Main image of article Cybersecurity Career Advice for New Tech Grads

For recent college and university graduates, cybersecurity is one field within the broader tech industry that offers significant potential for career growth, the chance to earn a solid starting salary, and several career paths to leadership positions for those interested in management.

Although large tech and social media companies have recently announced layoffs and budget cutbacks, cybersecurity remains a growth area. While the number of job openings is off its peak from earlier this year, the latest data from CyberSeek, a joint initiative of the National Institute of Standards and Technology’s (NIST) Nice program, shows more than 660,000 open cyber-related positions in the U.S. alone.

With thousands of open positions, security experts and industry insiders explained that recent graduates, even those without specific cybersecurity-related degrees, are likely to find an entry-level position if they want. One reason is that cybersecurity remains a relatively new field and even those with a general tech degree can get a foot in the door.

“Cyber is a relatively new discipline in the technology world and many people currently in senior leadership roles started their career in more traditional IT roles,” said Tom Molden, CIO for global executive engagement at security firm Tanium. “As the industry evolves, and cyber careers are a thing, it’s advisable to think about a path.”

For those looking for stability, cybersecurity—while not fully recession-proof—remains a top priority for many enterprises. Cybercrime and threats from attackers continue to increase, according to the latest data from the FBI. New regulations also related to cybersecurity mean that companies still need to invest in security and hire talent to ensure compliance.

For graduates with interests outside of the private sector, the federal government and agencies such as the U.S. Cybersecurity and Infrastructure Security Agency continue to prioritize recruiting cybersecurity talent.

“When the economy caves, as it did in 2008, it has a way of revealing the industries that are more recession-proof than others,” said Mika Aalto, co-founder and CEO at security firm Hoxhunt. “Cybersecurity seems to be well, not recession-proof, but better suited to budget tightening than other jobs in other departments. Regulatory pressure is making cybersecurity a business imperative, and so long as there is cybercrime, there will be cybersecurity. And cybercrime is booming.”

With graduation season wrapping up, Dice recently asked security experts and insiders for their advice for recent tech grads interested in cybersecurity, including what areas of the industry they should consider and which skills can help jumpstart their careers.

What Skills Do Tech Grads Need?

The biggest obstacle for anyone—tech or non-tech—to getting hired is experience. Gaining valuable experience is essential for job hunting, but what’s the best way to gain that experience without a job? One way is to build up skill sets. That means knowing at least some of the major programming languages in use among cybersecurity pros.

“Applicants need excellent programming skills, but definitely in more than one language, and particularly in non-interpreted languages such as C, C++, or even better, Assembly,” said Grant Goodes, innovation architect at security firm Zimperium. “In addition, we look for strong debugging skills, using multiple tools and approaches—since debugging is very much like reverse engineering.  Applicants also must have a burning enthusiasm for understanding how modern computing platforms—especially mobile—work at the high- and low-levels.”

While having tech knowledge and programming skills helps, Molden noted there are also numerous openings for those with non-tech skills. This is especially true for companies and organizations that need to ensure compliance with government regulations. 

“From the outset, you’ll want to have a view on whether you are more suited for technical vs. non-technical roles. This will likely align with your study concentration.  Study the different types of roles and think about what best fits you in general,” Mullen said. “There is nothing to say you can’t be both, but there are different career paths. For example, you can be successful in the governance, risk and compliance (GRC) space, or equally so on a technical path If you find an opportunity to go into another direction, for example in IT or even in the audit world, there will always be pathways back into the cyberspace.”

Then there is the issue of soft skills. These include communication, which remains critical for many tech and cyber jobs, especially for those who need to relay information to other parts of the business. George Jones, CISO at Critical Start, noted that grads with a foundation of networking, operating systems, encryption, risk management and compliance frameworks skill are also well positioned to get hired. 

For those looking to move up, however, business skills play a significant role. “While technical competence is important, teamwork and communication are critical to your success,” Jones said. “Being able to operate in a cool, calm and collected manner when things seem to be spinning around you will take you farther down the road of success. People look to those that are calm in times of stress. Be that beacon.”

What Areas of Cybersecurity Should Grads Focus On?

With so many openings, there are various areas for grads to consider when entering the cybersecurity field. For those with good soft skills and a desire to teach and understand how humans contribute to threats, Aalto recommends human risk management, which is an extension of security awareness training.

“This is a field that combines communications and soft skills with analysis and program management ability,” Aalto said. “The problem of data breaches is continuing to grow, and nearly all of them occur at the human layer, which means upskilling people on the arts of cyber defense will be an ever-growing job description.”

On the technical side, Critical Start’s Jones sees four areas that recent grads should explore:

  • Cloud security: With cloud computing increasing in adoption, and its prevalence in most organizations, the demand for skilled professionals who can secure cloud architectures, infrastructure and services will continue to grow.
  • IoT security: While not growing as quickly as some areas, the Internet of Things (IoT) field is still growing rapidly. There is also a rising need for experts who can protect the security and privacy of IoT systems and understand the complexity of compliance around these systems.
  • Data privacy and compliance: Professionals with expertise in data protection, privacy regulations (such as GDPR) and compliance (such as FedRAMP) are in high demand due to the escalation of data breaches and privacy concerns.
  • Threat intelligence and incident response: Organizations require professionals who can proactively identify threats, respond to incidents and develop strategies to mitigate future risks. This specialization is growing as the attack surface of organizations continues to expand.

Other experts also noted that incident response and penetration testing are in demand.

“It is hands-on experience with things happening to the company, with the possibility to take action to protect the company,” Molden added. “You’ll typically be exposed to all aspects of cyber and beyond, into the enterprise itself. Vulnerability analysis is another good place to learn. Understanding the vulnerability landscape will also give you a broad appreciation of the technology environment across the company.  If you are technically very strong, penetration testing—while difficult to do at an entry level—is exciting for some people.”

Should Grads Specialize or Not?

For graduates looking to enter the cybersecurity field, one question comes up time and again: Is it better to specialize in one area or have a general understanding of multiple topics?

Some see specialization as a must, especially in the early stages of a career. “It is generally a good idea to specialize earlier in your career. There are multiple sub-functions in the cyber world, ranging from very technical penetration testing and threat hunting to operational functions around preventing and responding to risks, to equally important functions around policy and compliance management,” Molden said.

Other experts noted that, while specialization can help at the beginning of a career, motivated tech pros can branch out after a few years. “You can start on a security architect or SOC analyst path and then pivot to security awareness training if you decide you want to deal with the human factor more, for instance,” Aalto said. “It’s kind of like when you were applying to college: admissions wanted to see a passion for learning, especially in one subject, but everyone understood that you were at a point in your life where your goals and ambitions could grow in new directions. Cyber is a really nice place to grow.”

Still, there’s a third path: Have a tech specialty along with enough interest and skills to be considered a generalist by management. “The answer is ‘both.’ You need to be a specialist and generalist, which means knowledge of a broad number of areas, but at depth as well,” Goodes added.

“Cybersecurity involves many areas simultaneously, including operating systems, compilers, linkers, cryptography, reversing frameworks, etc. You need to be familiar with them all, and even be able to demonstrate expert-level knowledge on some specific, security-related aspects of those areas.”