Cyber attacks are increasing in frequency and sophistication. Unfortunately, there has been a huge shortage of cyber security specialists for quite some time. What’s more, many companies believe that candidates are not adequately qualified. This opens the door to a career in the industry for good professionals.
To become one, however, you should know how to learn cyber security, how to tell whether it is for you, what you need at the outset, which skills matter, where to start learning, where to get knowledge from, and which training methods to use.
This article will help you build your desired competencies and guide your career path and development.
What is cyber security and why is it important
According to Wikipedia, cyber security is "a set of telecommunications and computing issues related to the estimation and control of risks arising from the use of computers, computer networks, and the transmission of data to remote locations, considered from the perspective of confidentiality, integrity, and availability."
It is the management, development, and use of information security, operational technology (OT), and information technology (IT) concepts, tools, and practices to protect the cyber environment and user or organization assets (Parker and Brown, 2019).
As the world becomes more connected and digitization becomes ubiquitous, governments, corporations, institutions, and many different companies (regardless of size) store a lot of sensitive information.
This is a perfect opportunity for cybercriminals, who never stop looking for vulnerabilities and bugs and new ways to take over valuable data or defraud. It is reported that data breaches cost enterprises an average of $3.92 million (CSO Online).
With the increasing number and sophistication of cyberattacks, protecting sensitive personal and business information is a top priority. Unfortunately, according to an ISSA report, 70% of cyber security professionals claim their organization is impacted by the cyber security skills shortage.
It would seem that simply hiring more people is enough. Nothing could be further from the truth – professionals need the right skills, and it turns out that 61% of companies think their cyber security applicants aren’t qualified (ISSA).
Who is a cyber security specialist?
The cyber security specialist plays a very important role in the whole "puzzle". In general, the specialist’s task is to secure IT systems and to monitor, detect, analyze and respond to security incidents. The specialist should protect systems from vulnerabilities and threats and reduce the risk of attack and of leakage of company or organization data.
Today’s cyber security industry needs many (good!) practitioners. And you can be one of them, using the content of our comprehensive guide.
Is cyber security for me?
Probably more than one of you has wondered whether cyber security is the right choice. It is worth looking at yourself at the very beginning: what you are like, and what predispositions and interests you have. All of this affects the way we work, and the right fit for the job makes performing duties and tasks easier, more efficient, and more enjoyable.
There are a few behaviors and abilities that may indicate that you are a good fit for the cyber security industry.
You read a lot, you’re up to date
This is absolutely not about reading advanced publications intended for specialists with 5 years of experience. News from the industry, information about new vulnerabilities and their exploits, following updates, etc. are enough.
This is the first sign that cyber security might be a good path for you because you are interested in what is happening in it. It is also a good predictor of staying in an industry that is all about continuous learning and improvement. If you find it difficult to add to your knowledge in the early stages, the situation may not change much later on.
You have a desire for continuous learning
It’s a predisposition that can be an indicator of future job performance. Since new vulnerabilities are constantly emerging and cybercriminals’ modus operandi is constantly evolving, you need to stay up-to-date on attack vectors, new technologies, and how to secure them.
According to Dawson and Thomson (2018), the pace of their development is so fast that after just 3 months without supplementing knowledge, a cyber security professional can become significantly less effective.
If you can adapt to the rapidly changing reality and are open to continually adding to your knowledge and improving your skills, this may be the green light for you to start a career in cyber security.
You have problem solving skills
If you have a proactive attitude – typically able to identify problems that arise, find solutions and implement them, and evaluate their effectiveness – that’s a good sign. Along with communication skills, this is one of the competencies that make students see themselves as suitable for cyber security jobs, according to Mishra et al. (2019).
Communication is not a problem for you
You have the ability to convey information to your interlocutors in a clear and understandable way, and transferring sometimes difficult issues into easy-to-understand ones is a piece of cake for you. You will need this skill at work and you will learn more about it later in this article.
Should I get a degree?
Recently, there has been a dramatic increase in the number and scope of educational programs offering cybersecurity-related content, and many of these are at the undergraduate or graduate level, leading to a degree.
Academic programs have the potential to develop new talent and support the formation of skills that are in demand. It’s important to remember, however, that the right skills don’t necessarily equate to a degree in security studies (although there may be clear advantages).
