There are lots of ways organizations can work to address the cybersecurity skills gap. Working with young people, providing skills training for students and implementing zero trust all help. So does amplifying gender diversity and promoting respect in the workplace. Organizations can use all these strategies to fill their open positions and meet their cybersecurity needs. But there are other ways, too, demonstrated by these stories of non-traditional cybersecurity career paths.
Here’s one more: not demanding that team members always take a traditional cybersecurity career path. Otherwise, organizations end up overlooking the many others who’ve found their own ways into cybersecurity, and they deprive the industry of the experience and life skills those individuals bring with them.
To highlight this point, I spoke to several professionals with non-traditional cybersecurity career paths and asked them to share how they entered the industry. Here’s what they had to say.
David Hoyt | Security Researcher
“I started as an ISP [internet service provider] in 1994. I got hacked quickly and repeatedly. Coding up multi-hosting for IP hadn’t been written. Spam filters didn’t exist. There was a deluge of CSAM. I needed to learn about risk management quickly. That’s what got me into security.”
Caitlin Kiska | Information Security Engineer (Threat Intelligence)
“I played online tournament poker for a living. At its core, online poker is trend analysis and data science. In poker, we are constantly identifying outlier behavior in our opponents and in ourselves to improve. Being able to analyze large data sets and form strategies based on the data is applicable in multiple fields. I was looking at a few different areas where I could leverage this skill, and cybersecurity stuck out. Additionally, many roles do not require a degree, so it was a lower barrier to entry, as I am currently in school, as well.”
“I got a Ph.D. in telecommunications in 2011, and I went with a big engineering company to design telecom networks for railway and public transport. Security wasn’t really a thing, more resilience against outage. One day, I was working on a super big project where the client wanted the best of the best including a driverless metro. I alerted on the fact that jamming could disrupt the entire line and stop millions of passengers as well as cost millions of dollars. They replied that they have a firewall (which is useless in that case). I discovered this was called cybersecurity, and I wanted to pursue this domain, but I had no chance at my work. I discovered ENISA, the European Union Agency for Cyber Security. They were looking for someone with my profile. I applied, and six months later, I was starting my job as an expert in cyber security.”
“I took a do-it-yourself approach to pivot into cybersecurity from the public policy and political science fields. One of the first things I did was self-educating myself on the basics of cybersecurity. I tried to actively learn everything from networking and systems to software and coding (Python).”
Matt Gimovsky | Contracts Manager and Supply Chain Advisor
“I made the leap into cybersecurity after an eight-year career in litigation. I knew I enjoyed strategic/tactical advising, and I decided to marry that with a long-term personal interest in code, data and, more generally, the tangible cause and effect relationship governing binary communication that exists across IT. Combining those factors led me to my current role as technology transactions advisor for a fed/civ cyber defense business.”
Justin Kinney | Information Security Analyst
“My non-traditional path actually started after I had left the Army. My battle buddy who was also being medically discharged was going to be a 17c, a cyber ops specialist. I asked him how to get started, and he told me to start on some CTFs [capture-the-flag games] and see what I liked. Once I got back home, I went straight to YouTube and was eager to learn. The first video I landed on was LiveOverflow’s video ‘Play CTF! A Great Way to Learn Hacking – Fsec 2017.’ After that, I really dug in and got to popping boxes. Not even a year later, I found a brand new platform, TryHackMe. This platform not only gave me hands-on experience, but it also [gave] me a love of learning.”
Damon Small | Technical Director of Security Consulting
“I enjoyed working with tech in middle school in the early 80s — our computer lab had a bunch of TRS-80 computers. But in high school, I was all about being a band nerd. So, I studied music as an undergraduate at Louisiana State University. As it turns out, the music industry is like professional sports in that 1% of the people tend to make 99% of the money. I was a good drummer, but there are lots of good drummers out there. I worked in the LSU recording studio, and even in the early 1990s, we did digital editing. I was more fascinated by the technology involved than I was [by] the music I was recording and editing. That’s when the tech bug bit me.
“In a fit of desperation to make money, I took a job at Kinko’s in their desktop publishing department. Again, the tech was more interesting to me than the lightweight graphic design I was doing. I married my first wife, and we moved from Louisiana to Houston in 1995 where I talked my way into a job with Compaq Computer Corporation’s graphics lab. I was a tester and would run through test matrices of alpha and beta graphics drivers for pre-prod video controllers. That was my first job actually getting paid (a very small amount of) money to work with tech, and I loved it.
“Within a short time, that led to my first sysadmin gig in 1996 with a dot com-era company. I was a man possessed and learned a ton during those years and began collecting certifications. My then-wife and I moved to northern Virginia in 2000, where I continued working in systems. Then, the dot com bubble burst, and suddenly, systems folks like me were a dime a dozen. I needed to pivot again.
