Cybersecurity Career FAQ 2022

There’s a lot going on in Cybersecurity and Information Security so let’s just answer a few of the questions I get on a somewhat regular basis. This post will more than likely contain some subjective or anecdotal answers where appropriate but I’ll do my best to link, cite, and credit objective or better educated sources than myself.

Is it hard to get into Cybersecurity or Information Security?

As mentioned in a previous Myth Vs. Fact post, and commonly referenced as “the way”, the answer is: “It depends”. The truth is that today it’s much easier to find a more prescriptive route into the security field, be that the larger InfoSec industry or the more granular Cybersecurity (sometimes they’re used interchangeably, but they DO have different meanings). The truth is also that there’s a massive issue, and opportunity, in the bridges between Human Resources and security. More than a few job descriptions are inherently contradictory, while others are sometimes downright misleading. It’s still very true that security is tough to get into, that survivorship bias is prevalent, and that there’s a “you should suffer because I did” crowd. However, there’s a growing movement of new routes into the field, empathetic and servant-style leadership, and a much more concerted effort to bring the technically inexperienced into the fold, because good people are just good people, and the technical side can be taught to a fairly reliable degree.

What’s the hottest area in security right now?

While the standard answer is definitely still “Anything cloud”, I’m also typically found in Twitter threads going out on a limb saying that GRC, technical writers, product/project managers (whatever your company calls a PM), and risk managers, be they Third Party/Vendor, Insider, or otherwise, are on the rise. I’m seeing a lot of interesting discussion around teams controlling what they can control, and using some of the available data which indicates that a breach doesn’t affect reputation as much as we’ve been screaming about for years now. The link there shows that, sure, a breach might affect share price, but to me that doesn’t constitute causality; I’ll take a 3% dip in share price >6 months after a breach. Instead the focus should be moving to uptime/availability, meaning that if your product can’t bring in $$, that affects the share price quite a bit more. So for my money, we’re also going to see a convergence of reliability engineering and security, if not a shared responsibility or reporting model, at some point in the future.

What kind of company should I look for?

This is tough only because everyone’s experiences are vastly different, even inside of an organization. You’ll find every company has micro-cultures inside the larger culture that could be an amplification of the organization’s culture, or a divestment from it. As an example, it’s hard to say that a Marketing team will have the same team vibe as Security, Sales, HR, or Accounting. However, if you use sites like Glassdoor, BuiltIn, LinkedIn, or Blind, you can get a decent finger on the pulse. The word of caution when using any of these platforms is going to be similar to looking up restaurant reviews: people are more likely to leave a comment about a negative experience than a positive one.

That all being said, there are arguments for and against FAANG, and there are arguments for and against other routes like mom and pop shops, MSPs, or startups. Since 2020 we’ve also seen a massive embrace of remote work, so there’s really only a marginal risk in looking at remote or hybrid roles. When it comes to what kind of company, you need to reflect and understand what you want. Smaller companies, or newer/small teams within established companies, can give you a chance to be a utility player who does it all and is there building from the ground up. Larger companies can be incredible experience but can also be more challenging if you’re looking for breadth in your experience. If you get into a large, established company and security program, expect to be in a fairly rigid role. Let’s say you land a vulnerability management gig: expect to do that and only that for a long time. If you’re looking to gain and hone a particular set of skills this might be perfect, but if you are like me and change focus almost on the hour, look for a small or growing team.

How might you find these teams? Well, the best thing is going to be making connections and chatting with people around these roles and companies, but getting interviews is also a great opportunity to ask questions. Whenever the interview starts to wind down, the interviewer typically will throw it to you for questions; never leave an interview without asking any meaningful questions. In regard to this particular question, I would ask about current team size, planned headcount, longer term strategy for this team, what people management looks like on the team, what roles and responsibilities look like, etc. Now that’s a lot of questions, and that’s not even getting into the nitty gritty on the given role and expectations. What I’d likely do is *hopefully* break those out over a few conversations with the recruiter, hiring manager, and reporting chain.

There’s probably a lot more to look at too: consulting, security-focused companies vs. other industries like advertising, finance, etc., and much more. Maybe that’s a topic for another post and I can get some outside help!

What certifications should I get?

This is a post unto itself, but I think it deserves at least a little bit of addressing here. I’ve also mentioned it before in my Myth Vs. Fact post, so some of the ideas are going to be reiteration, but anything worth saying might just be worth saying twice!

Certs are a great way to prove your knowledge and competency in a given domain. That domain might be a specific platform or technology, an industry, or, in the case of security, the whole darn pizza pie. I personally have a few and most of them are valuable. Some were included in my Western Governors curriculum, while others I attained on my own (CISM). I can say I’ve gotten something out of all of them, either in the process or sometimes just by getting a conversation based on the letters on my resume. I may have to do an entire post on subjectively ranking the impact given certifications have had on my career, but for now my top is the CISM. This is because I learned massive amounts of information and shifted my school of thought on risk, business, and security through in-person trainings from the Denver ISACA chapter (and an incredible local guy, Mike, who also happened to be my involuntary mentor through the start of my journey). These in-person trainings were great (and free!) because the most informational sessions were conversational: we would discuss and debate a scenario or concept, and without a doubt this served me incredibly well in how to talk about risk in an enterprise, whether I am telling the C-Suite what is going on, asking IT to remediate something, or asking accounting to stop clicking links.

In summary on the certifications piece: there are a lot (this sheet is incredibly handy) and they’ll vary in their utility to your journey. My most commonly recommended path for those that are interested in certifications actually starts with CompTIA. Skip the A+ and go right for either Network+ or Security+ (as long as you have some tech background or foundation). Then I really enjoyed the CySA+ myself, because it was closer to the day to day analyst work and what you would actually see beyond some of the theoretical. If you’re ambitious (or maybe dumb?) like I was, you could just go right for the CISSP or CISM, but you should be aware that those are largely leadership/program style certifications. It’s not anomalous for a senior analyst or engineer to have a CISSP, but it becomes more common the more you’re in a position of leadership or overseeing a team. Most CISOs will have one or both, as will program managers, some GRC analysts, etc. Some of this is anecdotal, as I don’t have data handy on who has what across the industry or globe, but I do have data on the Colorado Security industry.

*note: The data referenced is part of the Colorado=Security 2022 Salary Survey. The results can be obtained by joining the group, but they are not owned by me, nor am I in a position to distribute the data freely.

In 2020, 47% of respondents had a CISSP, while in 2022 the number jumped to about 49%. The Security+, the second most prevalent certification in the data, shows up at 24% in 2020 and 29% in 2022. Maybe one of the most surprising jumps to me was the GSEC, which in 2020 was in the single digits (7%) and in 2022 jumped to 12% and was third on the list. From there we see a broader spread of the certification peanut butter, with many CEHs, CISMs, CISAs, and CCSPs. If you’re more of a dollar person, be assured that in the data from 2022 there was no significant correlation between the sheer number of certifications and total compensation. So in short… say it with me: “it depends!”

Final Jeopardy

The last question of the day isn’t a question at all; it’s an ask of myself to you, dear reader. If you’re in or looking to get into cybersecurity, turn around and extend a hand back to those trying to get over that wall. There were a few people in my journey who did just that, and I would not be where I am today without those individuals. Be that person for someone else, and until next time: stay vigilant!