19,99 €
Land the perfect cybersecurity role—and move up the ladder—with this insightful resource
Finding the right position in cybersecurity is challenging. Being successful in the profession takes a lot of work. And becoming a cybersecurity leader responsible for a security team is even more difficult.
In Navigating the Cybersecurity Career Path, decorated Chief Information Security Officer Helen Patton delivers a practical and insightful discussion designed to assist aspiring cybersecurity professionals entering the industry and help those already in the industry advance their careers and lead their first security teams. In this book, readers will find:
Perfect for aspiring and practicing cybersecurity professionals at any level of their career, Navigating the Cybersecurity Career Path is an essential, one-stop resource that includes everything readers need to know about thriving in the cybersecurity industry.
Number of pages: 409
Year of publication: 2021
Cover
Title Page
Introduction
PART I: Arriving in Security
Chapter 1: How Do You Become a Security Professional?
Create Your Story
So, You Want to Work in Security
What's Next?
Chapter 2: Why Security?
What Kind of People Do Security?
What Is Your Why?
What's Next?
Chapter 3: Where Can I Begin?
What Does It Mean to Be a Security Professional?
How Can You Make Sense of It All?
What's Next?
Chapter 4: What Training Should I Take?
For the Traditional Student
For the Nontraditional Student
For the Full-Time Nonsecurity Worker
Other Things to Consider
What's Next?
Chapter 5: What Skills Should I Have?
The Entry Point — Technology
Professional Skills
What's Next?
Chapter 6: Is My Résumé Okay?
Linking the Résumé to the Job Posting
Elements of a Résumé
Digital Presence
References
Cover Letters
What's Next?
Chapter 7: Trying with Little Success?
Physical Location
Your Company
Get Specific
Know Your Market
Assess Your Efforts So Far
But I'm Doing All Those Things!
What's Next?
PART II: Thriving in Security
Chapter 8: How Do I Keep Up?
Fitting It Into Your Schedule
Ad Hoc and Planned Learning
Take a Mini-Sabbatical
Where Do I Find the Information?
What's Next?
Chapter 9: How Can I Manage Security Stress?
The Stress of Working in Security
Managing Security Stress
What's Next?
Chapter 10: How Can I Succeed as a Minority?
Making Security Work for You
What's Next?
Chapter 11: How Can I Progress?
The Security Journey
The Opportunist
The Intentional Career Seeker
How to Get Promoted
What's Next?
Chapter 12: Should I Manage People?
Leadership and Management
Preparing for Your Next Role
What's Next?
Chapter 13: How Can I Deal with Impostor Syndrome?
Fact-Check Your Inner Monologue
Know Competence and Incompetence
Know When to Ask for Help
Keep Learning and Know When Enough Is Enough
Keep Track of Your Successes
What's Next?
Chapter 14: How Can I Know If It's Time to Move On?
Are You Happy Where You Are?
Have You Done All You Wanted to Do?
Have You Learned All You Wanted?
What Are Your Long-Term Goals?
Are You Being Pigeonholed?
Do You Fit Into the Culture?
Job Hopping
Are the Other Options Better than Your Current Job?
What's Next?
PART III: Leading Security
Chapter 15: Where Do I Start?
What's on Fire?
What Is Your Timeline to Act?
Who Are Your Partners?
Find the Strengths and Note the Weaknesses
Draw the Business Risk Picture
Do You Have a Mandate?
What's Next?
Chapter 16: How Do I Manage Security Strategically?
Consider Your Industry
Know Your Business Priorities
Be Pragmatic
Address Stakeholder Pain Points
Threats and Vulnerabilities
Rinse and Repeat
Putting It Together
What's Next?
Chapter 17: How Do I Build a Team?
It Is About the How
Things to Consider
Identify Important Things
Identify Areas of Weakness
Discontinuing a Function
Building New Functions
What's Next?
Chapter 18: How Do I Write a Job Posting?
The Challenge of Job Postings
What's Next?
Chapter 19: How Do I Encourage Diversity?
