By Edith Santos, Director of Global Incident Response for NTT, Ltd.

So, you want to become a cybersecurity sleuth? Excellent! We need you and so does everyone else. A quick online search for cybersecurity jobs will reveal countless available positions. There is a great demand for more practitioners in this field, as everyone is battling the shortage of workers with cybersecurity skills. Cybersecurity Ventures predicts “…there will be 3.5 million cybersecurity job openings by 2021.”[1] With the rapid advancement of technology and continuously changing threat landscape, there simply aren’t enough cybersecurity personnel to fill these positions. Just having curiosity and an interest in this field is a great first step.

How does one enter the cybersecurity field, especially if one’s background is not in Information Technology (IT), Computer Science or Engineering? A report by Frost & Sullivan shows that 87% of practitioners “…did not start their careers in cybersecurity, but rather in another career.” Cybersecurity practitioners come from diverse technical and non-technical backgrounds such as marketing, finance, accounting, military, and law enforcement. So, it can be done, and many have done it–including me. Here’s how:

Learn

There are several paths to cybersecurity that one can follow. Research the different paths and learn what the required skill sets are, evaluating all of them to help you decide which ones are of interest. For example, do you want to review data and identify unusual behavior like a cybersecurity analyst? Or would you prefer to use new technology and processes to enhance security capabilities, like a cybersecurity engineer? Perhaps, you would prefer to analyze digital evidence in response to an attack or breach, like those in digital forensics incident response disciplines. The National Initiative for Cybersecurity Careers and Studies presents the NICE Cybersecurity Workforce Framework[2], published by NIST[3], that can help you explore the different paths and roles available, along with the required skills and knowledge. Take advantage of this. Once you have identified which paths are of interest to you, learn about that subject matter and continue learning. The nature of our industry necessitates that you be on a continual path of learning.

If you don’t have a degree or are still in school at this point, I highly recommend you pursue a degree in Computer Science or one of the cybersecurity degrees that many colleges and universities now offer. This is also a great place to network with like-minded people. If you have a degree in another area but want to make a transition into cybersecurity, I suggest you take information security courses that can provide you with the fundamentals of Information Technology. These days, most community colleges and universities offer courses through their Continuing Education program and many are even available online. To become a security practitioner, one must learn the fundamentals of information systems, operating systems (such as Windows and Linux), and the architecture of network environments. You need to be familiar with how they operate and work together. You can’t protect a system if you don’t know how it works.

There are many free and very affordable computer and cybersecurity courses online. These include courses available from CompTIA, Cybrary, Coursera, Udemy, Department of Homeland Security – NICCS, and the Federal Virtual Training Environment (all of which are free to government personnel and veterans).  Many vendors also have free online webinars or their own YouTube channel with free training videos. Take advantage of any free and affordable courses, hands-on labs, capture the flag events and cyber challenges, as these will help you narrow down the path where you’re most passionate.

You must constantly be filled with curiosity, as it’s the only way you will learn. Buy books, audiobooks, or listen to podcasts while you are in transit, washing dishes, or grilling out. This is one of the main reasons why I love this field because you truly are always learning something new. It never gets boring!

Network

Networking is very important, as it helps you to meet others that are as passionate about cybersecurity as you. When you meet others in this field, ask them about their journey and let them know where you stand in yours. Ask for their advice. You will learn that most are more than willing to provide guidance.  Read blogs and articles that focus on the areas you are thinking about pursuing. Then follow the authors on social media platforms and learn from them. Leverage social media to connect with others in the industry. Perform online searches for cybersecurity events in your area and try to attend as many as possible. Research authors who have published books in the cybersecurity field. Many of them will be happy to advise and mentor you on your journey.

Join associations that focus on the specialized skills of interest to you and connect with their members.  Attend conferences, learn as much as possible and network during attendance. Don’t be afraid to ask someone if they’re willing to mentor you, or even if you can shadow them for a day. I have asked this, and it has been asked of me. Ask those you have networked and connected with if internships are available in their company. If not, maybe they can connect you with another company that offers this. Look for cybersecurity meet-up groups in your area. Members of these meet-ups operate in many different fields of cybersecurity and usually happy to share their knowledge and experiences. Even after you become a cybersecurity sleuth, never stop networking!

Soft Skills

In addition to the necessary technical skills, soft skills are also a must! Response to attacks and incidents are rarely handled by individual people. Rather, it takes a team to handle cyberattacks and you must have the soft skills in order to contribute. Regardless of the role you land, be inquisitive and listen, communicate well, focus on strong team collaboration, develop your problem-solving techniques, and polish your writing skills. You must be attentive to details, able to effectively communicate your findings to the team (technical), management and executives (non-technical). It takes an organized approach, as a team, to help protect the impacted cyber environment.

Lastly, in an effort to get into the field, never be afraid to take a lesser job than what you wanted. Sometimes, simply getting a foot in the door is the hardest part. Once inside, you can develop your skills and eventually work your way into the job that really interests you. Once you’re in a cybersecurity role, realize that you will never have all the answers. You will find that you need others, just as much as they need you, to be successful in this field. Adopt this approach and you will become a great cybersecurity sleuth, desired by all. And when you do become a cybersecurity sleuth, remember to pay it forward. Make it a point to guide or mentor someone else on their journey as well.

 

[1]        https://cybersecurityventures.com/women-in-cybersecurity/

[2]        https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework

[3]        https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf?trackDocs=NIST.SP.800-181.pdf

 

About the Author

Edith Santos is the Director of Global Incident Response for NTT, Ltd. Prior to joining NTT, Edith served in law enforcement for nearly two decades, working undercover as a detective as well as a hostage negotiator before joining the Dallas Secret Service task force. Her background in law enforcement, as well as her time in the private sector working for Bank of America, has equipped her to oversee the organization’s global digital forensics and incident response teams. Edith was recently named a winner of the 2019 Cyber Defense Global Awards for the Women in Cybersecurity category from Cyber Defense Magazine. The award recognizes her commitment to mentoring and blazing a trail for other women in the industry.

She can be reached at edith.santos@global.ntt.