The one constant in cybersecurity is that threats targeting networks, infrastructure and organizations’ precious data remain relentless. In January, Check Point Research released a report calculating that cyber-related attacks increased by 38 percent in 2022 compared with 2021, showing how the pace of these incidents continues to rise.
With ransomware, business email compromise, phishing schemes and cybercriminals targeting business collaboration tools that employees rely on for hybrid and remote work, enterprises large and small have begun to counter these threats by investing more in cybersecurity awareness training. This type of training helps workers, especially those not in the IT department, spot an attack or breach and report the incident to the security team before the attacker gains a foothold in the network.
This shift toward a more preventative security posture is helping. A recent study by ThriveDX Enterprise reported that 87 percent of survey participants noted effective cybersecurity awareness requires employee training, although significant challenges remain.
One of those significant problems for many organizations is finding tech- and security-centric employees willing and able to train others about cybersecurity. To help, some enterprises have turned to hiring and recruiting cybersecurity instructors to educate other staff as well as add expertise at a time when threats continue to rise and make headlines.
Cybersecurity Instructor: What Does It Mean for Tech Pros?
While a cybersecurity instructor is typically associated with academia and teaching students about cybersecurity techniques in the classroom, some enterprises are also in the market for these tech professionals who can explain complex issues to a wide range of employees.
What attracts tech and security pros to a cybersecurity instructor position is the ability to teach and have a positive impact on others while continuing to learn more about the cyber field, said Mike Parkin, a senior technical engineer at security firm Vulcan Cyber, who has taught cyber-related courses himself.
“I would say there is a certain reward in passing knowledge on to others and helping ‘make the world a better place,’” Parkin recently told Dice. “Such as it is. What skills are needed depends on how you approach the field. If you are already familiar with instruction, then you’ll want to add security skills. If you’re already familiar with cybersecurity, you’ll need to learn how to teach.”
Other security experts note that the cybersecurity instructor position is known by other names depending on the organization and its specific needs. Other titles include director of awareness, security training manager, and director of awareness, behavior, and culture transformation.
“I’ve seen this job called different things, for different reasons, but really it’s all about helping people adopt behavioral habits that keep themselves and their company safe,” Mika Aalto, CEO and co-founder of Helsinki-based security firm Hoxhunt, told Dice. “Security training is a career area of tremendous growth because it has such fantastic ROI in terms of risk and resilience in an era of tightening budgets and mushrooming threats… I’m seeing these titles evolve towards a human risk officer, as that best reflects the desired outcome for the position: to change behavior and reduce human risk.”
Besides potentially creating an alternative cyber career for tech pros, the cybersecurity instructor role also commands a solid salary for those with the right mix of skills, certifications and teaching abilities. ZipRecruiter reports the national salary average for a cybersecurity instructor now stands at $97,500, although these tech professionals can command a $128,000 annual salary in certain areas of the U.S.
The ZipRecruiter stats also find that San Francisco and northern California are seeing higher salaries for cybersecurity instructors compared to other parts of the country, although job seekers in the New York City area can also expect six-figure pay on average.
Cybersecurity Instructor: What Skills Are Necessary?
With an increase in security awareness, many enterprises are developing best practices for employee training that include regular cyber awareness training, phishing simulation exercises and encouraging employees to report any suspicious emails or activity, said Thomas Carter, CEO at True I/O, a San Diego-based security firm that focuses on tokenization.
The numbers bear this out. The 2022 Verizon Data Breach Investigations Report finds that 82 percent of data breaches involve a human element, while the World Economic Forum links 95 percent of cyber issues to human behavior.
This emphasis on a range of security concerns means that tech professionals interested in a cybersecurity instructor career must know the latest cybercrime trends, the vulnerabilities in software that attackers can exploit and how to build better defenses that incorporate elements such as cyber resiliency. For most enterprises, however, an instructor wouldn’t necessarily need the same type of credentials as a professor teaching a college-level course.
“At its broadest definition, this is a role that teaches various aspects of cybersecurity to their students,” Parkin added. “In some cases, it’s a broad course that covers a wide range of topics. In others, it’s focused on a specific aspect or even a specific product. The qualifications can vary from venue to venue, with a professor teaching a college-level course having different requirements than someone teaching a course on using a specific company’s tool.”
Several experts noted that the majority of cybersecurity instructors have certifications, especially the Certified Information Systems Security Professional or CISSP certification. Other certificates that insiders see as essential for this position include:
- Global Information Assurance Certification (GIAC)
- CompTIA Security+
- Certified Professional in Training Management (CPTM)
“You do not need a strict security background and you can come from other parts of IT,” Archie Agarwal, founder and CEO at security firm ThreatModeler, told Dice. “As long as you have the CISSP, nobody will question your ability. People who gravitate to this position are those who love cybersecurity and can’t stop talking about it.”
Others agree that a strict cybersecurity background is not necessary, but some knowledge of the topics helps, as does an understanding of the organization’s security needs.
“I believe an ideal experience would cover both the organization’s cybersecurity needs from an enterprise perspective as well as available cybersecurity solutions from the vendor perspective,” John Yun, vice president for product strategy at security firm ColorTokens, told Dice. “The gap that we are now trying to fill with these roles is to bridge the need between the organization and available tools, so experience in both areas would help greatly.”
Cybersecurity Instructor: What Does a Career Path Look Like?
For tech professionals interested in a cybersecurity instructor career, experts note that most candidates pursue this type of position as a mid-career path with an eye toward a senior leadership position at some point, including CISO.
“As professionals gain experience in this role, they may climb the ladder in security or in other change management positions within the organization,” Aalto said. “Or they may choose to specialize in other areas of cybersecurity, such as security operations, incident response or risk management. Communication and people skills are no longer considered soft skills in security; they are a competitive advantage.”
Others see a similar career trajectory. “As a career path, this position offers a unique experience. You’ll naturally gain the knowledge of leading-edge products and innovations, trending cyberattack tactics as well as long-term needs of the enterprise,” Yun said. “From this role, I can see many progressing to cybersecurity architect, CISO or even industry analyst roles.”
If tech pros decide to choose a cybersecurity instructor career path, Aalto noted, the role requires creating a bridge between the tech and business sides of an organization. The position also requires a desire to teach others about some of the most complex risks facing companies today.
“It’s a great job that delivers great impact and, if given the right tools, it’s one of the most rewarding jobs in cybersecurity. Their impact is recognized because what they do directly addresses the human element, which is the critical link in an organization's security posture,” Aalto added. “It requires a unique combination of technical knowledge, teaching skills, and an understanding of human behavior. To excel in this role, professionals should bring with them an understanding of people and change management. This involves some neuroscience, psychology, and behavioral economics.”