Last year, the world’s largest non-profit membership association of certified cybersecurity professionals, (ISC)², announced the findings of its Cybersecurity Workforce Study. For the first time, they estimated that the cybersecurity workforce was almost 3 million, and a growth of 145% (just over 4 million) was needed to close the skills gap and better defend organisations worldwide.
The latest figures depict a shortage of cybersecurity professionals at a time when protecting the world’s operating systems has never been as important. Now, if you’re anything like me, I’m sure you’re wondering: how has this shortfall happened? And why have efforts to plug the skills gap not worked?
Whenever I talk about what’s occurred, people are dismayed, so I often use an analogy. It’s as if we (in cybersecurity) have been paddling in the ocean when the tide was out. We were up to our ankles, enjoying the view and smelling the fresh sea air. Then, all of a sudden, the tide has come in, risen quickly, and we’ve found ourselves up to our necks in water.
Choosing to swim means working on the root cause, and I believe the problem behind these statistics may be the perception of cybersecurity, specifically that there’s only one role in cybersecurity and for only one type of person. So, with so many myths surrounding the industry, especially when it comes to starting a career in cybersecurity or attracting more women into the field, let’s bust the myths I regularly come across.
If you’d like to know more about how to kick start your career in cybersecurity, or are a parent who thinks your child might enjoy it, please visit these exciting apprenticeship opportunities https://bit.ly/QACyberApprenticeships.
Myth #1: You’ve got to have specific cybersecurity qualifications, experience, or be a genius.
When it comes to specific qualifications and experience, typical misconceptions are that you need cybersecurity qualifications, a STEM degree, or military, law enforcement, or tech experience, and additionally that you need to be super clever or a genius. The truth of the matter is this. Within cybersecurity, there are a significant number of professional qualifications, or certifications, that are globally recognised and in demand. These are:
- Certified Information Systems Security Professional (CISSP),
- Certified Information Systems Auditor (CISA),
- Certified Information Security Manager (CISM),
- Systems Security Certified Practitioner (SSCP), and
- GIAC Security Essentials.
Data from recruitment agencies, such as Burning Glass, show that over 35% of all cybersecurity jobs require at least one of these five globally recognised certifications and that more than 80% of cybersecurity-related job postings want a bachelor’s level or higher college degree plus a minimum of three years’ experience.
As most of these certifications require years of industry experience, don’t be deterred if you don’t have them, or exams aren’t your forte. Whilst many hiring managers specifically require certain expertise, all jobs require far more than academic knowledge or proof that you can pass an exam. Although meeting any one of these criteria would be advantageous to you, in reality, you can start a career in cybersecurity without any of them.
With growing cyberattacks and a huge shortage of qualified cybersecurity talent, companies and government agencies are united in their message:
‘If you don’t have a Computer Science degree, don’t write off a career in cybersecurity. If you’re lacking qualifications but are interested in cybersecurity, then you can still get a job.’
Qualifications certainly don’t make a hacker, consultant or practitioner, and there are so many positions within the cybersecurity ecosystem that are available to you—from cryptography, mobile device forensic analysis and incident response to penetration testing (hacking), endpoint security, or security awareness, and so on. It all comes down to your starting point, i.e. what skills you have, what career route you want, what pay you’ll accept, and what your future employer’s investment will be.
A great example of a starting point is an apprenticeship. Take the UK Government Security Profession’s scheme, which is currently available. They are looking for candidates with an understanding of basic IT principles to join the cybersecurity apprenticeship scheme, and they want to attract a broad spectrum of applicants from diverse backgrounds who’ll be 18 years old by November 2020, not in full-time education by November 2020, and are either UK nationals or have lived in the UK and/or EU for 3 years prior to November 2020.
The National Institute of Standards and Technology (NIST) is a great place to start when you’re researching what type of job you want and finding out more, as it’s listed all the different jobs and opportunities in cybersecurity.
Certainly, over the 22 years I’ve worked in cybersecurity, I’ve witnessed many cybersecurity professionals getting into the industry with Arts and Humanities degrees, or from other non-technical routes, such as law, marketing, accounting, advertising, journalism, and HR. In fact, when it comes to degrees, there’s evidence that the second most popular degree for recruiting cybersecurity professionals is English (Language).
Continuing, I’ve also seen astrophysicists, PAs, nurses, hairdressers, florists, dry cleaners, singers, actors, teachers, artists, and builders get in. These people are capable, have a self-starting open mindset, and have done well. However, none are geniuses.
So please understand. Cybersecurity is crying out for men and women who come from different walks of life. The industry is well aware that just having the same types of people within it is limiting its effectiveness. It knows that as cyberattacks are becoming more creative, and hackers are becoming more collaborative and business-like in their approach, it needs to modify its approach. It needs people who can see things in non-binary ways and help it be less blindsided.
