TOP FIVE JOBS TO TWO STEP YOUR WAY INTO THE CYBERSECURITY INDUSTRY

Audio:       

                        Welcome to Your Cyber Path, the podcast that helps you get your dream cybersecurity job by sharing the secrets of experienced hiring managers and top cybersecurity professionals with you. Now, onto the show.

Kip Boyle:        

                        Hi, everybody. I’m Kip Boyle and Jason Dion is here with me. And today we’re going to talk about the top five jobs that’s going to let you two-step your way into the cybersecurity industry. And I was telling Jason, before we started recording, two-step, I love that. It’s easy to say. It’s easy to visualize. And what did you say, Jason? Why did you like two-step?

Jason Dion:      

                        I like the two-step, because it reminds me of a Texas two-step. It’s, you want to get some place, but you got to take two steps to get there. And oftentimes, people who are trying to break into cybersecurity have a hard time finding that entry-level cybersecurity job. So if you could find one job that’s close to it and then you can take the second job that is in the cybersecurity industry, it helps you move from one into the other. So sometimes there’s two steps in your path to where you want to go.

Kip Boyle:        

                        Yeah, exactly. Now, people who we recommend consider the two-step, there’s usually some very specific situations going on with them. And one of those very specific situations is let’s say, somebody is mid-career and they want to switch over to cybersecurity, but they have a mid-career compensation package. And maybe they’ve got a mortgage. Perhaps their children are in private school or maybe just taking lessons in sports or something like that. The point is, is that they can’t afford to go to the help desk and earn $15 an hour, $20 an hour, whatever the help desk is paying. And so they’ve got to be more strategic. They’ve got to be smarter about how they make this change. And so that’s one of the common situations where we recommend the two-step.

Jason Dion:      

                        Yeah, I see this a lot. You have somebody who has a spouse and a couple of kids. They’ve got the mortgage. They’ve got the car payment. They’re making 70 or $80,000 a year as a manager at a restaurant, for instance. They can’t afford to go take a 20 or $30,000 year job to get some experience by working in the help desk. So they need a way to take their experience and land an equivalent paying job, or something at least within five to 10% of what they’re making, either more or less. And that’s what I call the two-step, is where you take your current experience. You leverage that into a job that’s somewhere near cybersecurity, paying a decent wage, and then you move into a cybersecurity job, because now you have experience that you can relate to cybersecurity. And that’s going to be able to get you into a wage that you want instead of starting all the way at the bottom again.

                        We’re going to talk about five of these different jobs that we see are common ones. The first one is pretty obvious, but I’ll go ahead and let you start, Kip. What’s the number one that we had come up with?

Kip Boyle:        

                        Yeah. So the first one, yes, this is very, very typical, a very typical feeder role. And that’s either a network administrator or a systems administrator. And it’s funny that we meet a lot of people who are already in one of these types of jobs. And they come to us and they say, “I want to get into cybersecurity.” And then I’ll say, “Well, you’re already kind of in cybersecurity now.” And they’re like, “What?” They don’t believe it. And so I have to sort of peel back the onion here a little bit and say, “Well, do you ever have to patch your server? Or do you ever have to flash the firmware in your router or whatever? Well, okay. Those are security things. Have you ever made an account for somebody? Have you ever set a password for somebody? Okay, well guess what? You’re doing security stuff.”

                        And so just by helping them reframe the work that they’re already doing, they begin to realize that, “Oh, wow, I am already kind of, sort of doing cybersecurity.” And so even if you don’t have this job yet, even if this is the first of your two steps, I just want you to realize that there is a huge cybersecurity component to these jobs. And that’s what makes them great feeder roles.

Jason Dion:      

                        Yeah, exactly. I mean, if you’re working as a system administrator and the cybersecurity guy hands you the STIGs and says, “Here’s the security technical implementation guide. Go through and go configure these 500 settings per this guide.” Well, guess what? You just hardened that server. Take credit for that on your resume. Make sure you’re getting credit for those things that you’re doing. If you’re creating password policies in Windows, that’s setting a GPO. That’s a security function. So all these things are things you can take credit for. And you can then make sure that you’re getting credit on your way to a two-step, so you can then become a security engineer, or a security architect, or a SOC analyst or whatever it is you’re trying to get to.

                        The second one that we have when we talk about these two-step jobs, the second one is you can get a job as an auditor, and then you can move you the IT auditing space if you have a background. Now, IT auditing isn’t considered a cybersecurity job, but a lot of people think it’s kind of on the fringes of cybersecurity, because you’re not always being a really technical indepth person here. Kip, I think you had a good story about one of your students, right?

