IT professionals seeking to move into the red-hot cybersecurity field are well positioned to make the transition, especially if they possess certain technical skills, IT security hiring managers, executives and recruiters say.
And the timing to make the transition could never be better.
In a recent Robert Half Technology IT Hiring Forecast and Local Trends Report, a fifth of the 2,600 U.S.-based CIOs surveyed stated they planned to increase hiring in the first half of the year. And of this group, nearly a quarter cited maintaining security of their IT systems and safeguarding their company information as their top priority.
Additionally, the cybersecurity industry is facing a shortfall of 1.8 million workers by 2022, according to the Global Information Security Workforce Study.
“As a result, many organizations have started to use other methods to increase their workforce,” says Dave Tyson, executive director of the Information Systems Security Association International (ISSA). “People are going after employees with complementary skills to cybersecurity.”
So which IT careers are complementary to cybersecurity roles? Here are some examples.
IT Network Operations to Security Analyst and Beyond
NetOps is usually the easiest transition into a security analyst role, whether you target security operations or incident response, says Tom Caldwell, senior director of software development for Webroot and an IEEE Cybersecurity Ambassador.
“The other two areas are IT cloud roles, whether it is a public cloud like AWS or a private cloud like VMware. Both require an understanding of systems and networks which help to transition into cybersecurity. Strong candidates need to think like a hacker and know how it all comes together,” Caldwell says.
An incident response security analyst is responsible for investigating and working through forensic processes to discover how a company has been attacked, which machines and users were involved in the breach, and whether any sensitive data or intellectual property left the company, Caldwell explained. “Incident response security analysts are good at analyzing malware samples and have a deep understanding of the network and operating systems,” he added.
Meanwhile, a security operations security analyst typically works in an around-the-clock Security Operation Center (SOC) environment. They review and analyze security log data from a variety of heterogeneous security devices and look for trends. Security operations security analysts work on investigating alerts and have a firm understanding of where risks and vulnerabilities may appear in the threat landscape, Caldwell says, noting their focus is on security hygiene and enabling continuous monitoring of systems, devices and networks.
As for IT cloud professionals, they might be more suited to start out in security operations analyst roles and then eventually move into an incident response security analyst role as they gain more experience, he advises.
After transitioning from a NetOps or a cloud career to a cybersecurity analyst role, the newly minted cybersecurity professional may transition onto a SOC team and start understanding risk and cyber hygiene, Caldwell said.
“Later, when [this job] candidate learns how to assemble a full security stack, they can transition into a ‘security architect’ role where you help assemble security frameworks,” Caldwell said, adding, “There are many different specialties in cybersecurity other than operations. Secure coding is a topic that is top of mind for many companies.”
IT Help Desk to Security Analyst
Michael Roling, chief information security officer (CISO) for the Missouri Office of Administration, says most of his job candidates come from other areas of state government and generally have experience providing end-user support on IT help desks.
“They have done a lot of troubleshooting, are good at communicating, and good at problem solving,” Roling explains.
As a result, this experience transfers well to a security analyst role, he notes.
Software Developer to App Security Developer
The jump from a software developer to an app security developer is a relatively smooth transition, says Jordan Fitzpatrick, senior associate of information security for recruiting firm Barclay Simpson.
“Companies favor job candidates with any development experience,” Fitzpatrick says, adding that it is especially true with app security developers.
This demand becomes particularly acute for companies that are seeking to shift from a DevOps operation to one that becomes a DevSecOps organization, where security is baked into the development process from the get-go rather than added as an afterthought.
Fitzpatrick noted app security developers can make approximately $140,000 a year.
IT Compliance Officer to Data Privacy and Security Officer
Compliance officers who handle governance- and control-related functions, and who also possess some technical background, may find a relatively easy transition to the role of data privacy officer, Fitzpatrick says.
Data privacy officer roles will become particularly important starting 25 May. That is the date companies may be fined as much as 4% of their revenue if they do not comply with the European Union’s General Data Protection Regulation (GDPR).
Under GDPR, companies that possess European citizens’ personal information and data are required to take steps to safeguard that information. In certain cases, companies may even be required to hire a data protection officer.
“With GDPR, data privacy and security officers are in high demand,” Fitzpatrick says, noting the annual salaries for these positions can run approximately $160,000.
IT Professionals to Security Infrastructure Professionals
“Someone in IT can jump into security infrastructure jobs more quickly than someone with no experience and hit the ground running quickly,” Roling said. “Security infrastructure jobs call for such things as managing firewalls, intrusion prevention systems, or advanced malware platforms.”
Despite the relatively easy transition for some IT roles into cybersecurity, some challenges remain.
“Everything in security is transitioning into leveraging artificial intelligence (AI) and machine learning,” Caldwell said.
Security professionals are seeking to gain a better understanding of Gartner’s “Adaptive Security,” in which IT professionals leverage cyber threat intelligence with AI and machine learning to gain what security professionals term “Adaptive Response.”
The Adaptive Security platform is designed to use continuous cyber threat intelligence (CTI) feeds to adjust its models to respond to the changing threats and new attack methodologies used by cybercriminals.
“These types of new models and strategies should be understood at least at a high level by new security professionals,” Caldwell advises.
He also suggested IT professionals consider taking classes from the SANS Institute, or at a minimum read the numerous blogs and online materials on cybersecurity.
“I work with Gary Hayslip, the CISO at Webroot, and he publishes many good blogs on LinkedIn and has authored the ‘CISO Desk Reference Guide’ with two other cybersecurity experts that are colleagues of mine,” Caldwell said. “As an IEEE Ambassador for cybersecurity, I also recommend following the IEEE site on Cyber Security and attending their workshops and conferences.”
Dawn Kawamoto is a freelance writer and editor. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s News.com, InformationWeek, TheStreet.com, AOL’s DailyFinance, The Motley Fool, and Dice.com.