate and willing to learn;
- Marketing yourself;
- Being connected with other industry professionals and associations;
- Being specialized without being too singularly focused;
- Seeking alternative forms of training and engagement; and
- Embracing your non-technical skills and finding ways to put them to use.
What other helpful tips are you willing to share?
As always, leave any comments or questions below…