I’ve worked in cyber security (and its predecessors) almost my entire adult life, about 25 years or so. I fell into it by pure chance, luck you might say. I had just moved to Canberra, and after being unemployed for several months, landed a spot in an ACT government program to fast track more IT professionals into the workforce – 12 months of TAFE 1 day a week, combined with 4 days a week on the job training with a participating employer.
The lucky part was that being Canberra, most IT work was in some way related to the government, and at that time, the government was basically the only place where “IT security” was a significant concern. The net result being that many of the jobs people were placed in through the program ended up being in IT security. I got thrown in the deep end with a bunch of firewalls that were suddenly my responsibility to manage. The rest is history.
Prior to arriving in Canberra however, I had spent the previous 12 months in Sydney trying to get an entry level help desk job, only to be told over and over by smiling recruiters that since I had no prior experience, I was basically un-hirable. Some glibly suggested I get a Microsoft Certified Systems Engineer certification to boost my chances. An MCSE cost about $16000 to do the training and exams back then, so the suggestion was quite insulting really, having been turned down just seconds prior for a job which paid barely double that in a year.
Fast forward 25 years, this same catch-22 about needing experience to get experience still haunts hopeful people, both young and old, who aspire to work in cybersecurity. Perhaps unsurprisingly, vocational trainers and industry bodies are still pushing these poor souls into expensive private certifications, or mostly useless TAFE courses like the Certificate IV in Cyber security.
Yes, I said useless. Useless in the sense that on their own, these courses aren’t going to help anyone get a job, or prepare them to work in a real cyber security job. That isn’t their purpose you might argue, the Cert IV is intended as an introduction to cybersecurity topics, to be a precursor to an advanced diploma, or some other further study. That may be so, but that isn’t how they are being sold to students.
After 25 years in the industry, I have chosen to give back by being a mentor to people (mostly women) trying to get that proverbial foot in the door. One of the most common stories I hear is from an aspirant who has completed their Cert IV or some other entry level certification like Security+ and then gone straight to looking for a job. They inevitably hit a brick wall of rejections and end up dejected and confused. The reason is they have been told by their career counsellors or training providers that these basic qualifications are enough to get a job in cyber security.
Thus, we come to the greatest myth in all of “Cyber security” – the entry level job.
I use “Cyber security” in quotes to demonstrate a key misconception which underpins this myth – the idea that cyber security is a singular and distinct profession. There are no entry-level cyber security jobs, because there aren’t really any cyber security jobs at all.
“Cyber security” is an umbrella term used to describe a range of professions which all work towards a common purpose – the same way “medicine” describes a vast field of professions and practices – specialisations – in the medical realm.
Specialisation. That is what it really means to “work in cybersecurity”. When I say there are no cyber security jobs at all, what I mean is that every job we broadly think of as falling under the umbrella of cyber security is really just a specialist practice in another field. System administration, engineering, software development and testing, risk management, compliance and assurance. These are fundamental practices with core skill sets. Cyber security is just a specialist body of knowledge applied over the top.
The distinct separation between different “cyber security” jobs becomes obvious when you think about transferable skills. You wouldn’t expect a cloud security engineer to be able to do a penetration tester’s job. Their general knowledge of cyber security concepts might help smooth the transition, but ultimately won’t really help them because the fundamental knowledge, skills, and tools in both professions are almost entirely different. By contrast, someone with background in web development would likely be able to move into penetration testing web applications with relative ease, because it’s fundamentally about finding bugs in code, something they very likely already know a lot about.
We can also see evidence about the true nature of cyber security jobs from the recent trend with employers to recruit people sideways from foundational disciplines into their specialist cyber security roles. Having spent years trying and failing to fill their skills gaps with inexperienced graduates, they have finally started to wake up to the fact that the ramp up time for an experienced professional with foundational skills is much, much shorter than for a graduate with a dozen certifications but no real experience.
My point is this: Entry level cyber security jobs aren’t just a myth, they are an outright lie. As an industry we are failing those who aspire to follow in our footsteps by perpetuating the idea that a job in cyber security is attainable without any prior experience, regardless of academic qualifications. Our failure stems from our own hubris in wanting to distinguish ourselves from our peers by labelling ourselves as “cyber security professionals”, rather than being content to exist as specialists in our respective fields.
Returning to the medical analogy, no one expects to come out of university and go straight to being a brain surgeon. There is a well-established path for anyone that wants to pursue that career, and it involves years of practicing general medicine under the supervision of more experienced doctors, and then more study and training, and more supervised practice.
I don’t mean to suggest that a career in cyber security warrants such an arduous journey, and I certainly don’t want to put up more barriers to entry either, but perhaps we could learn something from this approach. Perhaps we would better serve both employers and aspiring practitioners if we did away with the idea of entry level cyber security jobs entirely, and instead directed people into learning pathways and entry level jobs in associated fundamental disciplines so that they can get that ever elusive prior experience that all employers seem to crave.
Educators and the government need to get on board. They need to change their messaging and start setting realistic expectations among students and people looking for a career change. We need everyone with an interest in cyber security to understand that there is no short or easy path into the industry, that it does in fact take years of prior experience to build up the requisite fundamental knowledge and skills before you are truly ready to take on your first cyber role.
Most of all, it is we existing practitioners, self-styled experts in our profession that need to facilitate this shift in attitudes and the public perception, by being mentors and role models for the people who look up to us, so that one day they can work alongside us as peers. We are the ones who need to make this happen.
Author Bio:
By day Corch is an outspoken independent cyber security consultant, the self-titled "Chief Trouble Shooter" of his own one-man empire - Shogun Cyber security. By night he is a mediocre gamer, decent Wadaiko drummer, never-quite-made-it DJ, hopeless coffee addict, devoted dachshund-daddy, AWSN mentor, and a Circle of the Moon druid.
Corch is a regular speaker at the Australian Cyber Conference on topics ranging from diversity and inclusiveness, to SIEM for small business, and privacy on the web. With a passion for hacking and security that began with watching the movie War Games as a kid, he has a lifetime of stories to tell, and experience that touches everything from system hardening to NIST CSF. Above all else in his professional life, Corch relishes working on difficult technical problems, and he lives by a simple motto: RTFM.