October 1, 2015 By Martin McKeay 4 min read

Almost every profession requires a commitment to learning for career growth, but there are few that require the level of learning that security does just to maintain the status quo. Driven by the rampant change of technology in general, the security field is always playing catch-up, trying to secure the wild new systems of the cloud and Internet of Things (IoT).

While these fields already offer enough challenges to keep every current security professional in existence busy for the next decade, in that time, entrepreneurs and engineers will come up with some new idea that pushes the envelope even further — which is why the field of security is home to some of the most exciting and demanding careers you could have.

On-the-Job Learning Dominates Professions

Let’s be honest about one thing: We’re not doctors. Securing most networks is not a matter of life or death. We don’t spend the better part of a decade learning our craft before we’re allowed to operate in the real world. Instead, most of us learn our trade because we found it interesting and spend a large part of our early careers getting on-the-job training. With more universities offering courses and degrees in information security, this is becoming less true every year, but for now it’s still the case for most of us. And because we start our pathway having to learn on the job, any career growth we want will also require that we learn something new to progress, whether it’s through work experience or learning opportunities outside of our jobs.

When you consider doctors, they’re required to continually learn because the technologies and methodologies they have access to are changing constantly, and humanity’s understanding of our own bodies is changing, as well. We’ve all seen and heard of fad diets that become popular for a year or two and then fade away. We’re told that carbs are good for us, then they’re bad, then they’re good again. It’s because new research comes out that disproves previous research or supersedes it, or adds nuances to previous understandings that significantly change the impact on how we believe diets work. As new revelations come to light that explain the inner workings of the human body, physicians must unlearn old facts and learn how the new ones impact their work — something that takes up a considerable amount of time.

Battling the Half-Life Problem

In his book, “The Half-Life of Facts,” author Samuel Arbesman talks about this phenomenon and draws upon a variety of research that shows facts in the medical field have a lifespan of seven to 10 years — which means that at least once a decade, half of everything a doctor knows about medicine will have been proven wrong, superseded with additional understanding or simply proven less important than some other factor. Think on that for a moment: Half of everything that a doctor learned in the first year of medical school will have become less true than newer data by the time he or she is in the first or second year of practice. If a career spans 40 years, only 1/32 of what was learned in that first year will still be valid.

Let’s bring that back to a security career. The cost of bandwidth is cut by half approximately every 30 months, storage drops 50 percent every 20 months and computing power follows Moore’s law of doubling almost every 12 to 18 months. While many of the underlying concepts within security remain the same, the actual technologies that make our jobs possible are changing at least as fast as computing power is growing. That means we see a doubling of the amount we need to know and understand at least every 18 months. While it may take 40 years for almost all of a doctor’s knowledge to be rendered irrelevant, in the security field it can happen in six years or less.

It’s important to realize that while the atomic facts that make up our understanding of security may be changing, many of the basic concepts and philosophies that make a good security professional are evergreen. That underlying sense of paranoia, the need to trust but verify and the understanding of what makes a system secure — these are all required and don’t change.

But how professionals apply the current sets of technologies and use new tools to further their mindset is constantly changing and needs to be relearned multiple times throughout a career. You might be able to get away with ignoring the changes in a few niches, but any career growth will always require adapting to a constantly shifting landscape.

Fostering Career Growth

What form learning takes is always up to the individual. Most of us will pursue different methods of education throughout our careers. Going back to college may not be for everyone, but it can be a good learning experience — not to mention that it provides a tangible degree that makes it much easier to get past human resources for that next job. Organizations like Coursera or Khan Academy have online learning classes you can take at your own pace, and in many cases offer certificates to prove course completion. Conferences offer classes in specific technologies in addition to the talks themselves and the opportunity to interact with other security professionals. This networking is another important aspect of career growth.

Finally, on a daily basis, most of us are reading articles, stories and blog posts to keep up on all the latest news and technologies. There’s always something new in the news. Sometimes it’s tiring to know you must be constantly learning to have a career in security; you want to take a break and rest on your laurels from time to time. But that need to learn is a large part of what draws so many people to this career in the first place. You know you’ll never be bored, you’ll never lack a challenge and there’s always something new and exciting to learn. So what if half of what you know today will have changed in 18 months? That just means there’s that much more for you to explore tomorrow.
