Have you ever stopped to think about where your information is being stored and/or what is protecting that information from being accessed by unauthorized users? If the answer to that question for you is “no,” you are not alone.
Have you ever thought like a “hacker” and considered how you would go about obtaining someone’s information if you had the opportunity to do so? Would you target their mobile device or their laptop or their email account? Do you think Linux, Microsoft Windows or Mac OS X are all equally vulnerable or that one of them has more weaknesses than another?
These are only some of the questions a cybersecurity professional ponders every day, albeit usually from a different perspective. As a cybersecurity professional, it is your job to think about these questions and determine solutions that will help protect someone’s information when it is stored in a network or on a system under your domain of responsibility.
When I started my career early on as an IT professional, some of the largest concerns that we had around security were about how someone might disrupt business with some silly antics or deface the organization’s public image by altering the website. In 2023, cyberthreats have evolved to the level of organized cybercrime and cyber warfare. In our ever-increasingly connected global economy with mobile data access, the challenge for cybersecurity professionals is to stay in front of the “bad guy” and think strategically and offensively to protect the organization’s assets.
In traditional societies, internal protection has always come in the form of law enforcement. If you are speeding through traffic, you get a ticket. If you rob a bank, you go to jail. Societies have always historically protected themselves externally through military force and political negotiations and agreements. However, in the cyber world there are no physical territories or borders to be concerned with. You can be sitting on a computer in Malaysia and breach a computer in the U.S. in a matter of seconds if there is a vulnerability that can be exploited.
The industry currently has a shortage of cybersecurity professionals to the point that we are in a crisis. In 2022, there were 755,743 cybersecurity job openings, with a national fulfillment average set at 68 percent, meaning there were only enough cybersecurity workers in the United States to fill 68 percent of the cybersecurity jobs that employers needed filled. At the same time, global cybercrime is expected to increase to $10.5 trillion by 2025.
Cybersecurity is currently a zero-unemployment industry. The profession could bring many years of stable and lucrative employment to the cybersecurity professional. So, why is it that it is so difficult to get people interested in this industry? Is it because people are unaware that these opportunities exist? Do we have to do better to educate the public about the need for cybersecurity skills and a trained cybersecurity workforce? What do you think?
For me, I cannot imagine why someone would not want to do what I do in a day. Don’t get me wrong, as with any job in any profession, there are moments of doing things I don’t enjoy, but for the most part, I love what I get to do every day. I started my career in information technology in the 90s working for the U.S. military and then went into the financial services sector and back again to the military as a defense contractor until I went on a sabbatical in 2006.
As a woman in information technology and now in the cybersecurity sector of the profession, I am acutely aware of the statistics around women in the industry. Women comprise 25 percent of the information technology industry workforce and only about 14 percent of the cybersecurity workforce (estimates vary). On my current team, women represent 15 percent of our group.
When I went on sabbatical in 2006, I was also acutely aware of the fact that most women leave IT jobs in their 30s never to return. In 2004, as a result of a military training program, I had earned my ISC2 Certified Information Systems Security Professional (CISSP). My interest in cybersecurity had already been piqued as part of my responsibilities as a system engineer and the things I was beginning to see happen in the cyber world. To make a long story short, it would be another nine years before I would find my way back to the profession in 2015. I was laid off from a position that I had taken in an interim job and I have not looked back ever since.
I graduated with my MSIT in Information Assurance in June 2019. During these last few years, I have also gotten to work on some state-of-the-art projects and battled threat actors from nation-state hacker groups, touching almost every aspect of the industry. I am very thankful. I also earned two new GIAC certifications through the SANS Institute, GIAC Security Essentials (GSEC) and GIAC Certified Incident Handler (GCIH), while continuing to maintain my ISC2 CISSP for the last 15 years.
I am sharing my personal journey because I encourage anyone interested in this profession to explore the possibilities it has to offer. There is a wide range of opportunities to utilize these skills in the industry. From policy writing to risk assessment, penetration testing to digital forensics and cyber defense, there are so many possibilities and too few interested candidates.
Editor's Note: This article was originally published in May 2019 and has been updated for accuracy.