As Cybersecurity Novices, What We Could Do to Break into the Promising Cybersecurity Industry
1. Background
Nowadays, the development of the cybersecurity industry is more and more rapid. Whether it is the growth of industry opportunities, the growth of wages, or the growth of security companies, it is an amazing number. Especially when we see the relevant data of cybersecurity attacks, the type of attack and the frequency of attack are both growing very fast. This has also led to a shortage of cybersecurity professionals. However, although more and more universities have set up information security teaching programs, and there are more and more online information security training programs, the number of information security professionals in the world is very insufficient all the time. Especially for novices in the field of information security, it is too difficult to enter the information security industry, which is a very contradictory phenomenon.
2. Purpose of the study
This research topic is mainly discussed from two aspects. First, from a macro point of view, through access to some articles and much data to analyze the prospect of the information security industry, the reasons for the shortage of Cybersecurity professionals, the problems for novices to break into the cybersecurity industry, and the demands of different companies for Cybersecurity professionals. The other is from the micro point of view, through some of the suggestions from articles and my personal experience to analyze, as novices, how to improve our technical skill and soft skill, and how to find and finally get the job opportunities in the Cybersecurity industry.
3. Literature Review
Article 1: How to Get into Cybersecurity, Regardless of Your Background
This article first introduces the cybersecurity industry has a very good prospect. Then the author talks about how to enter the cybersecurity industry from two perspectives. The first part is “Getting into Cybersecurity from a Technical Background”. The author explains the relationship between the work of a software engineer and a security engineer. The author also gives a few more technical cybersecurity occupations, like security engineer, cryptographer, virus technician, and penetration tester. Then the author introduces the skills needed for these occupations and how to acquire them. The second part is “Getting Started in Cybersecurity with a Non-Technical Background”. The author mentions the soft skills and security-related professional certificates to prove that people without technical background also have the opportunity to enter the network security industry. Then, the author also gives a few cybersecurity occupations that are suitable for non-technical background people, like network administrator, SOC analyst, and cyber policy analyst. Finally, the author introduces the skills needed for these occupations and how to acquire them.
I think this article is extremely valuable for my research. It not only analyzes different kinds of cybersecurity occupations but also gives the route of how to improve related skills.
Article 2: Cybersecurity Talent Crunch To Create 3.5 Million Unfilled Jobs Globally By 2021
This article mainly discusses the prospects of the cybersecurity industry and gives the prediction data from a lot of authorities to prove that the cybersecurity industry is extremely short of talents, from government enterprises to private enterprises, from the United States to the world. This article provides a lot of useful findings from authoritative institutions. like “The New York Times reports that a stunning statistic is reverberating in cybersecurity: Cybersecurity Ventures’ prediction that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.”, and “New data from Scout Exchange indicates that of all IT jobs, cybersecurity engineers — with an average annual salary of $140,000 — were the highest paying and most recruited heading into 2019”.
This article provides sufficient support for many parts of the paper I am going to write, like the “The prospect of Cybersecurity industry” part, the “The Shortage of Cybersecurity professionals” part, and the “Cybersecurity related certificates” part. So it is very useful.
Article 3: Cybersecurity pros name their price as data hacking attacks swell
This article lists some major cybercrimes in recent years to reflect the huge demand of the current society for cybersecurity professionals. It provides some specific cases, like “In 2019, Capital One Financial Corp. disclosed that the personal data of about 100 million customers had been illegally accessed by a Seattle woman, possibly one of the largest breaches affecting a U.S. bank. The firm’s shares have fallen 8.9% since the intrusion was revealed.”. Compared with article #2, this article could provide some specific cases of cybercrime, which are very useful.
4. How to improve the competitiveness
4.1 Determine the interest and learning path
The first step to enter the information security industry is to determine our interest in this field. The first reason is that the meaning of information security is very broad, there are many branches, including web security, network security, cloud security, system security, security software development, related security services, and so on. For different branches, we need to learn and master different key skills and knowledge, so we must first make clear our interest and learning direction. We could consult senior students, professors, or industry predecessors, but also combined with the current development trend of the whole industry and our interests to make a comprehensive choice. Another reason is that information security is a very difficult field. We need the passion on it to continue to learn. Some people in this world may choose jobs they do not like for their lives. But if you are not interested in information security, you cannot really master the relevant skills and knowledge.
4.2 Enhance technical skills
Although information security work requires a lot of experience, which causes it too difficult for novices to enter this very promising field. We still have many ways to prove our professional ability beyond the work experience, including obtaining cybersecurity-related certificates, participating in cybersecurity-related competitions, practicing on online training platforms, and contributing to the security community.
