We've been battling the cybersecurity talent shortage for more than a decade, yet the problem seems to be getting worse, rather than better. According to CyberSeek, right now, there are almost 755,800 cybersecurity job openings in the US alone.
Over the past year, there's been a lot written about how companies are trying to close this gap by considering candidates with nontraditional backgrounds — including people looking to make a career change. While it's encouraging that someone may want to jump into cybersecurity, actually understanding how to make such a move can be difficult.
Let's face it: Making a career change is scary. It's completely unfamiliar territory. How do you even begin a career in cybersecurity? What steps are required? Do you need certifications before applying to a position? Do you need a degree? These are all real and relevant questions, and there hasn't been much guidance on how aspiring cybersecurity professionals can go about making a switch.
With both a bachelor's and a master's degree in elementary education and teaching, I recently went through this process and had to find my own way, with very little outside help. So, it has become a passion of mine to help others in a similar position — no one should have to go this road alone.
Here are five practical steps for pursuing a new career in cybersecurity.
- Reflect on the reasons you want to get into cybersecurity: Don't make the career change because the grass seems greener or the pay seems higher. Really take the time to understand why this change resonates with your personal core value system. The old adage "If you love what you do, you will never work a day in your life" is applicable here. Make sure you're getting into cybersecurity for the right reasons.
- Research different cybersecurity career paths to determine which you're most passionate about: The job possibilities in cybersecurity are endless. If you want a technical role, applicable positions include designer/architect, defender, hacker, responder, auditor, and manager. If a less technical position is more up your alley, consider getting into education and training, conducting risk assessments, getting into marketing or HR, or becoming a salesperson. Whichever direction you choose to take, make sure your core cyber pathway aligns with your persona.
- Look at your own job board: Once you know which cybersecurity path you want to explore, look at your current company's job board to see which positions are open and if any of your skills are transferable. Don't worry if you don't have all the job qualifications listed — certain expertise and experience you do have could outweigh what you don't. For example, common "soft skills" required for many jobs across industries — such as being a life-long learner, a problem solver, or an effective communicator — are now essential to cyber roles and valued as highly as technical skills.
- Network: If you need to look outside your company for a cybersecurity role, think about who you know who could make a connection on your behalf. Joining industry and local cybersecurity groups is a great way to network. Women in CyberSecurity (WiCyS), which has a mission to "recruit, retain and advance women in cybersecurity," is an example of one such organization committed to networking and support.
- Leverage the resources available to you to gain cybersecurity experience: For example, (ISC)² offers a free Certified in Cybersecurity Certification to help individuals kick-start their career. (I took this exam myself and found it very helpful and relevant.) Don't worry too much about overloading on certifications upfront, though. These can come down the road, if you decide to specialize in a certain area.
A Note to Hiring Managers
Entry-level cybersecurity job descriptions are deterring career changers (and recent graduates) from applying to open positions — and this in and of itself is contributing to the talent shortage.
Often, the requirements within entry-level job posts are unrealistic. For example, many require a Certified Information Systems Security Professional (CISSP), which can be attained only after five years of experience. How can an entry-level candidate already have five years under their belt? They can't. Cybersecurity professionals do not need a college degree to be successful. Post-secondary vocational schools, online training courses, and even self-learning can give candidates the skills they need to succeed.
We need to reset expectations, and the best way to do this is by having cybersecurity teams in need of new employees work directly with hiring managers to fix the disconnect between job descriptions and the actual qualifications needed to be successful in an entry-level cybersecurity role.
It's All About Support
Just as cybercriminals band together to go after victims, we in the cybersecurity industry need to collaborate too — not only to defend against bad actors but to help each other succeed. When security teams are fully staffed, companies' defenses against cybercriminals will be stronger. And we can help fill these open positions by supporting people who want to jump into cybersecurity, providing the resources they need to be successful, and helping to correct hiring managers' misperceptions of entry-level job qualifications. When we come together as an industry, we can truly make great strides to overcome the cybersecurity talent shortage.