Just finishing a degree in computer science? Interested in switching jobs? You may want to strongly consider a career in cyber security. Although most technology graduates are sought after these days, cyber security professionals are particularly in high demand. Both the UK and US governments are hiring cyber security professionals. The private sector in both countries and in many countries around the world is hiring professionals with the requisite knowledge and skills to help fend off growing cyber security threats.
See also: Ethical hacking courses
Why is cyber security a valuable career path? Just take a look at the following numbers:
If you are close to graduating or recently graduated with a computer science degree, you may want to consider trying to land your first job in cyber security. The number of unfilled jobs in this area continues to increase, with no foreseeable drop-off in the immediate future. More importantly, however, is the fact that this career path already has a million unfilled jobs. Corporations, businesses, and governments cannot seem to fill all of their open positions. This is a troubling trend, especially considering the growing number of cyber criminals and the growing threat of cyber crime.
Finding your first job in cyber security should be easy enough with so much demand. However, you’ll want to make yourself attractive to employers before you graduate and enter the job market. How you prepare will also be influenced by what type of cyber security job you’re looking to get into.
Common cyber security jobs
Before applying for cyber security jobs, it’s good to know what’s out there for this expansive profession. The following jobs are the most common for cyber security professionals entering into the field, with the average salaries (from Glassdoor, ITJobsWatch, and PayScale) for each in the US and UK:
Primary Role: Senior-level security professional responsible for the planning, research, and design of an implemented security structure.
US Median Salary: $119,000
UK Median Salary: £72,500
Information Security Officer
Primary Role: Develops and delivers information security and privacy programs.
US Median Salary: $89,000
UK Median Salary: £65,000
Primary Role: Develops and maintains methods that ensure systems are able to withstand disruption, including from natural disasters.
US Median Salary: $88,000
UK Median Salary: £52,500
Primary Role: Provides clients with a needs assessment for computer system security concerns, focusing on vulnerabilities and targeting specific improvements.
US Median Salary: $81,140
UK Median Salary: £47,099
Primary Role: Studies and finds weaknesses in existing cryptosystems.
US Median Salary: $76,470
UK Median Salary: No data
Primary Role: Analyzes how and why different malware work.
US Median Salary: $75,000
UK Median Salary: £60,000
Information Security Specialist
Primary Role: Focuses on protecting systems by defining and setting privilege access, allocating resources and setting control structures.
US Median Salary: $71,418
UK Median Salary: £60,000
Primary Role: Investigates data breaches, cyber crimes, or other security-related incidents.
US Median Salary: $70,000
UK Median Salary: No data
Forensic Computer Analyst
Primary Role: Uses available tools to find data on computers and other devices.
US Median Salary: $68,671
UK Median Salary: £62,500
Security Software Developer
Primary Role: Uses different programming languages to develop security-specific software.
US Median Salary: $65,668
UK Median Salary: No data
Knowing ahead of time which jobs you might apply for matters. While most cyber security professions do require a similar set of skills, most will have certain upfront requirements that you may not meet. When that happens, you’ll likely have one of two primary options: Gain the requisite knowledge before you apply, or acknowledge your lack of training, but apply anyway.
The first option might seem like a better one, but don’t jump to too many conclusions here. Cyber security jobs are still incredibly hard to fill. If a company believes that you have a good technical foundation, they may be more than willing to hire you for the job and help you get the rest of the skills you need to perform those job duties in full.
If you’re graduating with a degree in cyber security (typically a Master’s), you’re likely to have more options than someone who is graduating with a more general computer science degree. There are some key differences in what coursework cyber security graduates obtain that sets them apart. In particular, cyber security graduates may be more likely to find jobs as Intelligence Analysts and Cyber Security Engineers by the simple fact of having the type of education that’s geared more toward those jobs.
Know the distinction between network security, cyber security, and information security
Computer security jobs cover several core skills areas, but they are far from the same. And when applying for your first job in cyber security (or one you’ve always had your eye on), you might want to avoid sounding like you’re not talking about the correct field. You’ll see the computer and internet-related security fields come with a lot of different titles: internet security, network security, cyber security, information security. It’s easy to assume they’re all the same thing, but understanding the nuances between them may place you further up the list of potential applicants.