4.2.1 Cybersecurity related certificates
In the field of information security, many valuable certificates can prove our ability. According to the article “A guide for understanding cybersecurity certifications” , written by Aireal Liddle in 2021, we could know there are two main types of certificates: “Today’s cybersecurity certification programs can be broken down into two main categories: Professional cybersecurity certification programs and academic cybersecurity certification programs.”.
Professional certificates could prove our ability. Examples of popular professional certifications include Certified Ethical Hacker (CEH), GIAC Security Essentials (GIAC), Certified Information Security Manager (CISM), Comp TIA Security+, Certified Information Systems Security Professional (CISSP), and Offensive Security Certified Professional (OSCP). Unfortunately, many certifications require experience as well. For example, to get the very popular certificate, CISSP, we will be required to have at least five years of paid, full-time experience in at least two of the eight (ISC)2 domains or four years paid, full-time experience in at least two of the eight (ISC)2 domains and a college degree. This also proves that the information security industry has a very high demand for professional experience. However, there are also many certificates some novices could go for, like Security+ and OSCP. In addition, some certificates do not mean that we can pass the exam just by answering some questions. Some certificates have very high requirements for hands-on ability. At the same time, such certificates can also prove our ability, even if we do not have actual cybersecurity work experience. For instance, the OSCP certification has become one of the more coveted certificates for hands-on, offensive-minded security professionals. Students must prepare by going through the prep courses and practicing skills in the labs. The OSCP exam has a 24-hour time limit and consists of a hands-on pen test in Offensive Security’s isolated VPN network. Many certificates are difficult even for people who have worked in the cybersecurity industry for several years. So, if the novice gets the certificate with his efforts, how can he not be chosen by the company?
Academic certifications take less time to complete — sometimes they might be courses that last several weeks to a year or more. They also do not require as many prerequisites like traditional undergraduate courses (like SAT or ACT scores, for example). They are great options for students that might have already completed a degree in a related field and are looking to make a career switch, or for students that want to explore what preparing for a cybersecurity career might be like before committing to a lengthier academic program.
4.2.2 Cybersecurity related competitions
There are a lot of information security competitions around the world, and the most common is the “Capture the flag” (CTF) competition. “flags” are secrets hidden in purposefully vulnerable programs or websites. Competitors steal flags either from other competitors or from the organizers. The person who has CTF experience will be the most favorite talent in the enterprise. First of all, the difficulty of CTF competition is very high, which can prove our professional level. In addition, even though the content of the CTF competition may be different from the actual work, a good CTF ranking is enough to prove our love for information security and our ability to study.
4.2.3 Online training platforms
The iterative speed of Internet technology is accelerating, which leads to the risk that the knowledge learned in textbooks will soon be out of date. This requires us to master new skills through continuous practice. For cybersecurity personnel, we should find some suitable online practice platforms to learn and update our skills. For instance, I really like the TryHackMe platform. Because this platform not only provides some conceptual knowledge but also provides a lot of free labs for us to practice. In addition, we can learn some basic principles of computer science on it, which is very important for learning information security.
4.2.4 Contributing to the security community
Finally, we can enrich our experience by contributing to the open-source community, participating in the research and development of open-source software, writing security-related blogs, and submitting CVE vulnerabilities.
4.3 Enhance soft skills
When recruiting security team members, soft skills are an important consideration, and soft skills are typically intangible and difficult to quantify. For example, the ability to communicate technical topics to a non-technical person is an important soft skill. Others include the ability to work as part of a team and having a positive work ethic and attitude. The trend of security becoming a common responsibility is becoming more and more obvious, even those who do not have any technical network security experience will also participate in it. Employees from other functional departments can work with the security team to help them look at problems from different perspectives, further broaden the understanding of network security in the enterprise, and help to implement best security practices throughout the enterprise.
5. How to apply for Cybersecurity jobs
5. 1 How to get more interview opportunities
5.1.1 Understand the demands of different companies
Businesses and government agencies of all shapes, sizes, and missions need cybersecurity professionals. This is good news for information security practitioners, but it also means that we have to understand different demands from different companies or organizations.
First of all, we should try our best to obtain resources, especially in the information technology developed now, we can obtain a lot of useful network resources, like the article “Cybersecurity jobs are everywhere. Here’s how to find them” . From this article, we can find the needs of different types of cybersecurity work in different regions.
In addition, we should classify different companies according to their maturity and their investment in information security. The more mature the company is, the more it invests in security. Because the more mature a company is, the more it knows how to predict security risks.
