Ben's Book of the Month: Review of "Navigating the Cybersecurity Career Path"

Posted by Ben Rothke

Ask anyone who works in information security, and they can tell you that they get many emails and calls from people interested in getting into the field. Drive down the freeway in Los Angeles or walk through an airport terminal or subway station in New York City, and there will be signs about information security courses. Many of them proclaim how you can start your cybersecurity career in just six months.


But those looking to get into the cybersecurity field need far more information than they will get from a phone call with a cybersecurity professional. In Navigating the Cybersecurity Career Path (Wiley), author Helen Patton has written a go-to guide that fills two needs: it helps the technology novice looking to get into cybersecurity, and it helps the established information technology professional looking to move into cybersecurity from an adjacent role.


The challenge of cybersecurity is that, unlike professions such as accounting, law, or medicine, it has no professional requirement of college degrees, defined skills, or licensing. Cybersecurity as a profession is relatively young, unlike medicine, whose lineage runs back almost 2,500 years to Hippocrates.


There are no generally accepted principles to learn and follow when it comes to cybersecurity guidance, and there is no specific security code of conduct. As to generally accepted security principles, I was part of the ISSA Generally Accepted Information Security Principles (GAISP) project some years ago, meant to create a GAAP-equivalent. But as a purely voluntary effort, it never was able to gain traction and forever languished.


There is an excessive amount of hype coming from many different directions regarding cybersecurity. The media hypes up many of the problems and spreads the incorrect notion that millions upon millions of cybersecurity jobs are sitting open. As to that exaggeration, see what I wrote in The Fallacy Of The Information Security Skill Shortage.


So how does one start down the path into cybersecurity? Try this book. Here, Patton has written a highly practical guide to navigating a path that can often be quite difficult.


An important point the book makes early on is that there are very few truly entry-level jobs in cybersecurity. And most entry-level roles tend to be quite specific, focused on one part of the profession; they are not generalist roles. For example, hiring managers will want a network security engineer with knowledge of networks, or an identity management analyst with experience in identity systems. They are not looking for someone who is merely interested in security.


In fact, security roles are often not considered entry-level at all. Hiring managers assume you have some other background, usually technical, before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Job seekers soon learn that entry-level often means at least two to three years of work experience in a related field. That should be a wake-up call for those who think they can earn a security certificate and expect the industry to welcome them with open arms and a six-figure salary.


Selecting a career is one of the most consequential choices a person can make. This is an excellent book that should be on the shelf of anyone considering a role in cybersecurity. In fact, I have it as one of the best information security books of 2021.


In Navigating the Cybersecurity Career Path, Helen Patton has written a book that can help people evaluate whether a job in security is right for them, and if so, how to succeed and prosper in it. For your own benefit, please don't start your career in security without first reading this book.

Ben Rothke

Senior Information Security Manager, Tapad


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
