This is a cross-post of a career review from the 80,000 Hours website written by Jarrah Bloomfield. See the original here.
As the 2016 US presidential campaign was entering a fractious round of primaries, Hillary Clinton’s campaign chair, John Podesta, opened a disturbing email. The March 19 message warned that his Gmail password had been compromised and that he urgently needed to change it.
The email was a lie. It wasn’t trying to help him protect his account — it was a phishing attack trying to gain illicit access.
Podesta was suspicious, but the campaign’s IT team erroneously wrote the email was “legitimate” and told him to change his password. The IT team provided a safe link for Podesta to use, but it seems he or one of his staffers instead clicked the link in the forged email. That link was used by Russian intelligence hackers known as “Fancy Bear,” and they used their access to leak private campaign emails for public consumption in the final weeks of the 2016 race, embarrassing the Clinton team.
While there are plausibly many critical factors in any close election, it’s possible that the controversy around the leaked emails played a non-trivial role in Clinton’s subsequent loss to Donald Trump. This would mean the failure of the campaign’s security team to prevent the hack — which might have come down to a mere typo — was extraordinarily consequential.
These events vividly illustrate how careers in infosecurity at key organisations have the potential for outsized impact. Ideally, security professionals can develop robust practices that reduce the likelihood that a single slip-up will result in a significant breach. But this key component for the continued and unimpaired functioning of important organisations is often neglected.
And the need for such protection stretches far beyond hackers trying to cause chaos in an election season. Information security is vital to safeguard all kinds of critical organisations such as those storing extremely sensitive data about biological threats, nuclear weapons, or advanced artificial intelligence, that might be targeted by criminal hackers or aggressive nation states. Such attacks, if successful, could contribute to dangerous competitive dynamics (such as arms races) or directly lead to catastrophe.
Some infosecurity roles involve managing and coordinating organisational policy, working on technical aspects of security, or a combination of both. We believe many such roles have thus far been underrated among those interested in effective altruism and reducing global catastrophic risks, and we’d be excited to see more altruistically motivated candidates move into this field.
In a nutshell
Organisations with influence, financial power, and advanced technology are targeted by actors seeking to steal or abuse these assets. A career in information security is a promising avenue to support high-impact organisations by protecting against these attacks, which have the potential to disrupt an organisation’s mission or even increase existential risk.
- Jeffrey Ladish contributed to this career review. We also thank Wim van der Schoot for his helpful comments.
Why might information security be a high-impact career?
Information security protects against events that hamper an organisation’s ability to fulfil its mission, such as attackers gaining access to confidential information. Information security specialists play a vital role in supporting the mission of organisations, similar to roles in operations.
So if you want an impactful career, expertise in information security could enable you to make a significant positive difference in the world by helping important organisations and institutions be secure and successful.
Compared to other roles in technology, an information security career can be a safe option because there may be less risk you could have a negative impact. In general, preventing attacks makes the world a safer place, even if it’s not clear whether potential victim organisations are providing net positive impact themselves. When a company is hacked, the harm can disproportionately fall on others — such as people who trusted the company with their private information.
On the other hand, information security roles can sometimes have limited impact even when supporting high-impact areas, if the organisation does not genuinely value security. Many organisations have security functions primarily so that they can comply with regulations and compliance standards for doing business. These security standards have an important role, but when they are applied without care for achieving real security outcomes, it often leads to security theatre. It is not uncommon for security professionals to realise that they are having minimal impact on the security posture of their organisation.
Protecting organisations working on the world’s most pressing problems
Organisations working on pressing problems need cybersecurity expertise to protect their computer systems, financial resources, and confidential information from attack. In some ways, these challenges are similar to those faced by any other organisation; however, organisations working on major global problems are sometimes special targets for attacks.
These organisations — such as those trying to monitor dangerous pathogens or coordinate to reduce global tensions — often work with international institutions, local political authorities, and governments. They may be targeted by state-sponsored attacks from countries with relevant geopolitical interests, either to steal information or to gain access to other high-value targets.
