Breaking into Security Careers – 2018

Cyber Careers

Cybersecurity continues to be a hot career field with many job opportunities. This means more and more folks want to break into it. A common question I’m asked is, “How do I get a job in information security / cybersecurity?” We continue seeing people who are interested, but don’t know the steps it takes to start or extend a cyber career. This blog post answers the question, “How do I break into (the) security (career field)?” It’s updated from my 2014 and 2015 blogs.

Career Triad

To get hired as a security professional, you need a mix of experience, education, and certifications. It takes all three to not only land the job, but also be successful in it.

1. Education: With education, you learn how to learn. Cybersecurity is a vast field and it’s nearly impossible to know everything. You need to be able to learn and adapt quickly to new technologies, situations, and processes. Education also builds the soft skills of critical thinking and communications. It’s readily available both online and in-person through local universities and training partners like CyberVista or Cybrary.it. It’s hard to study on your own. These resources provide you with expert instruction and guidance to not only pass the certification exams but also gain knowledge to succeed as a security professional. When looking at formal education, seek out 2 or 4 year schools that are designated Centers of Academic Excellence in Cyber Defense by the NSA and DHS.

2. Experience: You gain experience and a fine-tuning of your abilities through work, volunteering and building your own home cyber playground. Almost every job today has an aspect touching technology. Do your homework and learn all you can about it. Ask others if you don’t know. It’s also easy and inexpensive to build your own home lab or playground. Finding an old computer or getting a Raspberry Pi and learning Linux is a great technical experience builder. You can also gain experience by volunteering to help secure a local non-profit, your church, or other community organization.

3. Certifications: IT certifications get your foot in the door and help you move up in your career by showing employers you have the skills they’re looking for. CompTIA Security+ is and has been the optimal starting point for security certifications. It helps you prove basic competency in topics such as threats, vulnerabilities, and attacks, system security, network infrastructure, access control, cryptography, risk management, and organizational security. Don’t stop there. Keep your career moving by building on it with other ones like the CompTIA cybersecurity certifications (CySA+, CASP, or PenTest+). CompTIA CySA+ and CompTIA PenTest+ delve further into the cybersecurity specialty, validating the complementary skills of offensive and defensive cybersecurity teams. If you’ve been in cybersecurity for a while and want to remain in a hands-on enterprise security, incident response and architecture role rather than moving into management, CASP is for you. Once you’ve gained five years of cyber experience with those certifications, you’ll be ready for advanced cybersecurity certs like (ISC)2’s CISSP or ISACA’s CISM or CISA.

Once you’ve decided that cybersecurity for you, decide on your career track. Cybersecurity is both vast and wide and covers a myriad of jobs. Figure 1 shows the high-level cybersecurity careers. Don’t try to do or be everything for everyone. What cyber job excites you the most? In which one(s) do you have even a little knowledge and skill? Base your decision on your strengths, interests, experiences, and future goals.

Cybersecurity Career Paths

Once you’ve decided that cybersecurity for you, decide on your career track. Cybersecurity is both vast and wide and covers a myriad of jobs. Don’t try to do or be everything for everyone. What cyber job excites you the most? In which one(s) do you have even a little knowledge and skill? Base your decision on your strengths, interests, experiences, and future goals.

The NIST National Initiative for Cybersecurity Education (NICE) is a great resource for cybersecurity career information. The NICE Cybersecurity Workforce Framework, aka NIST Special Publication 800-181 is a national focused resource that categorizes and describes cybersecurity work. CyberSeek provides detailed data about supply and demand in the cybersecurity job market. Use it to see where and what the cyber jobs are through interactive maps and career pathways. NIST NICE provides numerous other resources invaluable to cybersecurity job seekers. The nice thing about these (pun intended) is that it’s all free.

Security Professional Traits

The following traits are common among successful cybersecurity professionals. Having each will differentiate you from others when you’re hunting for a job or looking for a promotion.

  • Curiosity – A wonder on how and why things work. All hackers are curious.
  • Critical Thinking – goes with #1. You need to go beyond the obvious and be able to analyze your environment to best fit business needs.
  • Communications skills – you can find the coolest things, but if you can’t effectively let others know, it’s like a tree falling in the forest. Build your ability to both write and speak. This is where education can help.
  • Technical Skills – You need to know your way around computers, networks, and applications. Understand what’s happening under the covers. You should build this both on-the-job and on your own.
  • Maturity – Stuff happens. You need to be able to keep your head when all h311 is breaking lose.

