Thousands of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills. Here’s a look at a recent survey that identified some of the bigger skills gaps, and some thoughts about how those seeking a career in these fields can better stand out from the crowd.
Virtually every week KrebsOnSecurity receives at least one email from someone seeking advice on how to break into cybersecurity as a career. In most cases, the aspirants ask which certifications they should seek, or what specialization in computer security might hold the brightest future.
Rarely am I asked which practical skills they should seek to make themselves more appealing candidates for a future job. And while I always preface any response with the caveat that I don’t hold any computer-related certifications or degrees myself, I do speak with C-level executives in cybersecurity and recruiters on a regular basis and frequently ask them for their impressions of today’s cybersecurity job candidates.
A common theme in these C-level executive responses is that a great many candidates simply lack hands-on experience with the more practical concerns of operating, maintaining and defending the information systems which drive their businesses.
Granted, most people who have just graduated with a degree lack practical experience. But happily, a somewhat unique aspect of cybersecurity is that one can gain a fair degree of mastery of hands-on skills and foundational knowledge through self-directed study and old fashioned trial-and-error.
One key piece of advice I nearly always include in my response to readers involves learning the core components of how computers and other devices communicate with one another. I say this because a mastery of networking is a fundamental skill that so many other areas of learning build upon. Trying to get a job in security without a deep understanding of how data packets work is a bit like trying to become a chemical engineer without first mastering the periodic table of elements.
But please don’t take my word for it. The SANS Institute, a Bethesda, Md. based security research and training firm, recently conducted a survey of more than 500 cybersecurity practitioners at 284 different companies in an effort to suss out which skills they find most useful in job candidates, and which are most frequently lacking.
The survey asked respondents to rank various skills from “critical” to “not needed.” Fully 85 percent ranked networking as a critical or “very important” skill, followed by a mastery of the Linux operating system (77 percent), Windows (73 percent), common exploitation techniques (73 percent), computer architectures and virtualization (67 percent) and data and cryptography (58 percent). Perhaps surprisingly, only 39 percent ranked programming as a critical or very important skill (I’ll come back to this in a moment).
How did the cybersecurity practitioners surveyed grade their pool of potential job candidates on these critical and very important skills? The results may be eye-opening:
“Employers report that student cybersecurity preparation is largely inadequate and are frustrated that they have to spend months searching before they find qualified entry-level employees if any can be found,” said Alan Paller, director of research at the SANS Institute. “We hypothesized that the beginning of a pathway toward resolving those challenges and helping close the cybersecurity skills gap would be to isolate the capabilities that employers expected but did not find in cybersecurity graduates.”
The truth is, some of the smartest, most insightful and talented computer security professionals I know today don’t have any computer-related certifications under their belts. In fact, many of them never even went to college or completed a university-level degree program.
Rather, they got into security because they were passionately and intensely curious about the subject, and that curiosity led them to learn as much as they could — mainly by reading, doing, and making mistakes (lots of them).
I mention this not to dissuade readers from pursuing degrees or certifications in the field (which may be a basic requirement for many corporate HR departments) but to emphasize that these should not be viewed as some kind of golden ticket to a rewarding, stable and relatively high-paying career.
More to the point, without a mastery of one or more of the above-mentioned skills, you simply will not be a terribly appealing or outstanding job candidate when the time comes.
BUT..HOW?
So what should you focus on, and what’s the best way to get started? First, understand that while there are a near infinite number of ways to acquire knowledge and virtually no limit to the depths you can explore, getting your hands dirty is the fastest way to learning.
No, I’m not talking about breaking into someone’s network, or hacking some poor website. Please don’t do that without permission. If you must target third-party services and sites, stick to those that offer recognition and/or incentives for doing so through bug bounty programs, and then make sure you respect the boundaries of those programs.
Besides, almost anything you want to learn by doing can be replicated locally. Hoping to master common vulnerability and exploitation techniques? There are innumerable free resources available; purpose-built exploitation toolkits like Metasploit, WebGoat, and custom Linux distributions like Kali Linux that are well supported by tutorials and videos online. Then there are a number of free reconnaissance and vulnerability discovery tools like Nmap, Nessus, OpenVAS and Nikto. This is by no means a complete list.