Fewer than a quarter of respondents believe educational programs adequately prepare students to enter the industry. There is some observed caution about viewing graduates as "qualified for the job," or more specifically, as qualified practitioners (Furnell, Fischer, & Finch, 2017).
Unfortunately, curricula often focus on teaching theories and concepts rather than building experienced practitioners who are capable of critical thinking (Topham, Kifayat, Younis, Shi, & Askwith, 2016).
It is hard to imagine athletes who assimilate the rules of their sport or tactical strategies and never go out on the field to practice them, test them, work them out…
It is no different for cyber security professionals if they acquire the right level of technical knowledge but fail to apply it in practice.
As for which qualifications seem to be the most relevant, an analysis of job ads shows that the most common is a Bachelor’s Degree (52% of ads). Less common are Certificates (9.2% of cases), Bachelor’s Degree or Postgraduate Degree (3.6%), and Master’s Degree (1.5%) (Parker and Brown, 2019).
Furthermore, when asked about the relevance of security education, most working professionals of varying seniority do not indicate that it is a critical aspect, but a welcome one (ISC)2.
Is having an IT background important?
Cyber security branches into many specialties and subspecialties, each of which requires focused training. However, as in other fields (e.g., medicine or law), some basics must be learned and understood before specializing.
It is required to have a solid understanding of the technologies for which you will be responsible for security, and it is worth mastering related technologies at a decent level.
Recent research confirms that the most common path to security-related positions is through roles in IT. Arguably, it is because an understanding of technology makes the job easier that 55% of professionals come from this industry.
Of the remainder, 21% began their careers in another field, 13% after obtaining a degree in that field, and 8% acquired the needed competencies on their own (ISC)2.
What do professionals, on the other hand, think about experience in IT? It depends on the seniority they have. Those who have worked longer in the cyber security field are more likely to indicate that it is an essential element, while individuals with less seniority are more likely to say it is welcome.
An interesting insight into the situation can be provided by who employers are recruiting. Research from Ireland’s Cyber Security Cluster shows that almost three quarters of respondents (74%) recruit from a previous cyber security position, 56% from within the organisation, 53% hire new starters, graduates or interns and 41% recruit from non-cybersecurity roles.
You can see that the lack of an IT background does not disqualify you from getting a job in cyber security, but some foundation is required. If you haven’t studied computer science or cyber security or worked in the IT industry, you’ll have to build the necessary foundation on your own.
Do I need to know programming?
This question is one of the most frequently asked. Whether someone working or looking to enter cyber security should know programming languages depends largely on the specific role and position.
Not all positions require programming. Examples are Blue Team members for an enterprise network and those typically involved in network security.
If, on the other hand, you are thinking about working in the Red Team or becoming a pentester, the matter looks a little different. Then this skill will be useful for finding bugs in code, which you should be able to point out.
At the initial stages of your career programming will not necessarily be required. However, as your seniority increases, you will need more knowledge and code analysis. Sooner or later, this skill will be needed if you are thinking about advancing your career and getting more job offers. The (ISC)2 survey found that coding and programming is one of the top 10 technical concepts for success in this industry.
When it comes to specific languages to know, these are:
- C family languages (C, C++)
In conclusion, knowledge of programming languages is welcome as it helps to detect security vulnerabilities, identify malicious code and examine software.
What about cyber security certificates?
Certificates are a form of demonstrating one’s credibility, showing competence in a given field. Many sources and observations suggest that yes, having certifications is valuable to employers, but it is the relevant work experience of those hired that they place the most value on.
In one study, employers indicated that work experience was valued at 50%, academic degrees at 30%, and certifications at 20% (Beveridge, 2020). Professionals themselves also indicate that work experience is the best indicator of success (40% of respondents), compared to education (12%) (Dawson and Thomson, 2018).
The requirement for cyber security professionals to obtain an approved industry certification cannot be expected to go away. It certainly won’t. However, certification alone is not a sufficient form of proof of an individual’s qualifications.
Aside from the sometimes high cost, they often have assessment mechanisms that do not verify individual skills in a practical way. Nor do they always build the experience needed at the level employers expect. Just pay attention to the often available question bank and bootcamps offered to prepare you to pass exams.
Therefore, it is not worth fixating only on certificates. Also take into account training methods that will allow you to gain the valuable experience employers seek.
