As a cyber security expert, you will have a huge range of career options across a wide variety of industries (e.g. finance, government, retail, etc.). But IT security is a specialist field. You’re unlikely to start your professional life as a penetration tester or a security architect. So the question remains – how do you get your foot in the door?
Start with this resource. It’s intended to help anyone interested in transitioning from a non-security career. We’ve included advice on choosing a starter IT job, tips on building your résumé and ideas for gaining practical experience. We’ve also listed hard IT skills and non-security certifications that will give you a solid grounding for the future.
Where to Start
Career Path Options
There is no one true path to working in cyber security. People come at it from all angles – math, computer science, even history or philosophy. Yet all of them share a deep and abiding interest in how technology works. Security gurus say this is critical. You need to know exactly what you’re protecting and the reason things are insecure.
Train in General IT
To that end, many experts suggest that you begin with a job, internship or apprenticeship in IT. This will verse you in fundamentals such as administering & configuring systems, networks, database management and coding. You’ll also get a sense of IT procedures and real-world business operations.
Focus Your Interests
Because it’s impossible to be an expert in all categories, employers also suggest you focus on an area (e.g. networking security) and do it well. Think ahead 5-10 years to your “ultimate security career” then look for starter IT jobs that will supply you with the right skills. Sample career paths could include:
- Exchange administrator → Email security
- Network administrator → Network security, forensics, etc.
- System administrator → Security administrator, forensics, etc.
- Web developer → Web security, security software developer, etc.
Gain Practical Experience
Starter IT Jobs
IT jobs that can lead to cyber security careers include:
- Computer Programmer
- Computer Software Engineer
- Computer Support Specialist
- Computer Systems Analyst
- Database Administrator
- IT Technician
- IT Technical Support
- IT Customer Service
- Network Administrator
- Network Engineer
- Network Systems & Data Analyst
- System Administrator
- Web Administrator
Trying to narrow your options? Make sure your entry-level IT position will give you some security-related experience. If this isn’t clear in the job description, you have an excellent question to ask the hiring committee during your interview.
Building Your Cyber Security Résumé
The Ideal Cyber Security Candidate
The ideal cyber security candidate has a mixture of technical and soft skills. On the technical side, most employers want proof that you are:
- Grounded in IT fundamentals: e.g. networking, systems administration, database management, web applications, etc.
- Versed in day-to-day operations: e.g. physical security, networks, server equipment, enterprise storage, users, applications, etc.
For soft skills, they’re looking for candidates who:
- Know how to communicate with non-IT colleagues and work in a team
- Understand business procedures & processes
- Love to solve complex puzzles and unpick problems
What to List on Your Résumé
1. College Degree
Although it’s not always necessary to have a college degree to land your first cyber security job, it’s bloody useful. College teaches you important skills in communication, writing, business and project management – skills you’ll appreciate in later years. What’s more, a strong academic qualification will ease your way to management positions. Some employers now demand proof of a bachelor’s degree before they will consider candidates. Learn more about your options in Choosing a Cyber Security Degree.
2. Relevant Job Experience
List any previous IT positions plus any other work related to IT security. That includes volunteer work, internships and apprenticeships. For government jobs, hiring committees will be interested in any military or law enforcement experience.
3. Hard IT Skills
We catalog some of the most useful hard IT skills below.
4. Professional IT Certifications
Don’t have a beginner’s security certification like Security+? Employers will still be interested to see if you have relevant IT certifications. Just be prepared to back up these qualifications with proof of real-world experience.
5. IT Achievements
List any IT and cyber security achievements that you think your employers will respect. These could include Capture The Flag (CTF) standings, contest awards, training course certificates and scholarships.
How to Gain Practical Cyber Security Experience
- Teach yourself to code. (Experts recommend this again and again.)
- Build your own computer and security lab using old PCs, your own wireless router with firewall, network switch, etc. Practice securing the computer and network, then try hacking it.
- Create an open source project.
- Participate in cyber security contests and training games. e.g. Wargames, Capture the Flag competitions (CTFs), etc.
- Look for vulnerabilities on open source projects and sites with bug bounties. Document your work and findings.
- Pair your cyber security certification exams with side projects that utilize the same skills.
- Offer to help your professor or employer with security-related tasks.
- Take free online cyber security MOOCs.
- Invest in training courses (e.g. SANS).
Networking & Volunteering
- Join LinkedIn groups, professional networks and security organizations.
- Attend local security group meetings and events.
- Connect with peers playing CTFs and Wargames.
- Collaborate with a team (at work or in school) on a cyber security project.
- Volunteer at IT and cyber security conferences.
- Volunteer to do IT security work for a non-profit or charity.
- Read IT and security magazines/news sites and blogs.
- Bookmark useful cyber security websites.