Myth #2: You’ve got to be a techie and have a passion for cybersecurity.
Today’s cybersecurity professionals fulfil a wide range of job roles—some are technical, and others are more business-focused, so you really need to think about what area you enjoy and want to specialise in. Nowadays, it’s widely accepted that one of the greatest threats comes from the human aspect—the insider threat, and that’s why knowledge of human behaviour, culture, ethics, and language, or specialisms in psychology, geopolitics, and economics are so readily sought.
As for having a passion for cybersecurity, this is utter nonsense, and it makes me mad whenever I come across this. It’s just not needed. Curiosity, interest, a willingness to learn, and an understanding of why you’re committed to doing this job are. If you’ve got a burning passion for cybersecurity, then that’s great—a bonus—but there’s really no need for a “strong and barely controllable emotion.” Let’s leave that for teenage love! 😉
Myth #3: You’ve got to be young to work in cybersecurity.
The perception is that you’ve got to be young, male, geeky, and wear a hoodie to work in the industry, but this couldn’t be further from the truth. People with all manner of dress codes—punk, gothic, new age, high fashion, etc.—work in cybersecurity, and with 90% of the industry’s employees being over thirty years old, there’s certainly no correlation between age and cybersecurity practices. Cybersecurity—like all other industries—requires diversity to thrive. Being successful in it requires a multitude of skills and creative thinking abilities from people of all ages. The industry only cares if you can spot problems (typically vulnerabilities and compliance failures), get to the root cause, fix them, and communicate the issues along with corrective measures. And, when it comes to women entering the field, statistics have repeatedly shown that women typically enter cybersecurity beyond the age of thirty.
Myth #4: The hours and pay aren’t good in cybersecurity.
The demand for cybersecurity experts is increasing exponentially as the world becomes more digitally connected, data becomes the new currency, and cybercrimes grow. It’s why city analysts predict cybersecurity jobs growing by between 32% and 37% between now and 2028, which is a higher percentage growth than the average for all other occupations.
This is good news for those in the industry. It signals an applicant’s market and rising salaries, especially in specialist roles, or when moving companies or geolocations. Looking at the UK alone, the Department for Digital, Culture, Media and Sport identified 393,257 cybersecurity-related job postings over the past 3 years, with 105,194 being labelled as cybersecurity jobs. Their research further highlighted:
- Geographic hotspots of activity in London, Edinburgh and Belfast, as well as parts of the West Midlands and the South West, (e.g. Bristol, Cheltenham and Gloucestershire).
- The most in demand roles being security engineers (18%), security analysts (13%), security architects (10%), security managers (9%) and security consultants (8%).
- The sectors who most wanted cybersecurity talent being finance and insurance, information and communications, and professional services.
- The most in demand technical skills areas being network engineering, risk management and technical controls, operating systems and virtualisation, cryptography and programming.
- Approximately 653,000 businesses (48%) with a basic skills gap, i.e. people in charge of cybersecurity in businesses who lacked the confidence to carry out the kinds of basic tasks laid out in the UK Government’s endorsed Cyber Essentials scheme, for example setting up configured firewalls, storing or transferring personal data, and detecting and removing malware.
When it comes to the hours cybersecurity professionals work, occasionally these may vary, as it’s regularly viewed as an emergency service. So, you may need to work non-traditional hours, nights, or weekends when a data breach or cyberattack occurs, or during systems updates, security upgrades, and certification implementations.
As for future-proof work, cybersecurity is well placed. Thanks to cybercriminals and employee mishaps, data breaches can occur at any time as threats are continually evolving. It’s one of the reasons 93% of women who work in cybersecurity say they feel safe in their job. In fact, its longevity is so well placed that The Balance Careers lists cybersecurity, specifically information security analysts, as being one of the highest of the seven fastest-growing tech jobs, with a projected growth of 28% through to 2026.
When it comes to pay, those in cybersecurity can quickly earn more than other professionals, such as doctors, lawyers, accountants and engineers. Salaries for apprenticeships such as the UK government’s range from £22,700 to £25,997, and according to the 2020 Cybersecurity Salary Survey, 50% of cybersecurity professionals are currently earning more than $50,000 and 1% are earning up to $190,000, excluding bonuses. In North America, the average salary is $90,000 and in the UK it’s £54,644.
Myth #5: Cybersecurity is a desk job with limited opportunities.
You might think cybersecurity is a desk job with limited opportunities, but this isn’t the case. Cybersecurity professionals are occupied at all levels of business, and their influence extends so much further than the IT department. Many different roles are available when it comes to your career progression and often you get to travel and see much of the world. With digital disruption, risk mitigation and the skills shortage being three of the biggest topics facing business leaders today, if you want to climb the career ladder then a C-level, VP, MD, CEO, Partner, or NED role is well within your reach.
Myth #6: Your existing skills won’t be useful.
