Throughout my career as a cybersecurity professor, I often get questions about starting a career in cybersecurity. This question seems simple, but it is not easy to answer. If you are reading this article, it is quite likely you are thinking about cybersecurity as a career option. This article aims to summarise some key points, and provides you with the initial directions — with the aim of overcoming inertia — kickstarting you into the first steps.

在担任网络安全教授的整个职业生涯中，我经常会遇到有关开始从事网络安全职业的问题。 这个问题看似简单，但不容易回答。 如果您正在阅读本文，很可能您正在考虑将网络安全作为职业选择。 本文旨在总结一些关键点，并为您提供最初的方向(以克服惯性为目标)，将您带入第一步。

(几乎)每个人都认为网络安全应该是一个跨学科领域 ((Almost) everyone agrees that cybersecurity should be an interdisciplinary field)

Increasingly, cybersecurity programs around the world are starting to introduce non-technical courses such as business communication and legal aspects of cybersecurity, and industry internships into their technical cybersecurity curricula.

越来越多的全球网络安全计划开始在其技术网络安全课程中引入非技术课程，例如商业交流和网络安全法律方面的内容以及行业实习。

In my own experience developing national and international cybersecurity curricula, I am often struck by industry experts suggesting that ‘we need to introduce soft skills into the curriculum because the geeks are unable to articulate their concerns to the management’. This assertion is partly true. To be fair to geeks (and I am one myself), I think there is also a responsibility for management to actively understand cybersecurity risks and remove the culture of leaving techie stuff to techies. Also, ‘soft skills’ should and could also be learned from the home or even from part-time work experience during high school or university days.

以我自己开发国家和国际网络安全课程的经验，我经常被行业专家震惊，他们建议“我们需要在课程中引入软技能，因为极客们无法向管理层表达他们的担忧” 。 这个断言部分是正确的。 公平地对待极客(我也是我自己)，我认为管理层还有责任积极了解网络安全风险并消除将技术人员留给技术人员的文化。 同样，“软技能”应该并且也可以在高中或大学期间从家里甚至从兼职工作中学习。

To be more precise, graduates of the cybersecurity curricula should perhaps be exposed to diversity of thinking, and be appropriately trained to handle different challenges including communicating serious data security breaches to affected stakeholders and leading incident responses to cyber attacks. Hence, this goes beyond ‘soft skills’ per se, and includes appreciation of a wide range of disciplines including but not limited to criminology, political science, public relations and communications, corporate governance and law.

更准确地说，网络安全课程的毕业生可能应该具有多种思维方式 ，并应接受适当的培训以应对各种挑战，包括向受影响的利益相关者传达严重的数据安全漏洞，并领导对网络攻击的事件响应。 因此，这不仅超出了“软技能” 本身 ，还包括对广泛学科的赞赏，包括但不限于犯罪学，政治学，公共关系与传播，公司治理和法律。

网络安全职业：事实与虚构 (Cybersecurity careers: Fact versus fiction)

As compared to other ‘traditional’ industries like medicine or law, it is hard to define a relatively new and rapidly-changing industry like cybersecurity but it is perhaps easier to define what cybersecurity careers are not:

与医学或法律等其他“传统”行业相比，很难定义一个相对较新的且瞬息万变的行业，例如网络安全，但是定义哪些网络安全职业可能不容易：

Cybersecurity careers are not (just) about hacking. I believe that the root of this common misperception about cybersecurity careers being all about hackers is the consistent portrait of a person who is an ostracised loner who loves to sport a hoodie jacket, types quickly, and has a face with digitally-rendered 1’s and 0’s. Look around the stock images used by cybersecurity articles and you can see what I am referring to. The media tends to glorify and sensationalise top hackers, but a cybersecurity career is beyond finding ways to break systems, and in fact, it is not just a technical career path. Just as healthcare systems have several roles such as midwives, nurses, pharmacists and radiographers on top of doctors, cybersecurity careers offer a large spectrum of roles including but not limited to writers, legal experts, cyber insurance professionals, malware researchers, law enforcement and intelligence officers, policy advisors and even soldiers.

