How to Transition from General IT to Cybersecurity

Author: ISACA Now
Date Published: 11 October 2022

Over the past two-plus years, work from home and hybrid job positions have shaken the modern working world. As much of the workforce moved online and relied more heavily on the internet to handle personal and private data, cybersecurity took an important step into the spotlight—not only in terms of companies’ shifting strategies, but also related to the broader cybersecurity threat landscape and challenges related to the persistent skills gap.

With this new spotlight on cybersecurity and a changing working world, people increasingly wondered how to change careers to cybersecurity, especially when they already had experience working in adjacent IT fields. If you are looking to transition to cybersecurity in your career, here are some helpful tips and insights to keep in mind throughout the process.

How to Transition into Cybersecurity
It is more common for people to change jobs and careers than ever before. Whereas many employees used to work at the same company for years, slowly working their way up through promotions, today’s workforce is more inclined to shift to new companies or into different industries. The COVID-19 pandemic has proven to be a catalyst in changing the way people work and view their jobs, with more and more organizations expanding to remote or hybrid positions. Living through such unpredictable times reinforces that no job is guaranteed to be secure, so it is critical to be able to adapt and learn.

The cybersecurity field presents tremendous opportunity for those looking to change careers. According to ISACA’s State of Cybersecurity 2022 survey report, when asked if their organizations had unfilled (open) cybersecurity positions, 63 percent of respondents answered “yes.” Looking at the next year, 82 percent of respondents believe that demand for technical cybersecurity positions will increase, and 51 percent believe the same of nontechnical positions. These numbers indicate just how much opportunity there is and will continue to be for those who are looking to transition to cybersecurity.

Are you interested in a transition to cybersecurity? Here are the five next best steps you can take:

  1. Educate yourself. People often ask, “How do I change my career to cybersecurity with no experience?” or “Can I get into cybersecurity without IT experience?” It is critical that employers can distinguish you from your peers. Employers certainly prefer job candidates with experience; however, degrees and certifications also demonstrate your understanding of relevant topics and can set you apart from other applicants. Nearly 9 in 10 (88 percent) of respondents to ISACA’s survey reported that a cybersecurity candidate’s credentials are somewhat or very important in determining if they are qualified.

    How quickly can you learn cybersecurity? It depends on your path—degrees typically take two to four years, depending on the level of education and focus of the subject matter. Certifications are less of a time commitment, but be sure to pick the one that is right for your background and level of experience. For example, ISACA’s Cybersecurity Fundamentals Certificate is designed for entry-level professionals, but the CISM and CSX-P certifications are meant for more seasoned practitioners.

    Naomi Buckwalter, director of product security at Contrast Security, encourages people to not rush through the steps. “I’d caution anyone interested in cybersecurity to NOT rush the learning. There is SO MUCH to learn, and you’d be doing yourself a disservice if you rushed it. Learn about things like proper asset management, configuration management, data security, and change management. These are the ‘fundamentals’ of every good information security program.”
  2. Leverage your IT experience. If you work in IT, you likely already possess many of the skills needed to be successful in cybersecurity professions. Your experience is already adjacent to the cybersecurity field, so you have an edge over the competition in the eyes of employers. Understanding networking, database management, industry terminology, communication, coding and problem solving are just a few examples of valuable, transferable skills. Seventy-three percent of respondents in ISACA’s survey reported prior hands-on cybersecurity experience as a very important factor in determining if a candidate is qualified.

    “The thing is, almost everyone has SOME experience in cybersecurity, you just have to know where to look. It might not be full-time work experience, but you’ve done things to help the security posture at your company, trust me,” says Buckwalter. “Have you enabled 2FA? Do you report phishing emails? Do you follow security guidelines and recommendations? Do you comply with data privacy laws? All of these things can be considered ‘experience’ in cybersecurity, and these are things you should mention on your resume and in interviews.”
  3. Join adjacent roles. Even if you are not part of the security or privacy department of your organization, you still contribute to the strength of its cybersecurity. Make sure you are staying up to date on best practices for not only your role, but also your peers’ roles and responsibilities. Cybersecurity requires an all-hands-on-deck approach to be successful.

    “One of my favorite ways to transition into cybersecurity is to ‘do security’ in your current role,” says Buckwalter. “Be an advocate for good security on your team. Be a champion for the security team. Ask how you can help them with their security initiatives. Ask to take on junior-level tasks that they might not have time for. Get on their radar. Who knows? They might just open a junior-level role on their team for you.”
  4. Find your niche. Cybersecurity is a large industry with dozens of branches, specializations and job roles, which means there are many opportunities for you to find your best fit. There are also numerous certification programs that allow you to hone your skills in whatever interests you the most.

    Here are eight specializations in cybersecurity to consider:
    • Architecture and policy
    • Data loss prevention
    • Governance, risk and compliance
    • Identity and access management
    • Incident response and forensic analysis
    • Penetration testing
    • DevSecOps
    • Secure software development
  5. Stay sharp. In this age of constant and rapid digital transformation, it is important to keep up to date with the newest resources, skills and technology. Certifications, industry webinars, conferences, newsletters, podcasts and cybersecurity coverage in industry media are excellent, often cost-effective resources to help keep you abreast of the latest trends. Utilizing those skills with practical, hands-on applications will give you a competitive edge over your peers who are out of practice. Having the knowledge is one half of the equation, but being able to apply it to the current threat landscape is the other. You would not want to be stuck using a rotary phone when the rest of the world has upgraded to smartphones, and you would not want to be stuck using outdated technology or strategies when the world has upgraded to something more advantageous.

    Working in an unrelated field does not necessarily mean you will fall behind, either—there is an abundance of resources available for you to access online.

    “You can pick up this experience on your own outside of work by volunteering, building a home lab, and doing IT projects on the side,” says Buckwalter. “Do something that interests you! Build something, integrate something, teach something. There are so many possibilities.”