Start with Numbers
Understand Your Cultural Issues
Attracting Diverse Talent
Writing the Job Description and Posting
The Interviewing Process
Retaining Diverse Talent
Promotions and Career Development
Leaving the Team
What's Next?
Chapter 20: How Do I Manage Up?
Who Are Senior Stakeholders?
Help Them Understand Security
When Things Go Wrong
What's Next?
Chapter 21: How Do I Fund My Program?
Funding a Team
Funding a Program
The Big Ask
What's Next?
Chapter 22: How Do I Talk About My Security Program?
What Story Should I Tell?
Telling Stories
What's Next?
Chapter 23: What Is My Legacy?
Making an Impact on the Industry
Making an Impact on Your Company
What's Next?
Epilogue
Appendix: Resources
Books
Networking Organizations and Conferences
Certification Organizations
Podcasts
Other Resources
About the Author
Acknowledgments
Index
Copyright
Dedication
Foreword: Navigating the Cybersecurity Career Path
End User License Agreement
Chapter 5
FIGURE 5.1 OSI technology stack model
FIGURE 5.2 Skills strategy mindmap
Helen E. Patton
Every week, I get a call from someone I don't know (or barely know) asking for a meeting so they can get to know me and ask me questions about working in security. Often, the person is thinking about working in security and needs help figuring out where to start. Just as often, the person already works in security and is wrestling with some challenge they can't solve on their own and wants some guidance. Sometimes, the person has taken on a new leadership or management role, and they are overwhelmed with the responsibility and don't know where to start.
They ask questions like these:
How did you get into security?
What would you recommend I do about this problem?
How do you balance your work and home life?
I ask questions like these:
Where do you work now?
What do you want the outcome to be?
Have you read this book/blog/podcast?
Being a mentor, coach, and sounding board is one of my favorite things to do. I love the community of people who work in this profession, and I love helping people navigate their way into and through it. I typically meet with a couple of people each month. Sometimes, meeting a new person results in an ongoing mentoring relationship, with a regular meeting cadence and a specific issue we explore. Sometimes, it results in no further meetings, but we do form a common connection, where I learn more about them. Usually, I also take something away from our meeting, too. I learn something that helps me remember something I had forgotten or something that helps me in my current role. We start a thread that can be picked up later if either of us needs it.
Over the years, I have enjoyed meeting people who are in different stages of their professional journeys. They usually fall into one of three categories:
Someone who is trying to get into security as their first career or who is coming from another profession
Someone who is already in security and navigating some mid-career challenges
Someone who is in a security leadership role and is working out how to be effective
The first meeting is concerned with learning about the other person, making an intellectual and emotional connection, and recognizing where help is needed and where help can be given. Sometimes, I find that I'm the one who needs help, and we realize that regardless of our respective backgrounds or how long each of us has been working, we each have something worth sharing.
I've been in the security industry for a couple of decades, and my own journey has been one of trial and error, good luck, and hard work. I'm now in a place where I have enough experience to provide insight into most questions people ask. I'm also connected to enough really amazing people who will know an answer to a question if I don't. Between blogging, public speaking, and working as a chief information security officer (CISO), I continue to learn about how to be happy and successful in security. I also know that I don't have all the answers and that the path people are on today cannot be the same path I walked. And I have learned that I have a lot to learn!
The security industry is unique. Although the issues have been around for a long time, the industry itself is young compared to other professions. There aren't many established organizational structures or career ladders. The way of doing security varies heavily between different industries and companies. There are no generally accepted security principles or professional standards. Not yet. This makes the security field hard to navigate.
People ask similar questions at each stage of their careers. We all struggle with the same things as we move through this profession. The industry, the company, the manager they work for might be different, but the issues and concerns are common. Often, the person knows what to do or how to find answers, but they need to bounce their ideas off someone else first. They find me or someone like me who can offer wisdom and objectivity. We know enough about the industry to help, but we aren't wrapped up in the day-to-day issues. It helps them confirm that they're not dealing with a unique situation, that someone else has been in the same trench, and that help is available. I play the role of listener, coach, and cheerleader. It is tremendously satisfying.
