How to get into cyber security

James Milligan, Global Head of Hays Technology

What qualifications do you need to work in cyber security? How easy is it to transfer to a security job? What’s the best thing about working in the sector?
 
I recently spoke to some of our cyber security recruitment experts from around the world to find out the answers to these questions, and many more. In this blog, you can read insights and advice from:
  • Edmond Pang, Hays Shanghai & Suzhou Regional Director 
  • James Walsh, Hays UK & Ireland Cyber Security Business Director
  • Miguel Duran, Hays North America Cyber Security Lead
  • Robert Beckley, Hays Technology Regional Director, Australia & New Zealand
 

1. What qualifications do you need to work in cyber security?

Miguel (North America): In the last five years we’ve seen the adoption of cyber security and information security specific degrees in the US. Previously, if you were applying for an engineer job, you’d be expected to just have a foundational IT knowledge; you may have come from a traditional IT infrastructure role and slowly transitioned into cyber.
 
But now, we’re seeing demand for these new degrees – which teach foundational network and infrastructure understanding, but from a security perspective, rather than broader elements such as router and switch configurations.
 
So, there’s been a shift in professionals coming out of university and straight into a SOC role, working as an analyst on SIEM monitoring – rather than more traditional transitions into the roles.
 
This isn’t just specific to universities and degrees, though. Generally, there is more cyber security specific learning content being created. Eventually, this is something every university and college will be offering as it’s highly in-demand by organisations – and will be in the future too.
 
James (UK&I): In the UK, whilst there are some cyber security degrees available, this is much less prevalent. Generally, we find that people who want to work in cyber are the types of people that have learnt to hack from 14 or 15 years old. Often, these people won’t go to university to study, but these will probably be the best Penetration Testers, as they’ve been learning about the sector from such a young age.
 
Alternatively, there are some cyber apprenticeships available. These are limited, but tend to be run by either GCHQ or specific organisations who look for leavers from top schools and universities.
 
Robert (ANZ): Certifications are by no means a necessity when trying to get into cyber security in Australia and New Zealand. But if you have no hands-on experience, they can be a good way to demonstrate your enthusiasm and ability to learn.
 
There are many different sub-specialisms within cyber security, and there are certifications to go with each one. We recommend starting as broad as possible, with certifications like CompTIA Network and Security+. For those more advanced professionals who have a good idea of which path in cyber security they wish to take, it’s time to get more specific. If your focus is on GRC, a CISM or CISSP; if your passion is offensive security, a CEH or any of the SANS Certifications would be a ‘nice to have’ on your resume.
 
Edmond (Asia): In Asia, I’d recommend certifications in CISSP, CRISC, CISM, CISA, GIAC, CCSP or CCSK. You should also be familiar with COBIT, NIST and ISO27000.
 

2. How easy is it to transfer into a cyber security job from another tech role?

Edmond (Asia): In general, it’s not easy to transfer between tech roles – especially when it comes to cyber security, as companies would want to know they’re protected with a trusted and capable team. However, there are entry-level roles such as Security Analyst/Operations, or functional roles like risk where a strong foundation of infrastructure and network knowledge, with basic cyber security certifications, should get your foot in the door.
 
Miguel (North America): I think how easy it is to transfer into cyber depends on where you’re coming from. There are always going to be roles that are more aligned, but ultimately, it’s about the individual changing their mindset. For example, moving into configuration and implementation, you need to shift your mindset and ask: how do I defend this? How do I monitor this piece of equipment?
 
Again, having the relevant foundational knowledge is going to make the transition easier. You need to acknowledge what you want to move into, and assess if you have the required skills to do so. If you need to study or train, then a certification or online course will be the easiest route. Or you could go to the local community and find a mentor to help you.
 
And of course, always work with a specialist tech recruiter. If this is something you’re interested in, contact one of our Hays Technology consultants.
 

3. Does the experience of working in cyber security differ depending on the size and scale of the business?

Robert (ANZ): Definitely. In a large enterprise you will have big teams often working in narrow specialisms. In a smaller business you are likely to have broader responsibility.
 
James (UK&I): I agree with Robert; in a larger organisation, there is the potential that your role would be more siloed; you will have a standardised first, second and third line of defence in place. Whereas in a smaller organisation or start-up, it’s likely you will be the first, second and third line of defence!
 
But if there is a little more demarcation of roles than that in a start-up position, your role will be focused on risk rather than operations (operations roles tend to be assigned to technical-focused cyber professionals). That means your role would include risk controls, audits, monitoring and business advisory.
 
Miguel (North America): I think Security Program Maturity is what determines the experience. Smaller companies will have a broader skill range need for an individual due to the lack of people in the team. They will likely out/in-source areas of their business such as monitoring, risk or engineering.
 
Whereas a much larger business may have a stronger, more developed program, where they have large teams segmented into their respective areas such as SOC, IAM, Architecture, GRC. Therefore, their hiring is more focused on professionals in certain skill categories.
 

4. So, when starting your cyber security career, which is better to work for – a large organisation, or a small company?

Robert (ANZ): There are pros and cons of both. Starting in a large business, you are more likely to have structure, support, exposure to different teams, and a clear progression path. But in a smaller organisation there may be an opportunity to take on more responsibility earlier.
 
Miguel (North America): In a very small organisation like a start-up, as we’ve discussed, there’s going to be one (or potentially two) cyber security employees. That person is the go-to security expert, and needs to be able to do anything and everything. So that role won’t be suitable for someone starting out in their career.
 
The focus should be on the maturity of the business instead, rather than the size/scale. It’s best to begin your career with a mature business (that could be large or an SME), to ‘earn your stripes’.
 

5. What’s the best cyber security job to begin your career with?

Robert (ANZ): Start as broad as possible! Ideally a position that would expose you to the technical aspects of IT Networks and the Governance requirements placed upon them.
 
Edmond (Asia): A Security Analyst role that may be less technical is a good place to start. Plus, IT Service companies (security services/product providers) and professional consulting agencies (such as PwC, Deloitte, EY and KPMG) have incubated cyber security professionals and Security Technical Experts. They provide massive cyber security compliance and technical projects from various industries and regions which would be a strong place to start a career.
 

6. For someone thinking about a career in cyber security, how would you sell it to them? What’s the best thing about working in cyber security?

James (UK&I): In my opinion, it’s the diversity of role and the fact it’s so wide and varied. There’s a place for all skillsets and types of people in cyber security. It’s probably the most diverse tech specialism in that sense.
 
And the big salaries help, too!
 
Robert (ANZ): It’s a strategically important, constantly evolving sector, where you will be exposed to the latest tech. It’s a career that will provide opportunity and reward.
 
Edmond (Asia): Cyber is the hottest area in the tech market right now. And it will continue to be, because organisations’ business systems and architectures will continue to grow and get more complex as they expand their business and go through digital transformation. Cyberattacks are real and increasing. This means the demand for cyber security professionals will always exist, which offers good career progression and returns.
 
Miguel (North America): Working in cyber security is a mindset. Everyone shares this mindset – whether you’re working in prevention or offensive security. The industry is geared towards the people who have this mindset, and those people thrive.
 
If you’d like to hear about the specific soft and technical skills you need to work in cyber security – plus the jobs that are most in-demand by employers right now – then read my previous blog, The skills you need for cyber security career success.
 

Author

James Milligan
Global Head of Hays Technology

James Milligan is the Global Head of Hays Technology, having joined in 2000. In his role, he is responsible for the strategic development of Hays' technology businesses globally.