网络安全事业不是(仅仅)与黑客有关。 我认为，人们对网络安全职业的普遍误解是黑客，这是一个普遍的误解的根源，他是一个被排斥的孤独者，喜欢运动连帽外套，打字速度很快，并且脸上的表情是数字“ 1”和“ 0”。 。 环顾网络安全文章所用的库存图像，您可以了解我所指的内容。 媒体往往荣耀和sensationalise顶尖黑客，但网络安全的职业生涯已经超出想方设法突破系统，而事实上，它不只是一个技术性的职业道路。 正如医疗保健系统具有多个角色，例如助产士，护士，药剂师和放射线照相师等，医生一样，网络安全事业可以提供多种角色，包括但不限于作家，法律专家，网络保险专业人员，恶意软件研究人员，执法和情报人员军官，政策顾问甚至士兵。

Cybersecurity careers do not require a prerequisite computer science degree. Yes, this is coming from a computer science professor. Let me start with a few examples, Graeme Proudler, one of my ex-colleagues at Hewlett-Packard Labs, is a physicist but is one of the most-respected names in the cybersecurity research area of trusted computing. Sai Honig, an ex-board member of (ISC)2 (one of the gold-standard professional certification bodies in cybersecurity) started her career as an aerospace engineer before switching over to a cybersecurity career. My own PhD was in the area of artificial intelligence planning applied to supply chains and collaborative business processes. All of us kind of ‘stumbled upon’ our cybersecurity career. If you ask your friends in the cybersecurity industry about their qualifications, you will likely get the same answers. So the bottomline is, the qualification is not the only way to enter the industry. What matters more is that you focus, and look for the niche in cybersecurity that aligns to your strengths and interests.

网络安全职业不需要必备的计算机科学学位。 是的，这来自计算机科学教授。 让我先举几个例子，格雷厄姆·普罗德勒(Graeme Proudler)是我在惠普实验室的前同事之一，是物理学家，但却是可信计算网络安全研究领域中最受尊敬的名字之一。 (ISC)2(网络安全的黄金标准专业认证机构之一)的前董事会成员Sai Honig开始了她的航空航天工程师职业生涯，然后才转而从事网络安全职业。 我自己的博士学位是应用于供应链和协作业务流程的人工智能计划领域。 我们所有人都“偶然发现”了我们的网络安全职业。 如果您向网络安全行业的朋友询问他们的资格，您可能会得到相同的答案。 因此，最重要的是，资格认证不是进入该行业的唯一途径。 更重要的是，您要专注于并寻找与自己的优势和兴趣相适应的网络安全领域。

使您开始网络安全职业的步骤： (Steps to get you started with your cybersecurity career:)

So, how do you get started? As with most major things in life, it helps to start with the right mindset.

那么，您如何开始？ 与生活中的大多数重要事物一样，它有助于从正确的思维方式入手。

1.考虑一下您希望获得的遗产并向后努力 (1. Think about the legacy you wish to achieve and work backwards)

What is your purpose in life? This sounds cliché, but it is actually the key to a great career (note the difference between a career and a job). As Mark Twain said, “The two most important days in your life are the day you are born and the day you find out why.” For my friend Sai Honig, I know that she is driven by a desire to help people. This is evidenced by her work outside her job helping the Grameen Foundation. What drives you?

你的人生目标是什么？ 这听起来有些陈词滥调，但这实际上是成就美好事业的关键( 请注意，事业与工作之间的区别 )。 正如马克·吐温(Mark Twain)所说：“人生中最重要的两个日子是出生的那一天和找出原因的那一天。” 对于我的朋友Sai Honig来说，我知道她渴望帮助别人。 她在帮助格莱en基金会之外的工作证明了这一点。 是什么驱使您？

What is your desired cyber security job? After knowing what drives you, it is important to look at the types of jobs. It is important to do your homework, and speak to a wide variety of people. Do not just base your whole life and career decision on the advice of one or two people (who may be disgruntled with their misaligned jobs). Do you like to write and effect change through policies? Perhaps the policy advisor role focusing on cybersecurity affairs would suit you. How about exploring internships? Some firms, especially the big four accounting firms, take in a large percentage of interns and this would be an interesting opportunity to have a toe dip before diving into the field.

您需要什么网络安全工作？ 在知道驱动因素之后，重要的是要查看作业的类型。 做作业并与各种各样的人交谈很重要。 不要仅仅根据一两个人(他们可能因工作错位而感到不满)的建议来决定自己的一生和职业生涯。 您喜欢通过政策来撰写和实现变更吗？ 专注于网络安全事务的策略顾问角色可能适合您。 探索实习如何？ 一些公司，尤其是四大会计师事务所，吸收了大量的实习生，这将是一个有趣的机会，可以在涉足该领域之前先做些准备。

2.了解所需的相关资格，技能和知识。 (2. Understand the relevant qualifications, skills and knowledge required.)