Kip Boyle:        

                        Yeah, absolutely. In the two-step here, the first step would be to become an IT auditor. Okay, so I met a guy one time who was in finance. I mean, this was just a fellow who supervised a small team of people and they were keeping the books for a company. He was actually working for a very large publicly-traded company. So he had a very, very small slice of the overall finance responsibility. But the point was, is he was working with the numbers in the general ledger and so forth. And I remember him saying to me, “Man, I really wish I could get into a cybersecurity, but I don’t think I can, because I don’t have a technical degree. And I have work experience in any of these technologies. And I just feel like that door is going to be closed me forever, because of choices I made a long time ago.”

                        And so I said, “Well, let’s not be too hasty here. I think there could be a path for you.” And so we spent some time unpacking it. And so it turns out that because he was working for this large publicly-traded organization, we went and we took a look at the job postings. And there they were. There was job postings in there for people to work in the governance, risk, and compliance area of their information security team. Now, what is governance, risk, and compliance? Well, that’s GRC. And that’s a kind of a non-technical or not heavily technical set of roles that you can move into. And guess what? The experience that he had being a financial analyst and then eventually having a team of financial analysts working for him, fit perfectly with doing governance, risk, and compliance work.

                        Long story short, he did a little bit of internal networking. He ended up meeting the hiring manager for these open job postings. And that hiring manager, God bless her, she recognized immediately that this guy had a lot of transitionary skills, things that he could bring to the role. And she was having a hard time finding somebody to take that job. And here he was, and he just almost waltzed right into that job. And I swear, I’ve rarely seen a happier dude.

Jason Dion:      

                        Working in GRC. GRCs usually not the fun job. Yeah. I mean, I had a similar experience. About 10 years ago I was working for the government and the government was going through some consolidation actions. And they consolidated some of the accounting functions for the DOD into a couple of areas. And so they started closing down some of the older organizations that were doing it. And they had this organization that was filled with bookkeepers and accountants. And they had to find some new work for them to do, because the government can’t just lay you off. They had to find you a new job when they repurposed that organization.

                        So they started training these folks into doing some cybersecurity auditing. And they took all these bookkeepers and accountants, because they realized these are people who can follow the checklist. They can make sure that every I is dotted and every T is crossed. And they were going in and inspecting us as the cybersecurity experts to make sure we were doing our jobs right. And these people really didn’t understand cyber at all, but they knew how to follow that checklist and do the audits in the GRC realm, just like you’re talking about.

                        And so it is one of those things that is common to see, that we see a lot of people going from accounting, and finance and, bookkeeping into an auditor role, specifically an IT auditor role. And then they can use that to leapfrog into a pen testing role, or a SOC analyst role, or whatever else they want to work at inside their organization. Or they may just like the GRC realm, because they’re already good at that type of work.

Kip Boyle:        

                        And it pays well. So if you’re mid-career and the use case we talked about going into this episode, then that’s what this is all about, the two-step. So you two-step your way into a GRC role. And then just by talking to your coworkers, who do the very deeply technical work, that’s also going to give you an opportunity to kind of do a gut check. Do I really want to do this? Maybe it’s not as cool and glamorous as I thought it was. And maybe I don’t need to do two steps. Maybe one step was just enough for me.

Jason Dion:      

                        Yeah. Very true. Number three. So our third one, as far as jobs we see people commonly using as a two-step into cybersecurity, is software development. Now, this one makes pretty good sense. If you’re a software developer, you can code, whether it’s coding websites, mobile applications, web applications, or desktop applications, you’ve got some experience doing coding. So how do you think you can get into cybersecurity? Well, one is being part of a DevSecOps team. And two, you could start working with bounty hunters, or bug bounty hunters, or pen testers, because they need people to make their tools. And so these software developers can start being embedded into those teams or then work into those bug bounty or pen testing roles as well. This is something I commonly see.

                        Now, this is a little bit harder to get into, because you already have to know how to code to become a software developer. But I see a lot of software developers who are not happy with the pay they’re making in the regular software development industry. I have a lot of friends who work in the game development industry and they’re lucky to make 60 or $80,000 a year. But if they went over and became a bug bounty hunter or a pen tester, they could be making mid to high six figures. And so these are the things you want to be thinking about as you’re looking at these two steps.

