October 1, 2015 By Martin McKeay

Almost every profession requires a commitment to learning for career growth, but there are few that require the level of learning that security does just to maintain the status quo. Driven by the rampant change of technology in general, the security field is always playing catch-up, trying to secure the wild new systems of the cloud and Internet of Things (IoT).

While these fields already offer enough challenges to keep every current security professional in existence busy for the next decade, in that time, entrepreneurs and engineers will come up with some new idea that pushes the envelope even further — which is why the field of security is home to some of the most exciting and demanding careers you could have.

On-the-Job Learning Dominates Professions

Let’s be honest about one thing: We’re not doctors. Securing most networks is not a matter of life or death. We don’t spend the better part of a decade learning our craft before we’re allowed to operate in the real world. Instead, most of us learn our trade because we found it interesting and spend a large part of our early careers getting on-the-job training. With more universities offering courses and degrees in information security, this is becoming less true every year, but for now it’s still the case for most of us. And because we start our pathway having to learn on the job, any career growth we want will also require that we learn something new to progress, whether it’s through work experience or learning opportunities outside of our jobs.

When you consider doctors, they’re required to continually learn because the technologies and methodologies they have access to are changing constantly, and humanity’s understanding of our own bodies is changing, as well. We’ve all seen and heard of fad diets that become popular for a year or two and then fade away. We’re told that carbs are good for us, then they’re bad, then they’re good again. It’s because new research comes out that disproves previous research or supersedes it, or adds nuances to previous understandings that significantly change the impact on how we believe diets work. As new revelations come to light that explain the inner workings of the human body, physicians must unlearn old facts and learn how the new ones impact their work — something that takes up a considerable amount of time.

Battling the Half-Life Problem

In his book, “The Half-Life of Facts,” author Samuel Arbesman talks about this phenomenon and draws upon a variety of research that shows facts in the medical field have a lifespan of seven to 10 years — which means that at least once a decade, half of everything a doctor knows about medicine will have been proven wrong, superseded with additional understanding or simply proven less important than some other factor. Think on that for a moment: Half of everything that a doctor learned in the first year of medical school will have become less true than newer data by the time he or she is in the first or second year of practice. If a career spans 40 years, only 1/32 of what was learned in that first year will still be valid.

Let’s bring that back to a security career. The cost of bandwidth is cut by half approximately every 30 months, storage drops 50 percent every 20 months and computing power follows Moore’s law of doubling almost every 12 to 18 months. While many of the underlying concepts within security remain the same, the actual technologies that make our jobs possible are changing at least as fast as computing power is growing. That means we see a doubling of the amount we need to know and understand at least every 18 months. While it may take 40 years for almost all of a doctor’s knowledge to be rendered irrelevant, in the security field it can happen in six years or less.

It’s important to realize that while the atomic facts that make up our understanding of security may be changing, many of the basic concepts and philosophies that make a good security professional are evergreen. That underlying sense of paranoia, the need to trust but verify and the understanding of what makes a system secure — these are all required and don’t change.

But how professionals apply the current sets of technologies and use new tools to further their mindset are constantly changing and need to be relearned multiple times throughout a career. You might be able to get away with ignoring the changes in a few niches, but any career growth will always require adapting to a constantly shifting landscape.

Fostering Career Growth

What form learning takes is always up to the individual. Most of us will pursue different methods of education throughout our careers. Going back to college may not be for everyone, but it can be a good learning experience — not to mention that it provides a tangible degree that makes it much easier to get past human resources for that next job. Organizations like Coursera or Khan Academy have online learning classes you can take at your own pace, and in many cases offer certificates to prove course completion. Conferences offer classes in specific technologies in addition to the talks themselves and the opportunity to interact with other security professionals. This networking is another important aspect of career growth.

Finally, on a daily basis, most of us are reading articles, stories and blog posts to keep up on all the latest news and technologies. There’s always something new in the news. Sometimes it’s tiring to know you must be constantly learning to have a career in security; you want to take a break and rest on your laurels from time to time. But that need to learn is a large part of what draws so many people to this career in the first place. You know you’ll never be bored, you’ll never lack a challenge and there’s always something new and exciting to learn. So what if half of what you know today will have changed in 18 months? That just means there’s that much more for you to explore tomorrow.
