By Lake Sydney, 02 November 2022, 20:35
Netflix signage next to the Nasdaq MarketSite in New York, seen in January 2022. (Photographer: Michael Nagle—Bloomberg/Getty Images)
An increasing number of cyberattacks means that the demand for cybersecurity professionals will continue to grow. The booming industry is set to reach an addressable market of $2 trillion, according to a new survey by McKinsey & Co, which is putting even greater pressure on companies to fill vacancies.
The problem is that we are already way behind in filling cybersecurity vacancies. There are millions of unfilled jobs around the world, with more than 700,000 open positions in the United States alone, according to data from Cybersecurity Ventures. People interested in cybersecurity have many ways to start a career in the field, but companies also need to broaden their recruitment processes.
This last problem is one that can be solved, however. The industry needs to make it “easier for people from all walks of life” to get ahead in the field, Jason Chan, Netflix’s former cybersecurity chief, told Fortune.
Chan has chosen the path of self-study and certification, which can be an effective alternative to earning a bachelor’s or master’s degree in the field, especially for cybersecurity positions that do not necessarily require computer skills.
Chan has worked in the cybersecurity industry for approximately 25 years, with a career that began at the US Department of Defense before moving to consulting firms specializing in penetration testing and security system testing. Chan spent the last 10 years of his career building and leading the security team at Netflix, where he also led the IT team. Since retiring last summer, Chan has been advising startups and working as an executive-in-residence at Bessemer Venture Partners, a leading venture capital firm, where he works primarily with cybersecurity companies and cloud infrastructure development tools.
Fortune sat down with Chan to learn more about how the cybersecurity industry has evolved over his career, his advice on entering the industry for entry-level workers, and his insights for companies struggling with the growing need for cybersecurity.
The following interview has been edited for brevity and clarity.
How to start a cybersecurity career
Fortune: What is your advice for someone looking to enter the industry?
Chan: I think it’s certainly viable to take a more formal route, whether it’s a bachelor’s or master’s degree. I’ve done a lot of self-study myself and gone the certification route, which I think is worthwhile as well. There are plenty of industry certifications out there, so there are tons of things you can do on your own to learn. There are tons you could do formally. When I was in school, there was no cybersecurity curriculum. It’s nice to see many great institutions creating these programs.
But I would say there is still a small gap between what you can learn in school and what you need to be successful as a cybersecurity professional. What we need to do as an industry is make it simple so people from all walks of life, whether it’s a technical self-study school, can come in and be successful because there are tons of different roles. You definitely don’t need computer training at all. The learning curve is still a bit too high. The on-ramp is still a bit too bumpy for most entry-level roles.
Are certifications necessary to succeed in the field?
To certify or not to certify has been an uphill battle, not just in security, but in technology in general. There are people who devalue them and they think they are just paper and others who, like me personally, think that certifications can be a great way to learn the body of knowledge expected in the domain. It’s not necessarily guaranteed that you’ll get a job, but for me who went down this route earlier in my career, it was very helpful to have a structured way of getting the knowledge. Otherwise, if you rely on knowing people to train you or learn by osmosis, well, when you start, you really don’t know anyone.
You need some kind of mechanism to get some of that knowledge into your brain. So that was helpful to me. I would be wary of anyone foregoing certifications or placing too much value on them. To me, it’s just another candidate assessment factor, but I think it’s a super accessible way to get the knowledge.
What are the important soft skills to have in cybersecurity?
I think we tend to overemphasize hard skills and technical skills. Communication is the first soft skill. One of the things that I think is most important, and I see this a lot with the people I talk to, is that written communication has become so critical now that we’re in a different world of work where we are very distributed and very asynchronous. The ability to be concise and succinct, but also influential in writing is extremely important. Also, technical skills tend to renew, you know, every three to five years.
Advice to companies in defining their cybersecurity needs
What can companies do to better articulate their cybersecurity needs?
I’m always a big fan of pragmatism and practicality and prioritization. You can never do everything right. It’s really about figuring out which are the most important assets and the most critical threats that you think could impact your business. If I think about recruitment and how to attract talent, you have to be able to understand the mindset of the candidate.
When I was at Netflix, there were a lot of positives. It was a fast growing business. It was an interesting space in entertainment. But, at the end of the day, we were entertaining people. It’s a different mission than, say, if you work for the federal government or if you’re in financial services.
Some people in the security field are more interested in protecting high-value, high-consequence environments like national security. Frankly, for those kinds of people, we could never have hired them from there. They were looking for another mission. If I’m thinking about how to convince applicants that Netflix is a good place to work, I would first be honest and transparent about the challenges, which is good and bad, and recognize that people have a lot of different choices.
What should companies do to strengthen their cybersecurity practices?
When you’re just starting out, I would tend to look more at generalists and people with broader experience. Security has become an incredibly broad and very deep field. You’ll have so many individual areas that go really, really deep, and frankly, it’s just impossible to be able to cover the full breadth and depth.
Your first people, you want to have been exposed to a few different areas within the field. This includes things like infrastructure security and incident response or cloud security. As you build a team (assuming your organization is successful and grows over time), early generalists will then aim to potentially move into team leadership roles as you go, as you begin to specialize. I’ve always liked the analogy of crawling, walking, running, meaning there’s a general progression of maturity as an organization or business.
How has cybersecurity evolved over time?
What do you wish you had known before embarking on a career in the industry?
If you think that once you’ve left school, your apprenticeship is over and now you’re going to do your job, frankly, you’re going to be disappointed. You will need to keep updating your own skills as you progress and the industry progresses. With the industry today versus where it was 10 years ago versus 20 years ago, I think you would have a hard time recognizing that. I advise to be open-minded and to be flexible and to understand that it is a journey. You will have to adapt as you go.
What major cybersecurity changes have you seen throughout your career?
When I started in the late 90s, there wasn’t really an industry to speak of. There were a few vendors, but most companies didn’t have security teams. I was just working in general IT. It’s just become a really two-sided industry. You have practitioners. You have a whole ecosystem of robust vendors trying to fix the issues. On the corporate side, there are organizations that are trying to recruit staff. We are behind in hiring. There are probably millions of jobs there.
During my time at Netflix and for 10 years of being hired, I don’t think I’ve ever achieved my hiring goals. There were always roles you just couldn’t fill. Any good candidate probably has five or 10 options for what they could do. It’s really very hard. Very competitive.
What a cybersecurity role looks like at a technology company
Tell me about your time managing security teams at Netflix.
When I started in 2011, Netflix was a much smaller company with 500-600 employees and was really starting to enter the streaming space. Netflix started out as a DVD-by-mail service. If I were to try to characterize my time at Netflix, it was really about change and growth for the company. On the technology side, we were in the process of moving from the data centers that we manage to the public cloud with Amazon Web Services. On the business side, we went from DVD-by-mail to streaming. We were also transitioning from an American company to a global company.
And that leads to all sorts of interesting problems. Probably the biggest change was moving from being a distributor of other studios’ content to creating our own content. So if you think of “Stranger Things” and “House of Cards,” Netflix started to essentially create its own content. So for us on the security side, it went from being a better understood issue to where you’re protecting a consumer Internet service. There are many services that consumers use.
It’s a pretty tough problem, but when you combine being the biggest subscription streaming service with the biggest entertainment studio in the world, it brought a bunch of different challenges and changes. You try to combine the tech culture of Silicon Valley with the entertainment culture of Hollywood. You try to make everything work with a single approach to security, even though you have very, very different cultures. There was always something new.