Cybersecurity expert and PCI Security Standards advisor John Elliott shares how you can successfully enter the industry as someone brand new to the field.
John Elliott is a veteran cybersecurity and data protection specialist, author, and consultant. He’s represented both Visa Europe and Mastercard on the PCI Security Standards Council, and contributed to many of the PCI standards including PCI DSS. He is an instructor for the National Cybersecurity Alliance, Security Advisor at JScrambler, and Pluralsight author.
So, you’re thinking of starting a career in cybersecurity. It’s a wonderful and highly rewarding field to be part of, which is why I’ve been working in it for almost two decades. A question I’m sometimes asked is how you can actually kick that career off.
In this article, I’m going to share some advice that has worked for me and others, so you can get your start in the field.
1. Pick up some recognized cybersecurity certifications
One of the first things you’ll hear when it comes to getting into cybersecurity is “you need to go and get some certifications.” This is sound advice for a few reasons:
- It gives you a good taste of what being in cybersecurity is like, so you can decide if it’s right for you before you spend any more time pursuing it
- You get to sample all the areas in cybersecurity and you will find the one(s) that excite you
- Studying for industry certifications teaches you the fundamentals (which you obviously need to succeed at the job)
- It shows prospective employers that you’ve gone out of your way to learn the basics
If you’re completely new to cybersecurity, I’d suggest taking the CompTIA Security+. Pluralsight offers a learning path for it by Christopher Rees, which provides a great introduction to the area.
2. Start thinking cybersecurity in your everyday life
You should start to make yourself actively curious about cybersecurity, and in fact about all forms of security. If you’re going into a venue, look at where the security cameras are and where the guards are placed—just don’t be too obvious about it! Ask yourself all the time, “How would I break that?” or “How would that fail?” You can do this anywhere, such as with your work or home systems. If a website asks you to set up an authenticator app along with your password, look at how it’s doing it and the language it uses. Did it work for you, and if not, why?
This might sound like a funny exercise, but it’s actually the first step towards thinking like a cybersecurity professional, since you’re playing “red team vs blue team” in your mind. I can guarantee you that bad actors are doing the exact same thing, and it’s often our job to put ourselves in their shoes and put in defensive strategies before they exploit that weakness.
3. Don’t be worried about not knowing everything
The best words I ever learned in my entire cybersecurity career were “I’m sorry, I don’t know.” Why? One of two things will happen when you utter them. Either someone will tell you the answer—and you’ll be smarter for it—or you’ll realize you need to go away and find out the answer for yourself.
Whenever I’ve recruited people in the past for cybersecurity roles, these were the five words I wanted to hear in an interview. People who can recognize what they don’t know, admit it, and seek to know the answers—curious, life-long learners—are the kind of people who thrive in cybersecurity.
4. Find a mentor to help you out
Keeping with the theme of constant learning, it helps to find a mentor: someone who can help you get into security and whom you can ask lots of questions like “Someone was saying this, and I didn’t understand it.” There are a lot of people out there, particularly in industry associations such as your local ISSA or ISC2 chapter, who have a lot of time to help you develop your career and skills.
5. Start mining the web for cybersecurity knowledge
You’ve got so much knowledge at your fingertips with just a Google search. For instance, you don’t need to travel halfway around the world to attend a big cybersecurity conference like RSAC—many of the keynotes are on the internet, along with content from previous years. There is so much free learning out there you can do.
Also, because cybersecurity is such a wide topic, you’ll find something you get really excited about. It might be threat hunting, penetration testing, ethical hacking, writing secure systems, or security governance. It helps to find the area of cybersecurity that really fires up your interest, and see where that rabbit hole goes.
6. If you’re starting out, consider working on a help desk
I started my career on an IT help desk, where I discovered my love of working with computers. Security teams often recruit internally from a help desk. Kevin Beaumont, a well-known cybersecurity blogger, advocates starting on a help desk because a lot of cybersecurity is knowing about things like Active Directory, creating user accounts, and regular user behavior. Of course, people normally move on after one or two years on a help desk, because it’s a taxing environment.
I can’t emphasize enough how seeing technology from the regular user’s perspective develops your empathy as a member of the security team, approaching employee requests with a “Yes, and how can we secure this?” rather than the dreaded “No”.
7. If you’re mid-career, try incorporating cybersecurity into your role
If you’re midway through your career, stepping into an entry-level position at a help desk just to get into cybersecurity isn’t that appealing. Maybe your soft skills are amazing, or you work in an area that already has dealings with cybersecurity—such as software development or another business function. In that case, it’s possible to break sideways without going the help desk route.
One way to do this is to show the cybersecurity team that you’re interested in cybersecurity. If you’re a developer, start asking how to write secure code, and demonstrate to the team that you’re interested in working with them on that. See if you can kick-start some developer training around secure coding practices. Bring security into your existing role, and build those bridges.
A good horizontal role is as a business information security officer, where you’re still in the business but you’re thinking about security. It’s sort of like wearing two hats at the same time, keeping your existing role as the larger of the two so you’re still focused on what the organization wants to achieve, but also getting experience for your future career.
To be honest, it’s hard to move horizontally from one company to another, shifting from a non-cyber role to a cyber role. You’re better off trying to move sideways in your own organization.
8. Join a cybersecurity member association
In most areas, you’ll have a branch of a cybersecurity association, such as the ISSA (Information Systems Security Association). ISSA isn’t tied to any certification body, and it’s a not-for-profit organization. They organize meetings where people love to talk about security and bring in guest speakers.
Joining these organizations is a really great way of building your network. If you go to a meeting and say “I’m a senior project manager, and I’ve been working on security tasks and want to get more experience in the area”, people will be happy to talk to you. You can build your network that way, and sooner or later, someone might say “Hey, there’s a vacancy in our project management security team, is that something that would appeal to you?”
I can’t overstate how important it is to build a network. I’ve found opportunities through people I know, where someone has said “John does this sort of thing, let me introduce you to him.”
Unsure how to go about networking? Check out this article: “How to network in tech and land jobs (An introvert-friendly guide).”
Conclusion: There’s no one silver bullet to getting in
You’re best off trying a lot of different things to get your foot in the door, and all of them will make you better off through the process. A lot of this advice—getting certifications, joining associations, networking—is good to follow regardless of where you are in your cyber career.
Again, don’t be daunted by all the things you don’t know. Being in cybersecurity is like drinking from the firehose, so you’ll always be learning, no matter how many years you’ve been in the field.
My best advice is to find an area that you’re really into. If a particular area genuinely interests you, that will come through in all your interactions. Cybersecurity is such a wide discipline that there’s bound to be one aspect that gets you going, so don’t pay attention to people who say “You have to have been a developer” or “You need to understand networking.” Sure, a broad IT knowledge base is helpful, but the field is so wide that you can find your niche.