Cybersecurity: Why 5 years experience is needed for [some] entry-level roles

It seems weird. Why would an employer want applicants to have FIVE years of experience for an entry-level role? Surely if employers are looking for "entry-level" then no experience is required? It can be incredibly frustrating for those wanting to break into cybersecurity that, even though they are only applying for "entry-level" roles, they are being knocked back time and again because they don't yet have the prerequisite experience. In this article, we'll talk about why the elusive 5 years is not simply an arbitrary figure bandied about by recruiters, and how those wanting to get into cybersecurity can achieve that goal!

The CISO Unicorn!

Before we talk about the entry-level roles, it's worth talking about the [potential] end game. The highest level security role in an organisation is the Chief Information Security Officer (CISO). Whether you pronounce it See-So, Sy-So or spell out each individual letter one by one, the CISO has a lot on their plate. You only need to look at the SANS CISO Mind Map to get a high-level view of the issues that a CISO will face. In fact, in any one day, a CISO can be dealing with all of these issues in some shape or form. Believe me, I know! There is also a regular hosepipe of questions from all areas of the business (or clients in our case). Questions about the approach to take on a certain issue. Questions over the monthly metrics. Presenting to senior management. Advising a system owner what compensating controls may be needed to keep a critical legacy server secure. And if that wasn't enough, there are the inevitable incidents. It's no wonder that so many CISOs experience burnout!

Take a look at some of the most senior CISOs protecting the largest organisations in the world and you see a pattern. They all started their careers elsewhere. Take the Fortune 500 CISO list as a case in point. Look at the LinkedIn profiles of the CISOs for Walmart, for Amazon, for AT&T, for Boeing. These CISOs all started their careers outside IT. Within the Fortune 500 list, they are not alone. Many, like myself, started their career in the military. Many worked first in technology. Many had operational roles within the business. Not one started in cybersecurity. That's because to protect a business effectively, you need to understand how the business works inside out. Sure, you can understand the theory of how networks are secured, what the OWASP Top 10 is or how to implement Role-Based Access Control. The thing is, you won't learn much about operational life, or the trials and tribulations of delivering business projects on time and on budget, from a textbook. You need to live it! You NEED operational experience!


Now many reading this may never want to be a CISO - and that's absolutely fine. The above is simply to highlight that if you do want to get to the top, there is a lot you need to know.

So, how do you get that experience...and why do some entry-level cybersecurity roles need experience?

Two sides to the same coin...

There are two kinds of entry-level roles - the ones that need experience and the ones that don't. Let's talk about the former first - the roles that need experience. Some entry-level security roles are entry-level because they are the first rung of the security career ladder, but not necessarily a person's first exposure to the technology they will be protecting. These roles require a certain amount of foundational experience. This is because it is simply not possible for an entry-level cybersecurity analyst to know about the practical implementation of technology in a corporate infrastructure from education alone. Universities don't teach it, and organisations are moving at such breakneck speed that even if education providers did, it would quickly become out-of-date. People in these junior cybersecurity roles need to be ready to support their organisations from day one, because the business will be relying on their advice and guidance from day one. These roles tend to be on the higher end of the salary brackets for this reason. These roles are definitely NOT note-takers who pass on tickets for someone else to deal with. In many situations, there won't be anyone else. At best there may be an Information Security Manager who also has a pretty hefty operational role. With the above in mind, below are some of the entry-level roles which may require five years of experience and, in brackets, the role/area where that experience could be derived.

  • Junior Identity & Access Management Specialist (Business Operations)
  • Junior Application Security Specialist (Software Developer)
  • Junior Security Operations Specialist (Network Engineer)
  • Junior Cloud Security Specialist (Service Desk Manager/Wintel Engineer)

The list in the above section is not at all meant to be an exhaustive list. It is a very basic way to show where someone would develop the skills necessary to build the types of infrastructure we are ultimately trying to protect. By being part of the doing, the cybersecurity entrant will be in a much better position to offer practical [and pragmatic] advice about how to manage business risk effectively. They will be able to offer solutions that mitigate risk but also keep the business operating. They will understand the costs and the benefits associated with their advice. In short, they will actually know what they're talking about!

Those working in Business Operations will know how data is used within a business and who needs what privileges. They will have been exposed to both good and bad practices in terms of data hygiene and system use. They will have seen the challenges that affect those who are just trying to get things done, and the shortcuts they take to meet deadlines. They will know how access controls can be circumvented. Developers who have coded many live projects will have first-hand knowledge of the development process: how regression testing is often paid lip service, and how easy it is for bugs to appear in poorly crafted code. They will know exactly where to look to find those bugs - but they will also know how to fix them too! Network engineers will know exactly what traffic should be traversing the network - and what should not. Engineers can spot anomalies and identify the root cause at lightning speed. Why? Because they have had to do that in their live environments time and again. Service Desk Managers and Wintel Engineers will have been heavily involved in deploying and supporting infrastructure in another person's data centre. They will know the issues that cause the most pain. They will have dealt with outages day in and day out.

