How to start a career in cyber security
You may have heard about the high demand (and high salaries) of cyber security professionals, and you want to pivot or upskill your career. But where do you begin?
Cyber security is a relatively young discipline that doesn't have a well-established entrance point as a career. Until recently, it was considered just one of the many tasks of information technology. But, as cyber-attacks and security breaches increase in frequency and severity, the need for increased security systems is apparent.
Cyber security vs. IT
What makes cyber security different from some other IT careers is the need for a skillset that includes communication, problem-solving, and leadership. That's because the most vulnerable point to attack IT security and computer security is usually the person sitting in front of the keyboard! So, while technical skills are useful, the ability to influence human behaviour is equally important.
ECU's Master of Cyber Security is the postgraduate qualification that's creating cyber security professionals ready to take on cybercrime. It offers cyber security specialisation for experienced IT pros as well as the necessary IT skills and subject matter for a career pivot from a non-technology background.
Associate Professor Paul Haskell-Dowland is the Associate Dean for Computing and Science in the School of Science at ECU. He's specialised in cyber security research and education for over two decades.
As the IT expert who has launched hundreds of cyber security careers, Paul has some valuable insights on how to set out on your cyber security career path.
What personal qualities make a great cyber security professional?
With his 20 years of experience, Paul knows what it takes to thrive in cyber security.
You may think of cyber security experts as tech junkies who keep to themselves. But Paul believes this is far from the ideal.
Communication skills
"In order to be successful in cyber security, we need people who can talk to other people," Paul says.
This isn't just for harmonious working relationships. For cyber security to be truly effective, its operation can't just depend on the cyber security staff. Everyone needs to be able to understand what to do to keep themselves safe online.
That's where communication skills are vital.
"We can solve all the technical problems in the room. We can fix the hardware. We can patch the software, but there is no patch to the human," Paul says. "You have to change behaviour, which is a very challenging thing to do.
"That's why we need people with communication skills. People with the ability to explain technical concepts and business problems to individuals."
The need for effective communications in cyber security was brought into sharp focus by COVID-19. As employees worked from home and parents took on home-schooling, cyber-criminals exploited cracks in security systems.
While companies secured remote workstations, it was up to parents to provide a safe environment for their children to learn. Schools have filters and blacklists as part of their network security to restrict access to the internet's dark side of pornography and gambling.
In fact, escalating cyber attacks prompted Paul to write an article to help parents aptly titled, Cyber threats at home: how to keep kids safe while they're learning online.
"The way in which people engage with equipment and software is absolutely critical to security. It's a combination that we have to get right," he adds.
An interest in technology
A second important quality in cyber security professionals is a healthy interest in all things technological.
"I frequently suggest to prospective students that, if you've got a passion for technology, you should definitely consider a career in cyber security," Paul says. "There are lots of opportunities."
There are two aspects of technology that are key to success in cyber security. First is an awareness of operating systems and the applications that run on them.
"That doesn't mean it's a deep technical knowledge. But we do need to have an understanding of the kind of systems, the kind of applications, and their interconnectivity.
"Then we need to think about the networking - the infrastructure that sits within the organisation," explains Paul.
What technical knowledge do you require in cyber security?
Many people would, understandably, assume that cyber security has a high technical focus.
"This is partly true and there will always be roles for people who are very highly technically focused," Paul says.
The good news is that the right postgraduate cyber security qualification will bring your technical knowledge up to par. ECU is the only Federal Government recognised Academic Centre of Cyber Security Excellence offering dedicated cyber security courses and the largest cyber security institute in Australia.
"The ECU security operations centre is an area where you would expect people to have a very high degree of technical knowledge. Analysts on computers would be monitoring screens, and many others would be detecting a threat or an incident that is currently happening within the network."
"Typically, this would monitor an organisation's IT infrastructure. So, they would detect a threat, they would then begin to analyse it, where you would typically have two or three tiers of analyst," explains Paul.
Technical skills are an advantage, but you don't need a strong technical background like a Bachelor's degree in Computer Science coming into a program like ECU's Master of Cyber Security, as you'll develop one during the program.
Do I need programming for cyber security?
Management and compliance roles will rely less on programming, while offensive and defensive roles will use programming more.
"If an attack is of a more technical, complex nature, it may get passed on to the higher levels of analysts. It's here they may well start to analyse code," describes Paul.
"For example, they may have a piece of malware (virus) and place it into what we call a sandbox. That's a secure environment where we can try out the software to see what it does. Test it and detect how it operates. Find out what impact it will have on the infrastructure."
