Too many people are uncertain about how to enter or grow in the cybersecurity industry. While it’s a relatively young field, we still really haven’t done a good job defining what it means to have a career in cyber. For hiring managers worried about finding candidates because of the cybersecurity skills gap, we need to consider what’s needed to address the underlying issue, which I like to call the cybersecurity careers gap.
By the careers gap, I mean that it’s hard for people to enter and build a long career in cybersecurity. The shortage of qualified security professionals probably isn’t because of insufficient training options – many free and commercial learning opportunities exist. Instead, it’s finding that first job to apply and expand skills over the first couple of years that people find difficult. It’s also hard to determine how to turn a series of successive jobs into a career. To address the cybersecurity careers gap, established practitioners should consider the following:
- Think outside the box. Develop an approach that lets organizations hire people with non-technical backgrounds for entry-level roles – musicians, hospitality workers, and teachers.
- Do a better job explaining why people should consider a cyber career. Define and communicate paths for progressing in the field, helping individuals get started and progress in their career journeys.
- Offer more defined career counseling to young people already in the field. Help practitioners map their strengths and aspirations to career paths to help ensure their professional journey is fulfilling.
Those just entering the field should put effort into understanding their interests and how they map to various career options. Becoming a chief information security officer (CISO) might not make sense for everyone in the field, and that’s okay. Depending on individual interests and goals, someone might not want to manage a team, and instead, might want to spend their career on the hands-on technical side.
Non-traditional practitioners welcome
We need all types of people in cybersecurity because of the variety of challenges we’re solving. For those who are deeply analytical or uncommonly creative, we can use your help. Whether people excel in human or computer communications, we can use the help. For example, at my former job, we loved hiring former bartenders who had an interest in security and tinkered with IT gadgets as a hobby – they were strong at multitasking and interacting with people.
By allowing non-traditional practitioners to fill entry-level cybersecurity roles, organizations can increase the number of people entering the career funnel. Many of them will develop advanced expertise with the right mentorship and training. This requires adjusting job requirements for entry-level roles, reaching out to people outside the traditional talent pool, and making them feel welcome. Organizations should also build programs that guide new hires through cybersecurity career pathways.
Cybersecurity career pathways
How should people progress in their cybersecurity careers? There are so many different roles, titles, and responsibilities. They differ across companies, geographies, and industries, and confusion regarding the best approaches to climbing the career ladder probably discourages many individuals from attempting to enter the profession in the first place. Moreover, such uncertainty leads to current cybersecurity personnel failing to progress in their professional journey.
Today, resources are starting to appear that can guide new and existing professionals. For example, SANS Institute, which offers cybersecurity training, published a skills roadmap that outlines several possible career paths and associated skills. Various government organizations also offer detailed guidance, including the following:
- The National Initiative for Cybersecurity Education (NICE) Framework, created by the National Institute of Standards and Technology (NIST), defines the lexicon for discussing cybersecurity roles. Candidates and HR managers can explore the framework’s content to understand security roles on the Cybersecurity and Infrastructure Security Agency (CISA) website.
- Cyber Seek Security Career Pathway has an interactive website that lets candidates get details about each role and see how it fits into the appropriate career path. For each role, it shows salary information, related certifications, and associated NICE Framework skills.
- The European Cybersecurity Skills Framework (ECSF) document, published by the European Union Agency for Cybersecurity, details common cybersecurity roles. It’s not as comprehensive as NICE, but it offers more information about each role, including titles, mission, responsibilities, deliverables, skills, etc.
Those new to the industry, or those wondering whether cybersecurity would work for them, will also benefit from the book by Alyssa Miller, Cybersecurity Career Guide. These resources can help new and experienced professionals navigate cybersecurity career paths. They can also help hiring managers and HR professionals recruit and retain talent.
Career guidance and mentorship
Even more experienced professionals can get lost in their career journey without the right support and guidance, given the many types of positions under the cybersecurity umbrella. It’s even more likely for those who are new. How might a person with a network security background get into incident response? What awaits those who get tired of working in a security operations center (SOC)? What paths exist for technical people who don’t want to become managers? These questions are hard to answer alone.
People need to understand their capabilities and strengths to progress in their careers. They also need people around them to whom they can turn for advice. Those seeking guidance can turn to professional security organizations that offer educational and networking opportunities. There are also mentorship initiatives, such as Women in Cybersecurity (WiCyS) and Cyversity, which pair mentors with mentees and facilitate fruitful interactions.
By being open to newcomers, exploring different career paths, and supporting each other, we can grow the number of cybersecurity professionals and chart professional development paths for each other to cover the cybersecurity careers gap.
Lenny Zeltser, CISO, Axonius; Faculty Fellow, SANS Institute