An official website of the United States government
January 2018
|I deal with businesses to identify ways of securing their IT (information technology) systems. I also mentor staff and make sure the company meets its regulatory requirements.
Businesses don’t understand what they don’t know. That’s where I can help, by working with them to identify their requirements—and to protect their information according to the law and according to risk. You can be 100 percent compliant with the regulations but still be at risk.
From a risk perspective, you need to know how hackers work so you can protect against them. A lot of organizations have penetration tests: they hire a “good guy” to hack in and act like a “bad guy.” Then they build their security around that.
Yes. At first you need to learn the basic principles, but you’ll eventually identify a specialty area. Two big areas with opportunities are computer forensics, figuring out how someone hacked in and retracing those steps, and application security, identifying and fixing software vulnerabilities.
There’s also governance, risk, and compliance. This is my area of expertise. I help set policies and oversee the security programs. I’m in a strategic role, not a tactical one.
I think it’s the morality of the work that attracts a lot of us who are in it. A lot of us just want to save the company and to do the right thing. We’re looking to save the world.
Early in my career, I was working for a computer company when someone stole the source code for our software. The company formed an information security team and developed a tool to identify when systems were misconfigured or when they were broken into. I had been teaching people how to use software and computers, so I taught people how to work the security tool.
After that, I became the security guru for the computer room. And since then, I’ve done everything and anything when it comes to IT security.
It can be extremely difficult at the entry level, because many job openings require 1 to 3 years of experience. What I usually tell people is to get as much knowledge as you can, and then network.
Step 1 is to get your knowledge. There are all kinds of information security training classes online. One site that offers free training is Cybrary.it, although you do pay to take the certification exams after completing a class.
Another opportunity for picking up knowledge is to watch online videos. For example, I might search how to hack something to learn how it happens. And once I learn how to hack it, I can learn how to prevent it.
Step 2 is networking. Go to meet-ups, or join user groups or professional associations to meet others in the cybersecurity field. Latch on to those who are able to help and answer questions. Start talking to people, and get your name out there; let them know that you’re looking to get started. It’s amazing how many people are willing to help if only you ask.
Yes. The CISSP (Certified Information Systems Security Professional), the oldest certification for IT security, is the gold standard. It’s good for identifying whether people have a baseline.
An industry association survey asked IT workers to list the certifications they had, and there were 71 different certifications listed. But CISSP was the most common.
Yes and no. Do you need a degree? No, and I know a bunch of people working in the field today who don’t have a degree. But should you get one? Yes, because it gives you the discipline to develop skills for lifelong learning.
Ideally, a major in computer science provides the foundation. There are a lot of programs around information security or information assurance; there are even master’s and doctorate degrees in this area. But if you’re driven and passionate about cybersecurity, you can come from any background.
I earned a college degree over time, through online training. It was a long and tedious experience, and I was able to take advantage of life-learning credits.
You need to be tenacious: don’t give up, and stay focused. Have a passion for learning and a passion for technology.
Having the aptitude is important, too; we’re driven for problem solving, for figuring things out, for being challenged.
You also need to understand business—the concepts of program management and teams—and not just technology. And as you progress in your career, you’ll need to build on your communication skills and your presentation skills.
Probably the challenges. And I enjoy working with my clients and peers and sharing that knowledge.
I also like the ever-changing technology. There’s always something new. I’m learning, learning, learning.
Getting people to truly understand our role. A company will often do “just good enough” security. Just like with accidents, with cybersecurity breaches, companies think, “It’s not going to happen to us.” And that presents a huge obstacle in convincing them that they actually may be at risk.
Keep learning, and don’t give up. If you’re in college, get that degree as a foundation. But to get into the occupation, focus on what skill, or skills, you need in the moment. Technology changes so quickly. Get online, talk to people, and figure out what you need to learn—and then dive in.
Elka Torpey, "Cybersecurity consultant," Career Outlook, U.S. Bureau of Labor Statistics, January 2018.