A closer look at The Ultimate Cybersecurity Careers Guide
In this Help Net Security interview, Kim Crawley, cybersecurity expert and Professor at the Open Institute of Technology, discusses her latest book, The Ultimate Cybersecurity Careers Guide. She shares insights on how aspiring professionals can break into the field and explores the importance of continuous learning.
What makes this guide different from other available cybersecurity career resources?
That’s an excellent question. The vast majority of books on cybersecurity certifications are guides to one particular certification or another. There’s honestly a lot of good advice on the internet about the matters I cover in my book, such as how to find work as a pentester or which certifications are better known to employers.
There are a handful of great cybersecurity career advice YouTubers, subreddits, social media accounts, and so on. But it’s very difficult to find all kinds of cybersecurity career advice in a single resource. My objective with The Ultimate Cybersecurity Careers Guide is for people to have a “commonplace book” of cybersecurity career tips.
I spent quite a bit of time working for Hack The Box, which helps people get pentesting work. I teach enterprise cybersecurity at the Open Institute of Technology, where all of my students are either looking to get their first cybersecurity job, or they’re transitioning from one role to other roles. For instance, one of my students from last semester is a SOC analyst, but he’s considering cybersecurity roles outside of the SOC. Plus I had my challenging path into the industry, starting from when I was desktop tech support in 2007. My advice is filtered through my experiences and the experiences of my peers, colleagues, and students. That in and of itself makes my book unique.
Can you walk us through the structure of the book? How did you decide what to include?
Most of the chapters are on one particular certification organization or another. Each of the big vendor neutrals (e.g., CompTIA, ISC2, etc.) has a chapter, and each of the big vendor specifics (e.g., Microsoft, AWS, etc.) has a chapter too. Some certification organizations’ certifications aren’t so well known to most hiring managers yet, but the certifications are very good for proving someone’s knowledge, and the organization’s certifications will probably be better known in the immediate future.
I really didn’t want the book to be completely about certifications. Obviously, there are major shortcomings to employers taking certs too seriously. People are gatekept from certs that are expensive to acquire, or certs that require a lot of industry experience no matter how much you know, such as the CISSP. Plus even getting the certs that hiring managers love the most for each type of role is far, far from a guarantee of employment. The job market is messed up; we’re far from the boomer era where qualified people were pretty sure to get good jobs.
There is advice about how to socially network one’s way to employment. Unfortunately, the large majority of resumes and applications sent to job postings get sent to a black hole, even if you’ve got a very AI-scanning-friendly resume with amazing experience and credentials. Many, perhaps most, job postings are for “ghost jobs” these days. Those are jobs that don’t exist; employers put up those job postings to make their employees feel insecure or to make their company look more successful than it actually is.
In the 2020s and beyond, people are much, much more likely to get employed by having a well-known reputation online and from knowing someone. Every single job and client I’ve gotten in the past decade or so has been from knowing someone, or from my books being well known. I too have seen hundreds and hundreds of my job applications go nowhere, so I quit applying to job postings. I cowrote one of the top-selling books on pentesting on Amazon, The Pentester Blueprint, and still my applications for entry-level pentester jobs went nowhere. And yet, I have pentesting engagements coming up this spring. I got that work purely from knowing people.
Informed by all of that experience, there’s a chapter about online communities where people are likely to meet someone who knows someone who can get them a job. I name specific communities. I also cover some of the best college programs, and things like CTF games and bug bounty programs. It’s near impossible to make a living as a bug bounty hunter. But if, for example, someone gets an $800 bug bounty reward here or there, that can lead to application security and application pentesting jobs that do provide a full-time income.
There are so many ways to get your name out there and meet people connected to employers online without even needing to leave home. It was super important for me to write that chapter, because an employer may make a decision about whether or not to hire you based on your certs. But your certs won’t get you the interview; knowing people and doing things will.
What was the most challenging part of writing this book?
I must be completely honest. There’s no way humanly possible that one person can have more than a dozen certs. Even acquiring a few can be very expensive and a lot of work. I personally have had CompTIA A+, Network+, Security+, and ISC2 CISSP, but that’s it. So the majority of the certs mentioned in my book are ones I don’t have and will likely never have.
I had to do a ton of research and talk with a lot of people in the cybersecurity community to offer tips and resources related to all the certs I’ve never had. One particular org, GIAC, offers more than forty different certs at any given time. GIAC certs are retired and grandfathered relatively frequently, and they launch new certs every so often. GIAC and the SANS Institute they’re connected to are very highly respected in the industry. But if having a huge amount of cybersecurity certs isn’t enough of a hurdle, the certs are also connected to SANS courses that cost over $8000 per person each. SANS and GIAC expect you to have an employer who will pay for it for you. How could I cover all of the currently offered GIAC certs in a single chapter? I did find a way to do it though. But I remember all of the time I spent researching GIAC certs and writing about them felt very tedious and monotonous.
Fortunately, one particular organization made covering their certs a lot easier for me. AKYLADE found out about my book while I was working on it, and they gave me inside access to training material for their A/CCRF cert. Their CEO Alyson Laderman spent hours answering my questions. Because AKYLADE went out of their way to help me cover their certs accurately, I was able to share more information with my readers.
AKYLADE are a new certification organization with a fresh perspective. They’re filling voids in the certification market, offering certs that cover matters like the NIST Cybersecurity Framework, and the NIST Artificial Intelligence Risk Management Framework in depth. They even have certs coming soon that focus on C++, VR development, and Nmap. Most of the knowledge covered by their certs isn’t covered very much by certs from other organizations, so I was happy to share that with my readers.
