How to get into Cyber Security
What is Cyber Security?
The technology giant Cisco defines cyber security as “the practice of protecting systems, networks, and programmes from digital attacks”. Whether it’s ensuring hackers cannot overwhelm websites or data cannot be held to ransom, cyber security is essential for organisations to safeguard themselves against devastating incidents.
The threat of attacks is vast. Britain's local governments have been hit by almost 100 million cyber-attacks over the past five years, according to research by privacy campaign group Big Brother Watch. At national levels, the governments of both the US and the UK issued a joint warning over Russian targeting of internet infrastructure.
There is a huge role for cyber security experts to play in keeping companies and citizens safe. The sector has a shortage of professionals and combines excellent job prospects with high salaries. This makes it the perfect option for candidates with transferable skills looking for a lucrative career change.
How to pivot your career to cyber security
While there is no single path into cyber security, certain skills and certifications are a baseline for entry.
There are three attributes you’ll need:
- IT skills
- Soft skills
It’s important to understand the holistic nature of information security work: it’s a large area of expertise. This means that alongside broad skills, you will also need to specialise in a certain area.
Essential IT skills for the cyber security job market
Cyber security is rooted in technology so you will need an excellent general understanding of computer systems and potential security flaws – no matter what role you seek.
The most common pivot into dedicated cyber security roles is from people with a background in IT, particularly those who have experience in networking.
The IT basics you will need are:
- A firm grasp of using various operating systems – Windows, macOS and Unix-like systems such as Linux and BSD
- Strong experience of networking – ideally of running a network or having certifications to show that you can
- Experience of handling virtualisation software such as VirtualBox or VMware
- A basic knowledge of the security and networking apparatus of enterprise systems, firewalls and network load balancers
- Some experience of setting up and running databases such as MySQL
- A familiarity with interpreted and compiled programming languages such as PHP, Python, Perl, Java or C/C++ is also useful.
If your IT skills are not up to par, there is a range of certifications that you can pursue. But you may need to commit to a few years of study to get your skills up to scratch.
Cyber security professionals need more than just technical knowledge. They also must be able to:
- Pitch security requirements to different stakeholders in an organisation who may have conflicting requirements and priorities
- Understand how security fits the business goals of their employer or client – and be able to compromise
- Understand the human requirements, as well as the technological ones.
Strong problem-solving skills – to spot potential problems for computer systems and their human operators – are often as important as technical nous when it comes to working in cyber security.
It’s vital that experts are able to predict, identify and mitigate a myriad of risks before they become a reality that could cripple an organisation.
Knowledge about the server environment and the exploitable loopholes in software isn’t enough – professionals need to innovate to stay ahead of the criminals and develop solutions quickly.
The ability to think “outside the box” and pre-empt weaknesses in your company or client’s security system requires creativity.
It’s not just about taking a methodical or systematic approach to a problem – sometimes you need to flex your creative muscles and put yourself in an attacker’s shoes, particularly when considering weaknesses in the human element of the network.
Some of the most damaging cyber-attacks have bypassed systems and targeted employees – a tactic known as “social engineering”. Examples include a $47 million theft from US hardware manufacturer Ubiquiti, and the 2013 breach of 3 billion Yahoo accounts.
So while you might not think that “creative types” would find fulfilment in internet security, you might be surprised.
The ability to educate
While a lot can be done to protect a system against an external threat, the main line of defence is users. This means it’s vital you can effectively communicate the intricacies of information security to a range of staff.
This is more than just creating IT handbooks or staff policies. You will need to engage potentially uninterested people in the importance of security and support those who aren’t tech-savvy.
This requires buckets of patience; if your security policies are to be implemented correctly you need everyone to be aware and invested.
If you have project management experience, especially if you deal with a lot of IT as part of your job, you’ll find these skills come in very handy.
The most successful cyber security professionals understand the wider business context of their role. Solving a security issue can involve taking down important systems, leading to loss of revenue or cascading delays to other projects.
