How do you start a career in cybersecurity? What qualifications, certifications and skills do you need? Should you spend half the cost of a house on a top-tier degree? Should you try to hack the Pentagon and get a reputation (which actually carries a whole pile of its own issues, so shouldn’t be pursued wholesale) or build your own Python library that helps cure cancer and try to get noticed?
These are some of the questions ESET folks are asked quite frequently. What better time to try and answer them than Cybersecurity Career Awareness Week, a campaign that runs this week and is part of Cybersecurity Awareness Month? The answers will come from two ESET researchers, who will weigh in on what it took in the past to break into security and what seems to be attracting the attention of companies of all stripes hiring today.
RELATED READING: What’s it like to work as a malware researcher? 10 questions answered
Indeed, demand for security professionals continues to outpace supply. The talent gap remains (de)pressing, not least because, you guessed it, security threats aren’t going anywhere. Nary an organization is immune from the myriad risks associated with cyberattacks, as threats escalate in size and frequency and hit ever closer to home, causing untold damage in the process (and in its aftermath). It’s little wonder, then, that many companies will pay top dollar to bring in and retain security talent, and it seems that the stars are aligned for those willing to seize the opportunities.
There’s more to the equation, though. Read on to find out as we sit down with two ESET experts who’ve worked in the trenches of security for decades – Distinguished Researcher Aryeh Goretsky and Specialized Security Researcher Cameron Camp.
First things first, why choose a career in cybersecurity?
Aryeh: There are the usual reasons for entering the cybersecurity field, such as seeking fame or fortune (or both), but a large part of the appeal to me is that it is one of the very few fields where a single person, armed only with their computer, their wits, and their persistence can actually make a difference in a measurable, noticeable way. Being in cybersecurity means that you have an opportunity (not a guarantee, mind you, but an opportunity) to do something that is impactful and helps others.
Keep in mind, though, that not every success is measured in how many CVEs you are credited for, or how much you have been paid from bug bounty programs. Success is ultimately an individual measurement, and the things you find bring you the most gratification may not be the things which bring you, say, the most attention in the media, social or otherwise.
But, with all that said and kept in mind, entering the practice of cybersecurity gives you access to opportunities that few other professions provide, in terms of both knowledge learned and knowledge applied.
Cameron: Get paid to break stuff for the greater good, move out of your mom’s basement. Terminally curious about how things work? Why do things break? How would you fix broken things, if given a chance? Basically, all the things you got in trouble for around your house growing up provide the impetus for a large portion of the researcher populations’ nascent talent and budding careers. All those things you took apart to find out how they work, much to your mom’s chagrin, could be the fodder for your success. While your popularity around home and school may have been regularly called into question, those same qualities are at home in hardware and software security.
How did you start and what drew you to cybersecurity?
Aryeh: There was nothing particularly magical about how I started, nor was it the result of particularly hard work. All it took was a little initiative and, perhaps, a little luck: I knew John McAfee for several years prior to his starting his eponymous antivirus company. He appeared on the local TV news talking about computer viruses, and I thought, “Wow, that’s cool. I know him.”. Then, he appeared a second time, and I realized he might be on to something, business-wise. At the age of 19, with little experience and indeterminate career prospects, I decided to ask him for a job, figuring I could do office work like typing and faxing, which I figured he probably detested and would be happy to farm out. Surprisingly, enough, he hired me on the spot, and that’s how I became the first employee at McAfee Associates. After a few minutes spent explaining to me what computer viruses were, I was ready to take my first technical support phone call.
At the time, I knew I wanted to do something with computers, and was going to community college learning about them, but I wasn’t sure what I wanted to do with them, exactly. At McAfee Associates, I had a chance to learn about the very fast-paced business of computer security, and that allowed me to learn more about the underpinnings of hardware, software, and networking. Every day some new bit of knowledge came to me or some insight occurred. Now, over thirty years later, none of that has changed, except for my continued amazement at how the threats—and the defenses against them—have progressed.