Set up your own hacking labs. You can do this with a spare computer or server, or with older hardware that is plentiful and cheap on places like eBay or Craigslist. Free virtualization tools like VirtualBox can make it simple to get friendly with different operating systems without the need of additional hardware.
Or look into paying someone else to set up a virtual server that you can poke at. Amazon’s EC2 services are a good low-cost option here. If it’s web application testing you wish to learn, you can install any number of web services on computers within your own local network, such as older versions of WordPress, Joomla or shopping cart systems like Magento.
Want to learn networking? Start by getting a decent book on TCP/IP and really learning the network stack and how each layer interacts with the other.
And while you’re absorbing this information, learn to use some tools that can help put your newfound knowledge into practical application. For example, familiarize yourself with Wireshark and Tcpdump, handy tools relied upon by network administrators to troubleshoot network and security problems and to understand how network applications work (or don’t). Begin by inspecting your own network traffic, web browsing and everyday computer usage. Try to understand what applications on your computer are doing by looking at what data they are sending and receiving, how, and where.
ON PROGRAMMING
While being able to program in languages like Go, Java, Perl, Python, C or Ruby may or may not be at the top of the list of skills demanded by employers, having one or more languages in your skillset is not only going to make you a more attractive hire, it will also make it easier to grow your knowledge and venture into deeper levels of mastery.
It is also likely that depending on which specialization of security you end up pursuing, at some point you will find your ability to expand that knowledge is somewhat limited without understanding how to code.
For those intimidated by the idea of learning a programming language, start by getting familiar with basic command line tools on Linux. Just learning to write basic scripts that automate specific manual tasks can be a wonderful stepping stone. What’s more, a mastery of creating shell scripts will pay handsome dividends for the duration of your career in almost any technical role involving computers (regardless of whether you learn a specific coding language).
GET HELP
Make no mistake: Much like learning a musical instrument or a new language, gaining cybersecurity skills takes most people a good deal of time and effort. But don’t get discouraged if a given topic of study seems overwhelming at first; just take your time and keep going.
That’s why it helps to have support groups. Seriously. In the cybersecurity industry, the human side of networking takes the form of conferences and local meetups. I cannot stress enough how important it is for both your sanity and career to get involved with like-minded people on a semi-regular basis.
Many of these gatherings are free, including Security BSides events,DEFCON groups, and OWASP chapters. And because the tech industry continues to be disproportionately populated by men, there are also a number cybersecurity meetups and membership groups geared toward women, such as the Women’s Society of Cyberjutsu and others listed here.
Unless you live in the middle of nowhere, chances are there’s a number of security conferences and security meetups in your general area. But even if you do reside in the boonies, the good news is many of these meetups are going virtual to avoid the ongoing pestilence that is the COVID-19 epidemic.
In summary, don’t count on a degree or certification to prepare you for the kinds of skills employers are going to understandably expect you to possess. That may not be fair or as it should be, but it’s likely on you to develop and nurture the skills that will serve your future employer(s) and employability in this field.
I’m certain that readers here have their own ideas about how newbies, students and those contemplating a career shift into cybersecurity can best focus their time and efforts. Please feel free to sound off in the comments. I may even update this post to include some of the better recommendations.
FAQs
Cybersecurity has the two key logistical advantages for a strong career: Low to no unemployment and solid compensation. Plus, if you choose this path, you'll always have room to grow. You'll continually be learning new skills and working to understand new technologies.
Is cyber security a good career? ›
Cybersecurity is a growing industry that needs skilled professionals to fill entry, mid, and advanced-level jobs. Cybersecurity jobs are in high demand and the demand is expected to grow by 18% over the next five years.
How do I know if I will like cyber security? ›
The best way to know if cybersecurity is right for you is to research and understand what cybersecurity really is, get an understanding of the continual learning commitment that cybersecurity takes, and go see cybersecurity in action.
