The inexorable pace of the digital revolution brings with it the spectre of increasingly sophisticated cybercrime and cyber terrorism. This threat should not be underestimated, as our reliance on computers and the internet becomes more fundamental to our everyday lives and to the global economy. The public and private sectors are both vulnerable, as are the individuals who rely on them.
With this in mind, applying for your first cyber security job can be a daunting prospect. There is a lot going for you, though: with a worsening recruitment crisis in the sector, the global marketplace has never been so desperate for experts in IT security.
In this resource for postgraduates and potential candidates, we’re going to break down the state of the cyber security industry in the UK, the experience, skills and qualifications that can help you succeed and make a difference, and what you can expect in terms of salary.
In the UK, recent reports from the Office for National Statistics show business cybercrime is up by 63%, accounting for 4.7 million incidents of fraud and computer misuse in 2017. While the numbers fell for fraud incidents—3.6 million in 2016 to 3.2 million in 2017—56% of these were cyber-related.
Computer misuse, on the other hand, increased by 145%, attributed mainly to ransomware and Trojans, as seen in the high-profile WannaCry attacks in early 2017.
As organisations, both large and small, become increasingly vulnerable to sophisticated cyber attacks, IT security experts stand at the forefront in the battle to keep company and consumer information safe. When the scale of the threat begins to outgrow the number of professionals who can handle it, we have an altogether more significant problem.
A 2015 study by analyst firm Frost & Sullivan for (ISC)² predicts that there will be a 1.5 million shortfall of information security professionals by 2020. This is despite the fact that this industry pays more, has an increased budget, and has a higher job satisfaction rate.
A more recent study by ISACA in 2017 puts this figure as high as 2 million as early as 2019, with 37% of employers stating that candidates are underqualified. With the industry’s global spend expected to increase to £72.69 billion ($101.6 billion) by 2020 (a 38% growth from 2016), investment has not only become a major priority but is growing rapidly.
This recruitment gap in IT security is a product of many compounding factors and shortcomings. These include:
In the UK, the government and the private sector are working together in light of the global shortage of cyber security professionals.
While 30% of enterprises in Europe fail to fill their cyber security positions (behind both America at 27% and Asia at 22%), the UK cyber security workforce has nonetheless increased by 163% in the last five years. Of this growing workforce, half are in the digital industries, with another 20% in banking and 12% in the public sector.
Additionally, while 61% of job vacancies last year were situated in and around London, other areas of the country are also seeing an increase in the number of cyber security roles, with Wales and the East Midlands recording the highest growth in the past five years.
Around three-quarters of all job positions available revolve around security consultants, security engineers, security analysts, security architects, and security managers (see Image 2).
At the time of writing, the impact of Brexit on the UK’s ability to recruit cyber security talent from abroad is as yet unclear, due to continuing uncertainty around the nature of any deal. The impact of Brexit could also go beyond recruitment, with uncertainty on the UK’s future relationship with Europol and how information on cyber criminals is shared across borders.
The global and local recruitment crisis will continue to put huge pressure on the demand for cyber security professionals entering the industry. Many employers will already be thinking about where the next generation of cyber security professionals will be coming from.
As a postgraduate looking to get into cyber security, you will need to have a relevant degree. As well as BSc courses like IT security, computer science and network engineering, many STEM subjects (science, technology, engineering, maths) will also have transferable skills that can act as a springboard into the industry.
The traditional route for many is through IT, but as a postgraduate, knowing early on that you want to branch into IT security can play to your advantage as you can focus on getting the right experience and skills early on.
Before you go into battle, here are a few key areas that you will want to think about:
Your success in this field requires you to be a well-rounded individual. Many cyber security roles require very strong communication and managerial skills. As such, your technical skill set should go hand in hand with soft skills and an aptitude for the role. The latter will also help you function better with your team and eventually rise up the ladder.
Cyber security qualifications and courses will certainly give your career a boost in the right direction, but remember that you also need that all-important experience to demonstrate that you can actually perform all the tasks your role requires.
Down the line, you can choose to specialise in any given field, such as forensic investigation, military cyber security, software development, or security consulting, all of which require years of experience, an updated knowledge base, and a proven track record.
