
As cybercriminals grow more sophisticated and news of major breaches reach headlines nearly daily, cybersecurity professionals are in high demand: There are 3.5 million unfilled cybersecurity jobs worldwide, according to a 2021 report by Cybersecurity Ventures.

Employees who take on these roles play a key role in the enterprise, as the average cost of a data breach worldwide is about $4.24 million, according to IBM Security and the Ponemon Institute.

A job in cybersecurity can also command a high paycheck: The median salary for an information security analyst in the U.S. is $103,590, according to the U.S. Bureau of Labor Statistics, and it’s significantly higher in cities such as San Francisco and New York.

The shortage of trained cybersecurity professionals has led many organizations to seek nontraditional candidates to fill these roles. To help those interested in the field better understand how to break into a career in cybersecurity, we’ve pulled together the most important details and resources. (Note: This article on becoming a cybersecurity pro is available as a free PDF download.)

SEE: The Dark Web: A guide for business professionals (free PDF) (TechRepublic)

Executive summary

  • Why is there an increased demand for cybersecurity professionals? Cybercrime has exploded in the past couple of years, with major ransomware attacks such as WannaCry and others putting enterprises’ data at risk. To protect their information and that of their clients, companies across all industries are seeking cyber professionals to secure their networks.
  • What are some of the cybersecurity job roles? A career in cybersecurity can take the form of various roles, including penetration tester, chief information security officer (CISO), security engineer, incident responder, security software developer, security auditor or security consultant.
  • What skills are required to work in cybersecurity? The skills required to work in cybersecurity vary depending on the position and company, but generally may include penetration testing, risk analysis, and security assessment. Certifications, including Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP) are also in demand, and can net you a higher salary in the field.
  • Where are the hottest markets for cybersecurity jobs? Top companies including Apple, Lockheed Martin, General Motors, Capital One and Cisco have all been hiring cybersecurity professionals in recent years. Industries such as healthcare, education and government are most likely to suffer a cyberattack, which will probably lead to an increase in the number of IT security jobs in these sectors.
  • What is the median salary of a cybersecurity professional? The median salary for a cybersecurity professional depends on the position. For example, information security analysts earn a median salary of $103,590 per year, according to the U.S. Bureau of Labor Statistics. Meanwhile, CISOs earn a median salary of $229,010, according to Salary.com. Salaries are significantly higher in certain cities, such as San Francisco and New York.
  • What are typical interview questions for a career in cybersecurity? Questions can vary depending on the position and what the specific company is looking for, according to Forrester analyst Jeff Pollard. For entry and early career roles, more technical questions should be expected. As you move up the ranks, the questions may become more about leadership, running a program, conflict resolution and budgeting.
  • Where can I find resources for a career in cybersecurity? ISACA, ISC(2), ISSA and The SANS Institute are national and international organizations where you can seek out information about the profession as well as certification and training options. A number of universities and online courses also offer cybersecurity-related degrees, certifications, and prep programs.

SEE: All of TechRepublic’s cheat sheets and smart person’s guides (TechRepublic)

Why is there an increased demand for cybersecurity professionals?

Cybercrime has exploded in the past couple of years, with major ransomware attacks such as the one on Colonial Pipeline, WannaCry and the Log4j vulnerability putting enterprises’ data and vital public infrastructure at risk. The rise of the Internet of Things has also opened up new threat vectors. To protect their information and that of their clients, companies across all industries are seeking cybersecurity professionals to secure their networks.

Hiring and keeping professionals “remains a top challenge,” according to William Candrick, research director in the Gartner IT practice. “The global demand for cybersecurity skills far exceeds the current supply of traditionally qualified individuals.”

The number of attacks detected decreased steadily in 2021 from 5.5 million in January 2021 to 2.2 million in December 2021. Yet the attacks on mobile have gotten more sophisticated in terms of both malware functionality and vectors, according to Kaspersky.

Enrollment in computer science programs has also increased tremendously in the past couple years, and many schools are adding cybersecurity majors and concentrations, said Rachel Greenstadt, associate professor of computer science at Drexel University.


What are cybersecurity job roles?

Cybersecurity jobs span a number of different roles with a variety of job functions, depending on their title as well as an individual company’s needs.

In-demand roles include penetration testers, who go into a system or network, find vulnerabilities, and either report them to the organization or patch them themselves. Cybersecurity engineers, who often come from a technical background within development, dive into code to determine flaws and how to strengthen an organization’s security posture. Security software developers integrate security into applications software during the design and development process.

Computer forensics experts conduct security incident investigations, accessing and analyzing evidence from computers, networks and data storage devices. Security consultants act as advisors, designing and implementing the strongest possible security solutions based on the needs and threats facing an individual company.

