The last five years have seen a proliferation in cyber security courses, cyber security certifications and even the emergence of cyber security degree programs. Yet despite growth in training opportunities, demand for cybersecurity talent continues to outpace supply.

There are various paths to take when it comes down to training and certification. It will depend on what career path you would like to take. Look at the CompTIA certification roadmap, it is a great visual tool to see different career paths and what kinds of certifications are needed for each. It is important to note that these are not set in stone and certain certifications are transferable.

If a job calls for a specific technology that you can get certified in, move forward with obtaining that certification. Other than those specific cases, a formal school setting will be useful in helping you navigate through critical concepts, tools and essential skills in cyber security.

The key to truly learning cyber security is practice. Completing formal education is just the beginning. You must regularly contribute to and be up-to-date with the latest trends to maintain your certificate status (depending on the certification).

It is also important to carry a balance of formal education and training. A terrific way to get a combination of both learning and practice is through a co-op program or capstone project. Co-ops and capstones, like the Diploma in Cybersecurity Specialist Co-op where I teach, at the Toronto School of Management, are usually part of a school’s curriculum along with courses relevant to your degree.

To become a cyber security expert, you will need to have “soft” and “hard” technical skills. Depending on the situation (e.g., the practice, project, organizational needs, etc.), the required technical skills will vary. For example, database handling and creating a Virtual Private Network (VPN) are two very different technical skills. The size of the organization can also influence which technical skills you may need to acquire. Some jobs will expect you to possess specialized skills that push your technical understanding, while other, usually more junior roles, will provide the on-the-job training you need to perform your duties.

Technical Skills                

Within cyber security, there are certain technical skills that you should have to better understand industry standards and applications. These include:

• A basic understanding of cloud computing, networking and network topologies
• Familiarity with the Open Systems Interconnection (OSI) model and how operating systems work
• An understanding of program syntax
• Knowledge of advanced settings on operating systems (Windows and Linux, for example)
• Knowledge of how to evaluate network architecture
• Understanding of anti-virus principles, VPNs, firewalls

While you do not necessarily have to become a functional expert in these to begin your career, having a firm grasp on what they are and how they work will help give you a firm foundation for a cyber security career.

People Skills

Soft skills are also applicable within any cyber security role. From Chief Information Security Officer (CISO) to staffing the Help Desk, you will need to collaborate with key stakeholders and be expected to distill technical information in ways that can be understood by non-technical audiences. The following are important soft skills to have and continuously develop:

Communication: A recent IBM Cyber Security Intelligence Index Report has shown that humans are responsible for 95 per cent of security breaches. Within cyber security, it is therefore important to remember that although we work with machines, human behaviour will always be a factor in keeping systems secure. Unlike the technologies that operate at nearly perfect levels of precision and predictability, people and organizations will need to be educated and managed accordingly.

Patience and Diplomacy: Not everyone is going to understand (or care) about what you do within cyber security. People will be your greatest weakness, as well as your greatest strength. Understanding that safe cyber security practices are everyone’s responsibility not only improves workplace culture but also ensures strong security – this is known as the “human firewall”.  Finding ways to communicate across all levels of your organization while implementing practices that people will follow will be critical to your long-term success.

Collaboration: In cyber security, you are inevitably going to be working with other departments and stakeholders. It is important to be able to work with others inside and outside of your own department. You may work with engineers, executives, technical support staff, sales teams, vendors, and others. You will inevitably need to be able to work with others to achieve a common cyber security goal.

A Growth Mindset: A desire to learn continuously will be essential in this fast-changing field. Staying on top or ahead of industry trends and new technologies and practices will be a part of the job, because malicious actors themselves will continue to try new ways of exploiting systems.

There are many new and emerging career paths open to aspiring cyber security professionals. They include: Network Analyst, Auditor, Programmer, Cloud Architect, Penetration Tester, and Compliance Manager, among others.

One helpful way to simplify your understanding of potential cyber security career paths is to break them down into two main categories: (1) generalists and (2) specialists.

Generalists work in distilling technical information. They know enough about a wide variety of topics to perform multiple functions at once or to oversee the integration of multiple components. Examples are project managers, auditors, analysts, and support staff.

Specialists, on the other hand, focus on a specific industry or technology. Specialist roles may also require knowledge of specific tools. For example, you may need to use Microsoft Azure when working with Cloud Computing Systems; Cisco when working with a Network; or Siemens when working with the Industrial Internet of Things (IIoT). Every aspect of technology needs a specialist to come in and understand the fine details of technical specifications.

Some of the most common career paths for those getting started in the cyber security industry are:

IT Helpdesk (Tier 1)

“Some security operation centers (SOCs) are an extension of the help desk, or in some security-based companies, the SOC is the help desk,” according to a report by CompTIA.  The point is that many cyber security careers continue to begin at the help desk, where you will have direct and daily contact with users and customers who are experiencing attacks. A good analogy would be to triage in a hospital, where you are the first point of contact and responsible for directing people to the right solution.

Entry Level Cyber Security Analyst

In this role, you will need to monitor and understand your organization’s IT infrastructure — hardware, software and networks — to evaluate threats and work with other cyber security professionals to resolve them.

Junior Network Technician

This role will require you to understand and repair computers and network systems. Basic functions of the role include setting up internet connections and networks, but this, too, can serve as a natural stepping stone into an analyst role.

Junior Penetration Tester            

In this role, you will help improve computer security by finding and exploiting vulnerabilities. The role may include planning and executing evaluation tests, programming software and monitoring reports of potentially relevant cyber security threats. This can be an excellent way to familiarize yourself with the tools and techniques used in cyber security before advancing into a specialist role.

Incident Analyst

An Incident Analyst diagnoses and documents cyber security events, reporting findings to senior technical leaders and management. An Incident Analyst may also be expected to develop and implement strategies for handling or safeguarding an organization from similar events in future.

Other areas and roles to be aware of as you progress in your career include: Chief Information Security Officer (CISO); Chief Privacy Officer; Computer Forensics; Cryptographer; Malware Analyst; Cybercrime Investigator; Security Architect; Security Consultant.

There are many different types of work environments in cyber security. Some are sedentary and independent, while others consist of large groups that require physical activity. For example, if you work at a large data center, you may need to work across large areas and in the field to support the organization’s systems.

On the contrary, if you are a cryptographer, you might be in front of your computer most of the day working with code and data. Considering whether you are someone that engages better with groups or works better alone will help you choose your best path forward and increase your chances of building a healthy relationship between you and your work.

Typical work hours will vary. Depending on your role or the sensitivity of the data you are working with you may be required to work overnight, weekends, and holidays. Understand that security is a 24/7 operation. With extremely sensitive data projects, you may be called to work additional hours. For example, if you are working with the government or military, you may be asked to work overtime in the event of a crisis.

The average salary of a Cybersecurity Analyst in Canada is $71,458 according to Glassdoor’s latest labour market data. Here is a breakdown of salary ranges for common roles across Canada organized by seniority:

However, salary will vary depending on organization size, position, and location. Look at an employer’s overall compensation package and keep the big picture in mind throughout the hiring process. The salary at one job could be higher than another, for example, but the stress, qualifications and working hours at that job may be higher too.

Also, consider total compensation, which includes, in addition to salary, things such as the bonus structure, vacation time, health plans, and other employee benefits that come with a job.

Taking your own personal situation into account is important too (e.g., regularly working six days a week may not be desirable — or possible). Looking at the full employment package and determining whether it provides what you need to enjoy a fulfilling cyber security career will make all the difference.