The experience described above is invaluable to the business, and it is why junior cybersecurity roles attract higher than average salaries compared to other junior level technology roles. Whilst some of it can be simulated in a classroom environment, no simulation comes even close to living it every day. Nothing is going to replace the process of making real-time decisions in a live environment where getting it wrong could have major consequences. It's this "battle-hardened" individual that is needed, even in junior roles, as the business will be looking to you when things are going wrong. That entry-level analyst may be the only person on call on the day it all goes wrong. The business will be asking that analyst...

"What do we do?"

In the heat of the moment. When that advice could make or break. It's the experience you have already gained in your non-cyber security role that will be your saviour. Even more important than being calm in the inevitable crisis is the ability to have spotted the potential issues well in advance so that they're already fixed - prevention trumping the cure. To be persuasive enough to get those in operations, who need to do the fixing, to play ball. To not be bluffed by someone who thinks they can pull the wool over your eyes. It is a combination of all these points that makes non-security experience such a highly sought after commodity for entry-level cybersecurity roles where the person really needs to hit the ground running - and even more so when there is no one to hold their hand.

OK, so what about the other kind of entry-level role?

Now I did say cybersecurity roles "mostly" start outside cybersecurity. In more recent years, however, the apparatus has been established to allow direct-entry routes into cybersecurity. Opportunities now exist to learn skills such as Penetration Testing, Malware Analysis and Security Operations. If you join a company that specialises in these skill areas then there will be people in the wider organisation who can support your training and development - you can learn on the job. In more recent years, in the UK at least, apprenticeship standards have been developed covering a number of cybersecurity roles. If you can find an organisation that is hiring apprentices, you will not only have the potential to gain that 5 years of initial experience but you will also have a worthwhile qualification to add to your CV too. It's also worth considering the military to gain that initial experience. The military is not for everyone, but many militaries now provide a cybersecurity pathway for those who have absolutely no experience. These roles do pay less on average, but that should be expected. Essentially, you're remunerated for what you can currently bring to the table, not for your potential at some point in the future.

Experience counts but so too do qualifications!

My very good friend is a cello teacher and I once said to her "Practice makes perfect" and she scowled at me and said...

"Practice makes PERMANENT. It's good practice that makes PERFECT!"
It's so true. We may learn something online, in a book or on a course. We may also be taught to do something by a peer or a more senior member of the team. We may also have a mentor or coach. But how do we know that we truly understand what we have been taught? How do we know that what we have been taught in the first place is correct? We could be blindly applying a technique and getting it totally wrong or missing a critical component every time without realising. The person who taught us may know what they're doing but may not necessarily be a great instructor. That is why it is so important to get your "practice" validated through external training, professional qualifications and continuing professional education (CPE). Some in the industry may think qualifications are not important. Personally, I think the right ones are essential. I need an objective assessment of my competence from an external body of experts because I can never be objective about my own knowledge (or what I have taught to others). What I think I know could be totally wide of the mark...and that could result in me missing something that should be totally obvious...with the obvious disastrous consequences should something go wrong.

Summing Up...

Whilst there are entry-level roles requiring no prior experience, those hiring for these roles assume one very important thing: that there is someone else in the organisation to hold your hand who can help develop you and train you. The remuneration for such roles is lower - because you don't know anything yet. Conversely, many organisations need someone who can hit the ground running. The role is still an entry point to cybersecurity - but one still requiring skills learned from another area of business or technology. Whichever route you take, there are great careers available. It's an amazing job and I wouldn't want to be doing anything else! Good Luck!

About The Author

Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex risk programmes across defence, real estate and financial services. Stephen has also authored the popular book "The Ultimate GDPR Practitioner Guide" which is available on Amazon in both paperback and Kindle eBook.

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.

Richard Merrygold

iSTORM® - DP, infosec & pentesting consultancy

3y

It’s definitely a blend as Jay Jay has already said. I spent the day today learning about networking as part of my cyber security technologist apprenticeship. I have never even looked at networking till today and I’m baffled. Even completing this stage of the course wouldn’t give me the experience to take a network manager based role but it would help me get a lower role that could help me get there in 3-5 years. Big challenge is expectation, stuff costs money, a lot of money and everyone wants to be paid enough money to buy it. I don’t think people are as patient as they used to be....

Thoughtful article. I'm going to try and be more deliberate with my use of language after the webinar this morning :) IMHO there is a very real skills gap in terms of the people with business acumen and experience that are available for the first type of 'entry-level' security role that you describe. I think what there isn't is a capability gap. There are lots of people young and old that are keen to work in our industry. They're filling their heads with knowledge and increasingly have access to online services to build capability. The challenge is then for someone with the necessary in-house resources (that are good at what they do) to create opportunities for them to come onboard and excel. You're correct about the assumption we tend to make; the requirement for someone to coach them on the job immediately restricts the pool to large enterprises and some SMEs. "Universities don't teach it and organisations are moving at such breakneck speed that even if education providers did, it would become quickly out-of-date." I agree; that's why I'm quite excited about the changes being developed (see my post). I think it could open things up for students to do more work placements as part of their degree to gain real world experience.
