How to Start a Career in Cybersecurity and Become an Expert

CyberSecurity Illustration

Cybersecurity is a continuously growing industry. Every year, thousands of people decide they should pick up the field, either as a transition from another IT field, as new graduates, or even as high school seniors looking for a career path with growth opportunities.

The Bureau of Labor Statistics estimates information security analysts – one of the more common entry-level cybersecurity roles – is growing at the above-average rate of 31% per year. Forbes estimates that there will be a global shortage of over two million cybersecurity professionals, if not more, in the upcoming future.

Top Paying Analyst Jobs

Moreover, the global pandemic has proven to be more than just COVID-19: cyber-attacks are taking advantage of weaknesses in work from home infrastructure, while increasingly targeting healthcare providers in their time of need.

In short: cybersecurity is a booming industry, and there’s no better time to get into it than now. The only question is, how do you do it?

Starting a Cybersecurity Career

There are a lot of different ways to break into the cybersecurity realm as part of your career path. You can go with something informal or formalized, something with an emphasis on security from the outset, or something entirely different. Let’s look at some various career possibilities.

The self-starter. The self-starter is a student who, rather than pursuing formal education, simply reads books, takes tests, and leads with hands-on experimentation. You may have heard stories of people who grew up learning to program their Apple ][, or more modern versions, playing with Arduinos and Raspberry Pis. This is the kind of self-motivated person who learns because they’re truly interested in the subject and grows their knowledge based on what they encounter as they learn.

These people buy and read books. They take classes through sites like Udemy. They set up experimental environments just to play around with them and see what makes them tick. They take courses and earn certifications more to see if they can do it than to leverage them specifically.

CEH Example Certificate

These people enter into a cybersecurity career in one of two ways. Either they leverage their interest to earn a few certifications and use those to get a job, or they hunt for bug bounties. Bug hunters are often picked up as “white hat” hackers and cybersecurity specialists, or as penetration testers working for independent firms.

The IT generalist. The IT generalist is someone who loves computers, software, hardware, networking; all of it. They learn anything and everything they can about IT, but they don’t necessarily know where they want to go. IT generalists often go through formalized schooling, whether it’s a traditional four-year degree, a business-focused Computer Information Systems degree, or a specialized degree path.

Generalists often earn degrees in IT and use those to get them an entry-level job, though they don’t always get the degree first, so long as they can demonstrate their abilities in practical skills tests. They might start as systems administrators, IT support workers, web administrators, or network specialists. Once they’ve obtained employment in IT, it’s easy to pivot; they earn their certifications and leverage those to move into a more security-focused role.

IT Specialist

The cybersecurity student. The cybersecurity student is someone who knows from the outset that they want to get into security. They love the cat-and-mouse game – the arms race between malicious actors and defensive developers, and the idea of being responsible for the security of an entire organization. They might pursue a specialized degree path, or they might simply focus on earning as many relevant certifications as possible. Either way, they know what they want to do, and they pursue it. They aim for a cybersecurity job from the outset and grow within the role from there.

The developer. Developers take a slightly different path. They know they like computers, software in particular, and they work to learn how programming languages work. They might be web developers, front-end developers, or full-stack developers.

Once they’ve established themselves in a developer role, this IT worker might decide they want to do something a little more dynamic or security-focused. Maybe they realize they’ve always been concerned about the security of the apps they develop. Maybe they take a test or a course and decide they really like it. Maybe they’re just fascinated by complex problems with deep implications for security as a whole.

Example Python Script

These are just some of the many possible entry points into a security career. The important thing to realize is that it’s not about your security skills, your development abilities, or your knowledge. Instead, it’s all about your willingness to dig in and learn, your ability to adapt to rapidly changing circumstances, and your motivation to grow.

Picking a Goal in Cybersecurity

“Cybersecurity” as a whole is a large and varied industry. There are just as many career paths within it as there are other realms of information technology. Also like other forms of IT, the skills you learn in one can transition to another, if you decide you change your mind along the way and want to pivot. Nothing you learn will be wasted.