Network security and/or cyber security
IT and networking leader Cisco states that “network security” is “any activity designed to protect the usability and integrity of your network and data.” That protection includes both software and hardware solutions. It’s best to think of network security as security efforts designed to help ensure that the network is strong from the inside, and focuses its efforts on ensuring that the “castle walls” are strong.
According to Cisco, network security includes all of the following types of measures and controls:
- Access Control
- Antivirus and Malware Software
- Application Security
- Behavioral Analytics
- Data Loss Prevention
- Email Security
- Intrusion Prevention Systems
- Mobile Device Security
- Network Segmentation
- Security Information and Event Management
- Web Security
- Wireless Security
Undoubtedly, of the many computer-related security branches, network security is perhaps the largest. And as you might notice, while network security primarily focuses on activities that occur within the network, it’s designed around keeping malicious actors from accessing those networks. A large focus for network security is on looking at how individuals within the network are working with and accessing the information or resources. After all, there’s no point in having internal security measures in place if someone on the inside with rights access is giving it all away (or acting against the network themselves).
Cyber security and network security can generally be used interchangeably. However, it may be wise not to use the term information security when referring to the above.
Where network security is more centered around preventing unauthorized access to a network or misuse of that network from within, information security is more singularly focused on preventing information from falling into the wrong hands. Quite understandably, information security (often called “infosec”) and network security have a lot of overlap. For example, some of the same software used by network security professionals will also be used by information security professionals.
That said, information security professionals, who may also be called “data security” workers, are often concerned about the acronym C.I.A: Confidentiality, Integrity, and Availability of data. For infosec professionals, this means that network architecture is not so much important as it is making sure that the data within that network is protected, viable and accessible for users, as well as kept out of the hands of individuals who might abuse that data. Infosec professionals will, therefore, be far more concerned about what happens to the data after a data breach and will spend far more time concerned about data stored on the servers.
All of that taken together, however, cyber security/network security and information security are increasingly falling under the same banner. Still, there are some differences you may want to consider when looking for jobs, as most security jobs will eventually require you to specialize in a few key areas. Much like any other area of study, the entire field is a bit too broad for one person to easily become an expert in all facets. You can, however, focus more on data security or more on network security as your primary field of expertise.
How to get into the cyber security industry
Perhaps one misconception with cyber security is that the only individuals hired into this industry were former hackers or those who have been poking around networks since they were in diapers. However, anyone can get into cyber security by acquiring the proper training and education.
Direct route: Obtain an undergraduate degree in a computer-related field
Of course, not all computer-related undergraduate degrees are going to help give you immediate access to a cyber security job. Health Informatics, for example, is technically a computer-related field. But unless you decide to tack on a double major or a minor in computer networks, selling that degree to a cyber security firm might be a bit difficult unless you already have other networking and security skills you’ve developed on your own.
Computer science degrees and computer engineering degrees, in general, are the best route. Within these two realms, you’ll find specializations that will help land you different cyber security jobs. Among the best degrees you can earn, which may be more or less applicable to the type of cyber security jobs listed above, include:
- Artificial Intelligence
- Computer Architecture and Engineering
- Computer Security and Cryptography
- Computational Science
- Computer Networks
- Databases and Information Retrieval
- Information Science
- Software Engineering
- Hardware Engineering
- Concurrent, Parallel and Distributed Systems
For those still earning an undergraduate degree, valuable courses may include, but are not limited to, the following examples:
- Computer Networks
- Software Security
- Hardware Security
- Information Security and Risk Management
- Information Security Strategies
- Network and Computer Security
- Database, Internet, and Systems Integration Technology
- Programming in C
- Machine Learning
- Software as a Service (SaaS)
- Software Engineering
For more courses, including subject areas and free courses, head over to Computer Science Online.
Second route: Obtain a graduate degree in cyber security
If you graduated with a Bachelor’s degree in computer science, but want to get a more specialized degree in cyber security, a Master’s degree program is a good idea. More importantly, if you obtained an undergraduate degree in a field outside of computer science or computer engineering, a graduate program may be your best option.