Preparing your CV is crucial, especially for entry-level positions, as that two-page document can either open or close the gateway to the company you’re aiming for. To make your CV stand out, include the following:
Interview processes differ for each company. Typically, however, you will be interviewed two to three times, after your CV is shortlisted. To make sure you maximise your chances at the interview stage, keep in mind the following:
A 2018 survey by recruitment firm Robert Walters shows that salaries for cyber security roles in the UK are going to increase 7% this year, one of the highest rises in the IT sector. This growth is largely attributed to the increasing number of cyberattacks, especially last year.
Entry-level positions include cryptographer, penetration tester, secure code auditor, security analyst, and security engineer. Refer to Image 3 to find out how much various cyber security positions earn per annum in the UK; Image 4 shows the per-day rate, which will tend to apply to contractors. All figures are based on 2018 data.
A 2018 study by Capgemini shows that although the UK has the world’s third largest cyber security talent pool, the country also has a huge skills gap: while 7 in 10 businesses need cyber security skills, only 4 in 10 have these talents in-house.
In light of the recent high-profile cyberattacks, the upcoming implementation of the GDPR, and stronger data protection laws, organisations are in even more need of cyber security specialists. From operations to finances to brand reputation, the consequences of cyberattacks are all potentially devastating for a business.
Business sectors that have the highest proportions of cyber security experts include insurance, banking, consumer products, automotive, telecom, retail, and utilities (see Image 5). However, the National Cyber Security Centre (NCSC) believes that there needs to be collaboration among the government, various industries, and academia to address the cyber security threat and recruitment gap in the country.
Accomplishing this means there will be more demand for security specialists in SMEs, as well as government departments (e.g. health, local government, national infrastructure).
Cyber security is a multidisciplinary field that requires constant learning and re-learning to adapt to cutting-edge technologies, authentication strategies, and solutions to newer threats.
By continuously training, applying for the right qualifications and courses, and keeping a learning mindset, you will stay ahead of the curve and be an even bigger asset to your company and the industry as a whole.
Cyber security covers a wide range of skills and job positions, with each role requiring specific skill sets that aspiring specialists should have.
This industry also tends to change as fast as technology develops. That means you would have to, at some point in your career, take new courses to update your knowledge base.
While technical skills should definitely be your starting point, you should also work on taking management courses, since moving up the ladder is often the career path for IT security roles. As you gain more experience, you can then choose to specialise in various fields like digital forensics or ethical hacking.
The great news is that good employers also help fund these courses, but may require a few years of working for the company.
On top of relevant degrees (e.g. IT, computer science, network engineering, etc.) and/or apprenticeships, you should also consider taking these industry-standard courses and earning certifications to boost your qualifications:
Description and Course Structure: Accredited by the British Computer Society, this certificate is a great jump-off point for your cyber security career.
The course covers the foundation of information security, including risk management, legal frameworks, vulnerabilities in social media, ISO 27001 (security standards), cloud security, and business continuity.
If you pass the exam, this qualification is recognised by employers all over the UK.
Cost: £1,595 for the five-day course (may change depending on accredited partner); online test via Pearson is £174.
Experience Needed: None, but prior IT knowledge is expected.
Relevant Job Roles: IT professionals who want to venture into security management
Description and Course Structure: The ISACA Certified Information Security Manager (CISM) certification is an internationally recognised qualification aimed at those who want to advance their careers in security management.
To help you pass the test, you can attend a CISM exam preparation course or you can self-study.
Keep in mind that there are only three testing windows per year. In 2018, these are: February 1 to May 24, June 1 to September 23, and October 1 to January 24 (2019). Make sure you schedule your training and exams within those windows.
The preparation course covers the CISM job practice domains, namely Security Governance, Risk Management, Security Program Development and Management, and Security Incident Management. These domains are also the topics of the exam.
Time: Duration of prep course varies, depending on accredited training partners. The 200-question, multiple-choice test is limited to 4 hours.
Experience Needed: The preparation course does not need any prior experience other than a basic understanding of CISM roles.
However, to qualify for the test, you need to have a minimum of five years in security work, with a minimum of three years in security management. This work experience should be gained within the 5 years after passing the exam, or within the 10 years prior to the exam application.
Additionally, to maintain your CISM certification, you need to follow ISACA’s Code of Ethics, complete 20 hours of CPE, and sustain adequate knowledge in the field.