Each are discussed in more detail in Eric Steven Raymond epic paper from 2001, “How to Become a Hacker,” which should be required reading for all cyber professionals.

Join the Community

The last piece of advice is for you to join a local or national cybersecurity organization. ISSA, ISACA, (ISC)2, and OWASP have chapters throughout the World. They provide access to expert instruction on cybersecurity topics. There’s also tremendous power in networking (the human kind). Most jobs are found through someone you know. Plus, at their meetings, you’ll can meet other passionate cybersecurity and IT professionals to help you jumpstart or extend your cybersecurity career.

For more ideas on breaking into cybersecurity careers, I recommend Launch Your Cybersecurity Career in 8 Steps from CompTIA: https://goo.gl/3aV74t.

Cybersecurity jobs are aplenty and it’s a great career. It’s up to each worker to set her/his own path. Use the ideas above and share others.

Applying for an Internship

I’m often approached by students who are wondering what they need to do to become more marketable for an internship.  First, pursuing an internship is a great way to build practical experience and also a way to show your skills to a prospective employer.  These are competitive positions however and there are a few things you should keep in mind on your journey to secure a position.

Generally an internship is going to be most beneficial after you have completed the first year of your program.  That means by starting to consider an internship early you still have time to make yourself more marketable.  Employers are going to be looking for someone they can benefit from with the potential of hiring in the future, that means you need to be competitive with others.  You should assume that everyone applying for the internship will be enrolled in a similar college program to you, so your grades need to be competitive.  This is where most students stop, “I have good grades, hire me.”  Unfortunately, that is often not enough.  Here are some other actions you can take to become more likely to likely to secure that coveted position.

  • Any IT work you can do is valuable to put on a resume.  That may mean working a help desk but that is a starting position.  Some organizations are also looking for volunteers to help with setting up networks or administering systems.  A good place to find these opportunities in your area are professional groups – see next bullet.
  • Become a student member of ISACA, ISC2, OWASP, ACM, IEEE, or any other cybersecurity focused professional group in your area.  Find a group that has a local chapter (google for those organizations in your area).  They have speakers that provide great info and you make good connections for potential internships/jobs
  • Practice learning skills in a home lab. Start by downloading VM-Ware or Virtual box.  Both have free versions.  These allow you to set up a virtual machine on your computer.  Then load a linux version such as Ubuntu or Fedora.  Use your access to BU’s Microsoft Imagine site and download Windows Server – practice working through them.  You can set up a virtual network and share files between the machines to see how that works.  Our library has several good resources on those topics
  • Talk with our career center – http://www.bellevue.edu/student-support/career-services/career-services, they can help with info as well, especially with preparing for interviews, building a resume, etc.

CyberSeek resource for cybersecurity career information

NIST, in partnership with burningglass and CompTIA recently introduced  the CyberSeek resource for cybersecurity career information.   Per the NIST press release:

The CyberSeek tool fills in knowledge gaps so policy makers, employers, security professionals and others will have greater visibility into the demand for cybersecurity professionals around the country. It will allow them to see the skills and types of workers that employers are looking for, as well as the true supply of professionals to fill those positions.

If you are looking for that initial job in cybersecurity, identify the skills you need to improve, or get ideas on how you can progress in your cybersecurity career I highly recommend spending a few minutes on CyberSeek.org

 

NIST publishes draft Cybersecurity Workforce Framework

It probably comes as no surprise to most that demand for cybersecurity professionals continues to rise.  The U.S. Department of labor projects an 18% growth in computer and mathematical occupations during the period 2012-2024. Unfortunately, 52% of IT professionals surveyed in a recent ISACA and RSA Conference survey stated that fewer than 25% of all job applicants were qualified.

One effort to address these shortfalls was recently updated with the publishing of the draft NIST Cybersecurity Workforce Framework (NCWF), NIST SP 800-181.  The NCWF provides information about cybersecurity work roles, the tasks performed by individuals filling those roles, and the knowledge, skills, and abilities needed to complete those tasks successfully.  The document is open for public comment through January 6, 2017.

*Additional cybersecurity workforce demand statistics  are available in this infographic published by the National Initiative for Cybersecurity Education here.