Meeting people one-on-one doesn't scale very well. As my colleagues and I work hard to attract new people to our industry and help people thrive and lead, the number of people who need help navigating their security careers grows. I wrote this book about the common questions I am asked and to make a widely available resource for people who can't meet me in person. I hope this will also help mentors like me, who can't address all the questions all the time and would like to direct people to a useful resource.
I considered creating three different books (getting into security, living in security, and leading security). As I thought more about it, I realized that our careers aren't linear. Sometimes, we are just starting out in a leadership role. Sometimes, we are decades into one security job, but we are thinking of jumping into a new role and need to work out how to break into security all over again. Sometimes, the challenges we have as a mid-career professional are the same ones we have as leaders. I realized that a person might want to read ahead or revisit certain topics, so keeping them all together would make for one easy reference.
I assume that if you want to work in security (or you already do), then your target company is large enough to support dedicated security resources. This can mean a start-up that is moving into the next phase of growth and needs its first-ever security professional, or it could be a large enterprise with many security teams under one security leader. In any case, my advice applies to people in companies who have some organizational culture and structure.
The topics in each chapter can be read from the perspective of the job seeker, the job holder, or the manager — and sometimes all at once. For example, the chapters about writing a résumé, creating a job posting, and building a diverse team are all related, and there is something in each of these chapters for everyone. I encourage you to look at your questions from “the other side.” If you're a job seeker, read the manager chapters to see what they're thinking. If you're a manager, consider the perspective of the job hunter. Security professionals are at their best when they think broadly about a problem. Take the same approach here and explore your questions from all sides.
In each chapter, I begin with a summary section. The summary allows you to quickly find the information you need and to pull out the key themes and resources. You will notice that many themes carry over from chapter to chapter. For the entire book and your entire career, this means you should know yourself, network, stay curious, and communicate well (and often!).
Know yourself:
Know why you are in security. Know what energizes you, how you like to work and communicate, and what motivates you. Constantly seek out jobs and experiences that play to these qualities. Be authentic.
Network:
Make building your network a core piece of “being at work,” and make room to interact with people in person and online. Use your network for information, for support, and to give back to the community. I can't state how important this is. Being only a person away from almost any answer in cybersecurity is a huge advantage.
Stay curious:
There will never be a time where you can “set it and forget it.” Keep learning about technology, people, and yourself, and apply that learning as fast as you can.
Communicate well and often:
Know how to talk about security and your role in it with as many people as possible. Be clear in your written and spoken communications and be prepared to share widely. Build your relationships with your stories.
You can read this book by just reading the chapters that answer your immediate questions, though advice in one chapter might apply to others, so I would encourage you to read it all. It's helpful to know the answers to questions you have now and also questions you might have in the future. People will be coming to you with these questions at some point, so this is for the future mentor you will be, too. “Be prepared” is a great motto for anyone in security to follow.
You will notice that not many of the questions you will be asked are technology questions. Yes, security is a technology-focused discipline. Yes, you need to have some level of technical expertise to have a role in security. But how to “do” technology is rarely the question people ask mentors about. More often, the questions are about finding resources and navigating organizational structures, personalities, and politics. Security-specific issues must be considered, and I discuss these as they arise, but the presence of technology is a starting point, not the main point.
I didn't write the book in a day — or even a year. When I revisited each chapter during the editing process, I realized that my own ideas about a topic changed with time. As I write this introduction, we are in the middle of the COVID pandemic, and ideas of remote work, inclusion and equity, and career opportunities are changing. I have tried to make my thoughts as time-agnostic as possible and have provided resources that you can use for more information. If any question is interesting to you, I encourage you to do further research. I'm sure there will be more and newer information waiting out there for you to find. I often post questions about security careers and philosophies on LinkedIn (LinkedIn.com/in/helenpatton) or Twitter (@cisoHelen). The answers from the security community are always interesting, often frustrating, and usually thoughtful. I continue to crowdsource my own learning using social media, and you're welcome to follow along. I wish I could include everything I learn in each chapter! Instead, I hope I give you a way of thinking about a question that leads to a solution you can apply to your own path.