Relevant Job Roles: IT professionals who want to specialise in Security Governance, Risk Management, Security Program Development and Management, and Security Incident Management
Description and Course Structure: If you want to advance your career as a senior manager in the field, the (ISC)² Certified Information Systems Security Professional (CISSP) certification will help you do so.
Being CISSP certified means you have the necessary skill set to engineer and run an information security program, proving that you are worthy to be high up the ladder.
The topics you need to study include security risk and management, asset security, security operations, security engineering, and software development security, among others. An app is also available to help you review for the test.
Time: You have three options: self-study, attend programmes by accredited partners, or attend the (ISC)² training seminars. The duration of your study depends on which option you choose. The exam, on the other hand, is six hours long with a mixture of multiple choice and advanced questions.
Cost: Course prices vary. Exam costs £560.
Experience Needed: Five years of security work experience. There are, however, exceptions depending on your educational background and current credentials.
Relevant Job Roles: Senior management roles in information security, IT governance, and audit
Description and Course Structure: Designed and accredited by the EC Council, being a Certified Ethical Hacker (CEH) means you can think like a malicious one—look for the vulnerabilities of a system and find out how to exploit it. However, instead of attacking it, you’ll come up with ways to defend the system.
The CEH is an industry-recognised qualification for penetration testers and ethical hackers. The EC Council training covers topics on ethical hacking, basic system security, pen testing, and internet security.
Time: You can register for accredited classes near your location. You can also opt for EC Council’s own training course (choose whichever of their options fits your needs). The duration of the multiple-choice exam is 4 hours, delivered either by the ECC or any Pearson VUE exam centre in the UK.
Cost: If you choose to self-study, EC Council’s courseware costs $850 (£608.87). The exam, whether you self-study or train with partners, costs $950 (£680.50) with a $100 (£71.63) application fee.
Experience Needed: At least 2 years of work experience in the security (or related) field.
Relevant Job Roles: Senior-level role for penetration testing and digital forensics
Description and Course Structure: CompTIA is a worldwide organisation that offers vendor-neutral certifications recognised by employers in over 147 countries.
There are three CompTIA courses that you can start with:
1) CompTIA A+, for IT technical support and operational roles
2) CompTIA Network+, for troubleshooting and managing wired/wireless networks
3) CompTIA Security+, for core security functions
Time: CompTIA A+ has two exams which take 90 minutes each (multiple choice, drag and drop, and performance-based)
CompTIA Network+ exam takes 90 minutes (multiple choice, drag and drop, and performance-based)
CompTIA Security+ exam takes 90 minutes (multiple choice and performance-based)
Relevant Job Roles
Description and Course Structure: A Microsoft Technology Associate (MTA) certification, particularly for Security Fundamentals, means you have an in-depth knowledge of security layers, operating system security, network security, and security software. As Microsoft is a globally recognised company, qualifying as an MTA will open doors for entry-level IT professionals.
Microsoft’s Virtual Academy provides its own training courses to prepare you for an MTA certification. You can take either the Security Fundamentals course or, as a good alternative, the Networking and Security Fundamentals course.
Time: The Security Fundamentals course takes 5 days, while the Networking and Security Fundamentals course takes 3 days.
The MTA Exam 98-367 consists of approximately 30 to 50 questions in a multiple-choice format. However, Microsoft does not publish the exact number, which is subject to change at any time. The test comes with a 50-minute time limit.
Cost: The course costs £87 and you can register with Certiport or Pearson VUE, depending on whether you’re in education or not.
Experience Needed: None, but hands-on experience with Windows Server, Windows-based methodology, Active Directory, and security software/hardware is expected.
Relevant Job Roles: For individuals who want to start their careers in technology and improve their current knowledge
Description and Course Structure: Cisco’s Certified Network Associate (CCNA) Security certification lays the foundation for associate-level competencies, giving your current or future employers the confidence that you can implement threat containment techniques.
Completion of this programme will provide you with the baseline knowledge for deploying, testing, configuring, maintaining, and troubleshooting Cisco security networks.
To prepare you, Cisco provides its own approved training course with a curriculum that covers installation, troubleshooting, and monitoring of network devices to make sure all data and services remain secure.
Afterwards, the CCNA Security Exam (called the 210-260 IINS Exam) will test your knowledge of VPN encryption, content security, security concepts, and firewalls.
Cost: $1,000 (£718.66) for the training. The exam costs $300 (£215.55).