Cyber security skills relevant to the industry
To meet the challenges that arise in the cyber security domain, certain competencies are necessary. Competencies are defined as the set of knowledge, skills and abilities that are assigned to a job. In the early 1970s, McClelland found that these "competencies" were a significant predictor of performance and success in the workplace (St. Clair and Girard, 2020).
It is worth mentioning here the existence of the "Cybersecurity Competency Model", which aims to identify the competencies needed by those whose actions affect the security of the organization. It consists of several levels, and its design is indicative of the increasing specialization and specificity of the skills it covers.
Level 1: Personal Effectiveness Competencies
Often referred to as soft skills. These include: interpersonal skills, honesty, professionalism, initiative, adaptability and flexibility, reliability and dependability, and lifelong learning (commitment to self-development).
Level 2: Academic Competencies
Acquired primarily in the school setting, they are most likely to apply across all industries and occupations. They include thinking styles and cognitive functions: reading, writing, mathematics, science & technology, communication, critical & analytical thinking, fundamental IT user skills.
Level 3: Workplace Competencies
They are applicable to many industries and professions. They include traits and motives as well as self-management and interpersonal styles: teamwork, planning & organizing, creative thinking, problem solving & decision making, working with tools & technology, business fundamentals, health and safety.
Level 4: Industry-Wide Technical Competencies
They are industry specific. They refer to competencies that can be used by employees, regardless of the sector. They are considered transversal because they allow the employee to move between sub-sectors. So they relate to understanding things rather than performing tasks.
- Cyber Security Technology,
- Information Assurance,
- Risk Management,
- Incident Detection,
- Incident Response and Remediation.
Level 5: Industry-Sector Functional Areas
This level is based on the NICE Framework, corresponding to 7 categories of work:
- Securely Provision,
- Operate and Maintain,
- Oversee and Governance,
- Protect and Defend,
- Collect and Operate,
They are a representation of the specialization that occurs within a profession. Specific requirements and managerial competencies can be found here.
The application of the Cybersecurity Competency Model is quite broad (it encompasses "average" employees using the company network or the Internet, as well as novice cyber security professionals). However, it is important to keep in mind that this does not mean that all employees should have all of the competencies listed. Nor that the model exhausts all possible skills, knowledge, and abilities.
In case anyone still had doubts, knowledge alone is not enough to be a professional and successful in the field of cyber security. An extremely important factor is the skills possessed, which (as we have already established), are a component of competencies.
Cyber security skills are those that allow you to ensure IT security from the perspective of data storage and integrity and OT, concerning the systems that control physical devices (Sohime et al., 2020).
In order to effectively perform their duties and resolve issues as they arise, cyber security professionals must possess 2 types of skills:
- technical skills,
- soft skills.
Cyber security professionals are now expected not just to configure systems themselves, but to take a holistic view of the entire system, understanding why the configuration was done in a given manner. It is desirable to have a skill set that enables one to securely configure different devices from different vendors (Zain et al., 2018).
To build cyber security skills, newcomers need a solid foundation that covers 2 basic areas: computer networks and operating systems. It is necessary to understand how traffic to and from these services takes place and how they are offered. Thus, it can be said that for technical positions, skills related to specific technologies and an operational understanding of technical infrastructure are desired (Yamin and Katt, 2019).
What are employers looking for in terms of technical skills? In job postings, these were of most interest to recruiters for positions in the cyber security industry, accounting for 41.4% of all required skills (Parker and Brown, 2019).
Prominent among these are:
- Technical writing
- Designing technical solutions and systems
- Vulnerability management
- Performing penetration tests
- Network architecture and security design, troubleshooting
- Threat intelligence gathering
- Firewall administration
- Implementation of security solutions
- SIEM products management
- Network administration
- Systems administration
- Programming or scripting
- Source code review
- Other (IoT, log analyses, data migration, disaster recovery)
The picture of desired technical skills in cyber security can be completed with the top 10 technical concepts identified by professionals in the 2021 (ISC)2 Cybersecurity Career Pursuers Study:
- Cloud Security
- Data Analysis
- Coding and Programming
- Risk Assessment/ Management
- Intrusion Detection
- Access Management
- Malware Analysis
- Backup and Storage
However, it’s worth remembering that each position in the cyber security industry will have its own set of needed skills. We’ll use the example of the requirements for an information security analyst. The priorities are considered to be:
- communication skills,
- ability to navigate the IT infrastructure,
- ability to identify potential risks,
- project management skills,
- analytical skills (Sohime et al., 2020).