Some high-impact organisations have confidential, sensitive discussions as part of their work, where a leak of information through a security compromise would damage trust and their ability to fulfil their mission. This is especially relevant when operating in countries with information control and censorship regimes.
In extreme cases, some organisations need help protecting information that could be harmful for the world if it was known more widely, such as harmful genetic sequences or powerful AI technology.
In addition to threats from state-sponsored attackers, cybercrime groups also raise serious risks.
They seek financial gain through extortion and fraud — for example, by changing payment information, ransoming data, or threatening to leak confidential correspondence. Any organisation is vulnerable to these attacks. But organisations that handle particularly sensitive information or large value financial transactions, such as philanthropic grantmaking funds, are especially likely targets.
What does working in high-impact information security roles actually look like?
“Defensive” cybersecurity roles — where the main job is to defend against attacks by outsiders — are most commonly in demand, especially in smaller nonprofit organisations and altruistically minded startups that don’t have the resources to hire more than a single security specialist.
In some of these roles, you’ll find yourself doing a mix of hands-on technical work and communicating security risk. For example:
- You will apply an understanding of how hackers work and how to stop them.
- You will set up security systems, review IT configurations, and provide advice to the team about how to do their work securely.
- You will test for bugs and vulnerabilities and design systems and policies that are robust to a range of possible attacks.
Having security knowledge across a wide range of organisational IT topics will help you be most useful, such as laptop security, cloud administration, application security, and IT accounts (often called “identity and access management”).
You can have an outsized impact relative to another potential hire by working for a high-impact organisation where you understand their cause area. This is because information security can be challenging for organisations that are focussed on social impact, as industry standard cybersecurity advice is built to support profit motives and regulatory frameworks. Tailoring cybersecurity to how an organisation is trying to achieve its mission — and to prevent the harmful events the organisation cares most about — could greatly increase your effectiveness.
An important part of this is bringing your team along for the journey. To do security well, you will regularly be asking people to change the way they work (likely adding hurdles!), so being an effective communicator can be as important as understanding the technical details. Helping everyone understand why certain security measures matter and how you’re balancing the costs and benefits is required for the team to accept additional effort or seemingly unnecessary steps.
Ethical hacking roles, in which you’re tasked with breaking the defences of your clients or employers in order to ultimately improve them, are also important for cybersecurity — but only very large organisations have positions for these sorts of “offensive” (or “red teaming”) roles. More often, such roles are at cybersecurity services companies, which are paid to do short-term penetration testing exercises for clients.
If you take such a role, it would be hard to focus on the security of impactful organisations in order to maximise your impact, because you often have little choice about which clients you’re supporting. But you could potentially build career capital in these kinds of positions before moving on to more impactful jobs.
What kind of salaries do cybersecurity professionals earn?
Professionals in information security roles such as cybersecurity earn high salaries. The US Bureau of Labor Statistics reported that the median salary for information security analysts was over $100,000 a year in 2021.
While you’ll likely have a bigger impact supporting an organisation directly if the organisation is doing particularly important work, earning to give can still be a high-impact option, especially when you focus on donating to the most effective projects that could use the extra funds.
How to assess your fit in advance?
A great way to gauge your fit for information security is to try it out. There are many free online resources that will give you hands-on experience with technical aspects of security. You can get a basic introduction through the SANS Cyber Aces course.
Some other ideas to get you started:
- Try out ethical hacking to understand how hacks work and gain an intuition for security loopholes. Find a tutorial on basic attacks (e.g. OverTheWire or HackTheBox) or a course (e.g. Coursera’s Ethical Hacking Essentials). Read up on high-profile vulnerabilities, and see if there are any guides on setting up a lab environment and exploiting them (e.g. Log4Shell). If you’re studying at a university, it may be easy to join a Capture the Flag (CTF) team.
