Todd Holloway's moxie is the reason he got into cybersecurity; he designed his college courses around a subject his college didn't recognize yet. That was more than 30 years ago. Holloway was not alone.
Recognizing today's cybersecurity profession is in high demand and ever-evolving, people are curious enough to join the workforce. With open jobs outpacing available talent, jobseekers aren't hung up on pursuing education based solely in security, especially when certificates and job experience can supplement their curiosity.
Based on a survey of more than 2,000 cybersecurity professionals and jobseekers in the U.S. and Canada, (ISC)² found 57% of respondents — who have been in the field for more than eight years — say a cybersecurity education is "nice to have." The number begins to drop off to 53% and 49% among respondents who have been in the cybersecurity workforce for seven years or less.
When he was in school, the programs "did not even include a security component," said Holloway, manager of security architecture & engineering at Malwarebytes, and a University of Houston graduate. Holloway built his education to fit cybersecurity; "I got as close as I could at the time and majored in mathematics with a specialty in applied analysis."
As companies build out security teams, they become focused on the talent they don't have instead of the talent they do have. The skills in cybersecurity are transferable. Yes, there are technical aspects of responsibilities people need training in, but the soft skills needed in cybersecurity — curiosity, critical thinking, creativity, communication — are constant.
While 58% of people seeking jobs in cybersecurity are looking to transition out of IT, 42% are coming from an unrelated field, according to the survey, released Wednesday. Motivation for joining the cybersecurity workforce is relatively equal: problem solving, fulfilling interests, and opportunity for career advancement.
"It's a difficult industry, because it's technical, people don't know about it, and they're scared of it," said Heather Stratford, founder & CEO of Stronger International and Drip7, a cybersecurity education platform. But everyone has a hand in technology, and relying on a small part of the population to have interest in cybersecurity is impossible to ward off the 3.1 million global job gap.
"There are many people in the industry who desperately want to have a more diverse workforce," including gender, ethnicity, or socioeconomic, said Stratford. "And yet, there's a lot of stereotypes there because it tends to be a very specific type of person who currently is leading that fight in an organization. And they look and have a similar background."
Piquing your interest
Of the 1,010 cybersecurity job-seeking respondents, 40% of them are younger than 40 years old. While only 35% of jobseekers were women, women outside of IT were more likely to have interest in cybersecurity than the men.
Forty-two percent of women not working in IT are interested in working in cybersecurity, according to the survey.
Pivoting careers into a new field was something Stratford did after years working in marketing. Now Stratford said "this is a growing field, it's something that's very needed, and I think I can add value here."
"I purposely went toward cybersecurity," she said.
However, (ISC)² found women's presence in the field diminishes with the increase in tenure. The report suggests it's indicative of advancement opportunities flatlining.
"I'm considered a unicorn in the industry and it's hard," said Stratford. "I'm a woman and I own the company. And yes, most of my executive staff are women."
Entering the cybersecurity workforce is high pressure. In the first one to three years of employment, survey respondents recall "having to survive in a 'sink-or-swim' environment," (ISC)² said. Overcoming the initial shock of the working environment is a barrier to entry for other entry-level jobseekers.
The top technical concepts jobseekers should pursue include cloud security, data analysis, coding and programming, encryption, and risk assessment and management, according to the survey.
Employees can learn the fundamentals of infrastructure or information security in a short amount of time, according to Holloway. (ISC)² respondents said tasks in updating endpoint security signatures, malware forensics, or IT management helped them most moving forward in the profession, after the first one to three years.
As the field becomes more mainstream thanks to large cyberattacks and breaches invading media coverage, more curious minds will come forward.
"I started war dialing from my Commodore 64 with a 300 baud modem after seeing the movie 'WarGames' in 1983," said Holloway. "I was too afraid of getting caught doing anything illegal, so I just learned the methods of hacking."
By the time Holloway graduated high school, the computer espionage thriller "The Cuckoo's Egg" was published, coinciding with learning university Linux systems. It was a combination of inspirations that cemented Holloway's interest in cybersecurity. To pursue it, he "started sending the part-time systems administrators at the mathematics department information about the vulnerabilities I discovered in their systems."