Editor's note: This article is part of Behind the Firewall, a recurring column for cybersecurity executives to digest, discuss and debate. Next up: How do you vet the cybersecurity of your vendors? Email us here.
Cybersecurity is still a nascent field. The first computer virus emerged just decades ago, in the 1970s, making it younger than some cyber executives and experts.
Yet, demand for cyber roles is booming and more professionals are looking to get involved. The number of information security analyst roles, for example, is projected to grow 31% from 2019 to 2029, much faster than the 4% growth average across all occupations, according to an analysis from the Bureau of Labor Statistics.
The cyber demand is attracting candidates from an array of backgrounds, technical or otherwise. While the majority (58%) of people seeking jobs in cybersecurity are looking to transition out of IT, 42% are new to cybersecurity from an unrelated field, according to an (ISC)² survey.
So, where are cybersecurity executives today coming from? Cybersecurity Dive spoke to five leaders about how they got their start in security to showcase both the expected and nontraditional paths in cyber careers.
(The comments below have been lightly edited for length and clarity.)
Masha Sedova, co-founder and president at Elevate Security
"Today we talk a lot about women in STEM but back then I was lucky these skills were nurtured in me from an early age."
I come from a family of programmers and computer scientists, so you might say that this field is in my blood.
I was born in the Soviet Union and came to the U.S. in 1990. My grandmother was in the first graduating class of computer programmers in 1954 under Stalin — the Soviet Union considered computer programming "women's work." Back then there was no such thing as programming — it was all a-frames and punch cards. She learned PL, FORTRAN and Net-C, which she then taught to my dad. He became a computer programmer and taught me how to program when I was in the sixth grade.
Today we talk a lot about women in STEM but back then I was lucky these skills were nurtured in me from an early age. It never occurred to me that I wouldn't enter this field. I used to spend a lot of time playing around on Macintoshes at the local university. We were poor immigrants and, in spite of all the computer scientists in my family, we didn't have our own home computer. If I look back into why I entered the technology field, I think the immigrant story plays into part of it. I wanted to pick hard challenges and climb tall mountains — the kind of things immigrants go through daily.
In college, I studied liberal arts for two years, including philosophy and psychology, which became relevant in my behavioral science work later on. Then I switched to this great program called CyberCorps: Scholarship for Service that is run by the U.S. government. It paid for the last two years of study in exchange for focusing on computer science and working with the government on cybersecurity projects since they were understaffed in this area.
I got to reverse engineer credit card skimmers that the IRS was trying to tackle and do cyber forensics. I actually worked on a murder case involving data hidden on hard drives. It was very "NCIS." The program could be lonely and entailed a lot of hours, but I got to rebuild computers and learn about data structure. It put me on a really great track where I got to experience a lot of different flavors of security, which was eye opening. I learned penetration testing, network security, social engineering, etc. It's fascinating to me how deep a field this is and how many avenues there are to have a career in cybersecurity.
When I graduated, I worked as a cyber analyst for Northrop Grumman. I'm fluent in Russian, so I had the opportunity to work as an analyst on Russian cyber threat accounts. It was fascinating to realize the capabilities of nation-state adversaries.
Somewhere along the way I became interested in the human element. Cyber breaches are often due to some kind of human error — e.g. someone clicks a malicious link in a phishing email. It became an obsession for me: what can we do in the infosec industry to mitigate human risk? That's when I decided to head to Silicon Valley. I started with Salesforce in 2012 working with insider threats.
Ted Wagner, VP and CISO at SAP National Security Services (NS2)
"We monitored one of the largest computer networks in the world, while continually threatened by nation states attempting to break in."
In early 2000, I was working for a consulting company on IT projects. In June 2000, I joined a reserve unit that was just standing up to focus on information assurance. The Army Reserves saw this as an important mission area which required investment.