So, grab the beverage of your choice and join me as I consider these common questions. There are no right answers, only better questions, which can lead you to solutions. Let's begin.
This part is for people who are thinking about working in security or trying to assist a job seeker. Each chapter in this section covers the questions job seekers most often ask.
Chapter 1, “How Do You Become a Security Professional?”
We explore ways for you to determine what kind of security job you want and how to find paths to that kind of work.
Chapter 2, “Why Security?”
Here, we think about why security is important to you and what strengths and skills you bring to a security role.
Chapter 3, “Where Can I Begin?”
We learn more about the different kinds of security roles and consider how your own background applies.
Chapter 4, “What Training Should I Take?”
We discuss traditional and nontraditional learning paths, including degrees, boot camps, certifications, and internships.
Chapter 5, “What Skills Should I Have?”
Security professionals need technical skills. They also need professional skills like communications, emotional intelligence, and organization.
Chapter 6, “Is My Résumé OK?”
This is a primer on what to include in a résumé and cover letter.
Chapter 7, “Trying With Little Success?”
When you're not landing the job you want, we discuss how to troubleshoot your process.
How do you write your own security story?
Know your why:
Understand your strengths and likes and values, and be able to articulate why security aligns with those things.
Stay open to opportunity:
The security path will be unexpected. Be prepared to take on projects and roles that you might not have originally anticipated. Be open to roles that might not be an exact match for your expectations or skillset.
You don't need to be perfect:
No one will have all the skills at exactly the right time. Consider taking opportunities as a way of learning new things.
Stay curious:
To be successful in security, there will always be something new to learn. Actively seek knowledge and apply it quickly. Stay in roles long enough to learn all you need to know, and don't skip from role to role too quickly.
Find out how others made it into security:
Your path will be different; take what works for you and leave the rest.
Network:
Finding the next role will be easier if you have a wide range of people helping you.
Asking someone how they got to their current security job is a great way to break the ice and build a relationship. It is interesting to know how someone made their way through the maze of security functions, corporate politics, and human error to land in their current role. The thing to remember is that a person's story is just that — their story — and is not something that you can copy for yourself. My story started in Australia in the late 1980s. I started doing information technology (IT) in the United States in the early 1990s. Think about that for a second: different country, different culture, and different technology. Knowing how I got from being an Australian high school student to being a chief information security officer (CISO) in Columbus, Ohio, makes for an interesting story, but knowing the details of my journey leaves little to take away for someone who is just starting out.
So, should you ask how someone made it into security and how they continue on their security path? Yes. Absolutely. But don't just ask one person; ask anyone you get to meet in security. And don't just ask how they got to be a [fill-in-the-blank] security person. Conduct your own research and look for themes of success. Ask them how they started and how they got to where they are now. What is common about the people who are in roles you want? How do they think? What training did they do? Did they have a mentor to help them? Were they able to stay in one geographic place, or did they have to move around a lot? What kind of family structure did they have? Did they get help, and if so, where did they get that help? And what kind of help did they get?
If you don't know many security people (yet), you might want to read Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World by Marcus J. Carey and Jennifer Jin. This book contains great advice from a range of well-known and successful security practitioners for people looking to enter the cybersecurity field.
Once you have the answers to these questions, compare them to your own circumstances. What might you be able to replicate? What things are nice to know but don't apply to your particular situation? What opportunities do you have that they didn't? The goal here is to find strategies that work for you now, not things that worked for someone else a decade or more ago.
Think of it this way: you are writing your own story. Right now, you are at a starting point. That might be as a high school or college student who is wondering what classes to take. It might be as a mid-career professional who is looking at security as a next career. It might be someone who really doesn't know much about security but wonders if knowing more would help. Regardless of where you start, you need to clear a path to where you want to go. Asking security people how they made their way will give you some ideas and ways of thinking about how to move forward. Writing a story about your own journey will help you know if you are on the right path — even if the story has unplanned twists and turns.
