Moving from an IT to a cybersecurity career
Demand in the cybersecurity space has never been higher. The current skills gap means there is a deficit of 14,000 entrants every year, according to the Department for Digital, Media and Sport, and the industry is largely seen as recession-proof so how can those in related disciplines such as IT make the move?
Many wrongly assume they’ll need to go back to university to get a degree in cyber security, or only take an entry-level role, but this isn’t necessarily the case. Only 33% of the cyber work force in the UK have a specialist degree in cyber security, whereas 30% have a general Computer Science/IT degree. In fact, 27% of cyber security workers come from non-cyber security related backgrounds.
What is advisable is looking at gaining some cyber security certifications. The type of certification will depend upon your current skill level and you might also wish to specialise. It’s also worth looking at short courses, as some institutions offer cyber security boot camps, which could help boost you on your path from general IT into cyber security. But let’s take a look at some of the most well-respected and their requirements.
Entry/Associate-Level
Systems Security Certified Practitioner (SSCP)
The SSCP is a certification from (ISC)² and is ideal for hands-on, operational IT Administrators, Managers, Directors and Network Security professionals. This certification is a great prerequisite for the more advanced CISSP (see below). Fulfils the DoD 8570 compliance directive.
Ideal for Database Administrators, Network Security Engineers, Security Administrators, Security Analysts/Consultants/Specialists, Systems Administrators, Systems Engineers and Systems/Network Analysts.
Eligibility criteria: Pass the examination, and have at least one year of cumulative, paid work experience in one or more of the seven domains of the SSCP Common Body of Knowledge (CBK). This experience may be waived for those with a degree in a cyber security program.
Cisco Certified Network Associate (CCNA)
The CCNA certification from Cisco is for entry-level professionals looking to validate their skills in Cisco security, including networking fundamentals, IP services, security fundamentals, automation and programmability. The CCNA Security certification was replaced with the new, consolidated CCNA in 2020. In the DCMS report, the CCNA and more advanced Cisco Certified Network Professional Security (CCNP) certifications are in high demand, with 21% of UK job postings listing these as a requirement.
This certification will help you get job roles such as Entry-Level Network Security Engineer, Information Security Analyst/Engineer, Help Desk Technician, Network Administrator and Network Support Technician.
Eligibility criteria: Pass the CCNA exam. There are no formal prerequisites, but Cisco recommend one or more years’ experience in implementing and administering Cisco solutions.
GIAC Security Essentials (GSEC)
GSEC is an entry-level certification from GIAC (Global Information Assurance Certification), aimed at those looking to move from more general information systems and networking roles into security roles. It will validate your knowledge in active defense, access control, password management, cryptography, network architecture, incident handling and response, Linux security, security policy and risk management, web communication security, cloud security and Windows security.
Ideal for security professionals, Security Managers, Operations personnel, IT Engineers and Supervisors, Security Administrators, Forensic Analysts, Penetration Testers and Auditors.
Eligibility criteria: Pass the examination. Having a background in information systems and networking, practical work experience and degree-level courses are recommended.
CompTIA Security+
Security+ is a great certification if you are early in your cyber security career, and want to validate your core skills and knowledge. Focuses on hands-on practical skills, and is a great follow-on from the CompTIA Network+ certification. This certification is particularly valued in the US and also fulfils the DoD 8750 compliance directive.
Well suited for those who want to enter roles such as Security Administrator, Helpdesk Manager/Analyst, Security Engineer/Analyst, IT Auditor, Network/Cloud Engineer, DevOps/Software Engineer, IT Project Manager and Systems Administrator.
Eligibility criteria: Pass the Security+ exam, plus two years’ experience in IT Administration with a security focus.
Mid/Senior Level
Certified in Risk and Information Systems Control (CRISC)
ISACA’s CRISC certification is ideal for mid-career professionals looking to validate their experience in risk management. The certification covers four domains: governance, IT risk assessment, risk response and reporting, and information technology and security.
