As the cyber security landscape continues to transform before our eyes, it’s becoming increasingly evident that we can no longer just depend on legacy cyber security solutions to protect organizations and employees. The more we rely on technology in the future, the more we need to think about the human being at the center of everything that we do. This realization is also changing the requirements and desired qualifications for new security hires.
Here are some key things to keep in mind as you evaluate avenues to take control of your cyber security career in 2022:
Practical experience outweighs formal training
There is no doubt that formal training teaches many invaluable skills in cyber security—analytical thinking, writing and communication, time management, independence, and self-management/motivation. That said, obtaining an undergraduate degree in a subject unrelated to cyber security shouldn’t be discounted in the same way that achieving a CERT instead of a degree shouldn’t be discounted. This multidisciplinary approach provides individuals with a competitive edge, especially as we continue to witness a paradigm shift towards greater value being placed on cyber security skills underpinned by Behavioral Science (psychology to insider threat, law to GRC, business to risk management).
While there is value in formal training, there is nothing better than practical experience. In fact, in recent years leading cyber security businesses have become less interested in hiring cyber folks with lots of experience, including graduates from two- or three-year cyber courses. In most of these cases, this is due to outdated training that provides candidates with skills that are no longer sought after (i.e., pen-testing!). In these instances, we often need these candidates to unlearn this training and think outside the box again.
Apprenticeships aren’t the only avenue for career growth
If you’re able to secure a good apprenticeship, it can drive your career forward, offering in-depth experience in the industry and organization, and in some cases result in a full-time job offer. However, these can be difficult to find and often range in quality. Alternatively, CTFs and bug bounty programs are popular avenues for individuals looking to go down the technical route. The only caveat to these programs is that they are unlikely to attract the general population of employers looking for cyber consultants/analysts as much as DFIR/Engineering/Red Team organizations.
In lieu of the above avenues, industry projects are a great way of gaining cyber security skills. Completing a project for an organization and taking it end-to-end will offer first-hand insight into what it would be like to pursue a career in that field/workplace while simultaneously providing an opportunity to produce something tangible that you can showcase when applying or interviewing for future roles. In particular, industry projects with small organizations offer the best opportunities for individuals to break out of the traditional models and drive innovation whilst exploring all of their options.
If you’re trying to get into the cyber security industry from a standing start, the best route would be to seek internships with leading cyber security providers and innovators. Oftentimes this needs to be done voluntarily, as many cyber businesses work around the clock providing endless options for those interested in developing their skills to land a job faster. Whether it’s shift work on the SOC, or vendor organizations that work very long hours…there is always an option to accelerate skill development if you’re motivated to find it!
Choose fellowships and boot camps that align with your learning goals
There are a lot of specific boot camps like OSINT, IR, or coding with a focus on cyber, but cyber security-focused boot camps tend to be very high level and broad, attracting a range of participants. It’s not uncommon to see an executive join one of these programs to get a “base knowledge” of cyber alongside a first-year undergraduate student looking to start their learning journey. Boot camps work best when they are specific and targeted so that the material is relevant for those consuming it. There are a lot of boot camps run by vendors and some universities have short course/boot camp style offerings, so before signing up for a program, make sure you do your research to see if the material aligns with your learning goals and is at the level you are looking for.
In a recent panel discussion from Next-Gen Cyber Talent, I joined industry leaders from MITRE, Uber, and Verizon to discuss the importance of embedding behavioral science skills in the cyber security industry. Check out the recording here to learn more about their journeys and the cyber security skills that are most desired in today’s Work-From-Anywhere era.