Think of Master’s degree programs as similar to professional trade schools. While undergraduate degrees do provide some basic knowledge that may be desirable for employers, those with a Master’s degree in a specialized field are often more attractive hires. For cyber security, even if your undergraduate degree was outside of the field, a Master’s degree in a cyber security can help get your foot in the door. You may need to provide more evidence toward your skillset if you went straight into a Master’s program without getting work experience first, but the degree will help land more interviews and potential job offers.
Master’s degree programs in cyber security are fairly easy to find. Online programs are extremely popular, although in-person classes do maintain more reputability, despite the growth in online options at even some well-respected institutions.
Third route: Obtain a cyber security certificate
If time and money are a constraint for you, consider obtaining specialized cyber security certificates or those that would be related to the field. Certificate programs are as common as Master’s degree programs. Although they often target individuals already working in cyber security who are hoping to obtain different specializations, they are generally open to anyone for enrollment.
Those who have no programming, security, or networking background can benefit from gaining different certificates. However, doing so might require noticeable legwork on your part. These certificate programs usually have no prerequisites, but the laser-focused nature of these programs may make keeping up more difficult for individuals with little to no experience. Nevertheless, many programs exist that can help build the requisite knowledge from the ground up.
Harvard, for example, offers cyber security certificates through its online Harvard Extension School. Courses include Communication Protocols and Internet Architectures; Secure Software Development; Hardware, Software, Networks, Security, and Management; Applied Network Security; Cloud Security; Networks; Cyberspace and International Security; Secure Mobile Computing; Governance, Threats, Conflict, Privacy, Identity, and Commerce; and How to Assess and Communicate Risk in Information Security.
Certificate programs, much like Harvard’s, typically require students to choose a smaller selection of classes to earn the certificate. In Harvard’s case, students are required to take two courses to earn the certificate.
Valuable certificates for cyber security newcomers
If you’re looking at the certificate route as your point-of-entry, consider obtaining a variety of certificates from the Computing Technology Industry Association (CompTIA) as a way to build up your knowledge and experience. CompTIA is an industry-neutral trade organization that offers certificates for a variety of skill levels. CompTIA provides programs that can help newcomers build the requisite certificate history to land a career in the industry.
CompTIA certificates for cyber security newcomers include:
- CompTIA A+: A foundational certificate that covers computing and networking basics.
- CompTIA IT Fundamentals: A basic foundation in networking and cyber security.
- CompTIA Network+: A certificate program designed to certify knowledge on design, configuration, and management of wired and wireless networks.
- CompTIA Security+: CompTIA’s foundational security-related certificate covering principles of network security and risk management.
Other certifications to consider:
- Microsoft Technology Associate (MTA) in IT Infrastructure: The MTA in IT Infrastructure is a good starting point for anyone. The certification program specifically focuses on building the prerequisite knowledge needed to work on desktop, server or cloud computing infrastructures.
Valuable certificates for those with computer science, engineering, and networking backgrounds
If you already have some background knowledge or experience in computing, networking, or security, the following certificates may be what you’re looking for to better enter into the cyber security industry:
- CEH: Certified Ethical Hacker: A certificate that focuses on using infiltration methods to test the strength of security systems. The CEH certificate can be obtained from multiple sources, including the International Council of E-Commerce Consultants, or EC-Council, and the Infosec Institute.
- Cisco Certified Entry Network Technician (CCENT). This Cisco certification goes into more depth than the CompTIA Network+. It’s known to be difficult but may provide someone with the prerequisite knowledge an advantage when it comes to cyber security job applications. Cisco provides this certification directly.
- Certified Information Systems Security Professional (CISSP). Administered by the independent Center for Cyber Safety and Education (Formerly ISC2), the CISSP is one of the most respected infosec certifications. The certificate focuses on security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security. These are considered the Common Body of Knowledge for cyber security professionals. ISC2 delivers this certification directly. A 4-year degree in computer science or computer engineering can be used as a waiver to bypass the 5-year minimum work experience normally required.
- Cisco Certified Networking Associate (CCNA). Cisco offers a number of certificates geared toward those with enough experience to allow for very specific specializations. CCNA certificates are offered in cyber ops, routing and switching, security, and several other key areas. The benefit to these certificates is that there are no prerequisites, although acquiring the certificate may be difficult for those with no prior experience in computing. Cisco offers these certificates directly.
