Insider Insights: In Cybersecurity, Experience Is Just as Valuable as Education

The market intelligence firm Cybersecurity Ventures reports that cyber crime damages will cost the world $6 trillion annually by the year 2021.

Every year we hear about a record hack that’s taken place with record amounts of private data being compromised. Add to this the fact that the Internet of Things – whether it’s smart networks for cars, energy grids, or home appliances – is opening up an ever-growing number of vulnerabilities ripe for cyber exploitation. At the same time, hackers are only getting better.

And just when the demand for cyber security professionals is going through the roof, there is a major shortage of talent in the field. Founder of Cybersecurity Ventures Steve Morgan said in a 2017 article in The Register that the number one problem with cyber security companies is a lack of qualified candidates entering the job market.

While it might seem like boasting when Morgan says that globally, cyber security is one of the few industries with zero unemployment, the risks associated with not having enough qualified applicants to fill the growing number of open positions are real and dangerous.

The founder of the legendary anti-virus company that bears his name, John McAfee, also says the situation surrounding the lack of qualified professionals is dire, pointing to the fact that there are two job openings for every qualified applicant.

Education is a Plus… Experience is a Must

So how do you become qualified? Industry experts agree it all starts with hands-on experience.

“If you have an education and no experience, you’re going to be hard-pressed to find a career in this field. You’ve got to do whatever it takes to get yourself experience. That’s more important than anything.”

These are the wise words of Kevin Hawkins, professor of IT and database administrator at Humana Health Insurance. He couldn’t have spelled it out any clearer.

In November of 2017 we had the opportunity to sit down with him for an interview. He has over a decade of experience as an SQL database administrator for the nation’s third-largest health insurance company and nearly a decade of experience as an IT college professor, and we were grateful for his pearls of wisdom.

Above all else, he emphasized the importance of gaining general hands-on experience in IT for anyone thinking about going into cyber security. He also highlighted how important it is to continuously approach this field as a student – to keep learning new things and to always stay abreast of the latest developments.

As an IT professor Hawkins would always tell his students, “The biggest jump you have in your career is going from learning into the experience.” When it comes to cyber security, he says that not only is education important, “You also need to have the experience in the field.”

Hawkins draws a comparison between computer technology and the skilled trades. A mason could earn a PhD in the theory of structural support and stone cutting. But eight years in the classroom doesn’t amount to even a week of hands-on experience as an apprentice.

Hawkins says computer technology is not just, “Hey, I’ll get my doctorate degree and I’m good to go.” He emphasizes the fact that skills are acquired in this field, not just learned: “Without the hands-on experience you’re really working with one hand.”

But that’s not to say he’s knocking education either. “You need to have both hands. You need to have the education, which is very good. But the hands-on experience is very important. In fact, many of my coworkers over the years who have hands-on experience and no education were very good at their skill.”

A 2017 article in the Harvard Business Review also highlights education as being an important credential while making a point that agrees with Hawkins’: Businesses that don’t know any better make the mistake of hiring less-qualified people with a four-year degree in computer science over those who have real hands-on experience in the field. The article goes on to identify this as one of the reasons why many organizations are struggling with a staff of not-so-qualified cyber security professionals – they may have the degree, but not the stripes, which can only be earned after years in the trenches.

You’ve Got to Crawl Before You Can Walk

Hawkins advises that you’ve got to get a basic understanding of information technology under your belt before you can transition into the more specialized areas of cyber security. Cyber security is “the next step up.”

You simply need to have a hands-on feel for computer technology in general, and it helps to have a related education. This is supported by Sean Tierney, the head of a cyber intelligence team at Infoblox, a multi-million dollar IT security company based in Silicon Valley.

Tierney agrees with Hawkins. In a 2017 Forbes article he’s quoted as saying, “The thing that will make you good at security is that you are great at something else first.” He gives examples like being well-versed in data networks, operating systems, or scripting languages.

Once you’ve established a basic foundation you have the chance of becoming what Hawkins calls a cyber security professional “by accident.” This is a common way people transition from the basic IT level up to cyber security.

Basically it means being in the right place at the right time with the right skills. Someone at your company needs to lock a network down and add a few access points in the firewall. You know how to do that, and before you know it you’re repeating the process on a dozen other networks and you’ve been promoted to network security administrator, all the while learning new things as you go.

And Hawkins isn’t the only one who mentions this type of promotional pathway. It is also mirrored by IBM in a new and innovative approach the company is taking to find qualified people to fill cyber security positions.

IBM has started recruiting people from general IT fields who have demonstrated curiosity, an ability to solve problems, and good risk comprehension, combined with an eagerness to learn. Instead of sending them to school for a four-year computer science degree, IBM develops them into cyber security professionals through on-the-job training and industry certification courses.

You might recognize that this looks remarkably like a cyber security apprenticeship, and other businesses are catching on to this model too.

Maintaining Your Edge On Your Own Time

So you’ve graduated from college, have experience in IT, and have landed a job in cyber security. If you thought your days of education were over, think again.

IT, and especially cyber security, are fields that are constantly in the process of evolving. And you’ve got to evolve with them.

“One of the things I learned early on in my career is that if you don’t keep yourself current in this field you are going to fall off the wayside,” Hawkins says. “You’ve got to continually educate yourself going forward.”

Hawkins recommends the entire gamut of continuing education: self-study with your own books, company-provided continuing education classes, and industry certification courses like those offered by HP, Microsoft, and Cisco.

This means that in addition to having technical prowess you must also have self-motivation if you want to get anywhere in this field. If you’re not self-motivated, Hawkins lays it out for you bluntly: your office is going to be somewhere in the corner of the basement and you’ll be relegated to irrelevancy.

Rod Rasmussen, the Vice President of cyber security at the IT security company Infoblox, agrees with Hawkins about continuing your education. He points out in a 2017 Forbes article that you don’t necessarily need a full degree or fancy credentials to excel in this field. “Those that are proficient will rise rapidly.”

Tierney, head of the Infoblox cyber security team, adds to what Hawkins and Rasmussen say. He advises that when you go to job interviews, one of the most common questions you’ll get is about what you do in your spare time in your home lab. Keen says employers will ask you about what kinds of systems you’re working on and the lessons you’ve learned in your spare time, and you better have something more than just a slick answer… you better have the chops to back it up.