Careers in Cyber Part 2 - Myths and Misconceptions
Anyone who has searched for information on a career in cybersecurity will have come across numerous sources providing contradictory (though well-meaning) guidance. The result of this confusion has been the persistence of several misconceptions about cybersecurity which can either mislead or scare off potential enthusiasts. In this blog post, I hope to dispel some of the myths and provide you with a reasoned perspective. If you're thinking about a cyber career, then this post is for you.
Myth #1: "You just need to hack to be in cybersecurity." One of the common fallacies which members of my profession seem to perpetuate (perhaps in an attempt to make the profession seem "cool?") is that cyber professionals just hack for a living. Nothing could be further from the truth. Yes, it is important that cyber professionals have an understanding of the adversary and enough technical expertise to diagnose how systems can be exploited. That said, the vast majority of a chief information security officer's (CISO's) time is spent on issues unrelated to hacking.
The figure above illustrates all of the areas that a CISO must be aware of, skilled in, and/or manage during his tenure. While knowledge of hacking tactics, techniques, and procedures is necessary, only one of the major areas listed (Detection) has dedicated tasks which require the application of hacking techniques and skills. There are many careers, jobs, positions, and opportunities in cybersecurity that are not dependent upon hacking or hacker knowledge.
Myth #2: "If I get into cybersecurity, I can do the work and not communicate with anyone." Believe it or not, this is one of the myths that I hear most often -- especially from 18-to-24-year-olds. As I discussed in my previous post, cyber professionals do not have the option to be noncommunicative. At every level, be it verbally or in writing, cyber professionals need to translate their findings into a message that business leaders understand.
The above chart illustrates this point. This is a snapshot of a nonscientific survey which I conducted on the Pulse networking platform. Pulse is a forum that allows technology executives to exchange ideas and ask questions of their peers. In this survey, I polled over 130 cyber hiring managers as to what the most critical knowledge, skills, and abilities were for cyber professionals. As you can see, verbal communication skills rank just slightly below critical thinking skills and knowledge of cloud computing infrastructures. As an aside, written communication skills placed sixth in the survey, with 53% of respondents stating that this was also important. Having the knowledge to identify a problem and the skills to fix a problem are only slightly more important than your ability to communicate that the problem exists and/or its severity and criticality to the organization.
You should note that I said "communicate," as opposed to being an extrovert. While extroverts tend to be better at verbal communication, introverts on the whole tend to be better writers (and better listeners!), because they like to digest and process information before they choose to respond. It is possible to find a communication medium and style that works for you as an introvert and still be successful in cybersecurity.
Myth #3: "Cybersecurity is purely a technology problem." Cybersecurity is an interdisciplinary problem requiring skills that go beyond just your knowledge of the technology. Successful cybersecurity professionals:
are highly technically skilled;
have the ability to think critically;
understand the tenets of governance, privacy, and risk; and
can communicate their ideas in a cogent fashion.
Those entering the cyber profession should focus on more than just their technical acumen in order to succeed.
* * * * *
There are a plethora of opportunities to be had in cybersecurity; as you begin to walk the path toward entering this career field, be certain you research the requirements thoroughly from multiple sources in order to get the most accurate picture of what it means to be a cybersecurity professional.
My two cents...