How to overcome the beginner cybersecurity career Catch-22
The workforce gap constantly makes headlines, but that doesn't mean breaking into the field is easy. Get advice on how to start on an entry-level cybersecurity career path.
You've probably read the statistics about the dearth of open cybersecurity jobs. Among them, ISC2's Cyber Workforce Study found a nearly 4 million worker gap worldwide.
The actual number of job openings is a controversial topic among cybersecurity pros, but most agree a global cybersecurity skills shortage exists. Recent research from TechTarget's Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) backs up this belief. "The Life and Times of Cybersecurity Professionals Volume VI" found 71% of organizations have been affected by the cybersecurity skills shortage, leading to overwhelming workloads, new jobs remaining open, and high burnout and attrition rates among staff.
Given this data, you'd think every cybersecurity newbie would have multiple job offers to choose from. Alas, that's not the case. Junior cybersecurity applicants often face a Catch-22 situation, where entry-level positions require advanced certifications and multiple years of hands-on infosec job experience -- not exactly attributes you'd have upon college graduation. And while a shortage of cybersecurity professionals exists, entry-level candidates often outnumber actual jobs available.
When ESG and ISSA asked cybersecurity professionals which group was the most difficult to hire, only 12% of organizations pointed to entry-level candidates (0-3 years of experience). Forty-two percent claimed mid-career candidates (4-7 years of experience) are the most difficult to hire, while 33% said senior candidates (7-plus years of experience) are the most difficult to hire.
It appears a cybersecurity degree simply isn't enough to gain admission to the cybersecurity career club. What then can entry-level candidates do to crack into the profession? ESG and ISSA asked this very question to a global panel of 301 cybersecurity professionals and ISSA members. Here's what they recommend.
Get an apprenticeship, internship or mentor
Twenty-nine percent of respondents suggested seeking an apprenticeship, internship or mentor to guide them in developing skills and career plans where they can get hands-on experience. I would add that money shouldn't be a consideration here. Volunteer, if need be, to get the experience. Many cybersecurity technology vendors offer summer internship programs and extend these with full-time offers to some participants. Some state and federal agencies have similar programs. Students should also explore campus-based opportunities at their colleges, universities or perhaps across a university network. For example, the OmniSOC program, a security operations center servicing several colleges and universities, offers internship programs where students gain hands-on experience.
Obtain a cybersecurity certification
While it might be obvious, 27% of respondents suggested getting a basic cybersecurity certification. My recommendations include CompTIA Security+, GIAC Information Security Fundamentals, ISC2 Systems Security Certified Practitioner or an ISACA Cybersecurity Fundamentals Certificate. Any of these should get you started, but look for hiring requirements in your area and pick the most applicable. Alternatively, get a vendor certification in high-demand security technology. Cybersecurity pros who know how to use technologies from vendors such as CrowdStrike, Palo Alto Networks and Splunk are always in need.
Join an industry organization
Fifteen percent of respondents suggested networking with or joining a professional industry organization with local chapter events. ISSA has chapters in multiple cities and states, as well as all over the world, as do other professional organizations. Many such organizations have special rates and programs for entry-level and junior cybersecurity professionals.
Learn how security supports business
Eleven percent of respondents suggested developing business skills to better understand how cybersecurity can support the business. While this might be advanced advice, it's never too early to understand the relationship between cybersecurity and the business -- especially if you aspire to be a CISO someday. Emerging regulations, such as the new SEC cybersecurity rules or the European Union's NIS 2 Directive, will only increase the need for understanding and oversight around this intersection.
Hopefully these suggestions can provide some help so entry-level candidates can overcome career frustration, open a few doors and circumvent the Catch-22. Let me know what of any advice I missed, and please reach out to me and share your experiences. It takes a village.