Yellow Orange and Red Team

That said, it can be helpful to have a specialty in mind. Here are some of the options you might consider:

  • Security Operations. Members of the security and operations team for a company are the active defenders. They’re the guards that patrol the walls, the detectives that trace threats and intrusions, and the developers who engineer solutions and harden systems against further attack. They’re the front line of defense against malicious actors across the board and are responsible for the safety and security of the employees and customers of the organization they work for.
  • Threat Managers , or “Orange Team”. Threat managers for an organization may be employees or they may be contractors and consultants. These specialists have an informational and educational role. They spend their time reading up and learning about the most cutting-edge threats, monitoring security advisories, watching the news, and joining mailing lists. They help inform companies of the current threats they face and issue advisories of their own to their organizations. This can also be considered the “Orange Team”.
  • Offensive Security, or “Red Team”. The “red team” is the array of roles in cybersecurity that simulate attacks without being malicious. They include organizations that develop phishing attacks to train companies about security. They also include ethical hackers who search for exploits and bugs to penetrate systems, so they can instruct a company on how to fix them. They attempt to crack systems in a safe way, to illustrate a threat and demonstrate a solution, before malicious groups can do it and damage a company.
  • Security Assurance. The security assurance team is an associated cybersecurity team that doesn’t get its hands dirty with the code, firewalls, and software necessary to secure a company. Rather, they focus on the human element, with company policies, compliance, regulation, and enforcement. They’re the liaison between the cybersecurity team and the business managers who make company decisions, and they have an important role in getting companies to take their security seriously.
  • Security Researcher. Researchers are sometimes employed by a company, sometimes freelancers, or sometimes self-employed. They position themselves on the front lines of the security fight, using honeypots to capture malicious actors and study them. They identify new threats and figure out how to prevent them from happening. In a way, they’re similar to both Operations and Red Teams, in their role in securing an organization. These people may also be whistleblowers against companies who are informed of vulnerabilities but do not address them.

Again, these are just a few of the available career paths and the list is more a collection of categories than particular careers. Each one offers a different emphasis, a different skill set, and a different array of knowledge, but they’re all interrelated in the vast field of cybersecurity.

How to Grow from Novice to Expert

Let’s say you’re already starting your cybersecurity career, and you already have ambitions. You want to be an expert. You want to be the person that other people turn to when they have a question. You want to be the person cited on Twitter or the security blog network for your expertise. You want to be a mover and shaker in the security sphere. How do you do it?

Growth in cybersecurity is both formal and informal. On the formal side of things, you have two aspects to consider.

First, you have to consider certifications. You’ve probably seen or earned some of the entry-level certifications like the CEH or the CompTIA Security+. That’s basic stuff. Next, you need to start looking for the more advanced certificates, like the CASP+ (CompTIA Advanced Security Practitioner). Certifications are signs of knowledge issued from an authority that tests for that knowledge, so they’re important for gaining recognition in the industry.

CEH Test

Second, you need to advance your career position. Within your career and your organization, you likely see a career path ahead of you. Look at what your boss does, and identify the steps you may need to take to take over for them or to take their position in another company. Don’t be afraid to move from one organization to another, when the job title and responsibilities increase.

Informally, you have to focus on building a reputation. You don’t want to be defined by your certificates; you want to be defined by who you are.

To this end, many of the most self-motivated cybersecurity specialists frequently attend security conferences and hack-a-thons. Conventions like DEFCON are excellent for growing connections, networking, competing against others in your space, and even experiencing some gray-hat hacking along the way. Attending TED to watch security-focused presentations, joining mailing lists like Krebs or US-CERT, they’re all great ways to tap into the community at large.

Defcon Conference

Many experts in cybersecurity do not follow a traditional career path. They reach a mid-level role, or they’re self-starters who never quite fit in with the corporate culture, so they strike out to make a name for themselves. They might start working with organizations that hire unorthodox freelancers. They might start their own consulting firms so they can guide their own paths. This is common, especially amongst red teams and researchers.

It also helps to have a specific end goal in mind.

  • Do you want to be a security director or a Chief Security Officer for a company? The executive and management paths are more for you, and you can benefit from extensive experience, networking with other professionals, and growing your managerial skills.
  • Do you want to own your own company and guide your own path? Building experience in both cybersecurity and in business management is important. Your “day job” is, to an extent, a means to gain this experience and the connections you need to gain your first set of clients.
  • Do you want to work for the government? Whether you join a civilian contractor or a military security arm, the government has its own realm of concern, including foreign state actors and high-level threats not seen much of anywhere else. It’s a high pressure but rewarding career path.
  • Do you want to be an independent researcher? Building your online presence and reputation is a must; the experts in the space don’t care about your certifications, they care about your results. Learn, grow, and do. Your results speak for themselves.

Regardless of your end goal, there is one thing that drives cybersecurity workers more than anything else, and that’s a fascination with modern internet security itself. Learning all about it, whether it’s the math of random numbers, the details of quantum cryptography, or the cutting-edge vectors threats use to attack systems, curiosity is the key to success.

Start with your education, whether it’s formal or informal. Earn your certifications and prove yourself in entry-level positions. Learn, grow, and experiment in different realms of cybersecurity to find a specialty that suits your interests. From there, it’s the wild west; you can carve out your own place in the world, join existing organizations, or strike out on your own to become a figure that others use as inspiration. It’s all there within your grasp; you only need to take the first steps.