I recently did an interview with Karen Marcus for Careers in Cybersecurity on education, career development, and cybersecurity career success. The transcript is provided below and is divided into a section for those just starting out in cybersecurity, those mid-career and those late into their career. Enjoy the read and please let me know your thoughts in your comments.
For someone just starting out in cybersecurity:
What degrees should they pursue? Any advice for landing that first job?
There are a variety of degrees from associates to Ph.D. that concentrate on security in some way such as Information Assurance, Cybersecurity, or Information Security. Some may also decide to pursue a similar degree such as IT or Computer Forensics with an emphasis on information security. However, if you do not have a degree in one of those fields, don’t despair. Cybersecurity touches on many aspects of the organization, and your individual discipline and experience can give you insight into that part of cybersecurity. For example, those in HR would relate to employee training, onboarding and termination procedures, employee screening and background checks, and employee compliance requirements while a person from an accounting background could understand the SOC/SSAE accreditation process, ROI, and the financial impact of implementing new systems. If you fall into this category, consider training to educate you on compliance, security controls, and risks so that you can adapt your own business understanding to cybersecurity.
What three things should they focus on in their first job to support advancement later on?
This is a hard one as each job will be different and there may be different methods used for advancement. However, generally, a person in cybersecurity should demonstrate that they are a continual learner by striving to stay ahead of the technology curve and never stop reading. Second, focus on your communication skills. Communication skills are essential at any level, but they are increasingly valuable the further up the ladder you move. Lastly, be adaptable. Cybersecurity is an ever-changing industry, and you will need to be able to change with it.
What pitfalls should they watch out for?
Don’t peg your life to some arbitrary set of career objectives. Your career is as unique as you are and you should be the one to determine where you want to go. Next, be successful from start to finish. Success is not something that is achieved finally at the end of a career by seeing if you met some life goal or accomplishment. Rather, it is being satisfied with the position you have, the value you bring to your company, and the impact you have on those around you. Satisfaction is not complacency. Goals are excellent, and you should set exciting stretch goals for yourself, but understand that each goal would not be accomplished if not for the successes of the moment. Recognize those successes and take the time to cherish and celebrate them.
Mid-Career (those who have been working in cybersecurity for a few years but haven’t progressed to a senior or executive level):
Do you recommend pursuing a Master’s degree?
A Master’s degree is an excellent choice for those who have established themselves in the industry and want to move forward. I do not recommend it for those who have not yet entered the industry as it will price them out of entry-level jobs by being overqualified and yet they will be underqualified for other jobs. A Master’s degree can be an excellent way to augment a degree that was not in cybersecurity such as those with a CIS, Computer Science, or Business degree. Those are likely the people who will see the most value from a Master’s degree. Some employers will want a Master’s degree in order to progress up the ladder and so this may be a requirement.
What skill gaps may a person in this position need to fill? How can they get appropriate training and/or mentoring to address them?
A mentoring relationship is an excellent suggestion, but I wouldn’t wait till you are in your middle career to do it. I found a mentor shortly after starting in the industry and have mentored those who haven’t even entered the industry yet. There is hardly ever a time when the experience of someone who has gone before you cannot be put to good use.
Your employer may have training options for you on specific skills. The type of training should be based on your own learning style. Some can learn easily from reading books, while others learn best from webinars or from online training. Still, others require instructor-led training. Each has its advantages and disadvantages regarding ease and cost.
Each person needs to take responsibility for his or her own training and keep learning each day. This includes reading articles and other materials regularly to keep abreast of changes in the industry. Consider following a cybersecurity expert on Twitter and read what he or she posts. You can also subscribe to RSS feeds from cybersecurity sections of major publications or for cybersecurity blogs. You would be surprised at how much you can learn just by reading a little bit each day.
Are there other obstacles that may have nothing to do with the person (e.g. company politics or being in a particular sector)? If so, how can they be overcome?
Company culture can be a catalyst or an inhibitor for success. Ensure that you are well-suited for the company culture. Many have found themselves in a culture that is counter to their own, and their career progression was difficult, like swimming against the current. Let the culture current take you where you want to go rather than fighting it. You will have a much more satisfying life if you do.
Late-Career (those who have been working in cybersecurity for many years and have seen substantial success, perhaps progressing to executive and C-suite levels):
What is the next level for professionals in this position, and what can they do to get there?
Executives are the big fish in a company, and the way to move up is to find a larger pond or to grow their own pond. That often means finding a larger company or one that is growing at a faster pace. However, the real focus should be on what your goal is. You may be perfectly satisfied with your current position. If you make enough money and enjoy the position, there may not be a need to increase stress by changing jobs, learning a new routine, establishing new relationships, and proving yourself all over again. Consider the cost of changing jobs when evaluating the potential benefits.
What advice do you have for diversifying skills or fine-tuning specialties?
There comes a time in everyone’s life when they realize that change has finally made part of their skill set irrelevant. In these cases, it is important to recognize this and not fight it. Next, seek out complementary skills that build on the knowledge and experience you have already and then seek those out. Add breadth to your skill set by extending outward in your retraining rather than seeking out greatly differentiated skill sets. Retraining with this method will make it much easier for you to adopt those skills and to thrive.
Is there a common post-retirement path or pattern?
I am a strong proponent of mentoring others. I think the process should begin long before retirement and extend into retirement. Mentoring gives the mentor a connection back to a previous generation and into the workforce after they have left it and it is a great benefit to those they mentor. Seek out no more than three people to mentor and establish a real relationship with them, asking them questions about their goals and strategies and sharing your understanding and the things you have learned along the way.
Retirees can also participate in professional groups. Those who spent a lifetime learning likely won’t want to stop, and this can be an excellent way to keep up with what is happening in the industry.