Cybersecurity In-Depth

Companies Going to Greater Lengths to Hire Cybersecurity Staff

The cybersecurity market is red-hot. But with so many still-unfilled positions, companies may be more willing to bend or break some hiring rules.

Employers are desperately seeking to fill cybersecurity positions. The number of available cybersecurity jobs coupled with accelerated attrition due to the Great Resignation has led to companies offering ridiculously high salaries, a bevy of benefits, and free training and certifications to woo candidates. Even so, the candidate pool is limited. Employers are exploring ways to help applicants fill in the gaps in their experience so that they can be hired.

"The No. 1 thing anyone interested in cybersecurity careers should do is apply," says Justine Fox, principal product manager, technical, at NuData Security, a Mastercard company. "Most technology skills are adjacent to the needed cybersecurity versions, and there is no faster way to learn the role's required skills than in the role. Whether you are self-taught or formally educated, I encourage folks to apply."

Mitch Ashley, principal at Techstrong Research, echoes that sentiment. "Cybersecurity is no longer a network-centric skill," he says. "Security hiring is hopelessly behind, while software continues eating the world."

Cyber leaders must "widen the net" to bring in "talents beyond only traditional cybersecurity domains," he adds, and managers "must think more like software leaders and less like network engineers."

Hiring companies are also becoming more flexible about job requirements and creating opportunities to help fast-track people into the industry. There are also quite a few things people can do to strengthen their job applications and gain the skills they need, even if they don’t have the exact on-the-job experience being requested.

The increasing desperation is undeniably leading employers to "get creative to help fill roles and stay competitive," according to Dan Desko, CEO of Echelon Risk + Cyber.

Get Real, Fast
Given the flux in current hiring guidelines for nontraditional applicants, what skill or experience counts most on a winning resume? Real-world, hands-on experience. But how do you gain experience before you land a job in the field?

"A well-stocked GitHub page showing contribution to security tools and projects, a blog talking through security research, their bug bounty or vulnerability disclosure Hall of Fame listings – these are all practical ways to demonstrate and communicate real-world skills to a hiring manager quickly," says Casey Ellis, founder and CTO at Bugcrowd.

However you choose to do it, get real-world experience as quickly as you can.

"In many cybersecurity jobs, education requirements have become a thing of the past," says Peter Lowe, principal security researcher at DNSFilter. "Therefore, people looking to get into cyber should prioritize acquiring real-world experience and skills over diplomas."

Dive in on Open Source Projects
Indeed, open source projects are a prime place to get hands-on experience on the cheap.

“Two of the simplest ways to level up are engaging with the infosec community via social media, namely Twitter, and contributing in some small way,” Lowe says.

Picking an open source or open data project to contribute to is "a fantastic way to connect with others and begin developing techniques and skills required in professional environments," he adds. "Nothing big to start - just a way of having a thread to follow that will expose you to people and ideas. As a bonus, any public work and/or conversations you have are great proof points to show potential employers that you have a real passion for cybersecurity."

Try to Score an Apprenticeship
Apprenticeships are becoming more popular and more widely available.

"Apprenticeships are a great opportunity for cyberskills training because they provide practical experience and the opportunity to learn from someone else," says Demi Ben-Ari, CTO and co-founder of security and risk management company Panorays. "In addition, operational cybersecurity training, both defensive and offensive, is also a great way to build a broad skill set. Any opportunities for increased networking, programming, and resource utilization are essential to sharpening your cybersecurity knowledge and capabilities."

Apply From Within
Consider making a career change to cybersecurity from your current position at the same company. Many companies have programs to assist with training. Further, “known” applicants, in terms of work performance and willingness to learn, are often preferred hires over newcomers.

“At 1Password, we have several examples of individuals who have joined us and started in our customer support department and then moved into security roles, given the experience they built in front-facing roles with our customers,” says Katya Laviolette, chief people officer of 1Password, a password management company.

Leverage the Technical Skills You Do Have
Cybersecurity is a much bigger field than it used to be and now contains a growing number of specialties. Play up the technical skills you already possess because many of them will likely transfer to cybersecurity.

"Today, cybersecurity skills must be built upon disciplines new to security, coupling security with cloud, software development, scripting, automation, infrastructure-as-code, and [the] Internet of Things," says Techstrong's Ashley. "Cisco’s DevNet, for example, helps new and experienced engineers with Python courses, scripting and orchestration training, working with APIs, code exchange, exposure to MLOps, and sandboxes to learn, test, and play utilizing skills new to traditional cybersecurity."

Upskill Your Self-Taught Program
Self-taught is great but often not enough if that’s all you have.

"While [capture-the-flag contests] and other types of self-taught routes can help broaden your skill set as a practitioner, it is not a direct substitute for training and experience in terms of getting into the business," says Panorays' Ben-Ari. "In other words, the self-taught routes like CTFs or bug-bounty programs help increase knowledge, but in order to excel in the cybersecurity industry, you need practical experience that these exercises don’t often provide."

Security boot camps have their limits, too.

"There are many boot camps and programs out there, but these can only get you so far," Ben-Ari warns. Most only prepare you for junior positions, which is problematic because most companies looking to hire want some practical experience so you can excel instantly on the job.

The good news is that many security companies offer programs that can help you get more structured training too.

"Many security companies cater to those who are starting their infosec career and offer ‘pay-what-you-can’ training," says Brian Wilson, CISO at analytics software company SAS.

Draw from Free Hacking Resources
It’s often said that cybersecurity is more about mindset and problem-solving because the rest is just teachable skills. So if you possess the mind and the will, there are plenty of free resources where you can pick up the skills.

"There are a ton of free hacking resources on the Internet and a robust community of people dedicated to curating them," Wilson says. "One example is Awesome Hacking Resources on GitHub."

There are also several reasonable penetration testing lab websites to virtually test your skills to “see if you have what it takes in different security arenas,” he adds, citing HackTheBox as a popular example.

Find Your Own Mentor
Seasoned mentors are invaluable to aspiring professionals, midcareer pros, and mentors, too. Many companies assign mentors to new hires, and those programs are often worth their weight in gold, or at least in better security for company assets. But if you aren’t yet employed or your employer doesn’t offer a mentorship program, other resources are available.

"A great strategy is to seek out mentorship opportunities via local security organizations like ISC2 or regional Defcon organizations," Wilson says. "Similarly, consider checking out cybersecurity-focused Meetup.com groups, many of which are free. These avenues can help newcomers to the field network while sharpening their skills."

The Lowdown on Certs
Wondering about the value of certifications? Almost everyone wants to know where those fit into the new hiring requirements.

"Certifications can certainly help when obtaining initial jobs, [but] they lack importance the longer you remain in the field," says Ben-Ari. "Furthermore, your experience in the industry will quickly become the most valuable aspect of your cybersecurity resume."

However, some certifications prove your chops better than others.

"My employer recognized my certification, the eJPT, as a hands-on baseline to demonstrate my skill," says Lily Clark, a former communications specialist-turned-cybersecurity consultant at Echelon. "Pairing that with CTF experience and activity on platforms like HackTheBox and TryHackMe gave me the confidence that I was prepared for the next step."

Show the Stuff You’re Made of
In the end, the “proof” you need isn’t documented on paper or in pixels.

"On the talent development side of the house, we look for those who exhibit the underlying values that we see as critical for a firm like us, and couple that with a strong ability to learn," says Echelon Risk's Desko. "Once we find those people, we help turn them into cyber superstars."

Clark, he says, is "an incredible inspiration to us all, but also a great success story that shows others what is possible. Also notably, we have a former family counselor on staff who is now a senior cybersecurity consultant."