
Navigating the cybersecurity career maze


Cybersecurity is not just a career choice; it's a mission critical to the functioning of nations, businesses, consumers, individuals, and society at large. With the digital landscape expanding rapidly, the need for cybersecurity professionals has never been more urgent.

There is a growing need for cybersecurity professionals at all levels within all industries. Supply is not keeping pace with demand, owing to the growing number of hacks on organizations (government, private, for-profit and non-profit) in every industry, as well as the decrease in enrollment in formal four-year colleges (Pew Research). Many reports and studies show the relevant metrics. According to Cyber Seek, on average, cybersecurity roles take 21% longer to fill than other IT jobs. The national supply/demand ratio is 82%, meaning there are only enough cybersecurity workers in the United States to fill 82% of the cybersecurity jobs that employers demand. There are 448,000 cybersecurity job openings nationally, while 1.1 million cybersecurity professionals are employed. These figures are based on Cyber Seek data for Feb 2023 to Jan 2024.

But how does one embark on this journey? What pathways exist, and why is cybersecurity so crucial?

Understanding the significance of cybersecurity

Importance for nations/governments

In an era where cyber warfare is a reality, the protection of national infrastructure, sensitive data, and citizen privacy is paramount. Governments invest heavily in cybersecurity to safeguard against cyber threats, espionage, and attacks on critical systems.

Vital for businesses

Businesses face constant cyber threats that can disrupt operations, compromise sensitive information, and damage reputation. Cybersecurity measures are essential for protecting intellectual property, customer data, and financial assets, ensuring business continuity and trust.

Crucial for consumers

With the rise of digital transactions and online interactions, consumers are increasingly vulnerable to identity theft, fraud, and privacy breaches. Strong cybersecurity safeguards are necessary to protect personal information and digital assets.

Indispensable for individuals

Individuals rely on digital devices and platforms for communication, financial transactions, and entertainment. Cybersecurity awareness and practices are essential for safeguarding personal data, privacy, and digital identities.

Essential for society

Secure cyberspace underpins the functioning of modern society, enabling communication, commerce, and innovation. Cybersecurity promotes trust, stability, and resilience in digital ecosystems, fostering social progress and development.

Addressing the workforce shortage and future demand

Despite the growing demand for cybersecurity professionals, there's a persistent shortage of skilled talent. As technology evolves and cyber threats become more sophisticated, the gap between supply and demand widens. Organizations struggle to fill cybersecurity roles, creating lucrative opportunities for aspiring professionals.

Where to start

Cybersecurity is ultimately not about hacking and, contrary to what most believe, is not a purely technical domain. It is about learning how things work in a business environment, both technical and non-technical. With this knowledge, it is about how you can contribute to business outcomes by mitigating the risks inherent in the interdependent systems (people, process, technology) that businesses rely on. At the end of the day, cyber is a business risk issue.

Is cybersecurity right for me?

Regardless of your background or degree, you bring unique skills and experiences that cybersecurity desperately needs! Many of the best security professionals have non-technical backgrounds. Maybe you have good communication or people skills, or you know your industry very well (e.g., healthcare, higher education, retail, manufacturing), or you have a very specialized skillset and are good at what you do within a business function such as data analytics, audit, accounting, marketing, legal, HR, procurement, or finance. All of these are needed in cybersecurity professionals. You can be the cyber expert in that one area of your organization.

Regardless of your background and education, cybersecurity is for you if you have: an interest in technology, problem-solving skills, attention to detail, an ethical mindset in relation to data privacy and cyber practices, a desire to stay up to date with the latest trends via ongoing learning, social/people/communication skills and a focus on team collaboration, adaptability to changing technologies, and a resilient mindset to handle high-pressure situations.

What can you do with minimal investment?

Though you don't need a technical background, you might like the technical aspects of cybersecurity. You can start learning at your own pace at home without spending too much money. A simple physical home lab setup would allow you to learn and experience cybersecurity and its basic application, network, and data components. Alternatively, you can set up virtual labs, interact with them, and learn in the cloud using freely available tools from Amazon AWS, Microsoft Azure or Google. The fail-and-learn approach is the best part. All you need is time, and you can rebuild and start from scratch again without making the same mistakes.