I never planned to work in security or become a CISO, partly because of when and where I was born. Growing up in the Australian country during the 1970s and 1980s didn't exactly surround me with computer security. I thought I might want to be an English teacher or a landscape architect. But computers? My public high school got their first computers when I was in the 9th grade. Friends played around with Commodore 64s, and I was singularly unimpressed and unaware of the potential of computing.
I wasn't looking to work in technology; technology found me. In my early 20s, after I had moved to the Columbus, Ohio, area, I stumbled into an administrative job. That employer had an old IBM36 mini mainframe and wanted to convert its information to the new client-server software. As the only person in the office under the age of 30, I was thought to be the perfect person to work with the small consulting company hired to do the implementation. Later, the owner of that company offered me my first technology job.
I took the opportunity to learn something new. It turns out that I'm good at technology. I spent a great deal of the 1990s building PCs, servers, and networks — a traditional “infrastructure” role. I took a job running help desks and infrastructure for a software development company and got to work helping people learn to use computing technology in their business lives.
I was still not thinking about security. Slowly and subtly, things started to change. The late 1990s introduced me to Y2K issues. The Melissa virus hit while we were struggling to implement Y2K fixes, and then shortly afterward, the Slammer virus became a thing. Even then, I still wasn't thinking about security, but I was getting pretty tired of having to chase down bad machines and failing networks. I was getting good at making sure backups worked, having spare parts ready to go, and knowing how to call emergency numbers for support. I didn't know it at the time, but I was starting to do “security.”
The pivotal point in my journey happened in the early 2000s. In quick succession, we experienced 9/11 and the North East Power Outage. My CIO asked me to establish a disaster recovery program for the company. Turns out, my personal need for predictability lined up perfectly with being a business continuity and disaster recovery planner. I finally finished college and took these skills to a bank. I was officially working in the world of technology risk. I learned a lot about control frameworks, risk management, and executive leadership. The world was changing, too. Nation-state actors were more cyber active, technology was becoming more ubiquitous at work and at home, and data breaches were starting to become a thing.
After almost 10 years, it was time to find something new. Thanks to my network, I became the CISO at the Ohio State University. There, I learned what it is like to lead a growing security team in a crazy industry. And I learned that I love being a security leader.
But why? It turns out, I like vanilla ice cream. That is, I like things to be dependable, predictable, and reliable. Running a security program allows me to help an organization ensure that things run according to plan, that they can be depended upon, and that there are no surprises. Being the CISO means that I can have meaningful conversations with senior leaders about why they do what they do and how securing their systems will support their work. Most of all, I can work with security colleagues who value the same things. It's hugely satisfying work.
There are some high-level truths to keep in mind as you write your security story. These themes will help you be flexible and be able to pivot quickly when a new opportunity arises. If your goal is to find work in the security profession or even continue working in security for years, consider the advice in this chapter.
Start by knowing your own “why.” (We talk about this later in the book.) Knowing yourself — why you like security, what kind of skills you have, and what culture you want to work in — is the most important thing to have before you start applying for jobs. Nothing will set you up for failure faster than trying to cram your misaligned skills and values into a security role.
When you talk to other people and ask them how they got to where they are, focus on learning their “why.” Why do they do security? What do they value about it? What do they not like about it? Reflect on your own values — are they similar? Based on what you know to be important to you, can you see yourself in their role?
Doing security well takes patience, tenacity, and a belief in the purpose of your role. If you can't back that up with your own skills and values, it will be a very hard profession in which to work. Take time to know yourself and have a clear-eyed evaluation of whether this profession is truly for you.
There is no right path for a security career. Even in companies large enough to have defined role-based career ladders, a security practitioner can move up, over, down, and up again in remarkable ways. Often, you will get your next role through who you know and through random opportunities, rather than through a planned career progression.
Getting your first security job is about playing the numbers game — the more positions you know about and apply for, the more likely it is that you will find a role that works for you.