An Introduction

I wanted to take a quick moment to introduce myself.  I’m Professor Douglas Rausch and have recently taken over the role of the Cybersecurity Program Director from Professor Ron Woerner.  Ron has moved back to industry but don’t worry, he is still an adjunct Professor in the program at Bellevue and I’m sure will still be an active contributor to this blog.

I joined the full-time faculty at Bellevue about a year ago after serving in an adjunct position for about a year and a half.  Although I taught across both the undergraduate and graduate programs my focus was as director of the undergraduate cybersecurity program. That changed with Ron’s departure and I now oversee both programs.

Prior to joining the University, I spent 26 years in the Air Force as a communications and cyber operations officer.  It was great fun and an exciting time.  As with all of our instructors, I use those ‘on the job’ experiences to take the foundational concepts we teach in the classroom and provide thoughts on their application to the challenges you will meet each day as a cybersecurity professional.

rausch-web-hs-medWell, that’s a little bit about me.  I’m looking forward to using this forum to discuss the evolving world of cybersecurity as well as some of our activities here at the University.

Cheers
Doug

Accelerating cybersecurity education to meet industry demands

Seasoned information security professionals now have another flexible option to complete a Masters of Science in Cybersecurity, with the Bellevue University accelerated cohort format. The new online degree program enables students to complete their degree in about 14 months, alongside other professionals in their field. The cohort group will take all of the required courses together and finish at the same time, sharing experiences and expertise along the way.

There are twelve classes taken two classes at a time, each lasting nine weeks following a set agenda.  All of the classes are held online, which enables flexibility with student schedules. When students complete the program, they will have attributes, knowledge, and skills needed by industry as a master information security professional.

The faster pace of these classes requires students to enter the program with a set of knowledge, skills and abilities in information security. Students accepted into the accelerated cohort format must be seasoned professionals with a Bachelor’s Degree in Computer Science, Computer Information Systems, or Information Assurance/Cybersecurity, at least ten years of directly applicable information security experience, a major security certification (CISSP, CISA, CISM), and notable communications skills (published or spoken at conferences).  This allows a common frame of reference and skill level among all students.  In other words, students are learning with their peers and are able to share common problems and collaborate on solutions.

This program will be led by Ron Woerner, who has extensive academic and industry experience.  [See his bio here at http://academic2.bellevue.edu/rwoerner/.]  Ron is looking to work with students as professionals rather than the traditional teacher-student relationship.  Participants are encouraged to leverage their experiences and knowledge in completing the course work.  “I love joining people in their educational journey and learn alongside them.  I see my job as coaching them to that next level of their career rather than professing what I know down to them,” says Ron.

Students lacking the certifications and experience are encouraged to enter the traditional Masters of Cybersecurity program. This format allows students to take 1 or 2 classes per quarter term.  Twelve courses are required for graduation, however the traditional program allows students to pick their class schedule and concentration classes based on their preference.  This is more suited for people transitioning into the cybersecurity career field or looking for a more flexible program.

For more information on the Bellevue University Masters of Science in Cybersecurity programs, go to http://www.bellevue.edu/degrees/master/cybersecurity-ms/.

RWoerner-Class

Breaking into Security – 2015

One of the common questions I am asked is, “How do I get a job in information security?”  Infosec continues to be a hot career field with many job opportunities.  Therefore, we continue seeing people who are interested, but don’t know the steps it takes to gain employment in information security.  This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security.  It all started as a computer science major at Michigan State University. I was also in Air Force ROTC.  This combination allowed me to start developing my security mindset.  As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator where I learned how to apply technical controls to protect the systems and its data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity.  Traits to be successful in cybersecurity include:

  • Curiosity – A wonder on how and why things work
  • Critical Thinking – goes with #1. You need to go beyond the obvious
  • Communications skills – you can find the coolest things, but if you can’t effectively let others know, it’s like a tree falling in the forest
  • Technical Skills – You need to know your way around a computer
  • Maturity – Stuff happens. You need to be able to keep your head when all h311 is breaking lose.

The security community has a vast number of articles on breaking into the security career field.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years.  The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3 ½ minute Ted talk from Richard St. John: 8 secrets of success http://www.ted.com/talks/richard_st_john_s_8_secrets_of_success.html (Watch for his explanation of CRAP).  It’s great, general information on how to succeed in any career.