Gabriel Esek’s route to cyber began where a lot of tech careers do — at an IT help desk.
From there, he worked his way up the tech ladder, through network administration and engineering, learning as he went about the components of enterprise systems and their vulnerabilities.
“I just never had the confidence that I had what it takes to break into cybersecurity,” said Esek, who is now a level three cybersecurity engineer in the security services department at cybersecurity firm Arctic Wolf.
The skills and confidence Esek cultivated as a network specialist gave him a leg up when he pivoted to cybersecurity early last year. A trifecta of certifications — CompTIA’s A+, Network+ and Security+ — were the icing on the cake.
Cybersecurity is a broad field with many niches that are at once embedded in and distinct from the larger IT world. Understanding network components — the hardware that comprises IT systems — is fundamental to cyber. With certification training, it can be relatively easy to cross the natural bridge between network admin and security.
“If you're good at networking, you understand routing and filtering, and you probably understand firewalls and VPNs,” said Ed Skoudis, president of the SANS Technology Institute, SANS Fellow, and founder of cyber consulting service Counter Hack. “These are all amazing and useful building blocks of cybersecurity infrastructures.”
Network professionals typically learn the OSI seven-layer stack model for system connectivity, said Skoudis, who also got his start in network admin.
“Understanding how that stack works helps with understanding how things are happening from a security perspective,” Skoudis said.
The cyber talent challenge
Recruiting and retaining talent is a challenge throughout tech. Nearly 3 in 5 of the more than 1,400 IT professionals surveyed in June for Spiceworks Ziff Davis’ 2023 tech budget trends report said their companies are having trouble finding IT talent.
The stakes are particularly high in cyber. The average cost of a data breach reached an all-time global high of $4.35 million this year, according to IBM’s analysis.
Most companies see cybercrime as a top threat, and more than half of security and IT executives expect an increase in ransomware attacks over the next year, according to a recent PwC study.
“Now that businesses are more digital than ever, being compromised with cyber breach is huge. It can literally bring down your business,” said Curtis Johnstone, distinguished engineer at Quest Software and a Microsoft MVP.
Tapping into network admin to source potential cyber talent in-house would be good news for many organizations, particularly for midsize enterprises, which rank cybersecurity as a top priority and may have a harder time recruiting than larger companies.
Demand = dollars
Esek’s journey from IT desk and network admin to cyber isn’t unique.
Petr Sidopulos, cybersecurity operations architect for the Teacher Retirement System of Texas, got his start as a webmaster for the Texas Army National Guard.
Sidopulos worked his way through IT support and server administration to cyber, earning the GIAC Security Essential Certification and numerous other cyber credentials.
“I did not need any certifications to get into cyber in 2012,” said Sidopulos. “But my on-the-job results and the certifications gave me the knowledge and experience to progress into my [current] role.”
Esek and Sidopulos said inherent interest drew them to cyber, and both leveraged network experience, coupled with certifications, to advance in a field plagued by workforce shortages.
For professionals with the right credentials, it’s also one of the better-paying fields in IT. Certified Information Security Manager is the second-highest-paying IT certification, according to Skillsoft’s survey of more than 2,500 tech professionals, and Certified Information Systems Security Professional ranked fourth. Each credential commanded average annual salaries above $150,000.
While it may require a salary bump, there are advantages to drafting talent from within, according to James Stanger, CompTIA chief technology evangelist.
“To get the right cyber person, you have to have somebody who knows the endpoints and how those endpoints talk to each other,” Stanger said. “It's also easier to train somebody who knows your company, its processes, and its culture well.”