Unless you're oblivious to the news, you're well aware that the information security industry is getting a lot of attention. Be it the headline-grabbing breaches taking place on a seemingly frequent basis, or the fact that the number of digital internet-connected devices per capita is increasing constantly.
Just taking these two things into account, it’s easy to understand why organizations are in search of qualified security professionals to add to their current or non-existent IT departments. But why aren’t there droves of people lined up ready to break into a field where salaries average between $90,000 and $100,000?
From 2015 to 2016, the IT position that witnessed the highest increase in compensation were information security managers. Given the security initiatives that many businesses are implementing, IT professionals can expect starting salaries to increase 3.8 percent in 2017.
Now, take all of that into account, and again, it’s baffling why the supply of talent would not far outweigh the demand. But alas, that’s far from the case.
The cybersecurity market is expected to grow from $75 billion in 2015 to a whopping $170 billion in 2020, which would indicate that more opportunities can present themselves to those interested in becoming information security professionals. A 2015 study by Stanford University’s Peninsula Press indicates that the demand for security practitioners is expected to grow by 53 percent through 2018.
For anyone looking to change careers, or perhaps look into a particular field of study, it’s clear as day that this apple is ripe for the picking. But breaking into the field isn’t as easy as going to a four-year university, visiting the career center, and magically being brought into the security and risk department of a Fortune 50 organization. More importantly, if you base this decision on the salary, chances are you won’t go very far.
Security practitioners put hours of blood, sweat, and tears into their work, and that’s mostly because they’re passionate about what they do, something that Zach Lanier, Director of Research at Cylance, says is an integral part of the equation.
Lanier began his career while still in high school and has achieved quite a bit in his 15-year stint in the infosec world. Over the years he’s conducted some notable research, became a contributing author on the Android Hacker’s Handbook, and has spoken at conferences such as Black Hat USA, DEFCON, the RSA Conference, and MISTI’s own InfoSec World. Not a bad career for someone still in his early 30s.
Needless to say, Lanier is aware of the current talent shortage in the industry. During a recent interview with InfoSec Insider, he offered up some tips on what security rookies need to know before joining the infosec community.
Mingle and learn at industry events
We’re all familiar with the slew of industry events. From major industry gatherings like the RSA Conference to more intimate and knowledge-driven events like the , there are plenty of opportunities for novice information security practitioners to continue to learn. Rather than blow some of off, Lanier suggests taking advantage of these opportunities. He thinks you’re “basically required” to attend these. “I’m not suggesting that everyone needs to go to every conference or event, but it’s one of the [many] ways practitioners can stay on top of what’s happening, learn new stuff, and network with peers,” he says.
Learn…then learn…and then learn some more
When it comes to education, one should never rest on their laurels. There are endless ways to continue to learn more and bolster your value in your organization’s IT department. Education, be it universities or training programs, are what Lanier feels is a “huge boon” for the industry and could help with the current talent shortage, and the “talent gap” he feels is prevalent as well. “While there are qualified professionals working in the infosec industry, in a variety of roles there are still a lot of gaps between the skills people have and the skills that are appropriate for their roles,” he says. “I was lucky – I came up in the industry mostly selftaught, but it’s awesome that there are so many opportunities for training and formal education.”
Fix and secure…don’t just break
While certain aspects of the job are entertaining (especially if you’re tasked with reverse-engineering/breaking a device), it’s important to focus on the real task at hand which is security. “Breaking stuff is certainly a lot of fun, [but] the breakneck increase in our reliance on technology brings with it an equal – if not great – increase in the impact of a breach or compromise,” Lanier says. “More than just financial and reputational impact, [areas such as] critical infrastructure, medical and automotive space, for example, have real-world implications. Lives can be lost.” Lanier believes that incoming candidates must realize that “fixing” and securing “stuff” is paramount.
Be passionate, but watch your ego
With the incredible amount of intelligence and strong opinions in the space, there are bound to be some egos, something that Lanier says there’s already enough of in the industry. To really make it in the industry you have to be passionate about your work and strive to find answers. “Learn. Test. Play. Lather, rinse, repeat,” Lanier says. “Try to be passionate about all of this, but don’t be afraid to be wrong or unsure, either.”
As students continue to flock to schools and find their career path, it's important to know that it's also never too late to join the industry. Given the amount of educational and training materials that are readily available, Lanier believes that "just about anyone" can break into the field. There are endless opportunities and plenty of programs to solve. What's missing is the interest and the talent. Attending a conference or an introductory seminar could be the spark that leads to a successful career in the information security field. Who knows, when you reach the pinnacle of infosec superstardom, you may finally have a chance to be the scapegoat for a Fortune 50 corporation.