Who’s hiring cyber security professionals?
While most large companies and many government organizations are hiring cyber security professionals all the time, some of the most notable include:
Many of the larger companies also target recent graduates as well with career-building jobs. These will often start out with a lower salary, but come with the benefit of more on-the-job training to help new employees gain the skills needed by the company.
Some companies and organizations offer scholarships
Not yet trained in cyber security? The need for new professionals is so great, some companies and many independent organizations offer scholarships to anyone who wants to work in the industry.
Notable scholarships for all learners:
- Cisco opened up a program in 2017 that almost immediately filled up. The company offered $10 million in scholarships to those willing to take a 3-course study in cyber security. The company promises to open up the program again in 2018 for new applicants.
- The National Security Agency offers generous scholarships to undergraduates through its Stokes Educational Scholarship Program. Those going into this program must be in computer science or computer engineering degree programs and must agree to work for the NSA after completion.
- The Center for Cyber Safety and Education (Formerly (ISC)² Foundation), offers a range of scholarships for different groups, including several scholarships specifically for women choosing to enter the field. The organization also provides scholarships to graduate students. These scholarships are partially funded by Raytheon, which hires many cyber security graduates.
- The US Office of Personnel Management offers a Scholarships for Service program for undergraduate and graduate students who intend to work for the federal government. This program covers both college costs and pays a stipend.
- The Science Mathematics & Research for Transformation (SMART) scholarship is an interesting option for several reasons. First, it’s delivered by the U.S. Department of Defense for anyone pursuing a STEM graduate or undergraduate degree, including computer sciences and information sciences. The program also accepts applicants from several close U.S. allies: Australia, Canada, New Zealand, and the UK. Successful applicants must be willing to accept a job working for the DoD after graduation.
- Microsoft offers tuition scholarships for undergraduate students pursuing degrees in computer science, computer engineering, or STEM fields related to either of those two. The scholarship covers part of the tuition for one academic year and is open to students in the US, Canada, and Mexico.
Notable scholarships for women and minorities:
- Several organizations (ASCA, Hewlett-Packard, Symantec) join together to provide interested women with the Scholarships for Women Studying Information Security. This scholarship is designed to provide up to $10,000 per accepted applicant to cover the costs of studying in and entering into cyber security professions.
- Google offers their Women Techmakers Scholars Program for women interested in technology careers. This includes cyber security or information security degrees. The program is open to applicants who identify as female and live in North America (US, Canada), Europe, the Middle East, Africa, and Asia Pacific.
- The Women in Defense organization offers their HORIZONS Scholarship for women who want to pursue careers in national security or defense agencies. This is designed to cover any woman who want to obtain a degree in cyber security and who intend to work for a defense agency.
- IBM and the American Physical Society offer an internship program for both women and underrepresented minorities. While not a scholarship, these are paid internships to work for IBM while an undergraduate student and gain valuable experience in the process.
- The Society of Women Engineers offers several different scholarships for women pursuing STEM degrees. This includes computer science and computer engineering, cyber security and information security-related degrees. In 2016, the organization offered $750,000 in new and renewed scholarships.
- Black students working on a STEM degree and attending an HBCU may acquire a scholarship from Development Fund for Black Students in Science and Technology. Scholarships are only in person through the HBCU’s listed on the website and require an in-person screening.
More such scholarships exist as well. Many companies are willing to pick up the cost for those willing to work for them after graduation. This may require you to contact a company directly and inquire about any such opportunities. However, diligence is generally required even with the large demand for cyber security professionals.
Additional scholarships can be located using major scholarship databases, such as the following:
Stay Active in the Cyber Security Community
The cyber security community is not only large but continues to grow every day. Becoming an active participant will not only help you keep up with this quickly-changing industry, it may help you land a job. One Comparitech writer, Lee Munson, found his way into the cyber security field by keeping an active blog, posting on LinkedIn, and closely following industry leaders. You can read more about his journey here.
The size of the industry does mean that there are a very large number of personal bloggers, industry-facing websites, forums, and other web spaces. Here are some of the best places on the web for cyber security newcomers, broken down by category.