Cameron: Celebration of short attention spans. It never felt like ‘real’ work because I was doing things I would’ve probably normally done anyway, and the pace of change is blistering, which makes my caffeine-riddled ADHD heart skip a beat. Really. But also, congealing constellations of seemingly disparate data together with the finest of threads into understanding a system seemed obvious to me, but apparently not to others.
What does your job actually involve? Let’s debunk some stereotypes ...
Aryeh: A large portion of my job involves talking to people. Another large portion, and perhaps even a more important one, involves listening to them. Still more time is spent reading, which could be anything from a technical paper to social media to internal documentation. I also, on occasion, write things as well.
One of the things I like about my job is that is has a lot of variability about it. To give an example of how all this talking and listening works out in the real world, in the past week I have:
- monitored for emerging threats and well as threat actors
- had discussions with a colleague in Europe about the differences in privacy laws and expectations in the US
- answered some questions about our software for a government
- given some feedback to developers on the next version of one of our programs,
- looked into the security of Microsoft’s new operating system, Windows 11
- reported spammers and support scammers to our threat lab
There are some longer-term ongoing activities I am involved in as well, such as a project with Cameron where we proactively hunt for false positive alarms in our threat detections. Having a false positive occur can be a very debilitating event for a business, so ESET works hard on preventing them.
Also, because it seems like once you do technical support for a living that you never really seem to escape the job, I helped a friend upgrade his installation of ESET Smart Security Premium to the newest version.
Cameron: More corporate/HR type stuff than I thought existed. Taking apart things is fine, but working for a company that sells stuff means you have to put things back together too, and deliver reports that are legible to people who don’t speak binary. That means most people. Or hex. You have to basically make sense to someone who will have a hand in selling or buying something hopefully useful. In short, you have to be a translator back into real-people speak so they’ll give you money, otherwise they stop.
What skills and qualifications do I need?
Aryeh: This is something of a harder question for me to answer, because I entered the field long before there were degrees in cybersecurity, and I also spent the first sixteen years of my career mostly focused on the support side of things.
But I would say that for an entry-level position – that is, one which requires zero to one years of experience – having an understanding of the fundamentals of how a computer’s hardware works, what an operating system does (including a high-level understanding of its various components), and how information is transmitted over networks is going to be a good starting point. If you are going to defend something, having a practical understanding of how it works is going to better help you envision what its weak points are, and how to defend those. With a good understanding of those fundamentals in place, you have a solid foundation on which to increase your knowledge, branch out and explore in the areas that interest you, and further educate yourself—hopefully with the help of your employer through additional skills training, tuition reimbursements and the like.
Cameron: As the industry grows and diversifies by actual job title this continues to change. In future installations we will be able to break this down further. Running backend servers (how I started) is very different than reversing malware. They certainly touch each other and work in the same ecosystem, but have very different daily routines. Either way, learn to natively work in the command line, it’s sort of the essence of what’s happening at a low level that ties everything together, the pretty screen is just to the icing on the digital cake. You’ll need to comfortable in these kinds of “stripped down” keyboard only environments, or at least it will put you ahead of others in the field.
Now on to college – should I do it, how much, and is a degree worth it?
Aryeh: Having a college degree can be important as it demonstrates to prospective employers a certain level of academic rigor and commitment, but getting a four-year degree may be impossible for students due to the high cost of secondary education in the United States. One way to ameliorate this is to take your general education courses at a community (two year) college and then transfer to a college or university to finish up your four-year degree. While some candidates worry that this approach may put them at a disadvantage to a hiring manager, it can also demonstrate the ability to execute long-range plans as well as a certain level of fiscal responsibility.
For someone who is mid-career and is looking either to shift careers or for a promotion, getting a master’s or a doctorate can definitely put you on the inside track.
Many employers are offering tuition reimbursement for employees to get a degree in a work-related field, and some offer payback for existing student loans as well. If you are interviewing for a job, be sure to ask about these as well as any other investments your prospective employer makes in their employee’s continuing education and professional development.
