Inconvenient truths about working in Cybersecurity
by Nathan Chung
#1 – Cybersecurity is not all about hackers and hoodies
I have never been to the big hacker conferences such as Defcon or Black Hat. I have never hacked a system, nor have I participated at a Capture the Flag event. Because despite how cool hacking looks, it is not the only career path in Cybersecurity.
- Amazing teachers such as Dr. Ambareen Siraj and Dr. Mansur Hasib who are educating the next generation of cyber heroes and heroines
- Lawyers who are working to maintain data privacy and data protection
- Data scientists who are developing AI and machine learning algorithms to detect security threats
- Engineers who are working to secure new technologies such as Blockchain and IoT
- Analysts who perform Threat Intelligence to find the latest 0 days
- Law enforcement who work to solve cyber crimes using digital forensics
- SOC analysts who analyze security events and perform malware analysis
- Cloud security architects who design security in the cloud
- Project Managers who keep security projects on track
- CISOs who lead security in organizations
- Auditors who assess an organization’s security posture and compliance with regulations
- And the list goes on and on….
#2 – Training, you need it but can’t get it
Cybersecurity, like IT requires lots of training. The more technical the job, the more training is needed. Ideally organizations should pay for training to keep the cyber workforce moving forward. However, in my experience many organizations do not and the biggest group that is left out are often women. For it is the opinion of some managers, directors, and executives in cybersecurity that training is a waste of money. Their perception of cyber training is a bunch of people getting drunk, not working, and not learning anything. In some other organizations, they simply do not budget for training or cannot afford it. In short, training is not high on their priority list. What can you do to get training to help get a job in cybersecurity or advance to the next level? If your employer does not offer training, ask for it. As the saying goes: Ask and you shall receive. If not, do not let that stop you. I take inspiration from President Abraham Lincoln who became interested in Law when he found books in the trash. Today there are many online trainings available. In short, sometimes you need to invest in yourself to get ahead.
#3 – Job lock with high switching costs
One big issue which I have seen almost nobody talk about is how cyber jobs lock you in and make it hard to switch roles due to limited flexibility or corporate culture. For example, you start as a hacker/pen tester, you love it, but life changes. You get married, have kids, need to take care of a family member who becomes disabled, or an accident happens and you are unable to work. After that you would want a flexible work schedule, remote work, or even a different cyber job. Problem is due to different skillsets and training, transitioning to a different cyber job will have high switching costs if you don't have the required skills. Solution to this is to have the equivalent of a business continuity plan so that when life throws you a curve ball, you can be prepared. Always keep learning and have transferrable skills so you have options. Also choose to work for a company that shows sympathy and allow for flexibility.
#4 - Not all mentors are good mentors
I’ve seen so many articles and posts that say you need a mentor. Yes it’s great to have a mentor, but not always. I can speak from experience that I’ve seen good mentors and bad ones. Depending where you are in your career, you might not need a mentor, but rather a supporter to push your career forward.
#5 - Long hours and burnout
I have worked at some companies that have small cyber teams that are expected to do everything with small budgets. Needless to say when required to do more with less with a large attack surface to defend, it leads to many sleepless nights working long hours leading to burn out. Sadly, this is the state of cybersecurity at many companies.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of any other agency, organization, employer or company.
About the Author
Nathan Chung is a passionate Cybersecurity consultant with a 20+ year proven track record with advanced training, certifications, and experience specializing in cloud security and audit compliance. Advocate and champion for Women and Diversity in IT and Cybersecurity. Member of WiCyS, WSC, SIA, and OWASP.
The article has been originally published at: