
Why I Hire Non-IT Graduates in The Cybersecurity Field

Essential elements you should have and why I hire non-IT graduates.

By Z3n Ch4n. Published 3 years ago. Updated 2 years ago. 9 min read.

I am always amused to tell new friends about my job because no one knows what a security consultant is. Some confused security with securities (as in the stock market, which Hong Kong is famous for), and some only know about IT. On one occasion, my friend asked why I studied at university and became a security guard.

For me, I am more like a security guard than an IT guy. As I always say to my colleagues, keep a different mindset than IT staff. The main difference is this: security will not improve efficiency or productivity, but it will improve Confidentiality, Integrity, and Availability (CIA).

My colleagues always said I know something new as I am different. Yes, I agree. But it doesn’t mean that I am a freak or genius to do a better job. I obtained my Master of Computer Forensics.

Yet, I was only a Science undergraduate working at nightshift to save money for the tuition when I started my career. By telling you my story, I hope more people will be interested in pursuing InfoSec careers even if they do not have experience.

The Proof of Your Interest

Most people would tell you to find your passion for being successful in your career. I think it is what makes success in all parts of life. To find a job in cybersecurity, you need to show your interest in this field.

Pursuing tertiary education in InfoSec is one of the methods. Writing about security also works (but it may need more to start writing). The purpose of the proof is to let people, especially employers, know that you like InfoSec.

Taking the CISSP examination was my way to show my enthusiasm. The CISSP exam now uses Computerized Adaptive Testing (CAT) for all English exams. It was a six-hour straight examination on pencil and paper when I took the exam. My exam ran from 0900 to 1500. I only left my chair once for the toilet.

Passing the exams does not necessarily demonstrate that you are an expert in the field. However, it can tell companies you studied in the area and spent hours of effort on the subject related to the job.

Most people who took the exam with me are working in the field. But why not take the exam to learn about the area first and then gain experience along with the career? Studying for InfoSec exams can help you gain the necessities in this job.

There are different levels of exams for different kinds of positions, such as what I mentioned. For example:

  • CEH: Certified Ethical Hacker.
  • CISM: Certified Information Security Manager.
  • CompTIA Security+
  • CISSP: Certified Information Systems Security Professional.
  • CISA: Certified Information Security Auditor.

Look into organizations such as (ISC)², CompTIA, and ISACA. In addition, you can find more about certifications by looking at the job advertisements.

The InfoSec Language

I also took the Security+ examination weeks after CISSP, as the syllabus is similar. All these efforts were how I wanted to tell my potential employers how much I like this job.

Studying for the exams was not easy, especially for a rookie. Of course, it will be easier if you like the contents. But the best thing about passing these exams is learning a common language with other real professionals.

Speaking a common language does not necessarily need field experience, just as you do not need to live in Japan to know Japanese. However, it is a crucial advantage if you can understand questions in a job interview with security professionals.

You show the interviewer that you know the subject but do not have experience. Moreover, you indicate your interest in the field and also the know-how of the basic concepts. By that point, you are ready to learn more and find your more specific area of interest.

You can learn the language in different ways. Taking an exam is one way. Or, like learning a natural language, reading more on that subject would unquestionably help. I read different kinds of magazines in InfoSec and online media, like Black Hat, HackerNoon, and Dark Reading.

Is experience a must?

I once saw a LinkedIn post about getting into a cybersecurity career. I admired the passion of this instructor, as I also taught, although not full-time. He pointed out that working in this field may require a full spectrum of IT knowledge.

Screen capture of the LinkedIn post

With such a steep learning curve, you could only see people nearly retired in the security department. But what do we see in the Security team? We have people of different age groups and both genders.

All industries have junior positions. I do agree that experience matters. But in what kind of job does experience not matter? From time to time, we all should recall how we started our careers.

You need to know the basics. The key is the width of knowledge, not the depth. To suit yourself in a job, you need to know what kind of work would fit into your domain but not the others.