When you are learning other people's stories, pay attention to how they moved from role to role. Did they intentionally seek a particular job, or did they land in it by accident? Were they comfortable in their choice, or did they have to experience discomfort to move from position to position?
Be curious about new roles, and be open to exploring new opportunities as they come to you. Get to know security people in your immediate team, your company, your location, and your industry. The wider your circle, the more likely you will see when an opportunity arises.
Be prepared and willing to learn.
The truth is most hiring managers and recruiters write awful job postings for security positions. They require a weird combination of skills and look for educational backgrounds that don't match what the position really requires. Consider the skills they ask for to be aspirational, not required. Until the profession gets better at writing job descriptions, be less concerned about meeting every requirement they ask for and be more concerned about whether you think you can do the job. Later in the book, we will discuss how to form your résumé to get through recruiting filters and catch the eye of hiring managers, so you can get to an interview where you can sell your strengths.
When you meet other people to learn about their path, ask about their skill level when they took a new role. Had they done the role before? Did they consider themselves ready for the new role? Did they have to convince a hiring manager that they were qualified? Learn from their experiences.
Have a general tool kit of skills that can be applied to a variety of potential roles. Hint: Most of the skills are not technical; instead, they are professional skills such as teamwork, accountability, and reliability. Your curiosity about security can be used to learn the fundamentals of security functions. Then you can turn that into a credible job application, even if it does not perfectly match the requirements of the job posting.
Constant reading, watching, and listening to security thought leaders will help you land a role and help you keep it. There is never a time when you will have “arrived” and you can stop learning. There will be no time where you will feel like you know everything (or even enough of anything). There will always be new technologies, new tactics, and new tools.
Be willing to continue spending time outside of work learning about security things, or it will be easy to fall behind. The good news is there are lots of ways to learn things: conferences, blogs, podcasts, and books. Be prepared to invest your time in them.
Talk to other people about where they get their information. New sources are emerging all the time. When you do hear/read/learn about something new, take time to process it. If possible, find a way to incorporate it into the job you have now.
If you don't enjoy geeking out on security-related things, this might not be the profession for you. It is not necessary to spend your entire waking life immersed in security — work-life balance is so important — but having a growth/learning mindset is critical.
Fostering security partners and staying in touch with those colleagues opens more doors than you can count. It's as important a skill as any. Learn how to meet people, establish a connection, and form a mutually beneficial bond. Many times, this will lead to finding true friends. When you're speaking to other security folks, ask them if there is someone they know who you should meet. Ask for an introduction.
Finding your first, second, or next security role will always depend on the strength of your network, as will keeping your job. Networking is not something that is an optional part of being in security; it is critical. Your network will act as mentors, teammates, partners, and confidants. There isn't a section of this book that doesn't refer you to a network for guidance and input.
Note that networking does not have to mean in-person schmoozing. You can network on social media, through one-on-one meetings, and by email. In-person networking is the most impactful, but for those who would rather do anything else than mingle, there are other options! If you are looking to get into security, start by finding a local network of people and build outward from there. I make some recommendations for networking groups in the “Resources” appendix at the end of this book.
Working in technology — or any job at all — is invaluable training before you take a role in security. Just because you have a degree or a certification doesn't make you ready for a security job.
A security professional needs to understand how technology and an organization relate before they can apply security skills and principles to it.
To get a security job, you might need to work elsewhere first. For example, you could've been part of an application development team or a help desk, or you might've worked in compliance or been a business analyst. For many security job seekers, this is the “chicken-and-egg” problem. You need a job to get security skills, and you need skills to get a security job. One way around this is to get a job or internship in areas adjacent to security, such as general IT, business continuity, privacy, audit, or compliance. Once you have those skills, applying for a security role is much easier.
