Part 3 of a series

By 2021, experts predict we’ll see 3.5 million open cybersecurity positions worldwide, with at least 500,000 of those unfilled jobs in the U.S. alone. That’s more than triple the shortfall that existed just two years ago. Meanwhile, cyber-attacks are growing in scale and impact.

What’s an industry to do? Clearly, fixing the cybersecurity pipeline is imperative, and it won’t be a simple fix.

The problem is not merely a talent shortage. There are plenty of people interested in a cybersecurity career. And while companies need people who can be effective immediately, they may not require traditional, let alone advanced, degrees.

So how did our analysts and developers get started? What would they tell a friend interested in a cybersecurity career? Here’s what they said in their own words. (Identities redacted to protect the very busy.)

Find what interests you.

“Half of the time the person is really asking ‘how do I become a hacker/pen-tester?’ without realizing how broad cybersecurity is. So, my first advice to anyone is to research the different domains in cybersecurity and pick a few that seem interesting. Find your passion in this awesome domain chart.”

Get experience!

“When I was mentoring college interns, I’d tell them the degree doesn’t mean anything to me without actual practical experience. Get the experience however you can, whether it’s through an internship or just personal education. Two of my best hires came from completely different worlds: one was just out of the Army with a networking background and the other had just completed his Master’s. Both had ‘the hunger’ and were always searching for the Why. ‘Why did this alert fire? Why did this desktop communicate to a malicious site? How did it happen? Who else could be impacted?’”

Get involved!

“Find local security and security-related groups where you can both network and learn. Many are free and are great opportunities to meet people at all different levels and career paths in the industry.”

Learn a language!

“If you don’t have any experience as a developer, you need to get some. Learn a language or two. Python is popular, but even learning PowerShell can be helpful. Knowing .NET, Java, Elixir, or any other language that is used for web applications is extremely helpful if you’re looking to get into penetration testing.”

Get the basic concepts!

“Gain at least a basic understanding of networking concepts. You don’t need to be a CCIE, but understanding routing and switching concepts, network segmentation, traditional networking tiers/layers, and what should go where from both a network and security solution perspective (e.g. IDS/IPS placement) are conversations that our engineers and architects have on a daily basis. Most organizations have separate application development and network engineering roles/teams, and you need to be able to communicate with both of them.”

Read up on Cloud and DevOps!

“Understand what Cloud and DevOps are — they’re being embraced by more and more organizations, large and small. As with networking and application development, you need a good grasp on what these concepts are, how they differ from traditional data center and waterfall development models, respectively, and how to interweave security controls into those concepts.”

Toastmasters anyone?

“The ability to write and speak in front of others are soft skills that are not always emphasized but are very important. At some point, you’ll need to write a policy, procedure, process, or report of some type, and it can’t look like a fifth grader put it together. Similarly, be able to effectively present and communicate your ideas in front of people, whether it’s a group of peers, a customer, or your executive board.”

Dig in!

“Experience is, first and foremost, the most important factor to getting hired, but even if your experience is limited to a lab environment, a class in school, or what you put together at home, it’s still experience. There are plenty of free solutions out there that can be installed virtually on a laptop to at least gain an understanding of how something like a firewall, SIEM, or IPS works. You can also download many free toolkits for pen testing and vulnerability scanning, and then test them locally on a VM to see how they work.”