Now, with all of that said, I will point out that there are many candidates for whom the traditional four-year college approach is not an option. There are many free and low-cost courses you can take, as well as certifications available that show mastery of a subject. Depending upon whether the position you are interested in is an entry-level one, this might be a faster and less expensive way of getting your foot in the door than a degree.
Cameron: It’s not a bad thing to have, it gives would-be hiring companies some sort of baseline expectation, especially if it’s a brand name institution (you know I’m not going to name them, but you should be able to), assuring them potentially that you have the capacity to grasp the technology at hand and can help them make it better.
But it’s no guarantee. I’ve been in interviews with recently-minted computer science grads who I didn’t believe knew how to do much more than open a laptop. It was embarrassing. For the school and former student. And technology. Just bad. Also, I’ve been around folks who never driven past a college, but I believe they would the envy of any tech hiring panel. So it’s no guarantee. But it probably increases the likelihood you’d seem qualified to get you past the first round of the hiring process. But not guaranteed to get you hired.
Is there any best path? What should I study for a career in cybersecurity?
Aryeh: If there’s one thing I hope that I have made clear, there is no one single way that one gets into cybersecurity. I always encourage people who have some knowledge in another area to start by looking at what they are familiar with, and then try thinking about that area in terms of cybersecurity. What are the problems it uniquely faces? How might you solve those problems? Taking what you are already familiar with, and then thinking about how to secure it is a great way to begin bridging your career from its existing path into cybersecurity. And keep in mind, cybersecurity is a very broad field, there’s no one who is an expert in all of it. You want to find a niche that interests you, and focus on that aspect of the field. If you’re not sure exactly what interests you the most, start with your general education around cybersecurity concepts and try everything. Eventually, you will find a portion that is interesting to you, and that is where you should focus your studies.
As I mentioned previously, you need to start with an understanding of what it is you need to protect. Having a general understanding of computers and networking, or even more specialized training in IT support and systems or network administration, is going to make you a much better cybersecurity practitioner.
Not all jobs in cybersecurity involve programming, but if you are going to be writing code, having a working knowledge of several different programming languages is a great start, because it lets you think about how you could solve a problem in different ways.
Keep in mind, though, that soft skills and skills that are tangential to your role are very important, too. While you may want to learn all about attacking and defending computers, having an understanding of psychology can help understand an attacker’s motivations. Likewise, being able to communicate clearly, concisely and effectively to both individuals and groups of people is very important, whether it’s justifying the purchase of a new firewall, explaining the impact of a data breach to your C-suite, or asking for a raise. And, regardless of whether you plan on having your own business or working for someone else, having an understanding of how a business operates can make a big difference, especially if you need to explain things according to the bottom line (e.g., money).
Cameron: It’s almost more important to meet the right people, otherwise you’re a collection of text for HR keyword search. Luckily, there are lots of free (or close) security events where you can reverse engineer what others are using to get jobs. One good way is to find an open-source project and figure out how to contribute to it. This means you have to figure out what projects are popular and widely used, how to get along with others who are working on the project and seem valuable enough for them to think you’re useful, then follow through and do the hard work of contributing something people use. Come to think of it, that’s kind of how a job works. So consider it practice, but without a 401K.
How do I start with little-to-no experience?
Aryeh: I would suggest doing two different things. The first is to focus on learning and building your skills. This can be done by reading, listening to podcasts, watching videos, and asking questions on social media. As you learn, take notes, write sample code (if that’s the direction you are moving in) and publish this information in your own personal website(s), such as a blog, wiki, code repository, and so forth. These do not have to be shared publicly, at least initially, but you should create a written record of what you are doing. You can even participate in open-source projects, which are also good for networking (the social kind) from a job’s perspective.
