In recent months, I have met many people who are interested in working in cybersecurity. This is wonderful, especially given the number of available employment opportunities in this field.
Like any ambitious person, the people who approach me to ask about getting into the field want to fully immerse themselves in “all things security”. This is admirable, but I often advise them to slow down a bit, and not quit their day job.
Often, my advice is:
Don’t focus on security 100% of the time.
A good security person is formed from a well-rounded, diverse set of experiences. When you think of the early pioneers in security, many practically stumbled into the field as an offshoot from a separate discipline, some of which were not computer-based at all. Think of all the mathematicians who became cryptography experts. Computer security probably never factored into their grand scheme when they were pondering advanced math.
Most of the folks who ask me about getting into security are already working in technology, yet many do not make the connections about how what they are doing now can relate to their security-based future. Those who are not already working in technology may not see how non-technical paths can also add to their success in the security profession.
For example, a project that involves quality assurance, or something similar, is going to give you exposure to the discipline of following a process that is the core of a lot of security testing.
Some other aspects of the daily grind can be extremely beneficial as well. Think about your work with project managers. So many security folks are really bad at time management and follow-up. Project managers may seem like a royal pain with their spreadsheets and constant “follow-up” questions, but if you pay attention, you will benefit greatly from that approach as well, and your future security employer will appreciate that.
One of the greatest problems the security space has seen in recent years is that too many researchers have found themselves on the wrong side of the law, whether intentionally or due to ignorance (which is no defense). An understanding of the legal landscape is very important in cybersecurity. I always advise high school and college students to take a few of the law classes that are offered, even if they do not want to become attorneys. I never thought that my limited legal training would come in handy, and all of a sudden, I found myself presenting the nuances of the New York State Cybersecurity regulation to an Executive Board. It has also helped with understanding the General Data Protection Regulation that was enacted in the UK.
As I posited in an earlier set of pieces, your InfoSec path will probably not consist of you crawling through a network for the entirety of your career. As you gain experience, you will be exposed to greater opportunities.
I also highly recommend psychology training, which can have an immeasurable impact on your ability to explain technical concepts to a non-technical audience, and it certainly helps with Social Engineering.
If you are looking to get into cybersecurity, and you are either a student, or already a working professional, stay the course, keep your patience, and just think about the security implications of everything you do and touch. That is all part of the learning experience. Add the important technical security training into the mixture, and you will become a more attractive candidate to an employer when you make the final leap into a full-time security position.