It’s never too late to take up a cybersecurity career

We all know cybersecurity is a booming and increasingly-important sector. Demand is sky-high while market skills are in short supply. For as long as these trends don’t change, therefore, a career in a job-rich IT sector would seem to be a smart move.

Many more people are in fact now jumping on the cybersecurity “bandwagon”, whether spurred by an intrinsic vocation or a sense of timeliness. I myself did so nearly 4 years ago. For those of you out there who might be thinking of a cybersecurity career, I’d like to give a few tips based on my own experience, which might help to tip the scales one way or another for someone weighing up this decision.

Many people who are working in other IT sectors (developers, system personnel, etc) could pluck up courage to make the switch at any moment. That’s all well and good. But first some concepts need to be made clear so you can take this decision in a well-informed and therefore clearer-headed way. I’m going to make a few points here that are not meant to be discouraging but rather to ensure the decision is realistic:

– Cybersecurity is not as sexy as it may seem in films. It’s hard work. At times the frustration of not knowing how to tackle a task might severely test your levels of patience and self-discipline. As well as hacking activities (if we’re talking about offensive cybersecurity), there’s a lot of office work that is far less romantic. Paper pushing, long reports to write, project management, meetings, etc. So if your only reason for the switch is the adrenaline rush of hacking something, think again, because such moments are much fewer and further between than you might think.

– Cybersecurity has many branches. If you’re going to change, do you know exactly what you’d like to do in the cybersecurity world? Without doubt the most headline-grabbing, eyecatching and upfront part of the job is hacking. That’s what I do, but we shouldn’t lose sight of the fact that there are other very interesting and no less important branches like forensic work, thread hunting, SIEM system monitoring or other jobs that are also important and very promising, career wise.

– If you don’t like studying, forget cybersecurity. This sector calls for constant top-up training. Certifications (loved or loathed depending on whom you ask) are a constant bugbear but essential as “official” proof you know your stuff. You also have to keep bang up to date with all the breaking news, vulnerabilities, zero-days, etc. All this is vital if you want to be sure of carrying out Red Team type projects successfully. Techniques that work one day may be rendered useless a few days or months later, falling prey to the most modern antivirus solutions. You can never rest on your laurels in this game.

– If you only spend your working day on cybersecurity, you’re not likely to go far. To reach a good level you need to keep abreast of many different facets, and to go deep you need to put in many hours, almost certainly eating into your free time. This is no problem for those of us who are really keen but could be troublesome otherwise.

OK, if you’ve got this far without throwing in the towel, you’re doing fine. Now comes the most difficult bit: taking the plunge …

Youngsters starting from scratch have got it easier. But it’s not so simple for those of us who have discovered our cybersecurity passion later or decided on a mid-career switch. In my case, at the age of 37, I had amassed 17 years’ experience working in other IT branches when I decided to make the change. This might prove a problem in terms of finding a job with a salary in keeping with your experience. In one way you’re a very experienced person, while interviewers may very well see you as asking for too much money as a person without any cybersecurity expertise. The truth is probably half way. Nobody likes a salary cut when changing jobs but if you’re switching horses from one IT job where you’re very experienced to another where you can’t boast similar experience, a salary drop may be inevitable. If you do manage to up your stakes, all well and good but it’s not the likeliest outcome. Whether you can afford this cut will obviously depend on your own particular situation. I could, but now that some time has passed I have to admit my expectations have been more than fulfilled. In other words, at times taking one step back gives you more impetus for moving forward afterwards.

A couple of last tips before you make the big decision. It might be a good idea to study for a cybersecurity certificate, albeit basic like EC-Council’s Certified Ethical Hacker (CEH). This will give you an edge over the rest. It will also give you a chance to find out if you really like it while you learn, before taking the plunge. Moreover, at the moment of the job interview, although you can show no demonstrable cybersecurity experience, at least you can vouch for some knowledge and interest, all of which may help you get the job. Another tip is that while you’re studying, practicing and playing with hacking, you might try your hand at some hacking challenges and competitions (also called CTFs, short for “Capture the Flag”), building up your own experience while having fun. Many CTFs are fairly fanciful but others are much more realistic and useful.

That’s all folks. I hope these tips will help to light up the path for those of you pondering the switch to cybersecurity.

Author: Óscar Alfonso Díaz