- Play around with security tools. Wireshark will inspect the surprising variety of network traffic on your computer, and Burp Suite Community can go deeper into web requests. Scan your home network for vulnerabilities with Nessus Essentials.
- Set up your own infrastructure. Host a virtual machine. Build a web server and secure it. Try installing Elastic Stack and Zeek. Get the AWS Free Tier and poke around the cloud administrator settings.
Having a knack for figuring out how computer systems work, or enjoying applying a security mindset, are predictors that you might be a good fit — but they are not required to get started in information security.
How to enter infosecurity
Entering with a degree
The traditional way to enter this field is to study an IT discipline — such as computer science, software engineering, computer engineering, or a related field — in a university that has a good range of cybersecurity courses. However, you shouldn’t think of this as a prerequisite — there are many successful security practitioners without a formal degree. A degree often makes it easier to get entry-level jobs though, because many organisations still require it.
Aside from cybersecurity-labelled courses, a good grasp of the fundamentals of computer systems is useful. This includes topics on computer networks, operating systems, and the basics of how computer hardware works. We suggest you consider at least one course in machine learning — while it’s difficult to predict technology changes, it’s plausible that AI technologies will dramatically change the security landscape.
Consider finding a part-time job in an IT area while studying (see the next section), or doing an internship. This doesn’t need to be in an information security capacity; it can just be a role where you get to see first-hand how IT works. What you learn in university and what happens in practice are different, and understanding how IT is applied in the real world is vital.
In the final year of your degree, look for entry-level cybersecurity positions — or other IT positions, if you need to.
We think that jobs in cybersecurity defensive roles are ideal for gaining the broad range of skills that are most likely to be relevant to high-impact organisations. These have role titles such as Security Analyst, Security Operations, IT Security Officer, Security Engineer, or even Application Security Engineer. “Offensive” roles such as penetration testing can also provide valuable experience, but you may not get as broad an overview across all of the fronts relevant to enterprise security, or experience the challenges with implementation first-hand.
Entering with (just) IT experience
It is also possible to enter this field without a degree.
If you have a good working knowledge of IT or coding skills, a common path is to start in a junior role in internal IT support (or similar service desk or help desk positions) or software role. Many people working in cybersecurity today transitioned from other roles in IT. This can work well if you are especially interested in computers and are motivated to tinker with computer systems in your own time.
A lot of what you’ll learn in an organisational IT role will be useful for cybersecurity roles. Solid IT management requires day-to-day security, and understanding how the systems work and the challenges caused by security features is important if you’re going to be effective in cybersecurity.
Do you need certifications?
There are many cybersecurity certifications you can get. They aren’t mandatory, but having one may help you get into an entry-level job, especially if you don’t have a degree. The usefulness varies depending on how reputable the provider is, and the training and exams may be expensive.
Some well-regarded certifications are CompTIA Security+, GIAC Security Essentials, OSCP Penetration Testing, and Certified Ethical Hacker. Vendor and technology certifications (e.g. Microsoft or AWS) generally aren’t valuable unless they’re specific to a job you’re pursuing.
What sorts of places should you work?
For your first few years, we recommend prioritising finding a role that will grow your knowledge and capability quickly. Some high-impact organisations are quite small, so they may not be well-placed to train you up early in your career, because they’ll likely have less capacity for mentorship in a range of technical areas.
Find a job where you can learn good IT or cybersecurity management from others.
The best places to work will already have relatively good security management practices and organisational maturity, so you can see what things are supposed to look like. You may also get a sense of the barriers that prevent organisations from having ideal security practices. Being able to ask questions from seasoned professionals and figure out what is actually feasible helps you learn more quickly than running up against all of the roadblocks yourself.
Tech companies and financial organisations have a stronger reputation for cybersecurity. Security specialist organisations — such as in consulting, managed security providers, or security software companies — can also be great places to learn. Government organisations specialising in cybersecurity can provide valuable experience that is hard to get outside of specific roles.
