Cybersecurity careers are a hot topic right now. According to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. But the folks who have been here a long time understand that a shortage of workers does not necessarily translate into a shortage of talent.
People often say, “Well, I didn’t take the typical path to InfoSec.” But for anyone who has worked in this industry for any length of time, it’s clear there is no “typical path.”
I recently carried out a small-scale study of an Incident Response (IR) team. All the participants had more than five years of experience. Some folks had no degrees, while others possessed doctorates. Others were still working on their bachelor’s degrees. When they joined, several of the IR team members had no certifications. They later acquired those marks of technical distinction through their jobs.
That’s a lot of different arrows pointing in different directions. I’m sure it’s enough to leave newcomers bewildered and wondering where they should start.
As you plot your path in InfoSec, remember that many of the most talented people had no degrees - or non-traditional degrees - when they started down the InfoSec path. I actually started in technology with a degree in Political Science. Whatever credentials people have acquired over the years took time. They, too, often started from scratch.
Telling Traits
What’s more, credentials and formal education or training don’t present the full picture of a person’s abilities. They are just snapshots in time. Still, there are some commonalities. While there may not be a single, best pathway to a career in InfoSec, there are typical traits that I’ve observed make someone ideally suited. Here are some of the important skills and traits that I’ve found indicate whether someone would be a great fit for InfoSec.
The entire domain exists because of integrity and trust. This becomes something you need to be willing to grant. It’s also something you need to recognize that you have been granted.
Do you want to make a difference and secure the world? Cybersecurity is a mission-oriented field. Those who have been here for any length of time are still here because they believe it’s a mission that matters.
Do you enjoy an environment of constant learning? Security technology changes constantly. Solutions that exist today will not necessarily be the solutions that apply tomorrow. That means you need to be aware and willing to learn new things. You also need to be OK with the fact that you often may not be the smartest person in the room.
Networking and communication may be the most important skills of all. Cybersecurity is a challenging career. But despite its technical nature, communication is generally what leads to success. You need to communicate with empathy and understanding and see things from various vantage points. Also, you need to be able to remain close to trusted sources.
Rules of the Road
But unlike grading someone’s ability to code, it’s hard for prospective employers to quantify these traits. This is where you can help yourselves by considering the following simple rules of the road:
Check your online presence and profile. Be sure they reflect integrity and trust - not only in your own profile, but also for those connected to you. Don’t tag people without permission. Be respectful of privacy boundaries for everyone that you are connected to. The world is more connected than you can imagine, and every interaction matters!
Think about an answer in case someone asks what makes you interested in this field, and what will keep you interested ten years from today. Show that you have considered that what you know today may need to change in the future. It matters.
Build a referenceable body of work. This could consist of blogs, participation in the community, and online exercises. These items will help demonstrate your passion as well as a continued investment in your own learning.
Be prepared to talk about how you like to learn about new things. An interviewer may ask you to walk them through a security event you were involved in. Be sure to tell me about a lab you may have set up, even if it’s just two virtual machines on your home network.
Be able to identify your trusted resources for information about technology and security. I always tell people that I don’t expect them to know everything, but I do expect them to know what resources are available to find the right answer. You should be able to say, ‘I don’t know the answer, but I know where to find it.’ And then find it.
Who you receive communications from and whether you have insight into trusted sources is important.
I expect red team members to be able to look at things and communicate to the blue team through the eyes of the opposing team member. I expect blue team members to be able to look at something and know if it is attractive to the red team people. Security people need to be able to assess and communicate risk not only from the “is this a zero day” or “is this the hot worm right now” perspective, but also from a “does it matter to your business” perspective.
Formal courses can teach you technical skills. But your chances to thrive in this domain will hinge on having traits that cannot be taught. Those include passion, a problem-solving mindset, and the ability to build on the human side of security. In the end, those will drive the success of the greater mission of securing the world.