At the top of the chain, CISOs helm a company’s cybersecurity strategy, and must continuously adapt to battle the latest threats.


What skills do cybersecurity pros need?

The skills required to work in cybersecurity vary depending on what position you enter and what company you work for. Generally, cybersecurity workers are responsible for tasks such as penetration testing (the practice of testing a computer system, network, or web application to find vulnerabilities that an attacker could exploit), risk analysis (the process of defining and analyzing the cyber threats to a business, and aligning tech-related objectives to business objectives), and security assessment (a process that identifies the current security posture of an information system or organization, and offers recommendations for improvement).

SEE: How to build a successful career in cybersecurity (free PDF) (TechRepublic)

Certifications in cybersecurity teach these and other valuable job skills, and often lead to higher salaries in the field. Those such as Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP) are in high demand.

Anecdotally, companies are looking for people who can deal with more sophisticated attacks such as zero-day exploits, ransomware and spear phishing, said Rob Clyde, a member of the ISACA board of directors.

Some 45% of enterprises also said they don’t believe that job applicants understand the business of cyber, the report found. “One of the skills to learn is to really understand the business, and how cyber relates to the business,” Clyde said. “Don’t just use fear and talking about how bad things can happen, but say ‘We’ve looked at the risk, this is where the biggest issues are, here is the first priority we are going to address.’ Put it in business terms they can understand.”

Cybersecurity is an interdisciplinary field that requires knowledge in tech, human behavior, finance, risk, law, and regulation. Many people in the cybersecurity workforce enter the field from other careers that tap these skills, and translate them to cyber.

“You may think that you have to have so much technology background to go into security,” said Ning Wang, CEO of Offensive Security. “And again, I know firsthand that is not the case. What does it take to be a great cybersecurity professional? And I think from my observation and working with people and interacting with people, they need a creative mind, a curious mind, you have to be curious about things. You have to have the perseverance to go through. You can’t just give up easily. We call it try harder, but you have to have that. You have to have the attention to detail because you are reading a lot of the scripts and the codes; we’re writing them. So, if you don’t have attention to detail it would take you so much longer and it has to be your passion. You cannot do this just for a job, unfortunately. You can’t just follow a playbook and then think that you will be able to do that.”


What is the top cybersecurity software in use today?

If you want to work in cybersecurity, you’ll need to be aware of the most important cybersecurity software. At the most basic, you need to know about the best enterprise password managers, as well as endpoint protection software and the best antivirus software.

SEE: 5 types of cybersecurity tools every admin should know (TechRepublic)


Where are the hottest markets for cybersecurity jobs?

Executives across almost every industry worldwide are looking to bolster their security standings and are hiring professionals to help them do so. Demand for cybersecurity professionals continues to grow.

The number of encrypted threats spiked in 2021 by 167% (10.4 million attacks), ransomware rose by 105% to 623.3 million attacks, cryptojacking rose by 19% (97.1 million attacks), intrusion attempts by 11% (a whopping 5.3 trillion) and IoT malware rose by 6% to 60.1 million attacks, according to SonicWall’s 2022 Cyber Threat Report.

The only category to decrease in 2021 was malware attacks, which dropped by 4%. Still, SonicWall logged 5.4 billion malware attacks in 2021, making it the second highest attack type by total volume.

Cybersecurity is a great field for veterans, too. “Veterans take with them the skills and experiences they developed while in the military, skills readily transferable to civilian organizations. Also, the cybersecurity field allows them to bring their passion for helping others into a private-sector setting,” said Sloane Menkes, cybersecurity, risk and regulatory principal at PwC.

“Teamwork and leadership serve as a natural part of the military experience. This differentiates them from those who have not served in the armed forces. Every veteran understands that leadership happens at all levels and will continue developing this skill throughout their civilian career in cybersecurity.”

In May 2021, Gartner forecast that spending on risk management services and information security would exceed $150 billion in 2021, a 12.4% increase from 2020. As organizations look to onboard new talent amid a tight labor market, a speculated Great Resignation of sorts could complicate operations in the months ahead. But there are strategies companies can implement to attract, recruit and retain their top security talent.

Diversity is also important in cybersecurity jobs. A 2019 (ISC)2 study found that the global cyber workforce will need to grow more than 145% to meet the demand for professionals.

“In my first cybersecurity role, a coworker told me that the only reason I was hired is because ‘they’ needed a female on the team. He was insinuating that I was a diversity hire, and not hired because of my potential, ability and skill sets,” said Megan West, X-Force Cybersecurity Incident Response Consultant at IBM. “I was much younger and this was an older person I looked up to. But I took it as a challenge and let it light a fire underneath me.”