As can be seen, technical skills (while very important) are not the only indicators of success.
As research shows, fresh graduates are not aware of the need for soft skills when applying for a job. Employers, on the other hand, find them helpful in determining, among other things, whether a candidate fits into the prevailing company culture (St. Clair and Girard, 2020).
On the other hand, cyber professionals most often indicate that they would like to acquire soft skills at school (Jones, Namin, Armstrong, 2018). This may indicate an underestimation of these types of assets in the early stages of a career, the need for which is realized later – in the course of work that professionals have immersed themselves in and have probably noticed some deficiencies in this area.
Soft skills are non-technical attributes that are not measurable. They are a mix of character traits, personality, social skills, and attitudes. According to Oxford Languages, they are simply personal qualities that enable you to interact effectively and harmoniously with other people. They enable you to navigate the work environment, perform well and achieve your goals.
A lack of soft skills can be quite a challenge. One of those of great importance is communication skills. Quite a few people with well-developed technical skills may have difficulty communicating effectively with co-workers, subordinates, or superiors and conveying a message that will be noticed and can be given a rank appropriate to its actual criticality.
Communication skills are important for high performance (e.g., during attack and defense when close coordination with co-workers is needed). Another situation where communication is the key to success is communicating technical knowledge (sometimes very extensive) in a way that non-technical people can understand.
Imagine you are a pentester and you need to communicate what you did and why the results are so important. Or that you’ve been delegated to conduct internal cyber security awareness training for people in other departments. Another example: you are a manager and you need to justify to management the need for certain costs. Without communication skills, you may find doing your job difficult, or even fail at it. These skills are considered especially important when you are promoted to a management position.
The cyber security professionals surveyed indicate that communication skills are the most important of the soft skills in their jobs. Among them are written communication, public speaking, communication with clients, and communication with management (Jones et al., 2018).
Moreover, familiar human behaviors are often used in offensive actions. Therefore, professionals should have knowledge of human interactions.
An employee in the cyber security industry should also be trustworthy, credible and reliable, as indicated by both employers and lecturers (St. Clair and Girard, 2020). With the importance of cyber security to companies and institutions and regardless of one’s degree and experience, those in the industry should make ethical and informed decisions when performing their duties. Professionalism, initiative, adaptability and flexibility are also considered important.
Given the ever-evolving cyber security landscape, it will be useful to have perseverance, the ability to stay motivated, keep up with changes in the field, and knowledge of logic.
Despite the advances that have been made in cyber security in terms of technological tools that allow for significant automation of threat monitoring and detection, there are tasks that require the analytical skills of a decision maker.
The importance of soft skills in cyber security is also outlined in the Cyber Security Skills Report 2021 National Survey (Cyber Ireland, Ireland’s CS Cluster). It appears that respondents indicated oral and written communication, teamwork and critical thinking skills. Similarly, the (ISC)2 report highlights critical thinking and the ability to work in a team, adding also analytical and creative thinking and problem solving.
In cyber security, technical skills play first fiddle – expertise is required to be a good employee, and there’s no doubt about that. However, soft skills should not be underestimated. The key to success is having a spectrum of skills: both technical and soft skills that work together to make an effective cyber security professional.
Where to start learning cyber security?
Talking to the more experienced
Talking to people who have been in the cyber security industry for a while is one of the first steps you can take towards starting your career. Whenever you have the opportunity, ask them to tell you about their work, share opinions and insights. They may also be able to give you some advice, which will give you valuable insights.
Remember, however, that it is you who decides your future. No one will decide for you who you should become, where to train, what path to take, etc. You will not get a ready-made recipe. Besides, some beliefs of your interlocutors may result from their personal, specific experiences, characteristics of a given company, etc. Take their advice with your personality, goals and preferences in mind.
Membership in community groups
If you don’t know anyone who is already in the cyber security industry, you can certainly find such people in various social networking groups, such as on LinkedIn or Facebook. There are actually quite a few groups, with different topics and targeting different audiences.
You can also connect with other beginners and find out if they have similar dilemmas as you. There are often questions there from people with some seniority, which will give you insight into what challenges they face on a daily basis.