(Disclaimer: In this section, I am simply listing the qualifications commonly sought after by employers. The example qualifications in this presentation are not an endorsement, and similarly, those not listed are not to be interpreted as “not endorsed”.)

(免责声明：在本节中，我只是列出雇主通常寻求的资格。本演示中的示例资格并非认可，同样，未列出的资格也不应解释为“不认可”。)

I often get asked the question “What is the best and value-for-money certification/training for me?” My reply would be “the one which will enhance your reputation”.

我经常被问到“对我来说，最好的，最物有所值的认证/培训是什么？” 我的答复是“将提高您的声誉的那份”。

With this advice in mind, it would be key to look at the following when choosing qualifications:

牢记这一建议，选择资格证书时，请务必注意以下几点：

1. What are employers’ perception of the qualification/degree? For example, the Offensive Security Certified Professional (OSCP)’s 24 hour examination proves to employers looking for penetration testers that the candidate is technically competent to perform the jobs they will be assigned to. Another example is the (ISC)2 Certified Information Systems Security Professional (CISSP), which is recognised as an entry requirement according to the U.S. Department of Defense (DoD) Directive 8570.1. Another interesting homework you can do is to look at the qualification requirements of the highest paying jobs in the cybersecurity sector: which are the qualifications commonly sought after? An alternative method is to observe the Linkedin profiles of Chief Information Security Officers (CISO) of companies. What qualifications are they typically holding?

   雇主对资格/学位的看法如何？ 例如，“进攻性安全认证专业人士( OSCP )”的24小时考试向寻找渗透测试人员的雇主证明了该候选人在技术上有能力胜任将要分配给他们的工作。 另一个示例是(ISC)2认证的信息系统安全专家( CISSP )，根据美国国防部(DoD)指令8570.1 ，该专家被视为入境要求。 您可以做的另一项有趣的作业是查看网络安全领域中薪资最高的职位的资格要求：通常追求哪些资格？ 一种替代方法是观察公司首席信息安全官(CISO)的Linkedin个人资料。 他们通常拥有什么资格？

2. What is the quality control of the curriculum and how do they manage their common body of knowledge (CBK)? A keen cybersecurity student would ask questions about the way the organisations regulate the qualifications’ CBK? Is it refreshed regularly and how is it developed? For example, when I was involved as one of the experts developing the first Certified Cloud Security Professional (CCSP), I was thoroughly impressed with the way (ISC)2 worked with Pearson VUE psychometricians to develop the CCSP curriculum through several consultative stages — from understanding the job tasks expected of the certified professional, to designing of the examination questions, and testing the questions, etc. This development process can also be found with other organisations such as COMPTIA, ISACA and so on.

   课程的质量控制是什么？他们如何管理自己的共同知识体系(CBK)？ 一位热衷于网络安全的学生会问有关组织规范资格CBK的方式的问题？ 它会定期刷新吗？如何开发？ 例如，当我作为开发第一批认证的云安全专家(CCSP)的专家之一参与时，我对(Pearson VUE)心理计量学家与PSearson VUE心理测量师合作开发CCSP课程的方式(从了解认证专业人员所期望的工作任务，设计考试题和测试题等。在其他组织(例如COMPTIA ， ISACA等)中也可以找到这种开发过程。

3. How are the exams proctored? Some certification organisations do not handle this well, and do not manage the examination proctoring well — leading to reputation implications for genuine holders of their qualifications. You would need to look out for qualifications with excellent proctoring to prevent cheating. Examples include examinations run by professional test taking centres combining CCTV recording, biometric and facial ID verification.

   考试如何安排？ 一些认证组织不能很好地处理这一问题，并且不能很好地管理考试的督导工作，从而给真正拥有资格的人带来声誉的影响。 您需要寻找具有出色督导资格的人，以防止作弊。 例如，由专业考试中心进行的考试结合了CCTV录制，生物特征识别和面部ID验证。

4. Are there black markets ‘selling’ the qualifications, affecting the brand of your qualification? Unfortunately, with an increased demand for qualifications, some rogue suppliers and training centres (predominantly in South Asia) ‘sell’ qualifications such as the Certified Ethical Hacker (CEH). The provider’s website was also previously defaced by hackers. From my experience interacting with industry partners in Australia and New Zealand, these incidents leave a nasty taste with employers, resulting in some employers I know of shun CV’s with the affected qualifications — since they can be perceived to be ‘buyable’ and may affect their company’s reputation. It is very sad as it affects the genuine holders of the professional certifications. I strongly recommend you to do a bit of homework and observe some heighten sense of caution before deciding to invest in affected qualifications, or even to the extent of thinking twice before including the affected certifications into your CVs.