One of the highest-ranked cyber security websites on the web, Dark Reading focuses on all aspects of cyber security, with special attention on attacks, app security, cloud security, data leaks, privacy, and a lot more. Follow them on Twitter @DarkReading.
Digital Guardian calls Brian Krebs a “household name in information security.” His site’s rankings and most infosec professionals would likely agree. Krebs worked for The Washington Post for over a decade and authored over 1,300 articles for their Security Fix blog. You can follow him on Twitter @briankrebs.
Security company Kaspersky runs its own cyber security news website called Threat Post. Considering this comes directly from Kaspersky, it shouldn’t be a surprise that the site is very popular within the security community. You can follow them on Twitter @threatpost.
Andrew Hay is Senior Security Research Lead & Evangelist at Open DNS. He offers up his insight and years of experience on his blog. You can follow him on Twitter @andrewsmhay.
Cryptography expert Bruce Schneier is well-respected within the cyber security industry. His blog, Schneier on Security, has enjoyed 10 years of growth, focusing specifically on security and privacy matters important to the industry and consumers. Schneier is the Chief Technology Officer of IBM Resilient, an incident response company. Follow him on Twitter @schneierblog.
The fun bloggers at Emergent Chaos provide a bit of entertainment to the educational value in this blog. Those new to the industry might find a lot of use in following the posts here, and even in digging through old posts about various topics in cyber security.
Leading Google’s abuse response team, Elie Bursztein is a young but talented cyber security professional with a bit of an eccentric flair. Bursztein is an ethical hacker who works with Google to help invent new ways to prevent cyber attacks. His blog posts often focus on his work. You can follow him on Twitter @elie.
Graham Cluley has his finger on the pulse of the infosec industry. He’s often first covering major topics related to cyber security and privacy, making him a go-to source for those keeping up with what’s happening in the industry. You can follow him on Twitter at @gcluley.
Newcomers can go to eLearnSecurity to not only brush up on their IT know-how but to get some good insight into the industry. eLearnSecurity maintains an active blog with posts that should help newcomers get a good grasp of what’s happening in cyber security. Most of the posts focus inwardly on eLearnSecurity’s products and services, but many will still provide value for interested parties. You can follow them on Twitter @elearnsecurity.
Cyber security company Sophos offers up an industry-focused blog that’s a good source for both newcomers and professionals alike. The Naked Security blog is a great way to stay abreast of the latest concerns and issues happening within cyber security—perfect for before you head into your first interview. You can follow them on Twitter @NakedSecurity.
This Reddit community for internet security professionals is a great source, especially for those looking for work. /r/netsec often posts hiring threads for those who are looking for work, and for those who are either hiring or know of companies that are hiring internet security professionals. This community has over 180,000 subscribers.
A great place for any undergraduates or graduate students alike, or even self-learners, this subreddit is designed for those just getting started in the internet security industry. This subreddit only has around 20,000 subscribers, so it’s a bit less active, but filled with good discussions and helpful moderators. It’s useful as a tool to help find where to get started with network security.
Another great starting point for newcomers, this Reddit forum is designed for just what the name would suggest: Asking questions about network security. You’ll find that the somewhat small community is very friendly and a great place to go to for advice.
A page similar to, but smaller than, /r/netsec. A good, small community with a fair amount of activity focused on cyber security news and discussions.
Stack Exchange is a great place with a limited number of communities. One such community is all about information security. Stack Exchange works differently than Reddit, although it’s still a fairly open community. Ask questions, get answers, and find the best answers voted to the top. You can easily browse, but you can also engage to get valuable information.
The Hack Forums is a forum website designed around hacking, with a special emphasis on white hat, or ethical hacking. Anyone interested in ethical hacking, security, and software vulnerabilities should spend some time here reading forum posts and discussions.
Keep up with cyber security news and concepts
Cyber security is a constantly changing field. Even the most well-known professionals in the field keep up-to-date with the latest news and important literature that help define the field. As a newcomer entering the industry, you’ll want to make sure you’re also well educated on major concepts and maintain a steady stream of knowledge as the industry changes.