For example, influencers are information security leaders who see their security organizations as mature and progressive, have business influence, and a strategic voice. I think Microsoft is an influencer because it is a leader in cybersecurity. It has too many products for customers and organizations so it must ensure the security of its products. But to some companies as a responder, they focus on the tactical response mode and does not have the influence or resources to drive significant change. For example, many very small companies are responders. Their own business is still underdeveloped, so they will not pay enough attention to security.
We should also care about whether the company has a special CISO and the position of CISO in the company. If the position of the security department is higher, CISO’s decision-making power will certainly be bigger. CISO will also have wider responsibility, for example, CISO will be more accountable to the business. In addition, CISO needs to change some priorities, for instance, CISO needs to think more about policies.
5.1.2 Network with Cybersecurity professionals
It would be more effective if we could get in touch with recruiters and hiring managers. They will point us in the right direction. Besides, alumni are always the best resource. They will be more willing to help novices enter the industry. We can contact people who may help us through school resources or some special recruitment websites, such as LinkedIn and Glassdoor.
5.2 How to prepare for Cybersecurity job interviews
The related technical ability is not discussed here, because how to practice the technical ability has been mentioned in the previous part, like obtaining security certificates, participating in security competitions, and so on.
To prepare for cybersecurity job interviews, we need to know how to demonstrate our logical thinking ability. Cybersecurity is a constantly changing field. Hackers and attack methods have been evolving all the time. As a result, cyber threats are also developing, such as malware, blackmail software, misuse of privileges, and so on. The ability to objectively analyze each problem and constantly dig into the root of the problem is an important skill for success in the field of cybersecurity.
Besides, in the interview, behavior question also accounts for a large proportion. In addition to some very routine behavior questions, such as “describe a difficulty you have encountered and your solution”, or “describe how you resolve a disagreement with your teammates.”. Three questions are often asked in an information security interview: “Please tell me why you choose information security”, “Please tell me about the information security field that you are most interested in”, and “Please tell me the latest interesting information security news you know”. These problems also prove that interest and enthusiasm are crucial for an information security practitioner. Even if we cannot answer some technical questions very well because we are still novices. If we can prove our great love for information security, our chances of passing the interview will also be improved.
6. Conclude
I think there are three main reasons for the high entry threshold of information security jobs. The first is that information security is too difficult. Information security is a very difficult field in computer science. It requires people to have a very deep understanding of the underlying principles of computer operation to figure out how to do a good job in security protection. The second point is that information security work is too critical for a company. Even though the company is very short of information security talents now, it is difficult for the company to trust a novice to be responsible for the company’s information security, because once an incident happens, the consequences are very serious. The third point is that information security practitioners need to master a wide range of knowledge. Attackers only need to find a weak point to achieve their goal. But on the defensive side, information security engineers must do a good job in every part of the protection. This leads to the need for information security talents with high skills in the industry. So it is too difficult for novices to break into the promising cybersecurity industry.
However, getting our first job in cybersecurity is the hardest. We can get our first job in cybersecurity in many ways, including getting a cybersecurity certificate, participating in a high-level cybersecurity competition, contributing to the open-source community, or contacting recruiters and hiring managers directly. After we get our first job in cybersecurity and work for a period of time, the rewards we get will be extremely rich. We will get a very high salary. Recruiters will also come to us with good positions. Therefore, we should continue to maintain the learning enthusiasm for information security, and constantly develop our career path.
7. References
[1] J. Robert, “How to Get Into Cybersecurity, Regardless of Your Background”, Springboard Blog, 2021. [Online]. Available: . [Accessed: 06- Apr- 2021].
[2] S. Calif and S. Morgan, “Cybersecurity Talent Crunch To Create 3.5 Million Unfilled Jobs Globally By 2021”, Cybercrime Magazine, 2021. [Online]. Available: https://cybersecurityventures.com/jobs/. [Accessed: 06- Apr- 2021].
[3] A. MELIN, “Cybersecurity pros name their price as data hacking attacks swell”, Los Angeles Times, 2021. [Online]. Available: https://www.latimes.com/business/story/2019-08-07/cybersecurity-pros-name-their-price-as-hacker-attacks-swell. [Accessed: 06- Apr- 2021].
[4] Liddle, A., 2021. Guide to the Best Cybersecurity Certifications for 2021. [online] Cybersecurity Guide. Available at: https://cybersecurityguide.org/programs/cybersecurity-certifications/ [Accessed 4 May 2021].
[5] Parke, M., 2021. Cybersecurity jobs are everywhere. Here’s how to find them | WorkingNation. [online] WorkingNation. Available at: https://workingnation.com/cybersecurity-jobs-everywhere-heres-find/ [Accessed 4 May 2021].
