Is Cyber Security Hard? How to Find Your Way in

by James Bore (@jamesbore), November 2nd, 2022

Too Long; Didn't Read

Cyber security is a huge, fast-moving field with a broad range of pathways. The barriers for new entrants are high, competition for entry roles is fierce, and the skills required are much broader than simply learning penetration testing. ‘Hard’ is one word for it, but a better description is that the field is challenging and complex.

It’s a common question, and a difficult one to give the right answer to. The easy answer, ironically, is to just say ‘yes’ and leave it at that. Not quite the right answer though.

That’s not to say it’s easy, because it isn’t, but it is straightforward. The problem is that it’s also fast-moving and large.

I’ve seen plenty of people say cyber security is hard because of the technical knowledge required, while others will tell you that technical skills aren’t required and so it’s easy. Many struggle even to separate cyber security from information security from security as a whole, which confuses the picture even more.

In this article, we’ll talk about:

  1. Finding Your Path
  2. Cyber Security Easy Mode: The Cheat Guide
  3. The Hardest Part of Cyber Security: Defining it
  4. More Definitions: What Does ‘Hard’ Mean in Cyber Security?

I’m going to save the pain for later, so we’ll start out with ways to start a career in cyber security.

Image credited to Abrahama Tansini and created for the OpenIDEO Cybersecurity Visuals contest

Finding Your Path in Cybersecurity

One of the first challenges to overcome is to work out which pathway you want to take - or at least aim for. Cyber security is not just penetration testing (despite what Hollywood would have people believe). Various organisations present different numbers of paths, with common numbers ranging from less than half a dozen to tens of different options.

The most commonly known are the red team and blue team roles: penetration testing on one side, Security Operations Center (SOC) monitoring on the other. Because of this they tend to be the most competitive to get into, with defined and well-signposted paths, which means most people looking for an entry-level role head in that direction.

To give yourself a huge edge, look outside of these two. Governance, Risk, and Compliance (GRC) roles are under-supplied, have less of a technical barrier to entry, and frankly have more prospects. There are also application security roles for those more interested in development, architecture roles, forensics, operations, specialisms galore and - by the time I’ve finished writing this - probably a couple of dozen no one’s heard of before.

You’ll hear plenty of people saying to follow your passion. I’m against this advice - passions can be fleeting and in a field where many are already over-worked and under-resourced, pursuing them can quickly lead to burnout. Instead, I tend to suggest indulging curiosity.

Image credited to Abrahama Tansini and created for the OpenIDEO Cybersecurity Visuals contest

There is no greater advantage in cyber security than being willing and able to learn rapidly, and following topics you’re interested in is a great way to do that. You are almost guaranteed to have to pivot multiple times over a career of any length, and as the saying goes ‘We plan, god laughs’. Do not commit too strongly to plans and learn to go with the flow and take opportunities as they come up.

Cyber Security Easy Mode: The Cheat Guide

One of the biggest hurdles is getting into a role in the first place. I have first-hand accounts of people sending out hundreds of applications and getting nowhere.

As much as I hate to say it, there’s a reason for this.

Most cyber security roles don’t get advertised.

Those that do often have ridiculous numbers of applications to work through. So, even with the best CV, you’re up against bad odds. Instead, the biggest successes I see from people are when they take different routes.

Networking
Building a network and connecting with people is hugely effective. It’s not simply a numbers game - having 50,000 connections won’t give you much of an edge over having a few who are the right ones for you. Look at people in roles you want to be in, or in positions to hire for those roles, and ask (sincerely, this is important) for their advice. Keep in touch, and let people know what you’re trying to do, and that you’re listening to their advice.

There are cynical approaches to networking. I do not recommend those. While you shouldn’t try to make every connection a best friend for life, keeping in touch and offering help for help (or a beer/coffee) is far better than constantly taking.

Following this tip gives you a whole network of people looking out for opportunities for you, knowing that you’re building up the right skills, and able to speak on your behalf when things do come up. Just remember it only works if the relationships you build up this way are genuine - being insincere or manipulative is not going to work in anyone’s favour for long, but openly and respectfully asking for help is the way to go.

Content and Presenting

Writing posts, articles, blogs, or anything else about your journey and what you’re learning is another way to not only build your network, but put a stamp on areas of expertise. Even better is to put together a presentation, for bonus points at a rookie conference or on a rookie track at an established conference, such as BeerCon or D.O. CON, or a local BSides event.

Take opportunities to present whenever they come up. It’s great experience, and a great way to build your profile.

