How to become a cybersecurity specialist

Though cybersecurity is a relatively new field, it is rising in popularity and demand. In fact, cybersecurity is among the top 20 fastest-growing occupations, with more than half a million openings in the U.S.

And that demand isn’t likely to go away soon. “Security has just gotten more and more important every single year and there is so much work to be done,” says Kunal Anand, CTO of Imperva, a cybersecurity company.

While the role of a cybersecurity specialist may seem technically daunting, it can entail much more than programming. In fact, some cybersecurity roles don’t require a background in computer science—and can still help drive meaningful business decisions. 

If you’re contemplating a career in cybersecurity, here’s a step-by-step guide to become a specialist:

1. Get training
2. Find opportunities for hands-on experience
3. Pursue a certification
4. Determine your specialty
5. Demonstrate you’re a critical thinker

1. Get training

The good news is there’s no one education path to become a cybersecurity speciality; you have options. You can choose to get an undergraduate or graduate degree in cybersecurity or a related field like computer science, but you can also get an industry certification instead—or even go the self-taught route. 

At minimum, everyone should know the basics of computers and understand how to secure them, says Mutaque Ahamad, a professor at the School of Cybersecurity and Privacy at Georgia Tech University. 

“You need to understand the technology for you to be able to secure it,” Ahamad says. “In the context of cybersecurity, it’s networks, and computers and software.” However, for some (but not all) master’s program tracks, you might need a computer science or engineering undergrad degree. Some top programs include Georgia Tech, New York University, Stanford University, Carnegie Mellon University, and the University of California, Berkeley.

But be careful not to pick an academic program just for its brand name; the school should have some level of specialization in cybersecurity. 

2. Find opportunities for hands-on experience 

Practical skills are critical, and some academic programs risk being too theoretical. Increasingly, though, universities are integrating either industry certification or internships into their programs.

“If they don’t add that practical element to it, they’re not doing their students any favors,” cautions Rob Rashotte, vice president of Global Training & Technical Field Enablement at Fortinet, a cybersecurity company. 

And more than a degree itself, recruiters want to see that applicants for cybersecurity roles have gotten some hands-on experience along the way—either in school or a prior job.

“The best is you find someone who’s gone through a four-year degree, or maybe they’ve worked at a company for a few years, that’s demonstrated aptitude through source code,” says Anand, who helps make hiring decisions at Imperva. That means having a GitHub profile or other repository to show off what you’ve built and how you think. Strong, competitive candidates are intellectually curious and have built their own projects. “That sort of thought leadership, you want to see that,” Anand adds.

3. Pursue a certification 

Certifications are a great alternative for anyone not looking to go to school. They can be generalized, like those offered by the Computing Technology Industry Association (CompTIA). Or they can be vendor-specific, like those offered by IBM.

Fortinet offers more than 900 hours of cybersecurity training curriculum for free, Rashotte says, as well as a multi-level certification program. Getting certified “really mitigates risk for hiring managers,” since those skills have been validated by a third party, he adds. “That can really speak volumes on a resume.”

Even for vendor-specific certifications, many skillsets are transferable, so don’t worry about getting pigeonholed. 

4. Determine your specialty

It can be overwhelming to determine what area of cybersecurity to specialize in. 

When it comes to the field, “there’s a lot of breadth,” Anand notes. When you’re just starting out, you’ll likely be a generalist. But as you get further in your career, recruiters like Anand prefer to “see some sort of theme.” Maybe it’s app and data security, or maybe you care about mobile and backend security. Being passionate about one area will show hiring managers you can have an impact there. That’s a competitive advantage. 

One useful guide is the Cybersecurity Workforce Framework developed by the National Initiative for Cybersecurity Education (NICE), a part of the National Institute of Standards and Technology. This framework categorizes various specialty areas and can be for learning more about various specialty areas within cybersecurity.

5. Demonstrate you’re a critical thinker 

Hiring managers are looking for candidates with a fighter mentality who care about keeping people safe “because that cuts across everything,” Anand says. Even those people who aren’t trained in cybersecurity have a shot at a job if they demonstrate motivation to learn.

“That’s what I think so much of cybersecurity is: being diligent, being contrarian to outthink and outmaneuver attackers,” Anand says.

Strong thinkers have a higher chance of being hired despite an atypical background. Two years ago, Anand took a chance on a candidate with a Ph.D. in criminology to fill a role as cyber threat lead at Imperva. 

“I hired her because I wanted to change the way that we think about security,” Anand says. “I personally look for exceptional thinkers.” Since then, this employee has been promoted, he adds.

“It really comes down to their ability to work with people, their ability to problem solve,” Rashotte echoes, “and being able to solve customer problems at a business level.”

See how the schools you’re considering fared in Fortune’s rankings of the best master’s degree programs in data science (in-person and online), nursing, computer science, cybersecurity, psychology, public health, and business analytics, as well as doctorate in education programs and MBA programs (part-time, executive, full-time, and online).