Ian McShane, field CTO at security operations software provider Arctic Wolf, said unconscious bias, poorly written job descriptions and preconceived notions of what is required for security jobs are not only deepening the skills shortage but a diversity shortage in the industry as well.

Much of the issue is self-imposed, McShane added, and organizations must reframe their expectations of who can fill roles and what skills are required for addressing today’s cybersecurity issues.

The industry is “dominated by middle-aged white people who have privilege and all the luck in the world,” said McShane, who is also a former Gartner analyst.

Tech vendors in particular, “don’t make it easy” with their hiring criteria and tend to use words like “cutting-edge,” “rock star” and “unicorn” in their job descriptions, which creates a bias, McShane said.

To help alleviate the problem, Deloitte Cyber recently launched a global awareness campaign to attract more women with diverse skill sets and backgrounds into the cyber profession. About 25% of the practice’s over 22,000-member team is women, and Deloitte Global Cyber Leader Emily Mossburg acknowledged that more work needs to be done–both at the company and the industry at large–to elevate women in the cybersecurity field.


What is the average salary of a cybersecurity professional?

The median salary for a cybersecurity professional depends on the position and the company. For example, information security analysts earn a median wage of $103,590 per year, according to the U.S. Bureau of Labor Statistics. Meanwhile, CISOs earn a median salary of $229,010, according to Salary.com. Salaries are significantly higher in certain cities such as San Francisco and New York.

According to Cyberseek.org data cited by Harvard Extension School, there were about 500,000 open cybersecurity-related jobs between April 2020 and March 2021. And the demand for qualified individuals is only likely to increase.

SEE: Where to find the best-paying cybersecurity jobs (TechRepublic)

What are typical interview questions for a career in cybersecurity?

Hiring security professionals can often be a difficult task, said Charles Gaughf, security lead at ISC(2). “Depending on your organization’s structure you may be looking for a very specific knowledge set or skill, but most likely the need is for a competent professional who is well versed in a variety of technology, who is driven, inquisitive, and honest,” Gaughf said. “That is why it is a good idea to cater your questions to ascertain these qualities. It is also a good idea to throw out some questions that make the candidate think and that you know hasn’t been practiced prior to the interview.”

Questions can vary depending on the position and what the specific company is looking for, Pollard said. For entry and early career roles, more technical questions should be expected. As you move up the ranks, the questions may become more about leadership, running a program, conflict resolution, and budgeting.

SEE: Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)

An opening question to test the candidate’s ability to think on the spot might be “How do you build a botnet?” causing them to work out how they would infect, control, and coordinate a botnet from scratch–instantly putting them in the shoes of the attacker, Gaughf said. Then they may be asked “How would you defend against your botnet?” to gain the other perspective.

In an initial interview, Pollard said, a candidate can also expect technical questions, such as:

  • What are some ways malware can evade detection by antivirus products?
  • What is a cross-site scripting (XSS) attack, and how does it work?
  • Outside of XSS, what are a few other examples of web application attacks?
  • What is a man-in-the-middle attack, and how can it be prevented?
  • What is the difference between TCP and UDP? What kind of use cases are better for UDP?

Candidates may also expect questions to determine how they keep up with the industry, Gaughf said, such as:

  • Do you belong to any local security groups?
  • How do you keep up with cybersecurity news?
  • What security podcasts do you listen to?

After an initial interview, candidates often move forward to a simulated exercise of doing the job, which may be simple or complex, depending on the role. Employers are usually looking for candidates who can explain their decision-making process, rather than those who complete the task perfectly.

“I might hand them some log data and ask questions about the contents of the data. I might hand them a forensic capture from a system and ask them to perform light investigative work and answer details about the attacker,” Pollard said. “If the person was going to be a developer I might ask them to write some code that could parse through data. If the person was going to be a penetration tester, I might hand them a basic web application and ask them to attack it.”

After that point, the candidate may have a final interview to explain their solution, reasoning, and methodology.

“For both parties–the company and the candidate–this is lots of work,” Pollard said. “And it doesn’t fit the traditional interview arrangement where you sort through a mountain of resumes, pick some people to interview, and then rely on a series of 30-45 minute questions, and move people forward based on some combination of responses, instinct, and emotion.”

SEE: How to answer tough interview questions: 8 tips (TechRepublic)

Where can I find resources for a career in cybersecurity?

Several national and international organizations exist for cybersecurity professionals and those interested in the field. ISACA, ISC(2), ISSA and The SANS Institute offer information about the profession, as well as research, certification and training program options.

You can reach out to the person in your organization who is responsible for cybersecurity, and see if you can shadow them or become a mentee.

A number of universities and online courses also offer cybersecurity-related degrees and certifications.