- Keep tabs on cyber security message boards like Information Security Stack Exchange.
- Run a background check on yourself to see if there are any existing red flags, then determine what you can do to address them. Security is a sensitive field and employers are looking for ethical candidates.
Useful IT Skills & Certifications
Hard IT Skills to Cultivate
While you’re building your cyber security résumé (see above), work on developing hard IT skills like the ones listed below. These are often in high demand by employers. Since technology is always subject to change, we also recommend you consult your colleagues, mentors and/or professors for the most up-to-date advice.
Operating Systems & Database Management
- Windows, UNIX and Linux operating systems
- MySQL/SQLlite environments
Programming & Coding
- C, C++, C# and Java
- Python, Ruby, PHP, Perl and/or shell
- Assembly language & disassemblers
- Regular Expression (regex) skills
- Linux/MAC Bash shell scripting
- System/network configuration
- TCP/IP, computer networking, routing and switching
- Network protocols and packet analysis tools
- Firewall and intrusion detection/prevention protocols
- Packet Shaper, Load Balancer and Proxy Server knowledge
Thanks to the nature of their job and industry, security experts usually end up specializing in a specific area of interest. For example:
- Cisco networks
- Cloud computing
- Microsoft technologies
- Database modeling
- Open source applications
Helpful Non-Security IT Certifications
Before you get too deep into security-focused certifications, check out the following IT credentials. You’ll often spot these acronyms on the LinkedIn profiles of security professionals. However, we’d be the first to state there are plenty of others out there. Ask around or visit security message boards to decide which ones are worth the investment.
A “go-to” certification for entry-level network engineers and specialists working with Cisco routers and network systems. CCNA certificate holders have proven their ability to install, configure, operate and troubleshoot medium-size routed and switched networks.
This qualification is on par with CCNA Security, which emphasizes core security technologies, confidentiality, the availability of data/devices and competency in the technologies that Cisco uses in its security structure. Experienced Cisco engineers can aim for the higher level Professional and Expert levels.
CompTIA A+ is one of the most common baseline certifications for IT professionals, especially IT support specialists and technicians. The exams cover the maintenance of PCs, mobile devices, laptops, operating systems and printers.
A+ is required for Dell, Lenovo and Intel service technicians and recognized by the U.S. Department of Defense. Many folks follow it up with Network+ and Security+.
The second in CompTIA’s trinity of qualifications (which includes A+ and Security+). Network+ is an ISO-17024 compliant certification that tests a professional’s knowledge of data networks. This includes building, installing, operating, maintaining and protecting networking systems.
Network+ fulfills U.S. DoD Directive 8570.01-M and is held by nearly half a million people worldwide. It’s often recommended for network administrators, technicians and installers.
ITIL certifications focus on ITIL best practices. Foundation is the basic level and the ITIL credential most frequently seen on job requirements.
The exam tests candidates in key elements, concepts and terminology used in the ITIL service lifecycle, including the links between lifecycle stages, the processes used and their contribution to service management practices. If your company is using ITIL processes to handle their services to internal/external customers, then Foundation is worth considering.
Anyone working with Microsoft technologies should take a close look at the Microsoft Certificate Solutions Associate (MCSA) and the expert MCSE. You must complete the MCSA before tackling the MCSE.
Widely respected in the industry, MCSE demonstrates a professional’s ability to build, deploy, operate, maintain and optimize Microsoft-based systems. For the MCSE, you can choose one of nine certification paths, including Server Infrastructure, Private Cloud, SharePoint and more.
PMP is aimed at mid-level project managers. Candidates without a bachelor’s degree must have at least five years of project management experience (7,500 hours leading and directing projects); bachelor’s degree holders must have at least three years (4,500 hours leading and directing projects).
Successful PMP holders have demonstrated they have the experience, education and competency to handle project teams. It’s not a “must-have” by any means, but it can certainly help you zip through the résumé screening process and proceed into discussions about salary.
Interested in becoming a Linux expert? Take a look at RHCA, probably the most challenging qualification in the Red Hat certification program. To attain RHCA status, Red Hat Certified Engineers (RHCEs) must pass at least 5 exams and demonstrate their skills in performance-based tasks. Beginners should consider the RHCAS and the CompTIA Linux+ certification.
VCP5-DCV is expensive, but probably worth it if you’re interested in virtualization. To obtain this foundation-level certification, candidates must demonstrate hands-on experience with VMware technologies, complete a VMware-authorized training course and pass an exam. This proves a certificate holder’s ability to install, deploy, monitor, scale and manage VMware vSphere environments.
Once you have the VCP5-DCV, you might wish to consider more advanced levels of VMWare DCV certification. In addition to data centers, VMWare also offers credentials in the cloud, end user computing and network virtualization.