Giving a first talk on a topic that interests you pulls in people interested in finding solutions, which is exactly the type of person you want noticing you. Most people won’t follow through on speaking on stage, even though rookie tracks provide support and mentoring throughout the process, so a simple presentation can really put you forward as the expert in an area.

Many of these events are remote, but when they’re in-person you’ve also got another opportunity to build up your network to catch new opportunities.

Once You’re In: Opportunity Knocks

After you’ve found that first role, you will hear people say you should spend x or y years in it to prove you’re stable and loyal. My next piece of advice is not a popular one (with employers), and isn’t for everyone.

There is nothing wrong with staying in a role long term. There are employers who will give you opportunities to grow and develop while in a role. Equally, you may be happy in a role and have other priorities. There is nothing wrong with either of these, and the next piece of advice is in no way intended to suggest there is.

Keep your eyes open for opportunities. While there are arguments about what’s known as the cyber security skills gap, there is definitely demand for those who have already managed to break in (the hard part is getting in to start with). It is worth keeping your eyes and ears open, and looking at new opportunities as they come up.

Loyalty to a role is all well and good, but opportunities should not be overlooked out of misplaced loyalty. If there’s no room to grow and you want to develop further, moving is the easiest way to do so in most cases. Be upfront and open, and don’t allow a limited role to limit your growth.

You will hear people arguing against job hopping on principle, accusing anyone who changes roles as rarely as every few years of lacking commitment. My own experience is anecdotal, but during two decades of my career before going independent my average tenure in a role was ten months - and this never came up as an issue. I wouldn’t say move simply for the sake of moving, but I would strongly suggest that not taking new opportunities out of fear of being labelled disloyal is a mistake.

The Hardest Part of Cyber Security: Defining it

You’ll find plenty of definitions. Some are useful, most are…not.

For example, the NCSC gives a definition which starts with ‘Cyber security is how individuals and organisations reduce the risk of cyber attack’. It’s an accurate definition; it just happens to be completely useless, because it doesn’t explain the ‘cyber’ piece.

So let’s start by breaking it down. If you’re in the US, you probably see ‘cybersecurity’ more than ‘cyber security’, which is just a regional variation. What is security? The best, simplest definition I’ve come across that’s useful to us is that it’s the protection of assets from threats (realistically both the assets and the threats are ultimately people - even in cyber - and sometimes they’re the same people). Great, we’re halfway there: we’ve defined the discipline we’re working with.

Now what’s cyber? Again, there are plenty of definitions out there, but most of them boil down to it being a domain made up of interdependent networks, technology infrastructures, and the data that lives on them. Even better, we’ve now got the domain we’re working with.

That means cyber security is applying the security discipline within the cyber domain.

This is why people get so confused about what cyber security is, and it gets conflated with information security and other security. They are all applying the same fundamental security principles, the same discipline, just within different domains.

There are plenty of other security domains - we can talk about food security, biosecurity, financial security, economic security, and many more - but we’ll focus down for now. The diagram shows physical security, information security, cyber security, and their relation to each other. You’ll quickly see why…

Image credit to the author

…boundaries and definitions get blurred very easily.

I would have included information technology on this, but that requires extra dimensions I can’t represent in a 2D format. IT, computing, technology, or whatever term we want to use contains cyber security in the same way that information does, while it overlaps with information security without containing it.

More Definitions: What Does ‘Hard’ Mean in Cyber Security?

There’s a problem when we start throwing around the word ‘hard’, and it comes back to definitions again (sorry, I know this is turning into a dictionary, but this stuff is important to make sense of the question). When we say something is hard, we often mean it’s frustrating. While cyber security can be (and often is) frustrating to break into, that’s different from it being hard in itself.

A better description is that cyber security is challenging. It can be learned, you can improve, it requires certain ways of thinking, abilities to research and learn rapidly, and a number of other skills depending on which area you’re looking at. There may be areas you excel in, there may be ones you struggle with, and finding these will shape the rest of your career.

An even better way to put it is that achieving a secure state is complex. There are a lot of moving parts involved, and the larger the organisation or environment, the more complex it gets. The principles being applied are straightforward, but they have to be applied thoroughly everywhere, missing nothing, to a massively diverse range of technologies and systems, all of which are moving targets.

On top of that, you’ll have limited resources and need to constantly translate between different areas of the business so they understand not only their need for security, but also what it means.

This may sound like I’m warning you off a career in cyber security, or in security more generally. I am absolutely not - there are few fields where you can have such a massive positive (or negative) impact, even if it may be invisible. It can be frustrating and exhausting; it can also be incredibly fulfilling.

If you’re looking for a security career, then I’m always happy to try and help. Connect and say hi on Twitter or LinkedIn.