Ideal for those looking for roles as Security Directors/Managers/Consultants, Compliance, Risk, Privacy Directors/Managers, IT Audit Directors/Managers/Consultants and Compliance, Risk and Control staff.
Eligibility Criteria: Pass the CRISC examination and have a minimum of three years’ cumulative work experience in at least two of the four CRISC domains (one of which must be in either Domain 1 or 2).
Certified Information Security Manager (CISM)
The CISM certification from ISACA is globally esteemed. This certification is for those with technical expertise looking to move into more senior, managerial roles. You’ll validate your experience in information security governance, information security risk management, information security program and incident management.
The CISM certification will help with employability for positions such as Information System Security Officer, Information/Privacy Risk Consultant and Information Security Manager, among others (including executive level).
Eligibility Criteria: Pass the CISM exam, and have at least five years’ experience in InfoSec management, with experience waivers of two years (max) available in certain circumstances.
Certified Information Systems Auditor (CISA)
CISA is another certification held in high-esteem globally, from ISACA. This is for any mid-career professional who audits, controls, monitors and assesses their organisation’s information technology and business systems. You’ll be tested on five domains: information systems and auditing process, governance and management of IT, information systems acquisition, development and implementation, information systems operations and business resilience, and protection of information assets.
Some common roles for a CISA holder are Internal Auditor, Public Accounting Auditor, InfoSec Analyst, IT Audit Manager, IT Project Manager, IT Security Officer, Network Operation Security Engineer, IT Consultant, IT Risk and Assurance Manager, Privacy Officer and CIO.
Eligibility Criteria: Five or more years’ experience in IS/IT audit, control, assurance, or security. Experience waivers available for a maximum of three years, depending on circumstances.
Certified Information Systems Security Professional (CISSP)
The CISSP is another sought-after, and globally recognised, certification from (ISC)², and meets the DoD 8570 compliance directive. This is for experienced security professionals who want to validate their skills in designing, implementing and managing cybersecurity programs of an excellent standard, and show they can create and maintain an organisation’s overall security posture. It is ideal for those who are in, or want to move into, leadership roles. It is the most commonly requested certification by UK employers.
It’s good to have, and might be a requirement, for job roles such as CIO, CISO, Director of Security, IT Director/Manager, Network Architect, Security Analyst, Security Architect, Security Auditor, Security Consultant, Security Manager and Security Systems Engineer.
Eligibility criteria: Pass the examination, plus a minimum of five years’ cumulative, paid experience in two or more of the eight domains of the CISSP Common Body of Knowledge.
CompTIA Advanced Security Practitioner (CASP+)
The CASP+ certification is for advanced security professionals who want to validate their technical expertise, without a focus on management. It covers both security architecture and engineering, offering Security Architects and Senior Security Engineers the chance to show how they can implement solutions within the frameworks Security Managers set out. Meets the ISO 17024 standards and the DoD 8140/8570-M requirements.
Ideal for Security Architects, SOC Managers, Senior Security Engineers and Security Analysts.
Eligibility criteria: Pass the CASP+ examination. CompTIA recommends a minimum of ten years’ general hands-on IT experience, with at least five years of broad, hands-on security experience.
Specialisms
Certified Ethical Hacker (CEH)
The EC-Council’s CEH certification is a globally recognised qualification for white-hat hackers. You’ll gain a hands-on understanding of ethical hacking phases, various attack vectors, and preventative countermeasures, with a hacking challenge at the end of each module. Particularly important if your organisation has a SLA, as white-hat hackers need to be seen to be trusted.
Ideal for InfoSec Analysts/Adminstrators/Managers/Specialists/Professionals/Officers, Information Assurance (IA) Security Officers, Information Systems Security Engineers/Managers, InfoSec/IT Auditors, Risk/Threat/Vulnerability Analysts, System Adminstrators and Network Adminstrators/Engineers.
Eligibility Criteria: Completion of an official EC-Council training, or at least two years’ work experience in the InfoSec domain, then pass the examination.