Kip Boyle:        

                        Yeah, absolutely. There’s another thing you could do too, if you’re a software developer and that is secure code coaching. And the way that typically happens is by doing things like threat modeling, actually helping software developers think about what they’re building and how it could be exploited. And there’s all these different models that you can use. So if you’re a person who likes to, for example, teach people and you also know how to do software development, well, you can pivot. And you can get really good at secure software development life cycles. And there’d be a whole world open up to you in that area as well. It continues to amaze me just how many different types of cybersecurity jobs there are and how they’re not that far from the work that is much more well understood.

                        And if you’re a software developer right now, it’s just like the network and systems administrators, you think, “Oh, well, I just develop software. I don’t really have any security responsibilities.” Wrong. You have tons of security responsibilities. Go check out the OWASP Top 10. And that is a list of common flaws and bugs in software that allows cyber exploitation over the internet. And if you do nothing else as a software dev, as you’re trying to figure out how to get into cybersecurity, get smart on OWASP Top 10 and start figuring out how you can write more secure code and you can get paid for the job that you’re doing right now. And you can sharpen your skills in cybersecurity.

Jason Dion:      

                        Definitely. Our number four way to two-step your way into a cybersecurity job, and this is actually one of my favorites, is project management. So there is projects galore that happen inside of IT and inside of cybersecurity. And most cybersecurity folks aren’t project managers. But if you’re a project manager, you can go lead a cybersecurity project and now you’re in that realm of cybersecurity. I see a lot of folks who have their project management certifications, whether it’s PMP, or Prince2, or Prince2 Agile, or Scrum, and they’re going to work on IT-related projects, use that to build up experience and now, they have a lot of experience in cybersecurity that they can use to get a cybersecurity role.

Kip Boyle:        

                        Yeah, you’d be amazed at how much you can pick up by being the project manager for a big cybersecurity project, just by listening to the folks that have a lot of cybersecurity specific expertise, just by listening to them give status reports in your meetings. And listening to them talk about the blockers that they’re encountering and what it’s going to take to remove those blockers in order for them to hit their milestones. You can pick up a ton of great information. And often these projects are going to be filled with people from different disciplines. And so you can listen to a blue teamer who’s doing systems administration work. You might listen to somebody who is doing some coding work or some configuration work or whatever. And it’s going to be like almost as seminar for you to figure out, what are the job opportunities?

                        And then you can even meet these folks outside of the work environment and continue to ask them questions. Hey, you’re already on a project together. You don’t need a special reason to reach out to them and get some one-on-one time to learn more about their work. So it’s just a fantastic two-step, a first step and a two step.

Jason Dion:      

                        Yeah, exactly. And I’ll tell you, one of the projects I worked on about 15 years ago, I was the project manager for a 30 million upgrade of a gigabit ethernet network for our organization. Now, that meant I had to deal with the physical security of it. I needed to deal with all the contractors and the budgeting on it. I needed to deal with all the IT folks to make sure that we were running the cables correctly, getting all of our switches upgraded, all of our routers upgraded, all of our servers upgraded and making sure all those pieces and parts were working together in a secure manner. And because of that, I got a lot of experience over that 12 months in and around all the different disciplines that were related to this project. And so it really does work well to get your feet in and make all those connections really quickly.

Kip Boyle:        

                        Yeah, it really does. So the fifth job in our list of five is physical security. And before you tell your story, Jason, I’m sure everyone is like, “What? How in the world does a physical security job get you a two-step into cybersecurity and [crosstalk]?”

Jason Dion:      

                        I think maybe we need to define physical security first, so-

Kip Boyle:        

                        What?

Jason Dion:      

                        … physical security is talking about locks, and cameras, and doors, and security guards, and all the things we use to protect our buildings and our systems that are in those buildings. So when I was a college professor, about 10 years ago in the Anne Arundel County area, we had a lot of students who were trying to get jobs in cybersecurity, because the National Security Agency was right there in our backyard. And so one of the things that our students would do is they would get jobs either as a janitor or in physical security. At every single gate in that facility, there’s somebody checking your badge. At every single gate and hallway, there’s people walking around doing physical security checks, because they have top secret information in that building. And so one of the things people did was they got a job working in physical security at the agency as a contractor or a government civilian, and that got them their top secret clearance.

                        So now, when they wanted to go get a job, it was a lot easier to get a job as a cybersecurity person. Once they had one or two key certifications and a top secret clearance, they could walk right in and become a cybersecurity analyst at the agency or for one of their contractors. So this is a very common thing I’ve seen in and around military bases and government facilities. Now, even in a regular facility, if you’re doing physical security, that is one of the eight domains underneath CISSP and is considered one of the eight domains of cybersecurity.