It is the non-technical aspects of cyber that matter the most. Connecting with people who are in cyber, especially in the areas and industries you are interested in, would allow you to find out and learn more. Virtual and in-person events, conferences, and meetups organized by professional organizations, most of which are free, would also be a great opportunity to engage with the right people and learn about cyber. Once you attend one or two events and connect with other people, it becomes easier to grow your network and your overall knowledge. Of course, there are plenty of free online materials. YouTube videos are your best learning source, along with podcasts and free platforms that make webinars available. You have many options to learn about cybersecurity; time is what you need.

Aspiring professionals

Aspiring professionals in cybersecurity face a tough choice when it comes to investing in their education and training. There are many tradeoffs to consider before committing to a certain path. Though there are many options that will make the transition to cybersecurity easier, what matters is selecting the ones that fit your own context and future goals. Each of these paths has something to offer. Some prefer formal education from an accredited program, where the program undergoes rigorous vetting to ensure the content is accurate and relevant. Some prefer industry certifications. Some of these certifications are technology specific and change often. Some, similar to formal programs, focus on theory. Hands-on experience is also important, but the theory gained stays relevant regardless of the current technology, which might change tomorrow. One thing is for sure: none of the paths alone is a silver bullet. It takes time, effort, and ongoing learning to be a cyber professional.

The investment required for these programs can also be a hurdle. While credentials don't guarantee success, knowledge is essential. For those interested in advancing their knowledge, skills, and practice, increasing opportunities for success. If you have the time and budget to invest in your future. I understand that classes can be expensive, and people have other financial obligations.

Structured approach

Frameworks like SFIA (Skills Framework for the Information Age) provide a structured approach to defining and developing cybersecurity skills. By mapping competencies to job roles and proficiency levels, SFIA enables individuals to assess their skills, identify gaps, and plan career progression effectively.

There are also various government supported programs focused on supporting the country's ability to address current and future cybersecurity education and workforce challenges through standards and best practices. The National Initiative for Cybersecurity Education (NICE) program is a partnership between government, academia, and the private sector. The mission of NICE is to energize, promote, and coordinate a robust community working together to advance an integrated ecosystem of cybersecurity education, training, and workforce development.

Online vs in-person

The format of these programs carries different advantages and disadvantages.

The choice between an online and in-person cybersecurity program can greatly impact your learning experience, based on factors like your learning style, schedule flexibility, and career goals.

Online programs are more cost effective and flexible. Working professionals usually benefit more from these programs. Some online programs are merely video recordings for asynchronous learning, with little interaction with the instructor. Some are synchronous and more flexible, and provide interaction and engagement with the instructors as well as various networking opportunities.

Pathways to cybersecurity expertise

Hands-on work experience

Hands-on experience is invaluable in cybersecurity, allowing individuals to apply theoretical knowledge to real-world scenarios. Entry-level positions such as security analysts, incident responders, or network administrators provide opportunities for practical learning and skill development.

Formal education and degrees

Academic programs in cybersecurity, computer science, or information technology offer a solid foundation for aspiring professionals. A bachelor's or master's degree equips individuals with technical expertise, analytical skills, and critical thinking abilities essential for cybersecurity roles. Though formats and cost structures differ, generally speaking a formal education provides: expert instruction from seasoned industry leaders or academic faculty; a relevant curriculum, with accreditation ensuring it is aligned with industry; interactive learning via synchronous sessions and real-time interaction with instructors; the flexibility of online or in-person learning; networking opportunities with faculty, advisory boards, and other students in the cohort; career advancement and professional development; and industry recognition that is viewed favorably by employers.

Industry certifications

Certifications validate specialized skills and knowledge in specific areas of cybersecurity, both technical and non-technical, or even in specific industries such as healthcare. Credentials like CRISC (Certified in Risk and Information Systems Control), CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), CCSP (Certified Cloud Security Professional), CompTIA Security+, CISSP (Certified Information Systems Security Professional), CEH (Certified Ethical Hacker), or CCNA (Cisco Certified Network Associate) enhance credibility and employability in the job market. There are also industry-specific cybersecurity certifications such as HCISPP (HealthCare Information Security and Privacy Practitioner). All certifications also require ongoing commitment in the form of Continued Professional Education to keep the certifications active, as well as annual renewal fees.

Cybersecurity is a continuously evolving field, and you need to stay updated to remain relevant.

Certificate programs and training

Short-term certificate programs and training courses provided by universities, institutions, or nonprofit organizations offer focused learning on cybersecurity topics. These programs cater to professionals seeking to upskill or specialize in niche areas like penetration testing, digital forensics, or cloud security.