Notable mailing lists and newsletters
The U.S. Computer Emergency Readiness Team provides mailing lists that help keep industry professionals up-to-date. Lists include alerts on security issues, vulnerabilities and exploits, bulletins covering vulnerabilities and patches, tips on common security issues, and current activity around the industry. Individuals can sign up via RSS feed.
Cyber security training institute SANS provides several newsletters to help readers stay informed on cyber security issues. Their newsletters include OUCH!, which is designed for common users; @RISK, which covers new risks and vulnerabilities; and SANS Newsbites, an executive summary of major headlines in cyber security from the past two weeks.
Def Con is not a single list, but a website you can use to find a large number of different cyber security lists. Def Con provides detailed information about each mailing list, including volume and frequency.
Like Def Con, Security Focus provides a large list of interesting and useful security mailing lists. The full list is not well organized, although it is regularly updated.
Although a small list, Security Awareness provides excellent, high-quality infosec mailing lists. The lists are simple to sign up to via email.
Important and notable books
Cracking the Coding Interview
By Gayle Laakmann McDowell
A best-seller for software engineers looking to land their first job, this is an important read for any potential security software engineers. McDowell covers the process both as someone who has been through the process as an interviewee and as an interviewer.
RTFM: Red Team Field Manual
By Ben Clark
Consider this book your best friend if you’re headed into ethical hacking or cyber security in general. The Red Team Field Manual provides a valuable reference for Linux and Windows syntax, including the most difficult to remember tools, values, syntax, and scripting.
BTFM: Blue Team Field Manual
By Alan J. White
Similar to the RTFM, the BTFM is designed for individuals working within the NIST Cybersecurity Framework and focuses on the five core principles: Identify, Protect, Detect, Respond, and Recover. The book is for anyone who wants practical information on how to handle cyber security incidents and should be considered essential for anyone who wants to work as an incident responder.
Hacking: The Art of Exploitation
By Jon Erickson
This must-have book helps guide those with some security knowledge through the hacking process. The book focuses on the thought process behind hacking, with some hands-on hacking methods for a variety of different purposes.
Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World
By Bruce Schneier
Bruce Schneier has several books available. This includes his exploration of cyber threats in the modern world. This book provides a good grounding for cyber security professionals who want to gain a broader understanding of the on-going cyber threats to individuals and companies.
Black Hat Python: Python Programming for Hackers and Pentesters
By Jason Seitz
Python hacking is among the most common hacking methods. As such, Jason Seitz’s book is a perfect primer for information and network security professionals, as well as anyone interested in a future in ethical hacking.
The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
By Kevin D. Mitnick
Although presented through a fictionalized view, Kevin Mitnick adds in his expert hacking experience to present real scenarios in hacking. His book dives into what hacking looks like from both sides of the fence—and how the victims could have prevented the hacks.
Average day of a cyber security professional
What does a day look like for a cyber security professional? While it can vary depending on your specialization, here’s what your typical cyber security professional may do on any given day:
Reviewing security standards
A good amount of time for a cyber security professional might consist of reviewing security standards and setup. This could involve reviewing any incident reports as well and checking networks for suspicious-looking activity.
Reviewing security architecture
If everything looks good on the security front, cyber security professionals may spend a good amount of their day reviewing the established architecture. This may include looking for places where the current architecture is vulnerable and reviewing mitigation strategies.
One of the key jobs of a cyber security professional is understanding what a threat actually looks like before, during, and after it has occurred. You may hear about times when companies have suffered security breaches that they did not discover for days, weeks, or even months. This may happen when the professionals they’ve hired have failed to fully recognize the incidents that exist. A large part of the job for a cyber security professional is staying on top of the type of threats that can occur, what these look like, and knowing how to put a stop to them as they happen.
As cyber security professionals are often called upon to “think like a hacker,” this also means putting their own systems to the test. Security professionals may spend some time looking for flaws by trying to break through their own secure networks and then working to solve vulnerabilities as they’re discovered.
There is no real 9 to 5
A security professional’s duties rarely fit nicely into a 9-5 schedule. As cyber threats can occur at any time day or night, security professionals are often called on to work at all hours. Many companies will hire multiple professionals to work at different hours, in fact, so as to create a 24-hour security workforce.