7 Tips for Infosec Pros Considering a Lateral Career Move
Looking to switch things up but not sure how to do it? Security experts share their advice for switching career paths in the industry.
Cybersecurity professionals have their pick from a diverse range of specialties within the industry, from network security to penetration testing to incident response. It's not uncommon to switch specialties over the course of a career. The question is, how do you go about changing?
"As part of normal [career] growth, I've noticed people want to move into different areas," says (ISC)2 CIO Bruce Beam. Some people may not make the jump from offense to defense but instead switch from security operations roles to positions more focused on compliance.
A lateral career jump can be beneficial not only for security pros, but for the industry overall. The ability to move from job to job is needed because it introduces different perspectives into the workplace, says Kayne McGladrey, member of IEEE and CISO at Pensar Development.
"Right now we have an unprecedented challenge in hiring a diverse workforce in cybersecurity," he explains. Still, it's more difficult for some practitioners to make a transition because of obstacles in the hiring process. It may be easy for a Certified Ethical Hacker to apply for a job seeking the CEH, for example, but someone without that certification may be filtered out.
"Human resources, in a lot of organizations, has become a regulatory control function and inhibits hiring because of its focus on certifications," McGladrey says. This is partly why it's difficult for blue teamers to jump to the red team, a process that "looks to be an insurmountable and very difficult series of certifications," he points out.
Another challenge for infosec pros seeking a lateral career move is the lack of time spent in their desired area of expertise. If HR sees two applicants with the same skills, but one has been in the related role for two to five years, they're more likely to pick the one with more experience.
"In cybersecurity we have a slightly more pronounced competition for talent, but also people change jobs more frequently in cybersecurity," McGladrey says. It's not unusual to meet a CISO who has held three different jobs in the past five years, he points out. In an industry where professionals commonly love learning and seeking new challenges, it's likely they'll also want to test new career paths.
For security practitioners who want to work in a new area of the industry but don't know how to go about doing it, McGladrey and Beam share their steps and advice. How about you? Have you made a lateral career move? What tips would you offer security pros? Feel free to share your thoughts in the Comments section below.
One of the advantages of swapping career paths today is the amount of available educational resources to help you prepare. "I think the first thing folks could do is start off with either free or low-cost online training to see if they actually like the work," McGladrey says. You might like the work and want to continue, he says, or you might get halfway through and think, "Well, that's terrible."
Either way, it's more practical to learn what you enjoy through an inexpensive course, rather than learn you dislike a topic in an expensive course that could cost thousands. Not sure where to start? StackSocial, Udemy, and Cybrary are all good places to find free or low-cost cybersecurity training, advises McGladrey, who says he is unaffiliated with the brands.
It can be intimidating to learn an entirely new skill set, especially if it's unrelated to your current role. That doesn't mean you shouldn't try, says Beam, diving into a story about how (ISC)2 unexpectedly found an application security hire.
The organization's development and Web teams were working together, trying to integrate security into everyday operations. They recognized a need for an application security pro and began to recruit, a process that proved difficult. "We could not find that person," Beam adds.
Going back to the drawing board, the team decided they could hire a security practitioner and teach that person the basics of development, or they could hire a developer and teach that person security. (ISC)2 found its answer in a developer with a strong .NET background. They trained him through in-person and online training courses, thereby filling a security-intensive position with an operational person.
"It's made a huge difference so far," Beam says. Jobs in cybersecurity aren't standard, and sometimes the right person doesn't have the expertise you initially think you need.
Assuming you take a course and enjoy the work, McGladrey advises seeking out professionals in the area where you want to take your next steps.
"Concurrently or right after, get on social and find out who's doing this," he says. "[Ask] what do they like and what they don't like about the work? What's the thing they wish they'd known before they took the role? What do they love or what really drives them nuts?"
Twitter, home to an active community of cybersecurity professionals, is a good place to start. "People are very open and willing to talk about their experiences and expertise in their careers," McGladrey explains.
LinkedIn is another useful resource where curious professionals can meet with recruiters who can help them take the next steps in their career paths. It's going to take several conversations, McGladrey says, but recruiters are generally open to chatting about employers' specific needs. The good ones will share what companies are looking for, irrespective of HR's job descriptions. Some may also give advice on a couple of things you can do to make your resume stand out.
"Getting a relationship established with a recruiter can give that insight," he adds.
It can be tricky to move from one specialty to another, especially if you're jumping from offensive security to defensive. "The first obstacle they face is they already have a full-time job," Beam says. "Now they need to learn a new toolset."
This swap from defensive to offensive will require you to change the way you approach your job. "When you're in a defensive pattern, you're planning, laying the traps and things that will allow a threat to be mitigated before [the attacker] can get anywhere," he explains. On the offensive side, you're testing those defenses, trying to find a gap to break in.
There's a "huge" mindset shift one has to take to go into an offensive nature, Beam explains, noting that transitioning from defense to offense is better than the other way around. Defensive security pros tend to better know the environment. Because they're accustomed to working with its regular maintenance and operation, they have a better grip on overall infrastructure.
On the flip side, offensive pros who want to transition into defensive security struggle because they are typically more specific in their skills: They go after Active Directory, for example, or after SQL injection and other Web issues. It's tougher to move into defensive security because they have to learn more operational capabilities.
It's one thing to be familiar with the skills you need; it's another to develop them. If you want to join the red team, there are online capture the flag (CTF) events, such as Hack The Box, where you can practice your skills in a live environment. McGladrey advises checking out local BSides events with a CTF component to see what it's like working with a team of people who have varying levels of skill. Is it rewarding? Do you find it too stressful? These are answers you'll want to know before making a career move.
"Do these things before getting a certification," McGladrey says. Those who have done online trainings, participated in CTFs, connected with professionals in the field, and chatted with recruiters are better positioned to pursue a certification -- if that's what they decide to do.
When you feel ready to find your next gig, start by searching for a business -- not an empty slot. Conduct a simple Internet search for the specialty or technology you want to work in and find companies providing that service. Look them up on Glassdoor to learn about their culture, and check Bloomberg or TechCrunch to see their associated financials. LinkedIn can show you whether you already know someone who works for the company.
Once you have a list of the top 10 companies you want to work for, reach out to recruiters on LinkedIn. Introduce yourself; say you're excited about this particular organization and why. Be specific and honest about why you would like to work there and the skills you can offer.
"It doesn't mean there's a job there today, but it does mean once you've made that connection, they'll be more predisposed to think of you rather than open [a job] up to the Internet" when an opportunity is open, McGladrey says.
It's never too late to make a lateral career move in cybersecurity, but those who are early in their careers have the opportunity to build a well-rounded background and better prepare themselves for a more diverse range of opportunities going forward, Beam says.
He tells the story of an (ISC)2 intern who was finishing her master's in cybersecurity and wanted to move into the education space to teach about it. Instead of jumping into that space, he advised her to build a range of experiences in different organizations, starting with the one she was in: a nonprofit without a lot of regulation but a large footprint of 150,000-plus members.
From there, he said, move to somewhere highly regulated -- a bank or healthcare institution, for example -- and learn from them. Then move into a SOC environment and build additional skills.
"If you really want to move into a full, well-rounded position, that's one of the things you need to do," he says. "We need to become a part of the business and be an enabler; to help them, say, 'I can do this' with a limited amount of risk."