What are 3 skills you must have for cyber security? ›
The Top Skills Required for Cybersecurity Jobs
- Problem-Solving Skills. ...
- Technical Aptitude. ...
- Knowledge of Security Across Various Platforms. ...
- Attention to Detail. ...
- Communication Skills. ...
- Fundamental Computer Forensics Skills. ...
- A Desire to Learn. ...
- An Understanding of Hacking.
In cyber security, you will never feel like you're doing archaic, unnecessary work. The world of cybercrime and cyber security is constantly evolving. Staying ahead of criminals is a significant part of the job. You can feel good about your work knowing that you're helping protect peoples' livelihoods and privacy.
What is your passion in cyber security? ›
A passion for cyber security can come from the sense that you're making people's lives better. You want to protect people and help them help themselves by adopting security-aware behaviors.
Is cyber security hard to study? ›
Learning cybersecurity can be challenging, but it doesn't have to be difficult, especially if you're passionate about technology. Nurture a curiosity for the technologies you're working with, and you might find that challenging skills become easier.
Is cyber security harder than coding? ›
Cybersecurity is often simpler to enter; you don't need very technical and complex skills to start your career. On the other hand, it is harder to get entry into coding. You require technical skills to learn actual coding; hence you have to be an expert to a particular level to start your career.
How do I start cyber security with no experience? ›
While many entry-level security hires today do have bachelor's degrees in computer science or a related subject, some combination of self-directed learning, cybersecurity boot camps, online courses and professional certifications can provide the necessary educational and hands-on experience to help land that first job.
Is 30 too old for cyber security? ›
It is never too late to get into cybersecurity. I know plenty of folks in the industry that got started in their 40s and 50s.
You can learn cybersecurity on your own, thanks to the multitude of online courses and learning resources available these days. For example, top schools such as MIT, Harvard, Stanford, and many others have open courseware that you can use to learn cybersecurity concepts from the best of the best instructors.
How do you land your first cybersecurity job? ›
Gaining professional work experience is the best way to jumpstart a cybersecurity career. You can find entry-level cybersecurity positions on job boards, company websites and social media platforms like LinkedIn. U.S. citizens can also apply for cybersecurity jobs with the federal government via USAJobs.
What is the first thing to learn in cyber security? ›
The first thing you need to tackle when it comes to cybersecurity is the basics of IT systems and networks, for example, the different types of networks available and their protocols. Once you are familiar with the fundamentals you can delve into the basics of networking traffic, security, and communication principles.
Which cybersecurity skills are in the highest demand? ›
What are the Most In-demand Cybersecurity Skills?
- Programming Skills.
- IT and Networking Skills.
- Ethical Hacking.
- Risk Assessment/Risk Management.
- Cloud Security.
- Internet of Things (IoT) Security:
- Blockchain Security.
- Network Security.
While a lot of entry-level cyber security positions do not require programming skills, it is one of the crucial skills for some mid-level and upper-level cyber security jobs.
What should I focus on cybersecurity? ›
Cybersecurity Focus Areas
Effective cybersecurity operations rely on layers of offensive testing, defensive architecture and monitoring, forensics and incident response, cloud security, and leadership. Advancing your capabilities in these focus areas is our mission because it furthers your ability to protect us all.
Is cybersecurity a lot of math? ›
What Kind of Math is Used in Cybersecurity? Most entry-level and mid-level cybersecurity positions like cybersecurity analyst aren't math intensive. There's a lot of graphs and data analysis, but the required math isn't particularly advanced. If you can handle basic programming and problem solving, you can thrive.
What is the hardest part of cyber security? ›
The most stressful thing for a security specialist is to understand the computing environment's current vulnerabilities and the new ones that pop up now and then. Another problematic thing that security analysts have to deal with is keeping up with technology changes, new solutions, and constant vulnerabilities.
Is it too late to study cyber security? ›
It's never too late to begin with
One of the best things about the Cyber Security is it's never too late to realize that you want to be in this profession.