Relevant Job Roles: Network Security Support Engineer, Network Security Specialist, Security Administrator
Description and Course Structure: Provided by Hewlett Packard Enterprise (HPE), the Certificate of Cloud Security Knowledge (CCSK) course provides both theoretical and hands-on training for students to lay the foundation of cloud security issues and their corresponding solutions.
The course includes Cloud Security Alliance (CSA) guidelines, as well as recommendations from the European Network and Information Security Agency. The HPE’s module covers a wide range of cloud security topics, including data security, compliance and audit, Security as a Service, and developing and securing cloud applications, among others.
Your training ultimately prepares you for the CCSK certification exam (published and administered by the CSA), which tells your future employers that you know how to protect their sensitive information when they move it to the cloud. On top of that, the CCSK certification was ranked #1 in the Average Salary Survey in 2016.
Time: 2 days for the virtual training; 90 minutes to answer 60 questions for the CCSK exam.
Cost: HPE’s training costs £1,368 for UK classes, which already includes an exam voucher.
If you choose to self-study and register for the test directly on the CSA website, the exam costs $395 (£283.77). Note that you will receive a PayPal invoice once you sign up for the exam. Upon purchase, you will receive an exam token that will be valid for 2 years from the purchase date.
Experience Needed: None, but basic understanding of security fundamentals is recommended
Relevant Job Roles: All security professionals and those who want to start specialising in cloud security
While there is a growing demand for cyber security experts—the past year alone saw 7,000 available job positions each quarter for cyber security personnel—business owners will continue to have high expectations of their applicants, with the appropriate soft skills and experience expected in candidates as well as qualifications.
It’s therefore important that you do everything to stand out from other applicants and secure the experience you need to get your foot in the door and start climbing the career ladder. Of course, getting experience isn’t always easy as a postgraduate.
Here are a few methods you might want to think about, in order to boost your CV and hiring appeal to future employers.
Apprenticeships combine the advantages of on-the-job training and classroom instruction, both under the close supervision of a trade professional. You will learn the theoretical and practical applications of cyber security with the following benefits:
While apprenticeships give you real-world knowledge, you will need to commit, since these programs can take a few years to finish. If this is your chosen career path, you can start looking for apprenticeships at The National Apprenticeship Service.
If you choose to stay in university or there are no available apprenticeships near you, you can either apply for summer internships or get a work experience placement.
Both would give you hands-on exposure to working in cyber security that you will not get inside a classroom. This helps pad your CV, giving your future employers the confidence that you can handle their tasks as soon as you graduate.
However, unlike apprentice programs, you will most likely not get paid for this (if there is payment involved, it would only cover basic expenses). Work experience and internships are, more often than not, on a short-term basis.
The Cyber Security Challenge is a series of tests designed to evaluate the current level of your cyber security know-how. It involves learning programmes, national competitions, and networking initiatives.
The joint venture is sponsored by the UK Government and some of the biggest companies in the UK, and aims to inspire more people to join the industry. Those who beat the challenge may be offered a job position, based on their aptitude.
The current challenge, similar to a 3D game, is called CyPhinx. You need to enter the virtual skyscraper, solve puzzles, and overcome various challenges. Since forensic, analytical, and digital skills are put to the test, this challenge often attracts those who are interested in cryptography.
Apart from getting hands-on experience via internships or apprenticeships, you can also set up your own testing site at home. With the help of two or more computers connected by a router, you can perform tests on the security of your own personal firewall, server, hardware, and software. You can also find your own weak spots, then come up with ways to secure your network against them.
Should a future employer ask, you have the advantage of having your own cyber security strategies that you have both tested and proven to be effective. Make sure to document and record your work so you can give detailed examples of what you’ve done to potential employers.
Expanding your network by joining professional associations, even before landing your first job, will open doors to meeting people who may turn out to be instrumental to your success later on. Associations like the Institute of Information Security Professionals (IISP) are a great place to start.
Since these groups often host networking events attended by experts and beginners alike, you might just meet your future mentor or your future employer. You can also easily start conversations with industry leaders, who may be out of your reach outside these networking events, and ask for feedback or guidance.
Moreover, these organisations also provide training and workshops (often at a discounted rate), as well as send out regular newsletters, which are resources that you can learn from in addition to your university curriculum. You’ll also gain access to their members-only job boards.