"Ultimately, maybe even reverse engineering that code to try and work out what it's trying to achieve and how it is remotely controlled. If indeed it is," he adds.
So, an understanding of at least one programming language is valuable for a technically-oriented career in cyber security.
Filling the gap with cyber security careers
The definition of a cyber security profession is still developing, despite growing rapidly. As a result, there isn't a large number of people with the correct skills on paper; however, cyber security positions continue to grow.
According to Paul, this is exacerbating the cyber skills shortage.
"When I was a student, I studied a computing degree, and that was pretty much all that was available. Cyber security really wasn't a thing."
"As cyber security degrees have only been a thing for the last decade, there simply aren't many people out in industry who have a cyber security qualification. There are lots of professional certifications, but in terms of an academic qualification - this really hasn't been significant in the industry for very long," says Paul.
One thing's clear: Having a degree in cyber security will help you stand out.
Degrees like ECU's Master of Cyber Security are filling this qualification gap within the field with advanced technical skills and comprehensive knowledge of best practice approaches.
What are some areas of need in the cyber security industry right now?
So what skills will make a cyber security graduate stand out to employers?
Software and hardware development
While it's not all about technology, Paul says the industry also needs software developers.
"We need people who can build, design, configure, install, setup, and maintain networks, as well as the hardware that runs on them. Every single touchpoint within a computing system needs to be considered from a cyber security perspective," he explains.
Cyber security careers in these areas include roles such as DevSecOps Engineer, Application Security Lead, and Infrastructure & Security Tester.
Retrofitting cyber security
As a young field, one of the biggest challenges is that cyber security is often an afterthought to organisations. Cyber security measures are often added onto existing systems long after the design process is finished.
For Paul, that's a backward process that just doesn't make sense.
"When you're designing a car, you don't add the brakes on afterward. So, when we're designing a computer system, we need to think about the IT requirements upfront."
An example we can all relate to is passwords, which have been retrofitted onto many legacy computer systems. Even though there are many issues with passwords, they're still being designed into new technology.
"Most of the problems with passwords aren't technical, they're actually human-based. Because humans can't remember complex passwords. But complex passwords are the solution to dealing with password attacks," Paul says.
"We know that we need to improve human behaviour, and we need tools to help support that. We need a vast range of different people with different skills engaging in different levels within the IT systems and supporting the cyber security endeavours of our organisations," he adds.
To improve options for passwords, Paul explored the effectiveness of the Graphical One-Time Password (GOTPass). GOTPass uses images rather than text or numbers as a password.
It turns out that as humans, we're much better at remembering unique pictures than long strings of characters.
What are some common cyber security career paths postgraduates follow?
A quick scan of any cyber security jobs board will reveal there are as many different career paths as there are companies hiring. But still, the usual idea of a cyber security professional is somebody monitoring and responding to threats in real-time.
"In terms of career opportunities, there are some traditional careers that people might think of in terms of cyber. So that's the operation centre analyst. It's the Hollywood version of cyber," suggests Paul.
Having said that, Hollywood is yet to recognise the day-saving abilities of the cyber security expert. To date, cinema has been more focussed on hackers. That's because a lot of the work in cyber security is more about human soft skills than dramatic digital dramas.
"There's a lot of opportunity in other roles that involve talking with people. Things like providing guidance, training, and supporting organisations in improving cyber security procedures" clarifies Paul.
Cyber security careers can be found across company areas such as marketing, risk management, and policy. Some of the many cyber security jobs available include Cyber Security Assurance Advisor, Information Security Analyst, Security Engineer, Senior Cyber Security Officer/Analyst, Security Architect, and Cyber Security Project Manager, just to name a few.
Looking for more information on roles in the cyber security industry? We dive into potential careers for cyber security experts on our blog.
Upgrade your qualifications with ECU's Master of Cyber Security
The global Cyber Security sector was valued at US$131 billion in 2017, but that's expected to grow to almost US$250 billion by 2026. The Federal Government recently committed to creating 500 new jobs in its cyber intelligence agency alone.
Now is the time to begin your cyber security career path.
ECU's online Master of Cyber Security is arming people with comprehensive job-ready cyber security skills.
"We now have more than 1,000 students studying cyber security. But it's only in the last three to five years that we've seen that significant growth as people have become more aware of the opportunities," says Paul.
Be prepared for nuances of a career in cyber security with ECU's online Master of Cyber Security.