What pays more coding or cybersecurity? ›
Salaries can range depending on where you live, but full-time cybersecurity jobs are on the rise everywhere. Software engineers earn slightly more than cybersecurity professionals; the BLS found the 2021 median pay to be $120,990 per year or $58.05 per hour for a freelance programmers' income.
Jobs in both cybersecurity and data science can provide opportunities to earn a lucrative salary. However, data scientists typically earn more than cybersecurity professionals. The average salary for a data scientist is $119,378 per year , while a cybersecurity analyst earns an average of $94,360 per year .
How long does IT take to learn cybersecurity? ›
You can learn the basics of cybersecurity in a year with the right bootcamps and courses. It takes about two years of hands-on experience to consider yourself competent in cybersecurity. As you upskill further with resources and certifications, this time frame may increase.
Can a non IT professional learn cyber security? ›
Many employers have so many open positions that they are willing to accept candidates with basic cybersecurity training rather than full-fledged degrees. If you can prove you have the skills to do this work, and perhaps some industry certifications, you can easily get your foot in the door.
Is Cyber security hard to learn for beginners? ›
No, cybersecurity isn't hard. Although there may be difficult concepts, like cryptography or areas that require more technical knowledge, cybersecurity is one of the few fields in the tech world that doesn't require a strong technical background.
Is Cyber security hard to get into? ›
The Math and Science requirements are easier than you think.
Cyber security doesn't have the high math and science requirements that many other courses need. If you tend to struggle in these areas, you shouldn't be nervous about going into this field because of it.
Can cyber security make 6 figures? ›
Many cybersecurity jobs pay well over the six-figure mark, with some professionals earning $225,000 and more, according to research from Mondo, a recruiting firm for tech and creative companies.
How many hours a week is cyber security? ›
Most cyber security professionals spend roughly 40 hours a week in the office for full-time employment. However, during technology releases or program updates there are often longer hours required. Sometimes systems need updates or maintenance overnight, over weekends, etc.
How stressful is working in cyber security? ›
Cybersecurity staff are feeling burnout and stressed to the extent that many are considering leaving their jobs. According to research by VMware, 47% of cybersecurity incident responders say they've experienced burnout or extreme stress over the past 12 months.
Can I learn cyber security in 2 months? ›
On average it will take between six months and two years to learn about cybersecurity. If only a basic understanding is needed, a six-month course may suffice.
What is the most entry-level cyber security job? ›
Security analysis is considered an entry-level cybersecurity job, often requiring a bachelor's degree in computer science or a related field. Most companies seek analysts with one to five years of on-the-job experience in systems administration.
An excellent place to train in cyber security is the Certified Cyber Security Foundation Training Course. From social engineering to security in the Cloud, you will gain foundation-level knowledge of the threat landscape, cyber attack methodology, legal and regulatory obligations, and incident response.
Who hires the most cyber security? ›
Of all the companies hiring cybersecurity analysts, Deloitte is perhaps the biggest. Clocking in at over 300,000 employees, Deloitte provides auditing, consulting, financial risk analysis, risk management and other related services to clients worldwide.
How do I succeed in cyber security career? ›
How to Build a Successful Career in Cybersecurity
- Embrace advanced learning—your way. Advanced degree holders, in general, earn a salary 35 percent higher than those with a bachelor's degree, and the cybersecurity field is no exception. ...
- Choose a holistic cybersecurity program. ...
- Follow your passion. ...
- Plug into a network.
FEEDER ROLE ENTRY-LEVEL MID-LEVEL ADVANCED-LEVEL Cybersecurity Specialist Cyber Crime Analyst Incident & Intrusion Analyst IT Auditor Cybersecurity Analyst Cybersecurity Consultant Penetration & Vulnerability Tester Cybersecurity Manager Cybersecurity Engineer Cybersecurity Architect Networking Software Development ...
What codes do hackers use? ›
Three of the best programming languages for ethical hacking are PHP, Python, and SQL.
What language is best for cyber security? ›
The top cybersecurity languages include Java, JavaScript, Python, SQL, PHP, PowerShell, and C. Depending on your career path, you may find other languages useful as well.
...
PHP
- PHP is used to build websites. ...