The second part of this is to look for entry-level jobs. This can be by visiting the careers section of companies that you want to work for, searching the listings of local companies for entry-level positions, or, if you are in school, asking for assistance with career placement. Your professor may even have some contacts with former students.
Once you submit your résumé or have your first interview, be sure to include links to your personal websites, as these can often show a prospective employer your thought processes, such as how you approach problems, and how you look for solutions.
Cameron: See my open-source comment above.
Certifications – who are they for and do they matter?
Aryeh: Certifications are important in that they are a rubric for what you know, but I am also a proponent of experience. In the past decade, we have had a profusion of certs. While many of them are useful from a measurement perspective, some of them are dubious in value. They can also be rather expensive, which I feel is a large financial burden to ask from entry-level prospects. All too often, hiring organizations use degrees and certs as a gating mechanism for prospective hires. I am not fond of this, because you can end up hiring someone who went to a cram school or who tests well, but has no practical experience and understanding of how things actually work.
While you may want to explore getting some of the least-expensive certs yourself, and they can help set you aside over other candidates for entry level positions, they are probably more useful to look at when hiring mid-range to senior employees, especially when a professional certification may be required for compliance reasons. Requiring a CISSP, which is a certification for senior-level positions, as a pre-requisite for entry- or junior-level positions is a clear sign that an organization has structural failures, cybersecurity being only one of them.
Cameron: The usual suspects will certainly get you past the initial text scans so common amongst HR department searches. Things like CISSP are certainly near the top of the heap, but you have to match the cert with the intended target. CISSP, for example, is more about security management, whereas some certs are technical like CEH, which is much more focused in scope. So, unless you know your specific audience well, getting certs may mean you’ll just be collecting letters that may or may not result in a job, or at least the one you want. Target well.
To wrap up, how have remote and hybrid work impacted the security talent market? Where do you think we’re headed?
Aryeh: Remote and hybrid work have increased the talent pool in that companies no longer have to hire locally, or offer relocation packages. But it also means the number of applicants for a position have skyrocketed as well, because every job is potentially national or international in the scope of hiring.
A couple of final thoughts I would like to leave people with:
Firstly, that despite what we have heard, we do not necessarily have a huge number of cybersecurity jobs going unfulfilled. While it is easy to talk of a talent gap, it’s also important to understand the salary side of thing as well: If there are fewer candidates to draw from, salaries have to go up. What we might have are employers that simply do not want to have to compete by paying high salaries.
And speaking of salaries, your desire may be to do the most technical thing there is to do in whatever part of the cybersecurity field that interests you. But there’s a good chance that the people in sales or legal are going to make far more money. If amassing a large fortune is what’s important to you, consider wisely what you want to spend your time doing for the next forty years.
Cameron: You still have to build the brand of “You.” But you should be trying to do that anyway. Since you’re essentially selling your skills you allege you possess and getting others to agree. Think about online reviews, no one trusts the author of the software near as much as five other random people recommending it. Even if that methodology is weirdly flawed and open to gaming, so will yours be, and that “online score” of You will most certainly be called into the mix when trying to land a job. Also, don’t do Jell-O shots while dancing in a ring of fire on a bar and use that as your picture on LinkedIn. Long after that seemed like a good idea you’ll be paying for it. Even if you did dance in fire with Jell-O and you consider that a relevant skill highlighting your adaptability in a potential challenging potential work environment. It’s just not good form and will suggest you lack a certain sensibility. Also, you might be hung over during the interview, which is typically to be avoided unless you work during the early days of certain of our competitors. It’s your work to figure out which one(s).
In either case, curate your brand, whether that’s in real life or on the Internet, the two for you will become increasingly one, so choose carefully.
Thank you for your input!
Further resources:
Getting into cybersecurity: Self‑taught vs. university‑educated?
5 reasons to consider a career in cybersecurity
A career in cybersecurity: Is it for you?
Cybersecurity careers: Which one is right for you?
How to improve hiring practices in cybersecurity
Women in cybersecurity: Slowly but surely, change is coming