How to Spark Your Journey into Cybersecurity as a Software Engineer

Two Sigma engineers explain how to make the jump from software engineering into cybersecurity and share tips and resources to make the process smoother.

Cybersecurity is an essential and rapidly growing field in today’s digital landscape. From protecting end-user privacy to guarding against the rise of damaging and extortionary ransomware, the need for experienced and motivated security professionals has never been greater. However, pursuing a career in cybersecurity can seem overwhelming. The good news is that breaking into cybersecurity is not as daunting as it may seem, and if you are already a software engineer or similar technical professional, you already have one foot in the door.

In this article, we explain how you can use your existing software engineering skills to successfully spark your journey into cybersecurity, as well as how you can begin to fill in any gaps in your expertise.

A Day in Our Lives

Security is a broad field, and no set of small, personal anecdotes can truly capture the many tasks security professionals tackle every day. That being said, it can still be helpful to hear specifically what some professionals do on a daily basis. To give you an idea, we will dive into what we, Aditi Chaudhry and Madelyn Torres, two security engineers at Two Sigma, work on.

Aditi is a cloud security engineer. She develops tools and processes to maintain a secure public cloud environment. This includes contributing to the direction of Two Sigma’s future cloud products by collaborating with other engineers to develop tools that help the company maintain a robust security posture. One such tool is a cloud-native configuration validation system that scans cloud service configurations every hour and reports violations to account owners. Aditi also consults on secure design with engineering teams that use cloud services.

Madelyn is an application security engineer. Her main role is to engineer a bespoke Static Application Security Testing (SAST) tool that is configured to discover vulnerabilities in the code of Two Sigma’s monorepo code bases. Along with performing traditional engineering tasks such as design, implementation, and testing, she is increasingly involved in discussions regarding internal package management and code base architecture.

Both of us started our careers as software engineers. Though we enjoyed software development, we were both intrigued by cybersecurity. To us, security was an exciting field where we could use our software engineering skills to continue solving complex problems while also getting a deeper understanding of what makes technology break and work.

As we began considering a switch into cybersecurity, neither of us was quite sure how to make the career change. At the same time, we noticed that many of our friends were encountering similar barriers while trying to make the same move. The next two sections detail the biggest challenges we came across and our solutions for addressing them. We hope that others can learn from our experience and have an easier transition into the field.

Security done right is a business-enabler: it allows companies to conduct business in high-risk environments safely.

Challenges in Changing Careers

Software engineers pursuing a career in cybersecurity can encounter a number of different challenges including:

Limited Academic Offerings

The first barrier you might encounter is in academics. Many universities either lack cybersecurity programs or have only a few classes available–often at the graduate level. This isn’t ideal, as undergraduate students may find graduate classes expensive, closed, or intimidating to take. Furthermore, students tend to follow a career path based on the subjects they are more exposed to and that have more developed coursework. The result is that security as a career becomes an afterthought.

Minimal Networking Opportunities

The opportunity to speak face-to-face with professionals makes it easier to enter any career. Unfortunately, it is sometimes difficult to find networking opportunities within security. Typically, security engineers are a small portion of the engineering population at an organization; in some cases, cybersecurity is completely separate from engineering. Thus, at recruiting events or in day-to-day work, security engineers are often under-represented and unknown to applicants.

Non-Obvious Self-Learning Resources

Cybersecurity is a broad field with many discrete domains. For people new to the industry, the best path to start learning about security is not obvious. Though there are many resources available, navigating and prioritizing these resources can be difficult without prior experience or an idea of which domain to pursue.

Intimidating Image

Perhaps the most inimical barrier to entering cybersecurity is its image. Many believe that security exists somewhere between functioning as an unshifting business-blocker and being a puzzling maze of skills, tools, and terminology. The misconception that years of experience and hacking are required to be a security professional can deter people from exploring the field. Lastly, many people consider cybersecurity to be a solitary, non-collaborative field. While these perceptions could not be further from the truth, they contribute, along with the other challenges above, to cybersecurity’s intimidating image.

How We Did It

We both faced all of these challenges on our journeys into cybersecurity–and learned how to overcome them.

Programming

One of the best ways to begin practicing cybersecurity is to integrate security principles into your current software projects. Whether working on a school project that sits at the intersection of security and a specific field, or considering security from the early design stages of a product, basic cybersecurity is prevalent and easy to integrate into workflows. These steps can help you develop a valuable skill set for engineering both in and outside of security.

Reaching Out to Security Professionals

Another early step you can take is reaching out to security professionals. Whether they are faculty at an academic institution or employees at a firm, speaking with current security professionals is the best way to gauge or confirm your own interest. Speaking with security professionals also has the added benefit of demystifying the field, making it less intimidating. Furthermore, you can establish relationships and learn what worked for the others, understand how they got into the field, and consider possible opportunities to explore. Most people are more than happy to talk about their work and would be invaluable assets to someone interested in cybersecurity and navigating the early stages of their career.

Self-Learning

When we first tried to educate ourselves about cybersecurity, we knew there were plenty of resources out there, but we didn’t know where to start. So, we’ve put together an annotated list which you’ll find at the end of this article. Whether you use this or some other list, remember to start small, so you don’t get too overwhelmed by the sheer breadth of the field. Hopefully, exploring these resources will help you determine which areas of security interest you the most. From there, you can begin learning more at a pace that best suits your style.

Transferable Skills

A security engineering position is essentially software engineering in a security context. As a software engineer, you have unique insights into exactly how products are developed, which positions you well to understand how they might be vulnerable. Software engineering students and professionals already possess many skills that are essential in security and cover most of what security employers are looking for, with a small gap that you can fill by following the tips above. These include technical skills, such as debugging, design, and documentation, and non-technical abilities, such as attention to detail, curiosity, and a strong sense of teamwork.

Concluding Thoughts

Security done right is a business-enabler: it allows companies to conduct business in high-risk environments safely. While the field may seem opaque and intimidating to software engineers, it’s more accessible than you might think–especially if you have a strong desire to learn and are willing to steadily build your experience level.

We hope this article gives you the confidence and resources you need to spark your journey into cybersecurity. Whether by subscribing to a newsletter or sending an introductory message to a security professional, start your journey small and take bigger steps as you progress. If you want to read a list of resources and suggestions that we put together, be sure to check out https://github.com/Finaris/tdi-2021.

This article is not an endorsement by Two Sigma of the papers discussed, their viewpoints or the companies discussed. The views expressed above reflect those of the authors and are not necessarily the views of Two Sigma Investments, LP or any of its affiliates (collectively, “Two Sigma”). The information presented above is only for informational and educational purposes and is not an offer to sell or the solicitation of an offer to buy any securities or other instruments. Additionally, the above information is not intended to provide, and should not be relied upon for investment, accounting, legal or tax advice. Two Sigma makes no representations, express or implied, regarding the accuracy or completeness of this information, and the reader accepts all risks in relying on the above information for any purpose whatsoever. Click here for other important disclaimers and disclosures.