- PHP is used in most web domains and helps cybersecurity professionals defend against malicious attackers.
In a recent survey, the International Information System Security Certification Consortium (ISC)² noted that a degree and certifications were often a major fact...
New to the world of cyber security and don't know where to start? This guide covers the cyber security skills you'll need to know to break into this in-...
They want to learn cyber security, but perhaps don't have the money or the time availability to take formal college classes. Perhaps their work schedule is ...
Experienced and senior cyber security analysts can expect to earn from around £35,000 to in excess of £60,000.
Is cyber security a high paying job? ›
While more experienced professionals are likely to earn higher salaries, many cybersecurity roles pay more than other tech jobs. An information security analyst (typically an entry-level cybersecurity role) earned a median salary of $102,600 in 2021, U.S. Department of Labor Statistics figures show.
Is cyber security really in demand? ›
In addition, the "2022 Cybersecurity Skills Gap" report from Fortinet found that 60% of firms struggle to recruit cybersecurity talent while 52% find it hard to retain them, putting many organizations at risk. This problem represents a world of opportunities for skilled cybersecurity professionals.
No, cybersecurity isn't hard. Although there may be difficult concepts, like cryptography or areas that require more technical knowledge, cybersecurity is one of the few fields in the tech world that doesn't require a strong technical background.
Can you make 200k in cybersecurity? ›
All security engineers are paid well, but some branches of cybersecurity have a higher pay scale than others. In fact, reports from the Bureau of Labor Statistics show that some positions may pay over $200,000 per year. How much you can earn depends on the following: Branch of cybersecurity.
Does cyber security use math? ›
Does cybersecurity involve math? The short answer is yes. Cybersecurity is a technical field in computer science, and potential job seekers will need strong analytical skills. It isn't a math-intensive field—not like astrophysics or engineering—but it requires comfort using certain math types.
Does cybersecurity require coding? ›
What Skills Do I Need to Start a Cybersecurity Career? Most entry-level cybersecurity jobs don't require any background coding experience.
Can you make 400k in cyber security? ›
Top Paying Cybersecurity Jobs in 2022. Professionals who possess advanced cybersecurity skills are in a “seller's market” — one with zero percent unemployment, companies and government agencies competing for top talent, and senior-level jobs paying as high as $400,000 and above.
Are cybersecurity jobs stressful? ›
Cybersecurity staff are feeling burnout and stressed to the extent that many are considering leaving their jobs. According to research by VMware, 47% of cybersecurity incident responders say they've experienced burnout or extreme stress over the past 12 months.
What pays more cyber or software security? ›
Salaries can range depending on where you live, but full-time cybersecurity jobs are on the rise everywhere. Software engineers earn slightly more than cybersecurity professionals; the BLS found the 2021 median pay to be $120,990 per year or $58.05 per hour for a freelance programmers' income.
What is the hardest cyber security job? ›
Penetration tester or pentester is among the toughest roles to fill in this space, reports CyberSeek.org. CompTIA describes this position as a “white hat” or good/ethical hacker, with the goal of helping organizations improve their security practices to prevent theft and damage.
Which is better cybersecurity or data science? ›
It totally depends on you which one you like to learn. Both are future skills and they are expected to be among the top skills that would be required in future jobs. As more information are moving in digital, people & Companies equally need Data Science to manage it and Cyber Security to make sure it is safe.
Can cybersecurity be self taught? ›
You can learn cybersecurity on your own, thanks to the multitude of online courses and learning resources available these days. For example, top schools such as MIT, Harvard, Stanford, and many others have open courseware that you can use to learn cybersecurity concepts from the best of the best instructors.
You can learn the basics of cybersecurity in a year with the right bootcamps and courses. It takes about two years of hands-on experience to consider yourself competent in cybersecurity. As you upskill further with resources and certifications, this time frame may increase.
How do I start learning cybersecurity? ›
The first thing you need to tackle when it comes to cybersecurity is the basics of IT systems and networks, for example, the different types of networks available and their protocols. Once you are familiar with the fundamentals you can delve into the basics of networking traffic, security, and communication principles.
