The art of working cybersecurity is about more than just protecting systems and networks; it requires a strategic perspective, lots of planning and building a comprehensive roadmap of priorities and goals for the future. Technology continues to evolve and so the ways in which it can be put at risk evolve as well, necessitating a constant pace of career development.
Book learning and technical training are essential elements for any IT-related profession, but some additional skills are essential to build due to the high level of complexity and ever-changing requirements behind a cybersecurity career.
I spoke to Javvad Malik, security advocate at AlienVault, to get his take on what how to build a solid and stable cybersecurity career. Here are a few of his summarized insights after reflecting back on his career, along with some follow-up elaboration based on my own experiences in cybersecurity.
1. Get a mentor
Malik recommended finding a mentor early in your career and use them to help work out a career strategy. He had no such strategy when he started his profession and feels it cost him a few years to make up for it and get up to speed. A mentor can be a friend, a colleague, a manager, an associate in an online group or forum, or anyone else with the know-how and experience as well as the willingness to share both.
2. Develop your soft skills
Malik feels communication is an integral part of cybersecurity; explaining the what, why and how to people to help them understand what they should be doing, or why you're choosing a certain course of action or plan is essential. Knowing how to speak to people and becoming a better writer and communicator can be immensely helpful in improving interactions with others. Get better at listening to others as well.
He paraphrased Seth Godin, "If I try to explain why you need to do security and you don't get it, that's my failing, not yours"
In my experience, one good example here would be telling users why their computers have to automatically reboot once per month in order to install patches and what threats might befall them otherwise can help ease their frustration and lower resentment.
SEE: Working in IT: Why we love it, why we hate it (free PDF) (TechRepublic)
3. Blaze your own trail
Malik expressed regret that he hadn't spent more time early on his career engaging in self-study and experimenting with systems and devices when he had the opportunity. A hands-on exposure to testing new concepts or applications can help you determine your own path and what you enjoy or want to focus on (or perhaps want to steer clear of).
In my view, this day and age provides opportunities involving virtualization, snapshots and cheap storage/hardware which all make it even easier to build a testing environment and really delve into the innards of how things work to help better understand how to apply security practices.
4. Establish a network
Malik advised interacting with industry peers from the onset of your cybersecurity career (conferences or otherwise). "Meeting different people from different geographies with different experiences and motives is a really good way to cram a ton of different perspectives and skills into a short timeframe," he observed.
I participate in online forums, Facebook, LinkedIn and Twitter groups, and professional organizations such as the International Information Systems Security Certification Consortium and the SANS Institute can all be helpful in building a peer network. However, it takes more than just joining the groups or bookmarking the links - it's important to actively participate to provide and absorb news, tips, technical details and other material related to the field.
SEE: Interview tips: How to land your next tech job (free PDF) (TechRepublic)
5. Manage conferences effectively
Malik said that conferences are a great place to learn and network, but they can also be a negative experience if not managed well. He recommends them in moderation; there's no point in going to every single conference as many details will overlap and the experience can become redundant.
He said the best strategy is to find the conferences most relevant to your needs and attend them with a well-defined plan. If you want to meet people such as from your peer network, try to contact them beforehand and set aside some time to get together to share ideas. If there are certain skills you want to learn, attend those talks or workshops. If you're in the market to buy new technology, make a short list of all relevant exhibitors and visit their booths. Speaking opportunities and giving back to the community by sharing information are also beneficial.
6. Engage in content creation.
Generating content on the cybersecurity field is a great way to learn and retain details and gain a more comprehensive set of insights.
Malik found out a great deal of useful information by creating content for a blog; it forced him to research topics, connect with people and to tailor messaging for different audiences. Those concepts resonate and stick with you long after what you might learn from merely reading articles.
SEE: Launching your cybersecurity career: 10 jobs to consider (free PDF) (TechRepublic)
7. Keep your skills fresh using public material
Malik stated that security professionals must keep their skills fresh, yet don't have to bankrupt themselves paying for training. You can continue to study on your own using content and tutorials that are freely available now through websites like YouTube. There are also plenty of free webinars out there, from vendors as well as analyst firms which give a really good overview of market trends, new technologies and vendors in the space.
He also feels it's critical to look at skills outside of information security or technology - things like writing and presentation courses can be useful since those skills are important for all InfoSec professionals.
Finally, he suggests taking advantage of the fact that many security professionals document and share their knowledge and research publicly and provide feedback to others; consider doing the same. This can be very useful because you get a chance to share what you know and people can critique the material. It also helps you network with your peers.
8. Prevent burnout
Burnout can be a major problem for many technology workers and security professionals are no exception. The ease with which people can be contacted and drawn into issues can result in an ever-increasing cycle of work.
It's important for people to exercise discipline and maintain clear boundaries to separate work from personal life - even more so for remote workers. The separation between work and personal life must also extend to social circles and hobbies. Your mentor can also help in this regard by highlighting the areas of work that are most important and how to create an effective work-life balance.
SEE: How to build a successful career in cybersecurity (free PDF) (TechRepublic)
9. Have patience and go at the proper pace
"Technology operates and evolves quite rapidly but businesses themselves usually do not," Malik told me. Have patience and wait for things to get done in due time. You can't change the world with a click. A solid cybersecurity career is based on protecting assets and preventing chaos.
There's often a lot of pressure from other groups to roll out changes to satisfy compliance requirements or for security scans (such as Qualys) to pronounce a clean bill of health for systems. However, it's important to resist the pressure if it's too onerous or unreasonable.It's been my observation that all too often cybersecurity professionals cause inadvertent harm by rushing to roll out security changes such as patching or configuration changes. The irony here is they can cause more damage to an organization while trying to do good works than a malicious individual with immoral intentions might ever dream of accomplishing.
Malik stated that "anyone who's worked in security for any period of time understands that there's no definitive way to outsmart the bad guys; their tactics will always change." It's a matter of understanding risks, identifying acceptable losses, and determining what needs to be responded to. You need to understand your own tolerances, then it becomes a matter of being able to effectively detect and respond to the important threats as they arise.
10. Remain focused on what you can handle
"Focus on your area of speciality and become proficient at it," Malik said. Avoid trying to influence areas you only think you know about; cybersecurity is a complex enough field without hanging your career on hypotheticals. Moreover, don't try to solve problems that may not even exist in your company. If there are security threats which aren't applicable to your business don't bother focusing on or worrying about them.
Stick to what's meaningful. I've found that vulnerabilities on test systems or expired certificates on unused servers might provoke concern (particular if these show up on a security scan) but it's best to stick to the genuine risks first and perform clean-up work on irrelevant systems later. Don't be a perfectionist; sometimes good enough is good enough. You have to remain focused on the big picture to remain successful.
Malik concluded our talk with a parting thought: "Everyone makes mistakes. Learn how to deal with them and move on."
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- 10 questions job seekers can expect in a cybersecurity interview (TechRepublic)
- 84% of cybersecurity pros are open to switching companies in 2018 (TechRepublic)
- Landing that infosec job: These experts share their best career advice (ZDNet)
- Tech careers: It's time to pump up the volume if you want to succeed (ZDNet)
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.