Were there any cybersecurity career myths or misconceptions you aimed to debunk?
There’s a chapter in my book all about ISC2. The most famous cybersecurity cert, the CISSP, is the crown jewel in their catalogue. I studied for it in 2023 and passed my exam on my first try. I had to spend my own money on study books and writing the exam. And frankly I spent all of that effort and money because employers are so obsessed with CISSPs. Unfortunately, hiring managers have an awful habit of requesting CISSPs for entry level or near entry level jobs. And they request CISSPs for roles in which the CISSP isn’t directly relevant, such as pentesting or secure application testing.
The CISSP curriculum explains a bit about what those roles entail, but only what someone who works in security operations or as a security analyst needs to know about them. Employers should only ask for CISSPs for roles that require a lot of previous industry experience, in SecOps, security architecture, or security leadership. In fact I would go further and recommend employers consider people who don’t have CISSPs for senior SecOps jobs and the like, as long as they can demonstrate the knowledge and experience in other ways. I have a love-hate relationship with the CISSP, and I make that clear in the ISC2 chapter.
I also wrote a lot of words in my book about how people should consider the wide range of cybersecurity roles. In my experience, most people who are looking to enter the cybersecurity field want to be pentesters. Like, more than half. I cowrote The Pentester Blueprint, I wrote a detailed manual on cloud “pentesting” (actually, it’s vuln scanning), I worked for Hack The Box, I did a SANS talk on pentesting reports. One might assume that I’d love how most newbies want to be pentesters. But as important as pentesting can be, it would be a disaster if the majority of cybersecurity work was pentesting.
Not only are enterprises with low security maturity not ready to be pentested, but also who is going to implement a pentester’s vulnerability findings in a world with very few defensive security practitioners? Contrary to the work I’m known for, I’m more of a cybersecurity generalist in knowledge than a pentesting specialist. I made it clear in my book that people should only pursue pentesting careers if they understand the reality of pentesting (it’s a lot of tedious work with limited scopes, they don’t get to be Hollywood hackers) and it’s what appeals to them more than other cybersecurity roles.
Choosing pentesting over being a security engineer, for instance, is a bad idea if you’re doing it because you think pentesting is what will give you the most pay or job security. In my ideal world, 5% of the cybersecurity labor force would be pentesters. That’s even considering how some people specialize in pentesting applications, some people specialize in physical security, and so on.
Who is the primary audience for this book: students, career changers, professionals looking to advance?
People of all ages and genders who have yet to land their first cybersecurity job were my primary target for the book. They may have professional experience in other areas of IT, but no cybersecurity specific jobs yet. People who have experience in one kind of cybersecurity role but want to work in a different area of cybersecurity may also benefit from the book. I explain most of the common cybersecurity roles in detail, the upsides and downsides of each of them, which certs may be relevant, and how to network to get those jobs.
To be honest, when people have more advanced cybersecurity work experience, it gets more challenging for me to offer them advice. I had a Zoom meeting with one of my Kickstarter backers. He’s a really great guy and he works as a CISO now. CISO roles are the top of the cybersecurity job hierarchy most of the time. How the heck could I help him? Well, he wanted to be able to share his knowledge with companies while having the flexibility to move to different countries if he needed to. I directed him to people who have found success starting their own businesses as vCISOs or as third party GRC consultants. Thank goodness I’m friends with so many people in so many roles in our industry, otherwise I wouldn’t be familiar with how people have found success as a vCISO.
What’s one key takeaway you hope readers gain from this book?
The world is getting increasingly hostile and unpredictable. Silicon Valley types are eager to replace all human creative and thinking labor with GenAI. GenAI at a larger scale is completely unsustainable to the planet, and to ordinary humans in a world where people need employment income to survive. Plus GenAI isn’t intelligent at all. For instance, most GenAI-driven search engine outputs are dangerously wrong. Meanwhile, China is investing in people, human skills and human capabilities. They have Manus AI and various other projects. But they consume a lot less electricity, and they know GenAI cannot and should not replace human thinking and ingenuity. Tech executives in the west who are obsessed with GenAI are going to fall flat on their face very soon.
Giants like Microsoft and Apple don’t want any press releases that are pessimistic about GenAI. But quietly, in the background, Microsoft has cancelled building additional datacenters for the purposes of running Copilot and their other LLM stuff. And Apple knows the most recent iPhones underperformed commercially partly because consumers are correctly wary of Apple Intelligence being shoehorned into them. They cancelled their plans to make Siri 100% GenAI driven. OpenAI wouldn’t stay afloat without governments printing huge amounts of money and throwing it at them.
The tech giants know those of us who are too sensible to succumb to NFTs won’t willingly pay for GenAI in our applications. We have to spend many hours digging through deliberately esoteric application settings to disable GenAI. GenAI is being forced on us. If GenAI were so wonderful, we would choose to have it willingly.
So, don’t give up. Jobs are tough to find now largely because of this GenAI nonsense, but GenAI mania will inevitably crumble very soon. When employers in the west are forced to learn that they really do need to pay human beings to use their human brains, the job market will be less hellish. I know very well that things like security monitoring in the SOC are impossible for humans to do on our own without the help of automation.
We’ll get back to reality, where human beings need to be in charge of the operation of computer technology and we’re augmented by some automation, rather than replaced by GenAI. While my readers work on becoming employable humans, I urge you to bypass GenAI in search engines, do your own thinking, and come up with your own ideas when you’re doing any sort of creative or cognitive work. A whole generation of kids think ChatGPT is a search engine, and the thinking and research skills they’re losing will put them at a grave disadvantage.