   黑市是否有“销售”资格，从而影响您资格的品牌？ 不幸的是，随着对资格证书的需求增加，一些流氓供应商和培训中心( 主要在南亚 ) “出售”了资格证书，例如，“道德认证黑客(CEH)” 。 提供商的网站以前也曾遭到黑客的破坏 。 根据我与澳大利亚和新西兰的行业合作伙伴互动的经验，这些事件给雇主留下了令人讨厌的滋味，导致我认识到某些雇主不愿接受具有受影响资格的简历 -因为他们被认为是“可购买的”并可能影响他们的公司的声誉。 这很可悲，因为它影响到专业证书的真正持有者。 我强烈建议您在决定投资受影响的资格之前，要做些功课，并要加倍谨慎，甚至在将受影响的证书纳入您的简历之前，甚至要三思而行。

3.寻找学习网络安全的最佳环境 (3. Find the best environment for learning cybersecurity)

After deciding on the right training and qualifications, it is important to look into the learning environment consisting of a good combination of (1) facilities and equipment, (2) mentors and the (3) wider ecosystem. An ideal situation would be the access to cutting-edge equipment, and device testing laboratories which will give you valuable hands-on experience. The hands-on experience builds into a portfolio which will enable you to articulate your experience at your first cybersecurity job interview.

在确定正确的培训和资格后，重要的是要了解由以下各项组成的良好学习环境：(1)设施和设备，(2)导师和(3)广泛的生态系统 。 一个理想的情况是可以使用最先进的设备以及设备测试实验室，这将为您提供宝贵的实践经验。 亲身实践的经验融入了产品组合中，使您能够在首次网络安全工作面试时阐明自己的经验。

Having access to mentors who will not only provide you with advice or access to networks and opportunities, but have the bandwidth to catch up with you at least every six months would be great to steer you in the right directions. Even if you do not know anyone or cannot access a physical network of mentors, you always have the option to join your local computing peak bodies (e.g. the ACM, IEEE, IET) as a student member if you are a student, or cybersecurity interest groups which may have meet-ups or virtual gatherings.

与导师接触不仅可以​​为您提供建议或访问网络和机会的机会，而且至少每六个月有足够的带宽跟上您，这对于引导您朝着正确的方向发展将是很大的。 即使您不认识任何人或无法访问指导者的物理网络，如果您是学生或出于网络安全的兴趣，您始终可以选择以本地学生的身份加入本地计算高峰团体(例如ACM，IEEE，IET)可能有聚会或虚拟聚会的团体。

Beyond mentor networks, you would aim for an environment which spurs you on to greater heights. For example, you should have access to some regular cybersecurity events, or capture-the-flag competitions (both online and in-person) and test your newly-acquired skills against like-minded folks. It is often at these events or competitions that potential employers lurk around looking for their next batch of talented employees. I use the word ‘lurk’ as they often do not reveal that they are hiring, but are actually participating as industry partners with the hidden intention to spot talent. When I was running the New Zealand Cyber Security Challenge (2014–2018), I was consistently approached by hiring managers from both public and private sectors asking me to (silently) pinpoint the top competitors to them. I witnessed a few job offers made to competitors and organisers, some of whom were my students.

除了指导者网络之外，您还希望获得一个能够将您带入更高境界的环境。 例如，您应该有机会参加一些常规的网络安全活动，或者参加标志性比赛(在线和面对面比赛)，并针对志趣相投的人测试您新获得的技能。 往往是在这些事件或竞赛中，潜在的雇主潜伏着寻找下一批有才华的员工。 我使用“潜伏”一词，是因为他们通常不会透露他们正在招聘，但实际上是作为行业合作伙伴参加，目的是发现人才。 当我参加新西兰网络安全挑战赛 (2014-2018)时，一直招募来自公共和私营部门的经理，要求我(默默地)为他们确定最主要的竞争对手。 我目睹了向竞争对手和组织者提供的一些工作机会，其中一些是我的学生。

4.关注您的品牌和声誉 (4. Focus on your brand and reputation)

In this profession which requires a high level of integrity and code of ethics, your brand and reputation determines your opportunities. Guard it with your life! It is also important to view this career as a life-long learning process, and as a profession just like other occupations (e.g. doctors, accountants, engineers, etc.) Several professional certification bodies encourage their members to clock continuous professional development (CPD) and their emphasis on CPD is a hallmark of their institution quality. When you are starting your learning journey in cybersecurity, be sure to aim for tangible milestones such as real-life experience conducting security tests, leading cyber awareness programs, or even bug bounty programs. Show up at industry networking events, and observe how the most successful do their craft. You may also wish to approach these role models and ask if they could be your mentor. It is key to remember that they are usually time-poor so it will be important to advise the prospective mentor that you only seek their occasional advice and would not be taking too much of their time.

