Breaking Into Cybersecurity: A Story About Overcoming Professional Anxiety

“Any advice for an aspiring cybersecurity professional to break in?” This is the question I get the most.

I always answer by telling my story. I don’t see my path as a model of anything. Each will find a different way. What remains identical is the mental state one has to go through.

Let me tell you how I got my start in cybersecurity: which errors I made, which emotions I’ve endured.

While the rewards are worth it, it’s not an easy path.

Start with the why

Like many of you, I chose information technology for the “wrong” reasons: I wanted a good-paying office job.

I hit an emotional rock bottom in 2014. I had two toddlers. I was about to graduate from my PhD in literature. I had written a novel which got rejected by every editor out there. I got my post-doc grants denied. I applied for 50 teaching positions to no avail. I was miserable.

As Scott Galloway points out, unemployment is the most devastating situation a man can be in. I needed to turn myself around.

I saw ads for accelerated 18-month diplomas in information technology that guaranteed job placements. The course never took off due to a lack of registrants. But I had caught the technology bug. So I took the risk of getting a university computer sciences degree despite not having done calculus in a decade.

Now my question to you: do you want this job bad enough to grind for years? No matter which education you choose, whether it’s college or YouTube, you will need years to get good.

This is why I’m questioning your why. Why cybersecurity, aside from the office job? The core why of cybersecurity is a belief in ethics, integrity, and rigour. There is a reason why so many military individuals join this profession. Another strong value of cybersecurity is a deep interest in knowing how things are made, and how things work. What behaviour in your life shows these values?

And see, my story of a “cushy office job” showed why I picked IT, but not why I chose cybersecurity. Most of my pals picked sexier topics such as machine learning, video games, and big data.

I got interested in security for the wrong reasons, again. I was a fan of the MrRobot TV show, I saw headlines about the Ashley Madison hack, and I thought all this stuff was cool.

I got my reality check in what I feel, to this day, is my biggest professional blunder: an internship interview where I looked like an idiot.

I had no idea about security aside from the hacks I was reading about in the media. I didn’t know anything about the day-to-day work. I got asked about shellshock and I didn't even know what was a shell.

Do you have an idea of the daily activities of a cybersecurity professional?

Let’s dig into why this job may not be for you:

• Its got one of the highest rates of burnout of all jobs. I wrote about it. Too many threats, too many systems, and not enough managers that give a shit;
• You are never the main character in an enterprise. Nobody builds software for the sake of security. You are a supporting player. No matter how many attacks you thwart, you are not getting the spotlight.
• That learning grind you are on? It’s your new normal. Things change fast in tech. No matter how much learning and development your employer allows you, it’s not going to be enough. You will study nights and weekends. If you don’t, you’ll get leapfrogged by guys like me all the time in the org chart. LLMs are all the rage. Engineers are building generative AI apps in every company in the world right now. They need security advice now. So study LLM threat modelling right now or get left out in the dust.
• If you don’t do the above, by the time you have 10 years of experience you’ll ask for a senior‘s salary with outdated knowledge. You’ll write bitter posts on LinkedIn about how “these companies” don’t value experience. In worst cases, you‘ll bullshit your way into consulting gigs selling software projects with good-looking PowerPoints. You'll become the thing that you hated when you started.
• Most of the work is boring. Most of your time on the job is spent looking at code, debugging software, granting access to developers whose eyes roll at you, fixing hard drive encryption, and bailing out the helpdesk on tasks that are too overwhelming to do. There is nothing to tell your spouse at home about. Trust me, I've tried.

Most people online like to encourage you into the training but that’s because they sell training.

I was never told about any of these during college either. Luckily, it was only when I got my first internship that I discovered that my “devotion to learning” was a superpower in this field.

But how did I land that first internship?

I am embellishing when I say Mr. Robot was my sole reason for joining cybersecurity. Another event triggered my interest. One day on campus, a security analyst gave a speech during one of these "Lunch and Learn career events". He had, like me, transitioned to security while raising toddlers. The presentation caught my imagination and I emailed him afterwards. A few weeks later, I was invited to visit the premises. I spoke with a dozen people about the job. 4 months later, I applied for an internship at the same company. Despite making a good impression during the interview, I got accepted because another guy bailed. My internship supervisor facepalmed when I told him that I had never heard of an Active Directory.

So what was my secret? Unlike the majority of people, I attended these college events. I networked. And I got lucky.

This is something I always tell people that DM me: the mere fact that you are DMing people puts you ahead of the pack.

The biggest mistake you are making is asking us right away if we have jobs open in our company for you. We've never met. Why would I want to find you a job? Ask for help with a technical topic, and talk about some problems with the subject matter. Let us be helpful. Show you're a wise learner. Attend in-person conferences or webinars with a Q&A section.

"Yeah, but you had a degree!" Indeed...

The degree question

I always feel I must add this asterisk to my story. I live in Canada, where the university is affordable and delivers quality education. I realize the situation is much different in other countries.

A college degree unlocks the "HR filter". When you get 2,000 applicants online, it's only human to filter for the CS degree for the sake of having a more manageable pile.

I would never require a degree in a job posting. The fact of the matter is that gate-keeping is bad for diversity of backgrounds and experiences. One of my most valuable colleagues used to be a welder, for crying out loud!

The problem? Lots of people conflate "a degree is an erroneous gatekeeping requirement" with "a degree is useless".

My computer sciences degree with a major in cybersecurity forced me to study full-time for 3 years about computer-related subjects. The curriculum was curated. I built projects. I spent weeks on 3-hour sleep nights finishing C++ algorithms. I learned how to design scalable systems. I managed projects in agile methodologies. I evaluated costs. University got me ready for enterprise-scale questions. I didn't make many friends due to having a third child during the degree, but the connections you make with peers do matter.

Yes, you do not need a degree to be successful. But there is a lot of stuff to know!

I still believe going the degree route was the best professional decision I've made.

Now that you know my story. Tell me yours!