One of the questions I get asked quite frequently is how I got into information security, especially since I have a health sciences background and do not have a computer science degree. Before we get into how to get into the field, let’s start with why you may want to pivot.
Recently, data outranked oil as the most valuable resource in the world. This means someone needs to ensure that data is secure against evildoers. Software engineering and being a code monkey is not for everyone; security is a way to be technical without having to code all day. The security field is relatively unsaturated, with huge growth potential over the coming years. This matters because it means organizations are more willing to take a risk on someone who may not be completely qualified but shows potential and a willingness to learn and grow rapidly. Being in an unsaturated market makes the interviewing process less competitive than in other fields, and you will often find yourself with multiple job offers once you have a few years of experience.
One nice thing about the security field is that you can become qualified without going to additional schooling. I did all of my certifications while holding full time roles at organizations.
The first step I took was to understand how networks and the internet work. If you don’t know the foundation and layout of a house and all its rooms, you cannot secure it. The same goes here. Learning how routers, switches, and even cabling standards work sets the foundation for understanding how to secure a network.
I found the best way to learn this information was to prepare for the CompTIA Network+ certification. Since I’m a kinetic learner, I signed up for a three-day bootcamp, but you can also just get a couple of books, learn the material by going through them, and take the practice exams.
Once I completed my Network+ certification, I went on to take the CompTIA Security+ certification. This is an entry-level certification in security and a great way to get introduced to the field. If you have a solid understanding of networking, you could even skip the Network+ certification and go straight to the Security+ certification. Similarly, there is another three-day bootcamp you can take, or you can just go through the books and take some practice tests to prepare for the exam.
I personally completed both of these exams within six months while holding a full-time position. They don’t require a ton of time to prepare for, since they are both targeted at entry-level positions. That being said, still study and build a strong foundation here. This will help you immensely for the more difficult certifications down the road. As with any subject area, the more deeply you understand the topic, the better you are able to apply that information to complex scenarios. Both the Network+ and Security+ certifications will enable you to get entry-level roles in security. You can start building some experience now while you prepare for the next certification.
After these, I pursued my Certified Information Systems Security Professional (CISSP). This is the gold standard in the industry and is known to be one of the most rigorous exams. Do not underestimate it. I would equate preparing for the CISSP to the Bar in law school or the Boards in medical school. The reason it is so highly respected is that not only is it a difficult exam to pass, but it also covers a broad spectrum of security topics, from cryptography to risk management.
This certification is well worth the effort, since once you do pass, it is a universally recognized credential and you will get a decent increase in compensation. You will at least have proven to recruiters and future employers that even though you do not have formal training in computer science or security, you have the knowledge. The only thing missing from your package would be years of experience, and that will naturally come with more time in the field.
The CISSP took me about a year to prepare and study for while working full time. I underestimated the exam the first time I took it and failed. This, however, motivated me to make sure I had a deep understanding of the material the next time I took it. I highly recommend studying for at least a couple of months and enrolling in a bootcamp before you take your exam.
Aside from passing the CISSP exam, you need five years of experience working in the security industry (four years if you have a college degree or another qualifying certification, like the CompTIA Security+ I mentioned earlier). When I first passed my CISSP exam, I did not have the necessary work experience to hold the credential, so I became an Associate of ISC2 and held that until I had the necessary experience.
After the CISSP there are many different directions you can go, depending on your interests. I personally wanted to learn more about securing information in a cloud environment, so I completed my Certified Cloud Security Professional (CCSP) and used a bootcamp to prepare for that exam as well.
There are many exams and training programs, but with your CISSP and some work experience you will be more than qualified for most mid-level positions in security. Find out what niche you like and try to learn more about it. Security is a very broad field, with roles that range from requiring limited or no coding experience to others that require immense technical experience and knowledge of systems and their architecture.
This is a great field for people who love finding loopholes in complex systems and enjoy constantly learning. So if you’re looking to pivot careers, or at least dip your toe into security, you now have the tools to do so. Start with the CompTIA Network+ and Security+ certifications and see if you enjoy working in the field. To further solidify your foothold, complete that CISSP and see the doors into the security field open up with opportunities. As always, feel free to contact me if you have any questions about my journey or how I got into this field.