Is there a career in IT Security/Cybersecurity in the Philippines? – This is the question that is always asked when I give workshops or lectures in the academe. I always answer an astounding “yes.”

Here are the reasons why:

• Reason #1: There is a need for cybersecurity professionals because of the increasing number of cybercrimes and data privacy issues.

We see the news every day, from global news such as the Bangladesh Heist and the San Bernardino shooting, or high-impact news such as the Equifax data breach to local ones such as when the UST Hospital was defaced or when a Public School Teacher’s identity was stolen. No matter how big or small these issues are, a key discipline required is in cybersecurity. There will always be a need for cybersecurity professionals

• Reason # 2: The demand for cybersecurity professionals is high while the supply is low.

Various reputable sources say that a lot of cybersecurity roles remain unfilled. According to CSO, there were a million cybersecurity roles that remained vacant in 2014. It is also predicted that there will be 3.5 million cybersecurity jobs that will remain vacant by 2021. 

ISACA and CyberSeek concur with these trends. At the same time, the cybersecurity unemployment rate is 0% in 2016 and is expected to remain at 0% until 2021.

How to build your cybersecurity career?

• Answer #1: Shape your career to be difficult to replace and high-value adding to the industry.

This idea is not only applicable to cybersecurity but for any role in general. In the human capital matrix, the “easy to replace and low value-added” roles are sure to be automated. “Easy to replace and high value-added” can be outsourced on the other hand.

A lot of the usual triage or customer service support is already replaced by chatbots that can trace your problem without missing any questions for diagnosis. In the same way that traditional Security Operations Centers (SOC) have matured with the help of Machine Learning (ML) and Analytics that the old Security Analyst roles have already been replaced with more proactive tasks such as threat hunting and intelligence.

• Answer #2: Assess yourself in the following aspects: Desire, Ability, and Practicality

I have always shared this in career talks- Desire, Ability, and Practicality are things that you have to seriously consider when choosing a career path. For cybersecurity, it is very straightforward. A lot of the roles require the cybersecurity professional to be critical, stealthy and skeptic. In the ability angle, the cybersecurity professional has to have knowledge of programming, networking and system administration to name a few. Lastly, there are so many opportunities for the cybersecurity professional that the practicality aspect is not a problem. I usually use the practicality question for those who intend to study very unique courses with little to no opportunities after graduation.

• Answer #3: Start your career with operational roles going to management roles.

I started my career as a Security Analyst in a Security Operations Center (SOC) in a US company that caters to more than 500 financial institutions. The work was demanding and there was so much to learn- searching for logs, communicating with clients specifically C-level executives. , classifying which alerts are true and false positives, meeting the SLA, optimizing the SIEM, conducting QA on devices, etc. Our shift back then was 12-hours long and I spent the majority of my stay there in the night shift. The work was very tiring and not advisable for the older and/or family guys. But that stint helped me boost my cybersecurity career.

In my next work, I learned other domains in cybersecurity. I did risk management and a lot of vulnerability assessment and penetration testing (VAPT). Afterward, I moved to handle administrative tasks and became part of the management team creating programs and projects to strengthen cybersecurity in the organization.

I strongly believe that to be a good IT security leader, you must have a solid understanding of some important domains in cybersecurity. Management training alone may not be enough because of the cybersecurity’s nature that requires you to have experience working with frameworks and tools. Although you will not be configuring the tools on your own, it will help you in your decision-making if you will buy the tool/s based on the business requirements of the organization.

• Answer #4: Invest in education and certifications.

I am not a fan of comparing universities and claim that one is superior to the other. I’ve met a lot of outstanding cybersecurity professionals from all over the world. Some came from the known schools while some graduated from relatively new schools. Some didn’t even finish their degrees but they are great at work.

Obtaining a college degree is a qualification (usually first in the list) in most cybersecurity jobs. Other than a qualification, I think significant experience is a better measurement of cybersecurity mastery. Schools may try to provide the best lab for the students but it is still different in the real-world. Cyber attacks don’t have scope and limitations. They just hit and harm.

Lastly, I personally think that certifications are important too. Aside from that, it is also a qualification, it helps you learn the body of knowledge in a standardized and systematic manner. It will also validate what you know and give you more inputs to advance your skill. I know there are different schools of thought on certifications and I agree with the important points. I even wrote a blog entry about it. But there are far more advantages to taking them to equip people with the right skills and knowledge for the job.

You can view the IT Certification Roadmap from CompTIA for a guide and sample here.

So what are you waiting for? Start your cybersecurity now!

You can download my presentation slide on this topic here: A Primer on IT Security Career Privacy and Ethics v1.