If you glance at the exam outline of CISSP, you can find the “width” of the things we need to learn later in the job. It is recommended to know the meaning of the eight domains to get started.

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Studying for the exam will surely teach you the meanings. But you can also learn them from books or Google searches (maybe a lot of searches). As I said, technical knowledge can be learned by anyone. But we only have 24 hours a day, so pick the subject wisely to focus on once you are in the field.

For me, I would suggest learning about the definitions of different areas of security. For example, in Identity and Access Management, you will come across the descriptions of the following:

  • Access Control
  • Biometric
  • IAAA (Identification, Authentication, Authorization, and Accountability)

Do not worry. No one can be an expert in all domains. The focus at the beginning is the “What,” not how or why. This industry is so dynamic that we need to continually update our knowledge; otherwise, we are no better than junior associates.

Like driving a car, you do not need to understand every part inside the engine. To find a job in Cybersecurity, you do not need experience in all IT aspects. Instead, you can learn all technical knowledge from training and day-to-day operational tasks.

An Insecure Child

Since I was young, there have been things that I am not comfortable with, and I constantly prepared for the worst. To be more specific, I was an insecure child, even paranoid. However, my living area was safe.

I would not walk straight back home if someone were with me when leaving the elevator (in security, this is called piggybacking). Likewise, I would not open the door if someone could not prove their identity. (This is authentication in the old fashion.)

Later I found out it was very relevant to what I need in my job. So, I thanked my mum for that. But she and I did not know it would go that far. Thinking differently makes a considerable difference from the beginning and in my career.

In a security professional’s daily life, our primary goal is not to make sure everything is running as expected but to minimize or mitigate the unexpected or unknown. When everything is considered and handled, IT should be happy and business as usual — Nothing happens.

Being a great security professional is not just about how excellent your technical skills are. It would be best if you were particular about the choices or suggestions based on the different contextual information you had.

To know more about what a Security Mindset entails, please refer to my previous article.

https://vocal.media/stories/the-one-thing-that-makes-a-great-cybersecurity-professional

Extra: Shortcut for a CISSP

As I did not have any working experience in the field, passing the CISSP exam does not immediately certify the profession. I was only called “The Associate of (ISC)².” According to the requirements of CISSP:

A candidate who doesn’t have the required experience to become a CISSP may become an Associate of (ISC)² by successfully passing the CISSP examination. The Associate of (ISC)² will then have six years to earn the five years required experience.

But I got certified with only four years of experience. If you prepare for the examinations like me, by studying the rules before examining the contents, you will find the following waivers:

  • Based on educational qualifications, the candidate can get a waiver of a maximum of one year of work experience as a full-time direct security professional.
  • A one-year professional experience waiver is also applicable if the candidate possesses an additional (ISC)² credential from the approved list.

I planned my study for the Master's Degree and Security+ examination. These two fit in the waivers and helped me to get my CISSP two years earlier.

Final Words

Once in a while, I come across different kinds of candidates in the job interview. I look for people who are dedicated to the field. Most often, it is the one who does not have an IT degree. Why?

People who overcome their difficulties and show me their passion are the ones who truly want the job. I would rather teach them than an experienced IT guy who does not think like an insecure child.

If you are interested in an InfoSec career, I dare you not to be afraid if you do not have any experience. Instead, be prepared, like any other job, to let people know you are open to the challenge. As a Chinese saying goes, “You need to show your back to the public if you want people to give you a push.”

Below are the areas you can begin with:

  • Get the proof of your interest in the field (overcome a challenge like further training, exam, or a lot of reading)
  • Learn the InfoSec’s common language (focus on the what and the overall concepts)
  • Tune yourself into a security mindset (it is the most important)

Thank you for reading—happy reading and getting into Cybersecurity (if you are inspired).


About the Creator

Z3n Ch4n

Interested in Infosec & Biohacking. Security Consultant. Love reading and running.

hackernoon.com/u/z3nch4n