在这个需要高度诚信和道德准则的行业中，您的品牌和声誉决定了您的机会。 用自己的生命守护它！ 同样重要的是，应将此职业视为终身学习过程，并与其他职业(例如医生，会计师，工程师等)一样视为职业。几个专业认证机构鼓励其成员推动持续专业发展(CPD)他们对CPD的重视是其机构素质的标志。 当您开始学习网络安全之旅时，请务必瞄准切实的里程碑，例如进行安全测试的真实经验，领先的网络意识计划甚至是漏洞赏金计划。 参加行业社交活动，并观察最成功的人如何做事。 您可能还希望找到这些榜样，并询问他们是否可以成为您的导师。 重要的是要记住，他们通常时间紧缺，因此，建议准导师您只寻求他们的偶尔建议而不会花费太多时间是很重要的。

5.记住将其转发 (5. Remember to pass it forward)

Over time, if you follow the steps above, I am confident that you will achieve an amazing and rewarding cybersecurity career. When/If you are blessed to have the amazing career in cybersecurity, and have achieved some significant milestones, it is time to pass on the blessing to others. Find time to think about how you can help others who need the extra help in cybersecurity. For example, you could volunteer to create cybersecurity awareness programs for not-for-profits, schools, or organisations representing disadvantaged sectors of society. Also, try to be on the lookout for opportunities to mentor someone. It may turn out to be the best investment of your time.

随着时间的流逝，如果您按照上述步骤进行操作，我相信您将获得令人赞叹和令人振奋的网络安全事业。 当/如果您有幸在网络安全领域拥有出色的职业，并取得了一些重要的里程碑，那么该是将这种祝福传递给他人的时候了。 抽出时间思考如何为需要网络安全方面额外帮助的其他人提供帮助。 例如，您可以自愿为非营利组织，学校或社会弱势群体的组织创建网络安全意识计划。 另外，尝试寻找机会指导某人。 事实证明，这可能是您这段时间中最好的投资。

入门资源 (Resources to get started)

This article is a summary of a 1-hour free webinar I gave to an Australian audience through the Australian Computer Society (ACS), and it was the really encouraging feedback from the webinar that inspired me to pen this article down — with an aim of reaching a wider and global audience. This is also a way for me to do step 5 in the above tips.

本文是我通过澳大利亚计算机协会(ACS)向澳大利亚听众提供的1小时免费网络研讨会的摘要，正是网络研讨会的真正令人鼓舞的反馈启发了我写下这篇文章-旨在覆盖更广泛的全球受众。 这也是我执行上述提示中的步骤5的一种方式。

Besides my article, you may wish to look at the following free resources:

除了我的文章，您不妨查看以下免费资源：

1. Read the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) Framework (SP800–181)

   阅读美国国家标准技术研究院(NIST) 的网络安全教育国家计划(NICE)框架(SP800–181 )

2. If you are a visual person, try playing and exploring with the Career Pathway sections of the Cyberseek.org website. While the jobs listed are USA-centric, it gives a good overview of the possibilities and relative salary ranges of the different types of cybersecurity jobs.

   如果您是个有远见的人，请尝试与Cyber​​seek.org网站的“职业道路”部分一起玩耍和探索。 虽然列出的工作以美国为中心，但它很好地概述了不同类型的网络安全工作的可能性和相对薪水范围。

3. The resources page on the NICCS website.

   NICCS网站上的资源页面。

4. If you are in Australia, you can try this great and free resource, ASD CyberEXP, by the Australian Signals Directorate designed for high school students (and teachers) to experience what it’s like to work in some of the cybersecurity roles.

   如果您在澳大利亚，则可以尝试由澳大利亚信号局提供的这一免费的出色资源ASD Cyber​​EXP ，该资源旨在为中学生(和教师)提供一些网络安全职位的工作体验。

I wish you all the best with your cybersecurity career, and if this is useful to you, I encourage you to pass this information to others, and if time permits, write to me with feedback or suggestions.

我希望您在网络安全事业上一切顺利，如果这对您有用，我鼓励您将这些信息传递给其他人，如果时间允许，请给我反馈和建议。