Internships and apprenticeships

Internships and apprenticeships provide practical exposure to cybersecurity environments, allowing individuals to gain hands-on experience under the guidance of industry mentors. These experiential learning opportunities often lead to full-time employment and serve as stepping stones for career advancement.

Government (supported) programs and initiatives

National Cyber Strategy - National Cyber Workforce and Education Strategy (might be perceived as political). Government-supported and government-sponsored programs at the local, state, and federal levels promote cybersecurity education, training, and workforce development by partnering with universities. Initiatives like CyberCorps Scholarship for Service (SFS) in the U.S. offer scholarships and stipends to students pursuing cybersecurity degrees in exchange for government service.

Cybersecurity Clinics is another initiative supported by CISA (Cybersecurity and Infrastructure Security Agency). The Consortium of Cybersecurity Clinics serves as a forum for clinicians, trainers, students, and advocates to share knowledge, expand the reach of cybersecurity clinics, and lower the barriers for other institutions to establish their own clinics. The clinic recruits students with interdisciplinary backgrounds, trains them in both technical and non-technical skills, and sponsors industrial certifications. The Consortium's ambition is to dramatically grow the number of universities and students engaged in clinics, with attention to increasing the representation of women and minorities that have traditionally been under-represented in the cybersecurity field.

California and Florida have similar initiatives to address the cyber workforce shortage at the state level by partnering with universities. The California Cybersecurity Task Force, Workforce Development and Education initiative and Cyber Florida initiative both share similar goals. They aim to address the critical shortage of cybersecurity professionals throughout the state and the nation through education, research, and outreach and prepare at-risk students and low-income residents for careers in IT-cybersecurity. The goal is to create a technology and career education pipeline and pathway from elementary school to college and help people and organizations better understand cyber threats and what they can do to stay safer in cyberspace.

There are many non-profit organizations also supporting cybersecurity awareness and education efforts.

The 502 Project is a non-profit that partners with educational institutions, community groups, and industry leaders to provide a more inclusive and accessible gateway to the cybersecurity community through national virtual events, community-developed challenges, and access to subject matter experts from teenage whiz-kids to Chief Security Officers.

Girls Who Hack, a non-profit committed to bringing more diversity to the cybersecurity workforce, commits to educating over 500 girls over the next two years with free online and in-person classes that teach girls hacking skills so that they can change the future.

The mission of Raices Cyber is to encourage and support the Hispanic and Latino Cyber and Technology Community to achieve greater representation in the world. They rely on four main pillars: Continued Support and Encouragement to and from the Community, Education for all career levels, Access to valuable resources, and Constructive Networking and the forming of STRONG bonds (“Roots”). They support early education outreach to middle schools, high schools, and community colleges to support entry into the field.

Women in Cybersecurity (WiCyS) is a non-profit global community of over 9,000 women and allies in cybersecurity with 68 professional affiliates and 270 student chapters. Through its Security Training Scholarship, WiCyS is able to find hidden cybersecurity talent, upskill, and equip women with training and career placement services.

Continuous learning and professional development

Cybersecurity is a dynamic field with evolving threats and technologies. Ongoing learning through platforms like LinkedIn Learning, internet resources, YouTube tutorials, and online communities enables professionals to stay updated, explore new trends, and acquire advanced skills.

Engagement in events and conferences

Participation in cybersecurity events, conferences, webinars, and podcasts facilitates knowledge sharing, networking, and collaboration within the industry. Events like RSA Conference, Black Hat, DEF CON, or OWASP Global AppSec Conference provide opportunities for learning, skill enhancement, and career advancement.

Membership in professional organizations

Membership in professional associations like ISACA (Information Systems Audit and Control Association), ISC2 (International Information System Security Certification Consortium), ACM (Association for Computing Machinery), or IEEE (Institute of Electrical and Electronics Engineers) offers access to resources, training, and networking opportunities.

Exploring cybersecurity career opportunities

Cybersecurity offers a diverse range of career paths (traditional and nontraditional), each requiring specific skills, expertise, and responsibilities. Some common examples of cybersecurity roles cover cybersecurity management and strategy, security operations and monitoring, network security, application security, identity access management, cloud security, risk and compliance, cybersecurity education and training, legal and policy, emerging areas, incident response and recovery, threat hunting and analysis, and cyber business functions.

