When searching for cybersecurity career advice on the internet, a common question that appears is "How do I get into cybersecurity?" From what I've seen, there is not one path to get into this field. There are people whose backgrounds are so distant from cybersec/infosec and yet they are killing it in this industry. The paths they took are just as varied as their experiences. I'm relatively new in this field, only having started to actively study cybersecurity in 2017. But ever since I started working, I have always been in the IT field despite not having an IT degree. Here's my journey into cybersecurity.
My college background
I graduated with a bachelor's degree in Accountancy. I spent four years in college preparing balance sheets, income statements, calculating taxes, studying finance and law, all that stuff. We did have some information systems related subjects but they never quite prepared me for a job in IT. I mean, since I graduated, I've never had to make a sing-along video using Powerpoint.
The same year I graduated from college, I took and passed the CPA Licensure exam. As with all newly minted CPAs, our first job was at an accounting/auditing firm. Despite having applied so late in the hiring season, I got lucky and was accepted at PwC. I was initially applying for a financial auditor position but because I applied late, all vacancies for the position had been filled. There was an opening for an IT auditor position and they asked me if I was okay with getting assigned to that post. It sounded interesting and despite not knowing a smidge about IT auditing, I said yes. That was a life-changing decision because since that time, I've been in IT. You might think it's a waste of my accountancy degree but actually my business and finance knowledge does come in handy when dealing with the business side of the company.
Gaining momentum in IT
Everything I know about IT and IT auditing, I learned from the job and from studying for the certification exams I took. I passed the CISA exam in 2012 and the CRISC in 2015. I am also fortunate to learn from the people I work with. After working for PwC, I transferred to a bank, and then I moved abroad to work for an insurance group. I've been in Hong Kong for four years now, and I must say that this is where I grew the most, both in my personal life and career.
I started getting more into cybersecurity in 2017 when I enrolled for the Micromasters in Cybersecurity from RIT. At the time, I felt that I somehow had a good grasp of IT operations already and I could supplement that with more knowledge about cybersecurity. Also, our audits were increasingly becoming security-focused so it would be great to know more about security so I could do my job better.
I completed the Micromasters around late 2018. That's when the announcement on edX came out that they were offering master's programs on their site, in collaboration with US universities. I applied for the OMS Cybersecurity offered by Georgia Tech and by mid-2019, I got the news that I was accepted. Since last year, as you can see from my other blog posts, I've been working on my master's degree.
Doing the OMS Cybersecurity program has opened up an opportunity for me at work. For some years now, our team has been looking for a security auditor. Since I expressed interest in cybersec/infosec and I already have knowledge about the company operations, I got the chance to transition into the security audit role. I am learning so much from the job through practice. For example, I've never cracked passwords before, aside from some examples for the RIT Micromasters, but I just cracked a bunch of them for work this year. It may sound simple, but we all have to start somewhere right? I can't just jump into big tasks without mastering the foundations. So little by little, through learning from university and through learning on the job, I am building my skillset.
While I am perfectly happy being a security auditor at the moment, of course, I can't be a security auditor forever. I also want to experience other branches of security. I'm pretty sure I don't want to be a pen tester, but I would like to explore being a cybersecurity analyst or consultant and then move on to be a cybersecurity manager or architect. There are also cybersecurity roles in risk and compliance and I am open to exploring those in the future.
Challenges in security
Since I am fairly new to being a security auditor, I do suffer from imposter syndrome. I have experiences of performing security-related testing in the past, though not to the extent that I am doing now. So I feel like do know something but it's just that I also feel that I have to prove more. Completing my master's should help me feel a bit more confident about what I know and what I can do. Plus, I am not stopping there because I will continue studying and taking security-related certification exams, and overall honing my skillset. I also want to give back to the infosec community by sharing what I am learning through blogging (which I hope to be more consistent in doing).
So that's my story, folks! If any of you are interested in transitioning to cybersecurity, just take the leap. There is so much learn but if you are really passionate about this field, that drive you have will allow you to succeed. As we are becoming more and more digital, what you learn from being in cybersecurity is easily applicable to your personal life and you can also teach your friends and family how to be more secure in the digital world. It may look daunting at first, but if someone like me, who didn't even know what SDLC was on my first day of work, is able to move to security, I'm sure you can do it too.