How to Succeed as a Cybersecurity Pro: Three Crucial Steps

Looking for a new career? The data shows that cybersecurity is still a super-fast route to a good job. And to maximize your success, this is what current cybersecurity professionals recommend.

By Oliver Rist
August 10, 2021

A vast majority of HR and IT hiring managers agree that the most difficult positions to fill are in the cybersecurity department. That's trouble for them but good news for you, if you're looking for a new IT career and want to get hired quickly. But even with a global skills shortage that's been going on for a few years now, there are some important steps you need to take if you want to succeed.

The Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA) recently completed a joint study based on global survey responses from 489 cybersecurity professionals. Based on those answers, current cybersecurity pros have three key bits of advice for newbies looking to break into the field.

Widen Your Network

Building a network of other security, IT, and HR professionals is the best way to land a job in a company with competitive benefits for security personnel. According to the study, 38% of currently working security pros say they found their job by mining their network of industry contacts. Meanwhile, 24% said they got a gig from a headhunter, while 22% got theirs through a job posting.

In case you're short on network contacts, there are several ways to build your people web up in a hurry. Aside from following these steps, you can also build up your current network quickly by joining and actively participating in some popular online cybersecurity groups, such as the Certified Information System Security Professional (CISSP) or the Computer Security Institute groups, which are both on LinkedIn. Two more good bets are the large r/CISSP and r/ComputerSecurity subreddits.

Get Certified But Don't Overdo It

For the fifth year in a row, the majority of respondents to the ESG-ISSA survey pointed to the CISSP certification as the single best cert to hold for security job seekers, and it's actually one of the most valuable IT certifications overall. Fifty-nine percent said they'd already achieved it, and 51% said it had been the most important certification when it came to finding their current job.

Respondents also cautioned against "certification loading." With the long list of increasingly arcane security certs available, some job seekers have taken to adding as many credential acronyms as they can to their resumes. But those working in cybersecurity now believe that's a waste of time unless you're doing it to advance a specialized skill set.

A small hurdle for newcomers: Most respondents (52%) said demonstrable hands-on experience was more valuable and more likely to get you hired than simply having a certification. But if you're a seasoned IT generalist, especially one with experience managing cloud and hybrid cloud environments, that experience is certainly relevant when you're switching to a cybersecurity track. In fact, cloud and application management experience were among the top security specializations highlighted by respondents, coming in at 39% and 30%, respectively. Combining that experience with a CISSP certification is apparently a solid recipe for job-hunting success, borne out by the fact that 79% of survey respondents said they started their tech careers in IT.

Shop Around

The ESG-ISSA survey respondents indicated that even newcomers will probably get an offer fairly quickly if they're qualified candidates. They also believed you shouldn't jump at the first offer you get. Some of that is because, with the current cybersecurity-skills shortage, it's effectively a sellers' market (although 38% of respondents indicated their companies still didn't offer competitive wages). But respondents cited another factor as being more important than compensation—namely, how your prospective employer treats security professionals.

Because security is a difficult discipline, and there are fewer qualified staffers available, many companies are dropping big workloads on their security personnel. That's why 60% of respondents said they had significant trouble achieving any kind of work-life balance. A big factor here was training. To keep current, cybersecurity professionals need to keep their skills honed, and 91% of respondents said that means regular training. Yet 59% also said their employers refused to take that into account when doling out workloads, so they had difficulty keeping up. That's why 38% of respondents said the biggest problem their organizations had with attracting and keeping security professionals was burnout due to being overworked. Make sure to ask what kinds of work your prospective employer is expecting you to do and whether it offers benefits such as tuition for certifications and time off for training.

Another important concern was how an organization approaches cybersecurity. Many respondents said that the best ways their organizations could improve cybersecurity overall were to put security personnel on new IT projects from the start and to make sure that they were also members of every technology working group (58% and 38% gave these answers, respectively). That means a large number of cybersecurity pros are out there right now trying to do their work but being sidelined by IT. That not only makes the job harder, but also makes it chronically frustrating. Be sure to ask how typical IT projects are managed and where cybersecurity professionals generally fit in that workflow.

A bonus tip: Keep your options open. Once you've got some verifiable experience in cybersecurity, 23% of the ESG-ISSA survey takers said you'll probably receive calls from headhunters several times a week. So if you wind up not being happy with a current employer—well, as my Dad used to say, it never hurts to listen.

About Oliver Rist

Contributing Editor

I've covered business technology for more than 25 years, and in that time I've reviewed hundreds of products and services and written a similar number of trend and analysis stories. My first job in journalism was with PC Magazine in the 1990s, but I've also written for other enterprise technology publications, including Computer Shopper, InformationWeek, InfoWorld, and InternetWeek.

Between stints as a journalist, I've worked as an IT consultant, software development manager, and marketing executive for several companies, including Microsoft, where I was a senior technical product manager for Windows Server. My focus is on business tech reviews at PCMag, but you can also find me co-hosting This Week in Enterprise Tech on the TWiT.tv network.