Certified Hacking Forensic Investigator (CHFI)
The CHFI is another certification from EC-Council, focusing on digital forensics and evidence analysis, designed for professionals involved in information system security, computer forensics, and incident response.
It is ideal for Police and other law enforcement personnel, Defense and Security personnel, e-Business Security professionals, Legal professionals, Banking, Insurance, and other professionals, Government agencies, IT Managers and Digital Forensics Service Providers. Common job roles for CHFI accredited professionals include (but are not limited to): Forensic Computer Analyst, Disaster Recovery Expert, Cryptographer, Information Technology Auditor, Cyber Crime Investigator, Malware Analyst and Security Consultant.
Eligibility Criteria: completion of an official EC-Council training, or at least two years’ work experience in Information Security, then pass the examination.
Certified Cloud Security Professional (CCSP)
(ISC)²’s CCSP certification is for IT and InfoSec professionals looking to prove their understanding of cyber security and securing critical assets in the cloud. Great for validating your expertise and technical skills in cloud application and infrastructure design and management.
A good certification if you’re looking for Enterprise Architect, Security Administrator/Architect/Consultant/Engineer/Manager and Systems Architect/Engineer roles.
Eligibility criteria: You must pass the exam, and have at least five years’ work experience in IT, with three of those years in InfoSec, and at least one year in one or more of the six domains of the CCSP Common Body of Knowledge.
Certificate of Cloud Security Knowledge (CCSK)
CSA’s CCSK certification is more knowledge-based, compared to the practice-based CCSP. It is for cyber security professionals looking for a vendor-neutral understanding of cloud security, paving the way for you to earn more specialised cloud credentials.
Ideal for those wanting to move into roles such as Cyber Security Analyst, Security Engineer, Security Architect, Enterprise Architect, Security Administrator, Compliance Manager, Security Consultant, Systems Engineer and CISO.
Carving out a career path
Which branch of cyber security to pursue will often dictate the certifications required. There’s a handy tool from the UKCSC about the various career paths available within cyber security which show the skills needed, from risk assessment and management, to cryptography, security operations, information assurance, authentication, Linux, information systems, digital forensics, coding languages, and more.
Another useful tool is CyberSeek – a resource for gaining information on careers in cyber security, how to start or advance your career in cyber security, and regional demand for cyber professionals in your community.
Having an IT background does, however, provide technical and ‘soft’ skills that will translate well into a cyber security role. Some of these may include: an understanding of the industry, network systems and database management, knowledge of commonly used terminology and data privacy, an understanding of cyber security across various tech platforms and devices, coding skills, problem-solving, presentation skills, attention to detail, teamwork, communication, a desire to learn, logical and analytical thinking, interpersonal skills.
To make yourself a viable candidate, it’s important to demonstrate these in your current role and document examples of when you have used these skills. Create as much evidence as possible of how you possess transferable skills as this will set you apart from other candidates. Ideally, you don’t want to leave a mid-level or senior IT role for an entry-level cyber security role, so the more you can build a case for yourself, the better although with any change in career, you likely won’t take a sidestep in pay and responsibility.
What often happens is that those in IT will use their current role as a spring board into cybersecurity where they are, by getting in touch with the security and privacy departments in the organisation. By taking on some junior-level tasks, they can acquire new skills and hands-on cyber security experience and position themselves as a candidate for any openings. Volunteering, or creating a project at home, can also help provide the evidence needed to demonstrate an aptitude for the cybersecurity.
Research and explore the industry
Other means of proving you’re committed to this change in career include reading widely and staying up to date on relevant cyber security news and publications, attending webinars, listening to podcasts, going to conferences and joining the cyber workforce community. There are numerous industry bodies with local chapters but also more informal forums and meet-ups. Ever been to a hackathon? Now might be the time to start.
To be seen as a viable candidate, you should be able to hold an intelligible conversation about the latest security innovations if you’re going to impress the interviewer. If you can do this, you’ll demonstrate your passion for the industry, and boost your profile.
