Cyber Security Cross Over: What To Expect When Making That Transition
Best practices for navigating into the cyber security career path
The struggle is real! Are you interested in this subject area, and have you obtained a degree or possibly various credentials? Are you still lost on what path to go down or wondering why these positions are still unfilled?
If you responded yes to all these questions, I want to convey some key concerns and recommend best practices. Making the transition to the cyber security field will have its obstacles, but it will be worth it in the end.
The Term Cyber Security
The first concern: depending on who you ask in the industry, the term cyber security has a lot of definitions. In the media, it’s portrayed as a person sitting behind the computer with a hoodie and hacking into a system. This image sometimes is the only thing people associate with this term.
However, what about the other aspects? A quote from Dr. Mansur Hasib defines it as: “Cyber security is the mission-focused and risk-optimized governance of information, which maximizes confidentiality, integrity, and availability using a balanced mix of people, policy, and technology, while perennially improving over time.” If cyber professionals think in this mindset, it could help the transition become simpler. Another challenge is choosing the cyber path that fits best, according to your skill set.
Cyber Security Career Path
The second concern: cyber security is a broad area and cyber professionals should have an idea of their career path. Nevertheless, this is a major concern I watch often. Picking out your career path should be based on your experience and skill set. For instance, my background is in engineering, with previous work experience in project management, systems engineering, and information technology. To find my career path, one resource to reference is the NICE workforce framework, as this document breaks down specialty areas, work functions, jobs and skills.
For example, here is what this document lists in line with my background:
Specialization Area: Oversee and Govern. This area provides leadership, management, and direction to an organization. It is further broken down into areas such as cyber security management, executive leadership, program/project management, and training and education.
Employment Role: As an example, in a Program Manager role a cyber professional can expect to lead, organize, communicate and ensure alignment with agency or enterprise priorities. To succeed in this role, below are the abilities and knowledge that someone should bring to the position.
Abilities: In this role, someone should be able to employ supply chain risk management, oversee the development and update of the life cycle, and ensure security practices are addressed through the accomplishment procedure.
Knowledge: In this role, someone should come in with knowledge of computer networking concepts, risk management processes, and laws, regulations and policies.
Using this resource will help cyber professionals understand where they fit in the field. The next concern is finding a position, whether you are bringing all the knowledge you gained over the years or are just starting out.
Navigating The Positions Within Cyber Security
The third concern: once a cyber professional has either obtained a degree or earned numerous certifications, the next challenge is finding a position. There is a major disconnect between recruiters, hiring managers, and even job descriptions for these positions. What I have observed is certain requirements are not ideal for certain positions.
For example, below is a Junior Cyber Analyst position:
- 1-5 years of experience in managing IT systems and IT systems support for Navy/DOD customers or directly for Navy/DOD
- Familiar with NIST SP 800-37 RMF and DIACAP C&A, System Security Plans (SSPs), Risk Assessment Reports (RAR) processes.
- Familiar with Secure Technical Implementation Guides (STIGs), Information Assurance Vulnerability Alert (IAVA), DCID 6/3, Federal Information Security Management Act (FISMA) and other tools using industry best practices.
- Familiar with the following network protection devices: Firewalls, intrusion detection and prevention systems (IDS/IPS), log analysis, malware analysis, network traffic flow and packet analysis
- NAVSEA Program Executive Office (PEO) experience - desired
- Possess strong oral and written communication skills
- Bachelor level degree (BA/BS) in Engineering or related field desired
- IAM Level I certified
- DoD 8570.1-M Compliance at IAT Level I or equivalency (e.g., Certified Information Systems Security Professional (CISSP)) certification- desired
If I were a job candidate interested in this position, the education requirements do not align with a junior-level role. The major trouble is that counting on a candidate to hold a senior-level management certification such as CISSP for a junior-level role is looking for a purple unicorn. To improve this for a junior-level role, the education requirement should focus on the IAT Level I certs (A+ CE, CCNA-Security, Network+ CE, SSCP). Most cyber professionals are known to get an entry-level certification first, in order to get exposed to this field.
If companies worked together as a team to improve their job descriptions and make them more accurate, using resources such as the NICE workforce document, CompTIA roadmap, SANS roadmap, and AWS Cloud roadmap, then a lot more positions would be filled. The talent is out there, but the workforce mindset needs to change as well. Finally, cyber professionals must know how to relate their past experience to a cyber security role.
Relating Past Experience Into Cyber Security Roles
Fourth, relating your experience into cyber security roles is another concern. In my previous experience, I did not have all the knowledge I needed, and I thought I did not have cyber security experience. It wasn’t until I found a mentor to guide me and change my mindset about cyber security that I had the knowledge I needed; it was just in a different industry dealing with the oversight and governance within cyber.
Here is one example, based on my research, of how a non-technical professional can relate their past to cyber security roles. Let’s say you have a criminal justice background and a law degree, and you want to transition into this field. Well, guess what: you can make that transition using all the skills from your background. Using the NICE workforce document, a person with this expertise could potentially apply for a Cyber Legal Advisor position. This falls under the Oversee and Govern category, with a specialty area of legal advice and advocacy. This role would provide legal advice and recommend best practices on cyber law.
In the end, there are still many challenges to navigating the cyber security professional landscape, but it's best to start by knowing what you're passionate about. Reference sources like the NICE Workforce to learn the details for your specific career route, and familiarize yourself with the different areas, roles, tasks and skills within that role. Use your certifications as a baseline for jumpstarting your career and gain as much hands-on experience as possible (I mentor others during my personal journey). Finally, you cannot know everything there is to know about cyber security. This industry is very broad, so focus on one area and become THE subject matter expert. It will set you apart from the competition.