"Wait, I Don't Need To Be a Programmer To Work in Cybersecurity?"

Are you sitting down? Good. I’m about to tell you something that may shock you.

You don’t need to know how to code to work in cybersecurity.

When I started to apply for jobs in the industry, I assumed I needed to learn to code. It seemed logical, since one of the core missions of cybersecurity is to secure computers and computers run on code. So, the people securing those computers must be programmers, right?  

Not exactly, I discovered. But if you watch TV shows or movies about cybersecurity, it’s easy to believe this myth.  Dramatizations of the industry often depict a cybersecurity analyst as an antisocial person who lives in their parents’ basement. They spend their days working late into the night typing furiously on the keyboard while lines of code whiz by on the screen. The work looks action-packed and important: You see them remotely connect to a device continents away to stop an active attack. After watching such a scene, it’d be reasonable to conclude that if you can’t make lines of code whiz across the screen, you can’t stop a cyber attack. While the people who largely match this stereotype do exist, their skillset is a niche within a much broader industry. The reality is that many cybersecurity roles do not require programming experience.

That’s just one myth of many that need to be dispelled so we can bring more people into an industry that sorely needs new talent. Below, I break down a few other myths and explore what’s really important for building a cyber career.

Myth 1: Cybersecurity analysts live in their parents’ basement.

Not true, mostly because theirs is one of the more highly paid and secure jobs in the world. The Bureau of Labor Statistics trends the median income for an array of information security-related roles as ranging from $92,600 - $135,800 per year which puts it in the top 15 highest paid occupations. Once you have a job in cybersecurity you are unlikely to need a career change in your lifetime because cybersecurity is an industry with an effective unemployment rate of 0 percent and projections for continued growth over the next decade.

I see you rolling your eyes. You’re probably thinking, “Yeah, those skilled professionals command such a high salary because they’re elite hackers who spent every waking moment of their teenage years teaching themselves to program.” That leads us to Myth No. 2.

Myth 2: You need to be a masterful coder to get a cybersecurity job.

The majority of people I’ve met in this industry have not been required to write a single line of code as part of their cybersecurity job. Even fewer have connected to a remote device to stop an active attack. Rather, security professionals often possess a combination of knowledge across the following areas: security tools, project management, regulatory frameworks, process development, and technology architecture.

One of the challenges for a potential applicant interested in the field but inexperienced in navigating the industry is to understand that the title “security engineer” is only one role within an ecosystem of cybersecurity teams and positions. Here is a list of cybersecurity teams that likely do not require programming experience:

Security architecture

Vulnerability and patch management

Cyber threat intelligence

Security Operations Center (SOC)

Incident response

Security operations

Compliance

Network defense

Security risk assessment

• Security audit
  
• Cybersecurity project management

Here are some teams that may require programming abilities:

Penetration testing

• Cyber threat hunting
  
• Information security engineering
  

Even though it may now be clearer which jobs do and don’t require programming skills, it’s still understandable to be confused about what skills security professionals actually need to possess to avert the technology disasters we read about in the news. In many ways, what unites security professionals is not a shared hard skill - like coding -  but a security mindset that enables them to critically test an organization, process, or tool and to understand how it can be exploited. This is a mindset that can be learned. Here are some practical and approachable resources and steps that you can leverage to learn more about the field, equip yourself with resume fodder for your first application, and expose you to a mindset that will leave you more paranoid and more employable:

Certifications: CompTIA Security+, Certified Ethical Hacker (CEH), Sans Security Essentials (GSEC)

Cybersecurity course providers: SANS Institute, MIS Training Institute, and free online University courses focused on cybersecurity  

Blogs and journalism: Krebs on Security, Schneier on Security, Dark Reading, Ars Technica

Conferences and events: BSides, the Open Web Application Security Project (OWASP), and Information Systems Security Association (ISSA)

Myth #3: All of the cybersecurity jobs are at technology companies.

One of the amazing aspects of a career in cybersecurity is that it means your skillset is applicable across industries. Technology companies whose core product is a website or an app certainly have a need for cybersecurity.  But with the proliferation of technology across industries, there are few that don’t need security professionals. The majority of cybersecurity jobs are desk jobs, but beyond that the lifestyle aspects of a cybersecurity job are largely up to you and your interests. Always wanted to work in entertainment, healthcare, education, government or finance? As long as the industry employs technology there are cybersecurity positions to be filled.

Myth #4: You’ll be at a disadvantage during a job interview if you don’t have a “traditional” background in technology. Due to the shortage of security professionals, many people make their way to the field by nonlinear paths. My coworkers’ backgrounds include a mechanical engineer, a filmmaker, a former intelligence community officer, a computer scientist, a journalist, and an accountant, all of whom are now security professionals. When you get to a job interview, don’t sell yourself short. Explain why you’re interested in the field and don’t assume the person sitting across the table from you started with a background different from your own.