Some of the specific roles include:

  • Security Analyst
  • Security Auditor
  • Governance Risk and Compliance (GRC) specialist
  • Cybersecurity lawyer
  • Incident Responder
  • Penetration Tester
  • Ethical Hacker
  • Security Engineer
  • Cryptographer
  • Security Architect
  • Risk Manager
  • Security Awareness Trainer
  • Cybersecurity Instructor
  • Compliance Officer
  • Chief Information Security Officer (CISO)
  • Cybersecurity Sales and Marketing Specialist
  • Cybersecurity Policy Analyst
  • Cybersecurity Journalist or Writer
  • Cybersecurity Recruiter
  • Cybersecurity Project Manager
  • Cybersecurity Ethicist
  • Cybersecurity Risk Analyst
  • Cybersecurity Compliance Specialist
  • Cybersecurity Financial Analyst
  • Cybersecurity Insurance Specialist
  • Cybersecurity UX/UI Designer
  • Cybersecurity Education Specialist
  • Cybersecurity Supply Chain Manager
  • Cybersecurity Business Analyst
  • Cybersecurity Advocate/Activist

The critical role of cybersecurity

The importance of cybersecurity cannot be overstated in today's digital age. Cyber attacks have far-reaching consequences, ranging from financial losses and reputational damage to national security threats and societal disruption. As organizations embrace digital transformation, cybersecurity becomes a foundational element for mitigating risks, ensuring resilience, and enabling innovation.

Addressing the skills gap and future challenges

The shortage of cybersecurity professionals presents both challenges and opportunities for aspiring individuals. While the demand for skilled talent continues to outstrip supply, advancements in technology, such as artificial intelligence (AI) and automation, have the potential to augment cybersecurity capabilities and alleviate workforce shortages. However, the evolving nature of cyber threats necessitates continuous learning, adaptation, and upskilling to stay ahead of adversaries.

Embarking on the cybersecurity journey

Getting started in cybersecurity requires a combination of education, training, practical experience, and commitment to lifelong learning. Whether you're transitioning from another field or starting fresh out of school, there are numerous pathways available to enter the cybersecurity domain. By acquiring relevant skills, pursuing certifications, gaining hands-on experience, and staying abreast of industry trends, you can build a successful career in cybersecurity and contribute to a safer digital future.

Conclusion

Cybersecurity is not just a profession; it's a calling to protect and defend against digital threats that permeate every aspect of our lives. As the digital landscape continues to evolve, the demand for cybersecurity professionals will only intensify. By understanding the importance of cybersecurity, exploring diverse pathways for skill development and career advancement, and embracing a mindset of continuous learning, individuals can embark on a rewarding journey in this dynamic and essential field.

Key takeaways

  • You don’t need a technical (engineering) background to get in cybersecurity.
    • Most of the successful cybersecurity leaders have non-technical backgrounds.
    • People skills matter more.
  • Everybody’s context is different. Assess your priorities, timelines, resources, and find the option that works for you.
  • There are a lot of programs out there; do your research.
  • There are lots of scholarships as well.
  • Online vs In-person decisions are important. Hybrid option works best if you are local.
  • You must start somewhere; now is the time.
  • There is no silver bullet that guarantees success overnight.
  • Connect with those who know and learn from them.
  • Join industry associations.
  • Follow relevant cyber magazines and podcasts, e.g., SC Magazine.
  • There are plenty of free learning materials online.
  • Join LinkedIn, follow people, associations and keep up to date. 
  • Most valuable programs have accreditation.
  • It is important to understand theory vs. specific technology that changes often.
  • Leadership and management positions usually require a formal graduate or advanced degree in cybersecurity.
  • Certifications (usually) provide evidence of your focus around a specific topic.
  • A formal education (degree) and a certification focused on a specific topic might be the best combo.
  • Ongoing learning is essential regardless of the path taken; certifications require CPEs.
  • Take the one-time costs and ongoing costs into account (certification/membership renewal fees).
  • When choosing certifications, make sure to align them with your specific goals and interests.
Tolgay Kizilelma

Tolgay Kizilelma, Ph.D., is a business leader and trusted partner with close to 30 years of experience covering the whole business IT spectrum within the Education, Healthcare, Research, Public, and Technology industries. He has been recognized as one of the top 100 CISOs in 2022 by CISOs Connect. He is currently building a cybersecurity curriculum as director of the MS in Cybersecurity Program at Dominican University of California.
