I’ve been fortunate to work in a wide diversity of cybersecurity roles over my two decades in the field – from operations, services, consulting, vendors, managed service providers (MSPs) and more. I’ve hired hundreds of professionals from senior, experienced leaders to green new recruits. Here are some tips I have for those looking to select, build, land and grow their cybersecurity careers.
It’s not one job, it’s 50.
I often get asked about specific, detailed technical requirements – certifications like CISM and CISSP, SANS training, specific vendor technologies, degree programs, programming skills. When I ask people what type of role they are interested in, I often get confused answers – people who don’t really know what type of role they want. There’s such a huge diversity of jobs – technical, operational, governance, leadership, support, dev, red team, blue team – that there is no one set of skills or experience that leads to success.
Start by identifying the type of job you want or are suited for based on previous experience or skillset. If you come from IT or appdev, it may be a technical role. If you come from project management or business, it may be governance. Talk to professionals at events to get a sense of what they do in their jobs day to day, and then select a career track that appeals to you. Once you know the track, you can dive into the specific qualifications that will help you be successful.
That being said, there are three characteristics I’ve seen again and again in successful professionals:
- A hunger to learn. You might have heard of the “cybersecurity is an ever-changing landscape” cliché. We always hear it simply for one reason: It is true. As a cybersecurity professional, it is our responsibility to be on top of the security trends and ever-changing technology. Every day, we have access to a wide variety of cybersecurity resources: webinars, blogs, analyst reports, online training and podcasts are just a few examples. Perhaps, you have already taken the first step of your learning journey by visiting ISACA and reading this blog. Congratulations – continue exploring and enriching your knowledge. Know that this learning will never stop.
- Make mistakes and learn from them. If you aren’t making mistakes, you probably aren’t feeding your hunger to learn. When it comes to cybersecurity – no matter if the mistake you made was big or small – it is crucial to embrace it and apply what you’ve learned from the experience to projects you are working on. Otherwise, you run into unnecessary risks. Learning from mistakes sounds easy. It’s not. You need to fully understand what went wrong and how to fix it next time you’re in the same situation. Follow these steps when you do your “post-incident” analysis:
- Acknowledge your errors: Accept full responsibility for your role in the outcome.
- Reflect on what went wrong: Look at the bigger picture. What could you have done differently? What drove you to make the wrong decision?
- Avoid making the same mistake again and again: Increase your chances of success by writing out a plan that identifies the correct approach you should take next time.
- Adaptive communication. Problem-solving is a significant part of cybersecurity. Often, cybersecurity professionals need to work collaboratively with their team members to brainstorm solutions and strategies. No matter what your role is in security, it is important to communicate well with both team members and clients to succeed.
Among the clients I have talked to, many of them felt intimidated and overwhelmed by cybersecurity. A good security professional is able to serve with empathy, have the ability to clearly address security issues, as well as develop an approach to help businesses stay secure. If you are able to do this, stakeholders will feel fully supported and trust you more.
Cast a wide net when looking for work
The most common mistake I see in professionals looking for that first, or fifth job in cybersecurity is they cast too narrow a net when considering options. They are looking for a CISO role in a hot tech start-up. They are wanting to be an independent pentester but have no ability to represent their work to the market. They’re looking to create great compliance programs but limit their applications to the big four consultancies.
There are millions of cybersecurity jobs available in the market, but you have to know where they exist. Here are some places to look:
- Inside companies – the smallest bucket. Large companies will have SOC teams, security analysts, CISOs, etc. Small companies will only have a single analyst trying to keep the lights on and deal with a million challenges.
- Security vendors – from small to large, one of the great things about vendors is that everyone is there to make security better for their clients. A diversity of roles from sales to marketing to delivery and tech support can provide entry points for people of all levels of seniority. There are lots of jobs here and opportunities for lateral movement in larger companies.
- Service providers – whether it is the security arm of an IT MSP, an SOC analyst role for a managed security services provider or the DevSecOps team in a large SaaS provider, service providers are a great place to not only experience a diversity of security activities but also live the experience of a ton of customers.
Security can be incredibly rewarding – lifelong learning, an opportunity to do meaningful work. Build a strong network by participating in communities like ISACA, learn from others, cast a wide net, and you can develop a great career.
About the author: Michael Argast is an experienced cybersecurity professional with over 20 years of industry experience. He is the co-founder and CEO of Kobalt Security Inc., a rapidly growing cloud-focused security services provider. Kobalt works with over 100 cloud-focused technology companies to help ensure the security of their organization and cloud infrastructure. Kobalt’s experience across AWS, Azure, GCP and a wide range of SaaS services is unique in the security services industry.