You must be able to effectively plan and forecast the impact your cyber security recommendations might have on the business – or quantify the consequences that a breach might bring.
Such skills are the core of project management, making it a valuable transferable skill.
It’s no use being able to understand systems, attackers and users unless you can communicate and sell the benefits of your security proposals.
You need to be able to persuade stakeholders at all levels that it’s worth making compromises for security. With senior people, this can be harder still when the proposal comes with a cost or a delay attached.
The role is more than just holding ad-hoc workshops and helping non-tech-savvy people understand the need to take action. You’re going to have to continuously sell the benefits of a security policy if you want it to be followed.
There are a number of IT certifications with industry-wide acceptance, which could be a logical starting point for changing your career.
You’ll probably need to start out with IT-focused certifications and gradually bring more security expertise into the mix.
None of these certifications on their own will be enough for getting into cybersecurity but they’re a good starting point.
CompTIA is an internationally recognised non-profit trade association. It offers three training options – its A+, Network+ and Security+ qualifications are highly valued worldwide.
The CompTIA A+ is a common baseline certification for IT professionals, especially technicians. The exams cover the maintenance of PCs, mobile devices, laptops, operating systems and printers.
Dell, Lenovo and Intel all require this for their technicians, and it’s recognised by the US government among others.
The CompTIA Network+ is a certification that tests a professional’s knowledge of data networks. This includes building, installing, operating, maintaining and protecting networking systems.
The Security+ is a great introduction to cyber security. It emphasises practical skills and is a well-recognised entry point into the profession.
There are other training options, including the CSX Cyber Fundamentals, run by ISACA, a professional association for those working in information security. This is a useful entry-level course that takes you through the basics – from cyber security principles to incident response.
The Information and Cyber Security Foundation (ICSF), developed by The Chartered Institute of Information Security (CIISEC), covers key competencies – from risk assessment to compliance. Those who pass the exam successfully also gain accredited affiliate membership to the CIISEC for one year.
The Certified Cyber Security Foundation Training Course, led by provider IT Governance, is a one-day foundation programme that covers a broad range of topics including the threat landscape, social media protection and supply chain security.
IT Governance also runs a Cyber Incident Response Management Foundation Training Course. This one-day programme will teach you how to respond to and manage a cyber-attack.
Another provider, QA, runs the Network Security Foundation course. This three-day programme gives attendees basic knowledge in numerous areas including networking, firewalls, encryption and malware.
Cisco is a respected vendor in the IT networking and security world.
Networking newbies should consider the Cisco Certified Entry Network Technician (CCENT) programme. This covers networking fundamentals and is a prerequisite for their other courses.
Following the Cisco path would then involve completing the Cisco Certified Network Associate (CCNA) courses. You could earn a CCNA Security certification before going on to do the Cisco Certified Network Professional Security (CCNP) courses.
The CCNP series is an industry standard in IT and networking. It’s a well-respected certification for those looking to demonstrate that they have security expertise.
For anyone interested in courses offered by Microsoft, the first option is the Microsoft Certified Solutions Associate (MCSA). You need this under your belt before carrying on to the Microsoft Certified Solutions Expert (MCSE).
The latter will teach you all you need to know about building and sustaining a Microsoft system. There are nine certification options in the course, covering everything from server infrastructure to SharePoint.
Learning on the job is a great way to earn while you transition into, or even start, your cyber security career.
Cyber security provider QA, for example, is recruiting for security operations centre analyst apprentices. This role gives you invaluable practical experience as well as training opportunities: you will be responsible for scrutinising and investigating security alerts for QA’s customers, managing incident responses, and identifying new and potential threats.
Well-known telecommunications company BT also runs a cyber security technology apprenticeship. While this is for school leavers, it shows that you can look beyond cyber security providers for opportunities. The course offers you the chance to gain a degree and work across different departments including the security delivery and the solutions and software teams.
Accountancy and business advisory firm BDO are also on the lookout for apprentices to join their technology risk assurance team. This programme would give you broad experience, working with a range of clients in areas including cyber security, IT controls and data analytics.