Almost all modern enterprises are networked, which means that the soft underbelly of nearly every business, non-profit, and campaign has been digitally exposed to the sharpened skills of hackers. To embrace the internet is to embrace exposure, and to embrace exposure is to risk being gutted by corporate-sponsored, country-supported, and criminal digital crime. If nothing else, the revelation that Russian hacks on Democratic Party email servers may have affected the outcome of an American presidential election has driven the point home for everyone breathing, spending, or hiring in America. That said, the news isn’t exactly news: A 2015 study by PricewaterhouseCoopers found that 79 percent of U.S. businesses, law enforcement, and government agencies had detected a cybersecurity attack in the previous 12 months. That remaining 21 percent, more than likely, consisted of the small and the ignorant.
No wonder, then, that the cybersecurity job boom just keeps booming. The cybersecurity job market is growing at triple the speed of the information technology sector, and if that isn’t enough to humble your office IT guy, this will be: Cybersecurity employees make 9 percent more annually, with most salaries starting at $75,000, according to a recent study from the job market analytics firm Burning Glass Technologies. And even with all that money sloshing around, promising liquidity for anyone with relevant skills, finding well-trained individuals remains difficult for hiring managers. Roughly three jobs are posted for every one qualified applicant, which means that people who sign checks are increasingly looking for a reason to say “yes.”
Fortunately, it’s possible, albeit not easy for non-technical workers, to provide a reason. Transitions into the cybersecurity field are common, so demonstrable interest goes very far. For advice on going the rest of the way, Inverse spoke to Marc Menninger, a corporate information security and risk management professional with over twenty years of applied security experience. Menninger is also the man behind the Lynda course IT Security Career Paths and Certifications, which has become a way station for people headed toward cybersecurity careers. His number one recommendation is to get certified in Security+, but he says it’s a bit more complicated than that.
Why are these jobs available now?
In medicine, the HIPAA (Health Insurance Portability and Accountability Act) requires good security. Any company that processes credit cards is supposed to be following the PCI (Payment Card Industry Data Security Standard) and any government agency has FISMA (Federal Information Security Management). And now more people are becoming aware of IT security, with cases in the news, like the Sony and the Target hacks, and in politics right now. A lot of companies are supposed to have good security; even Target is supposed to be following PCI, but they still got hacked.
There is way more demand for security professionals than there is supply.
What’s the easiest way for me to break into the field? Point A is my current job and Point B is me getting paid a lot of money to do this work. Where’s the path?
You want to have strong computer skills, IT network skills, and I recommend people start with Security+, which is going to establish that you have a good foundational understanding of IT security. It is really important to understand firewalls and how firewalls work, understanding network tech and how networks work, and how network traffic works. Also, being able to capture and analyze network traffic would allow you to dig into the packets and see if there was any malicious activity at the packet level.
What do you learn when you are trained in CompTIA Security+?
Security+ proves that you have a good understanding of security technology. Security+ talks about security for IT networks, wireless encryption, and how that works, so it is a really solid technical exam. When you put the Security+ certification on your resume an employer knows you are serious enough about security to study for and pass that exam. A lot of employers will ask for that specifically, but it is also a good foundational certification that I would recommend to anyone that wants to get started in IT security.
After that, I can get a gig?
There is such a need for people to fill these positions, and with the right skills you wouldn’t have any trouble finding a job. There are also a lot of jobs for people who are very skilled in security, and the openings exist because these people are so rare.
What types of companies will hire me if I’m a bit more senior but maybe not the most qualified?
If you have a technical background, you can get Security+ or some of these other certifications. Even if you don’t have a pure security background, a lot of IT has security in it, so if you can identify the other parts of your job that required security in the past, you can tailor your resume and highlight what you have done that has been security related.
What do employers want to see?
They are definitely looking for solid technical skills so I would expect to be asked a lot of technical questions. They are also looking for experience doing the job they are trying to hire you for. So you should try to think of different ways you can get experience even if you aren’t currently in the security field. You can build a lab in your home and teach yourself security. You can volunteer for organizations to help them with their security, and all of the different training courses count as experience. There are like 60 security certifications out there and it just depends on the job, but Security+ is probably the most commonly recognized.
What should people right out of college do to get into IT security?
Hopefully, they got out of college with an IT-related degree. Then I would recommend they get the Security+ certification, and start looking for entry-level positions in areas that they are personally interested in. If they recognize they have skill gaps, they can always go out and get extra training. But the best type of training is on-the-job training, so even if you are starting out at a very entry-level position, it is a good opportunity to gain skills. Now there is such a huge demand for security people that organizations are hiring security interns, which is a great opportunity to get experience while you are still in college.
Alright, now I’m a security engineer. What is it that I do for a living?
A security engineer would probably be supporting a network or security application in an organization, and making sure that all the systems and networks are secure. They would apply strong security controls to protect from hacking, malware, or ransomware (when entire systems get encrypted and you have to pay the ransom to get the decryption key). Security engineers are also responsible for running different systems that help monitor the environment, like anti-malware systems and security event monitoring systems, and watch for events that might have shown up on the firewall logs or other system logs.