Books and ebooks
The importance of books in education probably needs no justification. They are usually a comprehensive collection of knowledge that you can go back to at any time to recall certain topics. Although cyber security, as we have mentioned many times, is a fast-changing field, it is worth having in your library especially those titles whose content is current and evergreen.
This is especially true for basic knowledge – you could say the foundations of cyber security – but also for content that prepares you for certifications. Various types of rankings will be helpful in your selection.
CTF (Capture the Flag) competitions, in which both individuals and teams can compete, are certainly an attractive supplement to education. They are based on solving tasks from different categories (e.g. forensics, hardening, exploitation). They let you test your skills, better understand computer security and increase your self-confidence. You can try Capture the Flag training here.
Conferences are definitely valuable events where you can gain insights from industry experts, learn about new trends and technologies, and also make new contacts. If you are still a student, find out if you are eligible for a discount. You can choose from offline, online and hybrid conferences. It’s up to you which one you decide on.
Bootcamps are concentrated full-time or part-time courses. They take less time than undergraduate and graduate courses and can be offered by a variety of providers, including private companies. They are short and intensive, often ending after several weeks.
Different levels of bootcamps are available, ranging from basic to advanced, designed to help you qualify for other higher-level positions. They are also created to prepare for a specific certification exam.
It is worth mentioning that some require you to do some work beforehand, to prepare for them. They’re also more expensive than self-study and quite rigorous (they have a set pace and schedule), so if you’re not committed enough, you may fall "behind".
An internship serves as a sort of transition stage between university life and full-time work. Sometimes it can even result in a job offer. Sometimes, however, internship opportunities in the industry can be more obtainable. Which is to say, internships are a great opportunity for beginners to test their skills.
You won’t learn all the elements of working in cyber security during an internship, and you certainly won’t explore the ins and outs of one specialty, let alone the others. However, with any exposure to the profession, you can gain valuable information and initial insights into whether you would even fit in there and whether this industry is the place for you. An internship gives you a chance to enter the business world, a chance to learn, get in touch with technology, make new contacts and learn how companies operate.
Cyber security training & courses and cyber ranges
Nowadays, you can find many courses on the market, conducted according to different methods, e.g.:
- Instructor-led training
- Paper-based teaching and exercises
- eLearning including videos and tests
- Simulation and virtualization training
There is no single, ideal training method. It is good when they complement each other, but it is worth paying attention to the practical aspect. In cyber security it is especially important.
Although the first-mentioned methods make it possible to teach many people at once, with recorded lessons in an interesting form and assessment through quizzes and tests, they unfortunately have a problem with developing problem-solving and critical thinking skills and, above all, with incorporating the realism that builds experience.
This also applies to popular e-learning platforms (like Udemy, Coursera, Skillshare, Pluralsight, etc.), even if they provide a demonstration.
The learning process should provide exciting challenges, but also shape the skills we care about. As a participant of the training you should think outside the box, but you should also feel motivated to work on yourself and to counteract cyber threats.
Trainings with the use of simulation and virtualization environments allow for this. According to research, they are preferred over other methods that do not provide the opportunity to practice certain actions without suffering consequences if they fail (which in the real world would affect networks and production systems). Simulations with a high level of realism engage in a way not possible with other methods.
Cyber range CDeX is an appropriate example of a training platform that uses simulations of various types of attacks and neutral network traffic, and mirrors real infrastructure and allows the use of real cyber security tools. This enables immersion in a hyper-realistic training environment, enhancing the experience needed to work in the real world.
As it turns out, without realism, the value of training and the ability to build valuable experiences decreases (Beveridge, 2020). Furthermore, utilizing gamification, cyber range is an attractive training medium, and with the ability to track progress, it provides motivation for further self-improvement.
In any case, once you decide on a career in cyber security, training will accompany you very often. You’ll probably be faced with a choice more than once. Ask yourself then how much practical and realistic training you need and what will be expected of you. Our guide can help you choose the right cyber security training.
There is no better time to start a career in cyber security. The demand for good professionals is huge, and by implementing the tips in our article, it will be easier and more effective for you to learn cyber security and build the competencies you desire in the job market.
Remember that this industry requires continuous improvement. When choosing trainings and courses, consider those that will keep up with the changes, equip you with the necessary experience and allow you to stay up to date.