“I wish I could say that I was super smart and predicted where the industry was going, but if I’m honest, I think I got lucky when I was able to get an infosec role. In 2001, we moved back to Houston, where I continued working in infosec, this time for health care orgs in the Texas Medical Center. In 2006, I started moving towards management roles, and in 2012, I pivoted yet again into consulting, where I’ve been ever since.”
“Coming from an IT background, cybersecurity came more naturally to me as I was familiar with the basic concepts of it. Being a software developer in the early stages of my career, testing applications for finding flaws and vulnerabilities was also part of my job.”
Haydn Bowers | Senior Solution Architect: Security
“I’d never considered cyber or even information technology as a career growing up. My interests always piqued around history and physics. I in fact failed first-year engineering for having written an essay on David Hume when asked to discuss induction in engineering. I have an undergraduate degree with a double major in history & philosophy of science and quantum physics. I continued down this path, working in the university’s quantum computing department on the development of quantum circuitry. My work centered on the development of superconducting diamond[s], looking to test and establish the reality of theoretical models predicting room-temperature superconductivity. I believed in making Marty McFly’s future a reality; I was on the path to making superconducting circuitry with the sci-fi application of a hoverboard — although I still don’t believe it’d be able to hover across water.
“One day while taking adult skiing lessons with an instructor (now my fiancé), I realized my skillsets weren’t technically focused but operational. I’d spent my theses developing, constructing and rebuilding processes. Something that I didn’t necessarily need to do in a materials science setting but wanted to go explore outside of academia.
“I’ll admit that I was incredibly lucky and stumbled upon an opportunity I hadn’t considered. I discovered a job advert looking for a cyber technologist requiring individuals who could deconstruct machine learning and anomaly detection and explain how these mathematical processes could help companies perform network detection and automated response. I had to explain how to operationalize new technologies within existing ecosystems.
“This first career move was in pre-sales for a cyber start-up where I would work with enterprises from national telecommunications to building contractors, from international banks to mid-tier law firms. During this time, I broadened my cyber experience with the help of some exceptional analysts and discussed business problems, all the while utilizing my background to discuss the benefits of anomaly detection and how to operationalize new technologies within an ecosystem.”
“I worked as an investigator/case officer in multiple government agencies, and through my expertise in fraud, I ended up in LE working as a cybercrime specialist. From being moderately interested in cybersecurity, it led me into taking courses and seminars towards cyber forensics and security. I’ve mostly realized that almost all fraud is cyber-enabled or cyber-dependent. One contributing factor is that I have a personal interest in computer science and enjoy building and programming computers and drones.”
“My second year at university, I fell in love with the internet. Only it wasn’t called [that] back then. And I wasn’t allowed to use it because it was reserved for science researchers and librarians. Computer science majors had to use the mainframes. So, I switched majors to be a librarian and get an account. I then bribed the cleaning crew with cigarettes I hacked from the machine to let me follow them in after the library closed. There, I spent night after night exploring the new online world. After university, that left me uniquely qualified for a position to use this ‘internet’ to send field data from hospitals back to the CDC.”
Ian Parsons | Cyber Threat Intelligence Analyst
“Until a job I thought I could do in cybersecurity came up, I had a slight interest in the industry. I was keen to protect myself and my family, so I knew about phishing and using a decent antivirus, but that was about as far as it went. I was a contractor at the time producing synthetic intelligence products, and I had a background in operational intelligence.
“In 2018, I decided it was time for a new challenge, and I saw a job advertised as a cyber threat intelligence analyst. I applied for the job, passed the initial application, and was selected for interview. Armed with what an APT was and with knowledge of where to find the MITRE ATT&CK Matrix, I went to the interview. Luckily, the questions were based on my background, and the interviewer told me, ‘We can teach you cyber if you have the intelligence background.’ It’s similar processes with different information. It has been a steep learning curve, but I am so glad I took the chance, and I love my job.”
“I started my career in IT when I joined the U.S. Air Force in 1971. It wasn’t by design. When I reported to base, there were two openings, and one of them was working in the data center. I was offered a choice, and I picked the IT role. After the Air Force, I began working at a large manufacturing firm and eventually moved into an IT mainframe administrator role, which, over time, included IT security functions.”
Simon Backwell | Information Security Manager
“I joined my current employer as a systems analyst with no qualifications and over eight years’ prior experience in customer service and analytical roles. My company was building an internal audit team, and my name was suggested as a candidate due to my attention to detail. For two years, I took part in the ISO 27001 internal audits. At the same time, I moved to a test analyst role within our development team, but I was getting more interested behind the scenes in auditing and compliance. When a role opened in our security team, I applied and joined as a security analyst. Since then, I’ve qualified as an ISO 27001 lead auditor, achieved CISM certification and have been promoted to information security manager.”
More Expert Insight to Come
This is the first part of a three-part series. In the next installment, see how their non-traditional paths have shaped these cybersecurity professionals’ careers.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...