Once you're in a security role, don't be in a hurry to jump around too fast. There is learning to be had in being part of the business cycle for a couple of years. Typically, junior-level people are interested in moving quickly up the career ladder, and in security, there are plenty of opportunities to do just that by jumping from company to company. I suggest taking a more holistic approach so that you fully understand the role. That means staying there for at least a couple of business cycles, which is often a year or two (possibly a bit less if you're at a start-up company). If you are in more of a senior-level position (particularly in a staff management role), this time frame might be even longer. Taking time to truly live in your role will make you a better professional with much deeper skills and experience. Don't overlook the value of this time.
There are a lot of people — young students or mid-career professionals — who are thinking about a career in security. Often, they are overwhelmed by the scope, diversity, and possibility of the profession. Even the people who work in the industry are confused. Is it “information security” or “cybersecurity” or only plain-old “security”? What is included? Is privacy part of security, or is it something separate? What is not included? Is patching part of security, or is it an IT function? It would be reasonable for anyone thinking about joining this profession to have lots of questions.
“Security” is not just one thing any more than “IT,” “law,” or “teaching” are just one thing. It is a broad group of disciplines and specialties that are filled with a diverse set of roles, which span any number of functions. It is based on technology, but it touches on legal, ethics, risk, process, and many more related ideas. It lives in big companies and small ones. It applies to every country and industry — private and public sectors and for-profit and not-for-profit organizations. It bleeds from professional work to our personal lives.
Deciding to work in security brings a plethora of choices, and people considering this field often stumble when working out how and where they want to begin. There are so many questions:
Should they go to school to learn and then look for a job?
Should they get a certification first?
Should they learn on the job and then pursue a formal education or credentials later?
Should they consider an internship, paid or unpaid, before applying for their first job?
Should they get a related job like marketing, sales, or help desk and then move into security after that?
There are many potential ways to get into a security role, but few of them are obvious or easy.
It should be easy, though. We are constantly told that there are more jobs than people to fill them. Despite the acknowledged huge numbers of openings, there is also a huge shortage of security professionals. You might think it would be easy to get a security job, yes? Unfortunately, it is not so simple. For the security job seeker, the opportunities to break into the profession are circumstantial and capricious. Consider the following:
There are few truly entry-level, “no experience required” roles in security. When roles like this are available, there are lots of people who apply for them. The competition for any of these entry-level roles is high.
Most entry-level roles tend to be quite specific, focused on one part of the profession, and are not generalist roles. Hiring managers will want a “network security engineer with knowledge of networks” or an “identity management analyst with experience in identity systems.” They aren't just looking for someone who is “interested in security.” Often, security roles are not considered entry level at all. Hiring managers assume you have some other background, usually technical, before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Without work experience in those areas, many job seekers will not even try to apply for an entry-level role. Job seekers learn that “entry level” often means at least two to three years of work experience — either in security or a related field.
Many jobs take a long time to fill, if they can be filled at all. Companies and their recruiters might not understand what security is or does, so they post job advertisements that ask for an unrealistic combination of skills and experience (the mythical “unicorn”). If candidates apply at all, they do so knowing that they don't qualify for the stated needs of the role, and for everyone else, there is a missed opportunity to find a role in the industry. This is as true of entry-level roles as it is for mid-level and senior roles.
Mid-level roles requiring five to ten years of security experience are almost always closed to people already in another part of the workforce who want to transfer over to security. Those kinds of transfers most often happen at companies where the hiring manager knows the transferring candidate. Being able to transfer mid-career without years of security experience is rare (but not impossible!).
Mid-level and senior security jobs are hot, and candidates expect higher salaries and benefits than other information technology jobs. Companies, however, do not value security roles the same way and don't pay what job seekers are expecting. As a result, the time to fill a position (and the time to find a job that pays appropriately) is long, and there are many instances of job-hopping for higher pay.
Senior security leadership roles are high-burnout positions. The average tenure of a CISO is roughly two years. Not only does this make good senior talent hard to find, but it also makes the stability of the rest of the security organization less dependable. This impacts the frequency and quality of all open positions being advertised.
Despite many security jobs being posted, it is a challenge for the job seeker to find the right kind of job in the right place at the right time. To deal with this, you need to be ready for any potential opportunity that arises. It can be done! Once you have a security job, it is easier to move around to other roles. Getting a foot in the security door is the hardest step.
