So you want to be a security pro? 4 ways to break into the field

Rob Lemos, writer and analyst

The US and other countries continue to see a massive gap between the demand for security professionals and the limited supply produced by colleges, bootcamps, and other training methods. Demand is so high that some companies are even recruiting professionals from other disciplines into security analyst roles.

In North America, there are slightly more than 1.2 million workers in disciplines related to security, but the market could support at least 560,000 more, according to estimates from the (ISC)² Cybersecurity Workforce Study.

The result is that there continues to be tremendous demand for newly trained security professionals, experts say. For people entering the field, there is good news: A technical degree is not necessarily required, and experience can be trumped by quality, according to the 2020 Cybersecurity Salary Survey conducted by Cynet, a breach protection firm.

In fact, shifting into security often results in a higher salary, the firm found. Individuals who pivoted from an IT position to a security one earn more than their peers who started out in security, according to the survey. For application security, often that means moving from being a developer or in deployment into an app security engineer position.

The benefits can be huge. The salary for the role of application-security engineer currently tops $133,000, while that for penetration testers averaged $116,000 in 2019, according to jobs-posting service Indeed.com. 

So how do you break into the security field? Here are four ways.

1. Get your game on

Not everyone is suited for security. While non-technology graduates can find ways to enter the career track, they need the ability and perseverance to succeed.

One way to prove that you have the ability—and prove it not just to potential programs and companies, but to yourself—is to play one of the many games that test ability. While a number of security games test end users' awareness of threats, a few contests are targeted at finding potentially talented information security professionals. While most games are not focused on application security per se, most have a component of vulnerability discovery or triage.

For high school students, the SANS Institute created the CyberStart program to attract students to the discipline. Rebranded as GirlsGoCyberStart, the program now focuses on attracting young women into security, but the contest is open to all students as long as four female students are competing, noted James Yacone, director of mission and partnerships at the SANS Institute.

"[The CyberStart game] is a magnificent tool ... that assesses kids' aptitude in a gamified environment, and it teaches them skills—such as coding, Linux, software applications—along the way. Kids don't know that they are being assessed."
James Yacone

In the UK, where the program debuted, more than 100,000 students have played the game, and about 7,000 were identified as having serious abilities and given entry into an accelerated program, he said.

Other companies and groups have regular capture-the-flag and security competitions aimed at recruiting adults, such as the US Cyber Challenge, run by the Center for Internet Security, and Cyber Talents, a site aimed at showcasing talent for private companies through games and contests.

For college students and recent graduates, the National Cyber League runs regular cybersecurity competitions, and the SANS Institute offers the Cyber FastTrack competition.

2. Decide on your destination

Security is not a monolithic field. Practitioners need to focus on specific disciplines.

Professionals focused on core cyber defense—often referred to as the blue team—may work to secure a company on their own, with a small team, or as part of a security operations center (SOC).

The flip side of those information security professionals is the red team—penetration testers and vulnerability researchers—who focus on finding system weaknesses before the attackers can. When an attack does happen, incident responders and forensic investigators are needed to figure out what happened: how the attackers got in and what they did.

The majority of workers with their sights on security enter the field through these paths, applying for positions such as IT security specialist (29%), information security analyst (12%), security analyst (9%), and security engineer (4%), according to Indeed.com data. 

Application security professionals typically enter the field from the software development and deployment side of the business, growing from a security champion to an application-security engineer. With more companies focused on agile development and deployment, incorporating security from the get-go is more important now than ever, the SANS Institute's Yacone said.

"Trying to bolt security on at the end of the process never works well. So application security professionals are sitting with the engineers and developers during the process."
—James Yacone

Other segments of information security include industrial control systems, which blend physical and cybersecurity with compliance management, which is even more important in light of increasing fines for violations of privacy regulations from the European Union and others.

3. Pursue college or a professional course?

Breaking into security does not require a college degree. While two-thirds of security professionals do have a college degree—and 59% of those degrees are in computer science or engineering—about a quarter of workers in the security market have either a high school diploma or an associate's degree, according to (ISC)²'s report.

Talent trumps academic degrees, according to Cynet's data. Only 17% of security analysts with an academic degree make more than $90,000, compared with 30% of security analysts without an academic degree, the firm found.

Even so, getting a master's degree in security can be a good way to make a mid-career change. Georgia Institute of Technology's Online Master of Science in Cybersecurity, for example—an offshoot of the university's computer science program—already has 650 students in its first year.

Moreover, working full time does not prevent students from taking the course. In fact, some companies offer the program as a perk, and the average age of students is about 35 years old, said Raheem Beyah, vice president for interdisciplinary research at Georgia Institute of Technology.

"The degree program is flexible, so that people who work during the day can still participate. [The goal is] to attract as many people as we can."
Raheem Beyah

4. Get certifications

Anyone looking to break into security will almost certainly need a certification or two under their belt.

For IT security specialists, the most common first security position (29% of cases) on professionals' resumes, nine of the top 10 most common requirements in job postings are certifications, according to Indeed.com. The top three are Certified Information Systems Security Professional (CISSP), CompTIA Security+, and Certified Ethical Hacker.

In fact, for most entry-level positions, a certification is one of the three most common requirements, Indeed.com notes. The only exception is for the lowest rung of the ladder, the information-technology intern.

Certifications, however, just set a baseline. The organizations that manage the certification process boast that professionals with information security certifications make, on average, 22% more in North America.

But workforce analysis firm Foote Partners puts the average at about half that and, for application security specialists, the actual pickings in terms of getting certified are small, noted David Foote, co-founder and chief analyst of Foote Partners.

"Most programming languages and frameworks have no certifications. So most companies will actually have to test applicants' secure coding expertise."
David Foote

The Certified Secure Software Lifecycle Professional (CSSLP) accounts for about an 11% bump in pay at companies, he said.

It's nice to be in demand

In the end, the world needs all levels of security expertise—from technicians who set up firewalls to application security specialists who keep code secure and security architects who design security into products and networks, said Georgia Tech's Beyah.

And for professionals wanting to move into security, the gap in the number of security workers is good news.

"We need both certifications and degree programs. It is not an either-or proposition, but a focus on providing a full spectrum of solutions."
—Raheem Beyah