At the time, we had very little doctrine and policy to go by, so we were establishing precedence every day. We had ample access to training, which I saw as a great opportunity to improve my IT skills. There were a few bumps, but by October 2000, we were monitoring a Department of Defense network during drill weekends. A real mission and real data.
My experience with the reserves and some cybersecurity projects at my consulting firm enabled me to successfully apply for a position at the Army Computer Emergency Response Team. In 2003, I was accepted into the organization, and spent nine years there. It would be difficult to create a more challenging environment. We monitored one of the largest computer networks in the world, while continually threatened by nation states attempting to break in. It was a rich experience that I will always treasure. I worked alongside committed patriots and some amazing technical minds.
In 2005, the Army Reserves asked for a return on their investment in the training I received. I was mobilized and deployed to South West Asia, to monitor the Army network for security. It was my second Army deployment, far different from Desert Storm, but difficult, nonetheless.
I spent the year traveling around the theater trying to educate senior leaders on cyberthreats and keeping an extensive network secure. In many cases, commanders were focused on tactical threats on the battlefield, not aware of strategic virtual threats on the networks they were using. While I was passionate, I learned that it was important to consider my audience's perspective when engaging on cyber topics.
Om Moolchandani, CTO, CISO and co-founder of Accurics
"A manager there saw my hacking skills and proclivities and encouraged me to take a cybersecurity course. That gave direction to my madness."
I've learned that cybersecurity professionals are usually very inquisitive — we want to know more about everything. That was certainly the case for the story behind how I got into cybersecurity.
I was working with a chip manufacturer, and part of my job was to find ways to reduce the cost of programming. By experimenting I figured out how to program the chip to post more messages than it otherwise would. My manager told me that I'd just 'hacked' the chip without realizing it. That's how I got into the mindset of trying to break things, and learning more.
Later, at my first software job, I was writing software and, stemming from my desire to go deep into any subject, I was always interested to know: Can we break it? A manager there saw my hacking skills and proclivities and encouraged me to take a cybersecurity course. That gave direction to my madness.
I wasn't really hacking before then, I was just looking for ways to make things work better by trying to make software do things that were against the principles of how it was built, and that led me into a career in cybersecurity.
Brent Johnson, CISO at Bluefin
"Technology and security are fascinating and always evolving, and I've had the chance to see the world through client engagements (not to mention, the pay isn't half bad)."
I've always loved technology and even though my bachelor's degree centered around computer science and programming, I started to realize that wasn't where my passion lay.
I'm one of those people who never knew exactly what I wanted to do for a career, but I knew I wanted to be around technology. Right after college, I worked as a systems engineer at a medium-sized company and then at a software startup managing software implementations and customer support.
Six years after graduating and having gained experience in technology as a systems engineer and managing software implementations, an opportunity presented itself 1,200 miles away in Atlanta at a consulting firm to manage critical infrastructure protection (power grid) cybersecurity standards for clients. Despite not knowing a single person in Atlanta, the job, opportunity to travel and the chance to move to a new city intrigued me, so I took the leap.
Twelve years later, 10 of which I spent as a consultant in cybersecurity standards (CIP and PCI), it was the best career decision I could have made. Technology and security are fascinating and always evolving, and I've had the chance to see the world through client engagements (not to mention, the pay isn't half bad).
Ferruh Mavituna, founder and CEO, Invicti Security
"I realized that I should actually be trying to get customers secure, rather than just pointing out their problems as a penetration tester."
I started off as a penetration tester, meaning I was paid by companies to hack into their websites and report back to them about their vulnerabilities. One day, I was working for a banking company and my customer approached me and asked: "How is the test going?"
As someone whose mission was to go into a system and successfully hack it, I told the customer that the test was going fantastic. She then said, "Oh that's great, we don't have any vulnerabilities." And immediately I had to respond, "It's actually the opposite, you have so many vulnerabilities." At that moment in my personal journey, I realized that I should actually be trying to get customers secure, rather than just pointing out their problems as a penetration tester.