The task of being prepared can seem overwhelming, but there are many resources available to help you, and there are many examples of people successfully finding their way into security.
Spend some time thinking about why you are interested in security. Be honest with yourself. Do you like playing with technology? Does the role of defender appeal to you? Maybe someone you admire is a security professional, and you would like to emulate them. Perhaps the potential earnings and job security are attractive. Jot down your answers, and then take some time to reflect on them. Do they feel right?
Find people on social media who are doing jobs you are interested in. Check out their backgrounds and experience. Connect with and engage them in a meet-and-greet. Ask your network for introductions.
Look at job postings for the kinds of jobs you want. Take note of the skills and experience they are seeking. Do you have those skills and experience? Do you want to have those skills and experience? Consider ways of filling in the gaps in your experience and skills.
Look for networking groups and security meetups in your area. Attend a meeting. Introduce yourself to at least one person while you are there. Make a list of questions to ask anyone you meet. Be prepared to engage someone in meaningful conversation at a networking event or function.
Read Confident Cyber Security: How to Get Started in Cyber Security and Future Proof Your Career by Dr. Jessica Barker for more ideas for breaking into security.
Know yourself: It's important to know why you value security, know your strengths and values, and then find connections between them.
Learn about security: There are cultures within security — protectors, puzzlers, moral crusaders, and change agents. Do any of these resonate with you?
Do some research: Understand your strengths. Talk to friends, family, and colleagues, and ask for their thoughts on what you are good at and what you struggle with. Compare this to the security roles you are interested in, and make sure there is an overlap between the skills needed and your strengths.
Be clear: Be clear about why security matters and why it matters to other people. Put yourself in others' shoes to understand how they perceive security.
“I can't believe anyone would want to do security.” —Interviewer
In the late 2000s, I interviewed for a security role in an imposing office overlooking Park Avenue in New York. The interview was with a senior technology officer with a sharp suit and a great reputation. I was nervous! Imagine my surprise when the first statement from the interviewer cast doubt on the whole premise for my job and career.
I would love to tell you that this opinion was an anomaly. It wasn't. The attitude reflected their ignorance of security and the lack of value they placed on the security function. They were not alone in sharing this opinion — not then and not now. One of the biggest causes of conflict and stress when working in security is when others misunderstand what security is or why security people make the decisions they make. They think we are recalcitrant, obstinate, or downright annoying. We think we are helping them avoid something they cannot see, preparing them to achieve their objectives without an unanticipated security incident, and helping them to be better. In all cases, these instances of disagreement arise because we don't understand the others' “why.”
We security people think the purpose of security is obvious and that any semi-intelligent life form would understand why security is important. The truth is that security is a profession that is misunderstood by technologists and nontechnologists alike.
If you're going to be part of or lead a security team, you need to be very clear about why you do it, what value it brings, and how security is a good thing.
If you don't believe this with the core of your being, you will likely burn out well before you can be successful.
For someone starting out in this profession, finding a “why” can be difficult. It's hard to find a “why” when you don't know the “what” or the “how.” One place to start is by reading Simon Sinek's book Start with Why. It is not a security book, but it will help you think about what drives you, what is important, and how security might fit into your life. For now, your “why” answer might simply be “because I'm curious to learn more” or “I like what I see so far.”
Work in security long enough, and you will notice particular security cultures and subcultures. Being able to align your values with the culture you work in is important. It is too hard to go to work every day if you must flex your personality to fit in. So, consider the kind of security personas who already work in security and see if your values and style align with any of them.
There are four types of security personas.
Security Personas   Protector                     Puzzler                       Moral Crusader                 Change Agent
Cares About         Community service             Intellectual pursuit          Ethics and fairness            New challenges
Leadership Style    National defense              Strategic planner             Values-driven                  Fixer
Junior Roles        Blue team/incident response   Red team/security analyst     Governance, risk, and policy   All roles but not for long