The paths to Cyber Security

There are many roads that lead to a career in Cyber Security, but some are better than others.


Cyber Security is a hot topic these days. It certainly gets a lot of air time in the news, and why not? It’s expanding at a nosebleed-inducing speed. In fact, the industry is unable to keep pace with the demand for new InfoSec professionals.

If you’re looking for job security, it’s a great choice!

So today, let’s take a look at some different routes that can lead into this field: straight into the field out of college (or training), the Systems Administrator route, or the Developer route. These aren’t the only routes available, but they are the most common ones.

Straight into the field route

This is becoming a popular option these days. Universities are offering Cyber Security degrees, there are tons of boot camps that will cram InfoSec concepts into your head in six weeks, and I’ve covered plenty of different government and private programs that offer Cyber tracks.

I hate this option.

Allow me a brief analogy to explain why. Hundreds of years ago, music was taught much differently than it is today. You first spent years studying music theory without even touching an instrument. After a few years, you had a theoretical understanding of music, but you had never made any of your own.

Starting straight into the Cyber Security field is somewhat the equivalent of studying music theory all your life without ever touching an actual instrument. You’ll be able to talk about security. You’ll have a 30,000-foot view of how to secure systems. But you won’t really ever be able to get into actual technical conversations with developers or administrators because you’ve never actually done the work.

You’ve heard of impostor syndrome – well, this route ensures you’ll have it… for life. You’ll go into most meetings hoping not to get asked hard questions. You’ll struggle to understand systems you’re not familiar with. And you may end up relegated to reactive roles like working in a SOC (Security Operations Center) rather than the more lucrative careers where you’ll architect security solutions or possibly enter the hallowed ranks of the C-suite executives by becoming a CISO (Chief Information Security Officer).

Sure, you’ve entered your chosen field immediately, but be prepared for a lifetime of slogging…

Systems Administrator route

This is the route I took. I first started working in IT Support. The help desk life isn’t glorious, but if you’re working in the right place you’ll learn a lot. I learned about asset management while managing our laptop stock and performing yearly inventories. I learned about encryption through working with TPM (Trusted Platform Module) chips – this is a chip that can be attached to your motherboard and paired with your hard drive, encrypting it and preventing it from being plugged into another computer and exposing your secrets. I learned about tracking laptops and wiping them remotely. And I learned about managing users and groups in Active Directory.

When I was promoted to Systems Administrator, I delved deeper into systems, and learned how they work from the inside, how to restrict access to them, and how to perform security hardening. Gaining a deep understanding of at least some systems (you can’t know them all!) will help you better understand how to secure them.

I didn’t realize at the time that I was learning about security, but all that knowledge was hugely useful later on when I transferred into the field. This route was the equivalent of being handed a guitar and learning how to play chords before you understand the theory behind them. After playing for a few years, the theory you learn makes a lot of sense and you understand it at a deep level.

Not to belabor the point, but one regret I have is not staying a Systems Administrator for longer to soak in more knowledge. I was at this stage for roughly two years before going into Cyber, but ideally I would have stayed a Sys Admin for five years or so, really getting a deep understanding of a broad array of topics. So don’t be in too much of a rush to get out of this stage!

Developer route

With the benefit of hindsight, this is the route I wish I had taken. And if you’re not completely turned off by writing software (hey, it’s not for everyone…) or aren’t already completely passionate about another career route, then I’d advise you to consider this one.

As an Information Security professional, a lot of what you’ll be asked to secure is actually code. As you can imagine, it’s pretty challenging to secure code if you’ve never written your own. You may understand a particular vulnerability like “cross-site scripting” at a high level, but if an engineer shows you their code and asks how they should fix it, you’ll have no idea!

There is a steep learning curve to gaining enough knowledge of coding to properly do your job, but it doesn’t end there. There’s also the entire pipeline to deploy code that you’ll be unfamiliar with. The time you’ll spend learning enough about this to be effective is a lot longer than you would have to spend in the other direction: learning about systems administration.

As an added bonus, before jumping into security, you’ll make a lot more money as a developer than you would as a systems administrator. Heck, you may make so much money that you’ll change your mind about moving into InfoSec. (This might explain why there are so few InfoSec professionals with coding backgrounds!)

These are just three of the most common routes, but there are others. You could, for example, become a Network Administrator before moving into Cyber Security, but these three routes represent 95% (I’m making that number up, but it feels right) of the routes people take to get into security.

If anything, I hope that I’ve convinced you with this post to not try to take the shortcut into the field by getting into it right out of school (or training). There are already too many people in the field that have credentials saying they’re experts in security but do not have the knowledge to back them, and I want to avoid you being in that uncomfortable position.

So take the long road to InfoSec, and once you reach your goal you’ll be glad you did!