                        And so getting that physical security experience can build clock time where you’re working in and around cybersecurity. And in addition to that, as you’re walking around the building and doing your physical security job, guess what? You’re able to network and make connections with people in that building who are doing the job you want and maybe they’ll mentor you and take you under their wing. So I’ve seen a lot of people use this as the first step in their two-step into a cybersecurity role.

Kip Boyle:        

                        I got to tell you, this is one of the things that I love about the fact that you and I are working together on this podcast and the other things that we’re doing to help people, because you’re bringing a perspective in here that if it was just me, I would never have put physical security on this list. Because in the private sector where I’ve been working for the last 25 years, I almost never see that. Almost never see that. If it happens, it doesn’t happen very often, at least as far as I can see. In fact, I kind of see the opposite. So when I was working at an insurance company, we kind of toyed around for a little bit about merging the information security team with the security team, because the sort of the prompt here was, well maybe we can save some money by not having as many people, maybe we can do more work with less, so on and so forth. And so we kind of dug into it a little bit.

                        But I’ll tell you, I quickly found out that was not a good idea, only because the culture of the two teams was so, so different. Now, I’m not saying that means that physical security people can’t cross over. In your example, I’m sure that that probably works fine. But I was just shocked and surprised by just how different the cultures of these two teams were. I don’t know if that’s the way that it is everywhere, but anyway, that was my experience. So I’m glad you brought this up.

Jason Dion:      

                        I think that’s interesting as well, because one of the things I’ve done in my past was some digital forensics work. And when I went to school for digital forensics, the entire class, there was two of us that were actually technical background, cybersecurity guys. The other 28 people in that class were all security guards, police officers, and federal agents. Why? Because they found that teaching cybersecurity folks how to do all the processing of the data and making sure you’re logging it properly for evidence was really hard and we would screw it up all the time. But it was easier for them take a police officer and teach them cybersecurity to do the digital evidence collection, because they knew they would get the chain of evidence properly done and the chain of custody properly done. And that was one of the things that kind of blew my mind. When I got there, I’m thinking, “Everyone’s going to be here that’s going to be technical.”

                        And I went in there and people didn’t even know what the motherboard was or what the memory module was. We had to start at zero to teach these folks, because they were coming from a law enforcement background. But they understood search and seizure. They understood evidence. They understood chain of custody. And they had that culture that wasn’t the way that we do things in cybersecurity. And so it was a better process in that agency to do it that way, but it was something that really took me off guard as well.

Kip Boyle:        

                        Wow. That’s super insightful. And I think it also points out something that we say a lot, which is important, which is transferable skills. I’ll bet you there’s a lot of people listening to us who are working as a police officer or in some form of law enforcement, and probably hasn’t even realized that they already have all these fantastic transferable skills that could get them a digital forensics job. So that’s great. Well, that’s our top five. Do you want to do a recap and get us out of here, Jason?

Jason Dion:      

                        Most certainly. So those top five jobs that we see the two-step being used for is network or system administrator, because it’s a feeder role and it’s kind of the traditional path for people getting into cybersecurity. We also see auditors, especially coming from bookkeeping, financing and a counting, moving into IT auditing and then into cybersecurity. We see a lot of software developers who move into pen testing, or bug bounty hunting, or DevSecOps teams, or secure coding. We see project managers who are working on IT-related projects to build up that cybersecurity experience, make the connections and then make the leap into cybersecurity.

                        And then fifth, we see physical security, or at least I see physical security, especially in the DOD, the government sector and government contracting world, because it’s a good way to get your clearance. And then pairing that clearance with one or two key certifications can really help you land that job.

                        So if you like the show, we would really appreciate if you could jump on over to iTunes and leave us a quick review. Reviews are the best way to tell the podcast algorithms out there that you love the show and you want to hear more of it and have others find it as well. So I hope you take a moment to do that and thank you very much.

Kip Boyle:        

                        We’re glad you were here. We’ll see you next time.

Audio:             

                        Thank you for listening to this week’s episode of Your Cyber Path. Don’t miss an episode. Press the subscribe button now. If you would like to learn more about how to get your dream cybersecurity job, then be sure to visit YourCyberPath.com, where you can access the show notes, search the archive of our top tips and tricks, and discover some fantastic bonus content.