Cybersecurity is a dynamic field, and whether you’re entering it with strong communication skills, technical know-how, military experience or business wisdom, you’ll soon discover the relevance of your existing skills. Like problems in any other profession, you’ll soon discover some that are similar and others that will be unique. In cybersecurity, it all depends on the environment—the technology that’s involved, the resources that are available, and the risk (attacks or compliance failures). Whatever the case, you won’t be dumped in it and left to figure things out for yourself. The stakes are too high. Your manager or team will direct you when it comes to how to accomplish your specific cybersecurity duties.
Myth #7: The career path is too hard, takes too long.
Although becoming a cybersecurity practitioner or consultant doesn’t happen overnight, you can be working much sooner than you think. It all depends on your way in. For example, if you’re hired by an organisation without tech skills, cybersecurity qualifications, or a degree, they’ll typically help you get the cybersecurity certifications that are necessary for their specific work and get you shadowing another cybersecurity professional’s work. Depending on your experience and how fast you learn, you may get up-to-date on the latest trends and technology and be adding real value within a few weeks or several months. Apprenticeship schemes, like the UK Government Security Profession, referred to earlier and which is detailed here, plus larger consultancies, tech giants, and system integrators do this really well.
If your route in is via a training accelerator, chances are you’ll get access to foundational courses, extensive hands-on skill building, guided product training and possibly security clearance. Being full-time or part-time, and taking on average 12 weeks, these accelerators will either match you to an employer at the start of their programme or once you’ve successfully completed it. Typical job roles include tier 1+ SOC analysts, threat intel analysts, security consultants, compliance analysts, security engineers, technical analysts or penetration testers (hackers).
You can always self-learn, too, and if so one of the best entry-level certifications to get is CompTIA Security+. You can then build upon your skills via free, self-learning platforms like Cybrary, Immersive Labs, and of course YouTube. Then, connect with mentors or sponsors who’ll help you to network your way in.
Myth #8: Everyone in cybersecurity is aggressive and unwelcoming.
Cybersecurity has a unique culture. It has people whose job it is to be on the attack—the offensive, and those whose job it is to protect—the defensive. As a result, you’ll see some conflicting behaviour within it. Despite this, I promise you, when you join, you’ll find your niche, will fit in, and be warmly welcomed. The people make this industry fun, challenging and progressive. It’s why I’ve remained in cybersecurity for so long.
Myth #9: Cybersecurity is not for women.
Women are a perfect fit for cybersecurity as countless studies have shown how they see risk in a different way to men. Women excel, too, as they score highly when it comes to emotional intelligence (EQ), which is a key ingredient in relationship building, and often a better determinant for success in the workplace, leadership, and personal excellence than intelligence (IQ). In fact, a study found that women’s EQ can be, on average, four points higher than men’s, and they generally score higher on self-management, social awareness, and relationship management.
Women spot changing patterns of behaviour easily, especially when something doesn’t intuitively feel right. They tend not to fall for attacks that are being created just for men, and being compliant with rules, they’ve been found to embrace organisational controls and technology much more than men. It doesn’t make women better than men, but it does make the industry stronger when both genders work together, and the numbers are more balanced. It’s one of the reasons why there’s a drive to get more women working in cybersecurity.
Today, women in cybersecurity are growing in numbers. According to reports, between 15% and 24% of those performing cybersecurity duties worldwide are women. More and more are joining the industry, adding value and becoming visible role models for other women.
As I repeatedly advocate, cybersecurity is an exciting career choice with so many opportunities. Closing the skill and gender gap in cybersecurity would impact the world’s economy tremendously. For example, if the number of women working in cybersecurity rose to equal that of men, it would add $30.4 billion to the industry’s economic contribution in the US and £12.6 billion in the UK. Just imagine what good could come from that—more innovation, peace, stability, distributed wealth, and care for the environment. People being happier, healthier and more productive than ever before.
Now I want to hear from you…
- If you work in cybersecurity, help me bust some more myths. Which ones have you come across that aren’t mentioned? What’s the perception of cybersecurity but in your view just not true? Tell me in the comments below.
- If you’d like to know more about how to kick start your career in cybersecurity, or are a parent who thinks your child might enjoy it, please visit these exciting apprenticeship opportunities https://bit.ly/QACyberApprenticeships.
These apprenticeships present exciting, challenging and stimulating jobs in some of the key Government departments and agencies managing digital networks and information security risks impacting on all aspects of life in the UK. You’ll receive excellent on-the-job experience and training which will enable you to develop the advanced technical skills needed to prevent cybercrime, decrypt data, and clarify and resolve malware issues. The apprenticeship will also help you build a foundation level of knowledge in critical areas of cybersecurity, setting you up for a successful and rewarding career.
Finally, in the spirit of full disclosure, once more, please be aware that I’ve received compensation for promoting this #ad for QA, a specialist technology provider of learning and talent services.