Once you’re skilled up, the main thing to look for is a place that is doing important work. This might be a government agency, a nonprofit, or even a for-profit. We list some high-impact organisations here. Information security is a support function needed by all organisations to different degrees. How positive your impact is will depend a lot on whether you’re protecting an organisation that does important and pressing work. Below we discuss specific areas where we think additional people could do the most impactful work.
Safeguarding information hazards
Protecting information that could be damaging for the world if it was stolen may be especially impactful and could help decrease existential risk.
Some information could increase the risk that humanity becomes extinct if it were leaked. Organisations focussed on reducing this risk may need to create or use this information as part of their work, so working on their security means you can have a directly positive impact. Examples include:
- AI research labs, which may discover technologies that could harm humanity in the wrong hands.
- Biorisk researchers who work on sensitive materials, such as harmful genetic sequences that could be used to engineer pandemics.
- Research and grantmaking foundations that have access to sensitive information on the strategies and results of existential risk reduction organisations.
Contributing to safe AI
Security skills are relevant for preventing an AI-related catastrophe. Security professionals can bring a security mindset and technical skills that can mitigate the risk of an advanced AI leading to disaster.
If advanced AI ends up radically transforming the global economy, as some believe it might, the security landscape and nature of threats discussed in this article could change in unexpected ways. Understanding the cutting-edge uses of AI by both malicious hackers and infosecurity professionals could allow you to have a large impact by helping ensure the world is protected from major catastrophic threats.
Working in governments
Governments also hold information that could negatively impact geopolitical stability if stolen, such as weapons technology and diplomatic secrets. But it may be more difficult to have a positive impact through this path working in government, as established bureaucracies are often resistant to change, and this resistance may prevent you from having impact.
That said, the scale of government also means that if you are able to make a positive change in impactful areas, it has the potential for far-reaching effects.
People working in this area should regularly reassess whether their work is, or is on a good path to, making a meaningful difference. There may be better opportunities inside or outside government.
You may have a positive impact by working in cybersecurity for your country’s national security agencies, either as a direct employee or as a government contractor. In addition, these roles may give you the experience and professional contacts needed to work effectively in national cybersecurity policy.
If you have the opportunity, working to set and enforce sensible cybersecurity policy could be highly impactful.
Want one-on-one advice on pursuing this path?
If you think this path might be a great option for you, but you need help deciding or thinking about what to do next, our team might be able to help.
We can help you compare options, make connections, and possibly even help you find jobs or funding opportunities.
- Podcast: Nova DasSarma on why information security may be critical to the safe development of AI systems
- Mitigating catastrophic biorisks — a talk by MIT professor Kevin Esvelt about why advanced information security is important for reducing biorisks
- Information security considerations for AI and the long-term future — an Effective Altruism Forum post by Jeffrey Ladish and Lennart Heim
- Podcast: Bruce Schneier on how insecure electronic voting could break the United States — and surveillance without tyranny
- Security Mindset and Ordinary Paranoia — an analysis by Eliezer Yudkowsky of the Machine Intelligence Research Institute
- OK, So I Need Security. Where Do I Start? — a white paper by Lyde Andrews of SANS
- How to build a cybersecurity career — a blog post by Daniel Miessler, an infosecurity professional with more than 20 years of experience
- Information security careers for global catastrophic risk reduction — an Effective Altruism Forum post by Claire Zabel and Luke Muehlhauser of Open Philanthropy
Notes and references
- This account is based on public reporting of the incident in outlets including Vox, Vice, and CNN.
- “‘This is a legitimate email,’ Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta’s aides, who had noticed the alert. ‘John needs to change his password immediately.’ With another click, a decade of emails that Mr. Podesta maintained in his Gmail account — a total of about 60,000 — were unlocked for the Russian hackers. Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an ‘illegitimate’ email, an error that he said has plagued him ever since.” See The New York Times.