Do You Have to Know Coding To Work in Cybersecurity?
There's a short answer, and a little longer one
One of the questions I hear the most often when I’m working with students on the MITxPro Professional Certificate in Cybersecurity course, and from people in general who are looking to get a job in cybersecurity, is whether you have to have strong coding (or programming) skills. The short answer is …
No
As with many questions on most any subject, there’s a little more to it than just the flat no. So I’ll break this down a little with a couple follow-on questions:
Q: Do you need to have coding skills to even get an interview? Will your resume get tossed aside immediately if it doesn’t list coding skills?
This is a No, with a qualifier attached. For the majority of cyber job roles, coding skills will not be a requirement - end of story. In some cases it might be a “nice to have” listing in a job description, and/or a skill you would be encouraged to develop over time. But again, those will be less common than roles that don’t require them at all.
Q: Which cyber roles are more likely / less likely to require coding skills?
More Likely To Ask for Coding Skills:
Digital Forensics and Incident Response (DFIR)
SOC Analyst / Engineer - Tier 2, Tier 3 - *not* Tier 1
Penetration tester
Note that these are more likely to ask for coding skills. They will not always be required. For example, a member of a penetration testing team who focuses on physical security or network security will probably not need to have coding skills.
Less Likely To Ask for Coding Skills:
For the less likely roles, I could just say just about everything else. A colleague of mine on the MITxPro course has made the comparison between cybersecurity and the medical field - in terms of the wide range of job types within each of them. I think that’s a fair comparison. With that in mind, I’m not going to say that every cyber job type not listed above will not require coding skills. I will say, again, that the majority of them won’t. Some examples are:
Governance, Risk, and Compliance (GRC)
Vulnerability Management
SOC Analyst / Engineer Tier 1
Another way to gauge or measure this, though from a purely anecdotal perspective: I’ve been working in and around cybersecurity for more than 15 years, and around 90 percent of the people I’ve worked with did not/do not have coding skills at all or only very minimal skills.
But …
There’s a but here; it’s not an “Oh No” sort of but though. It’s a much friendlier sort of but. There are some skills that could be considered cousins of coding that are extremely useful in a wide variety of cybersecurity jobs. The good news is that these are much easier skills to get to grips with and become proficient with.
Being able to write scripts, or at least able to take an existing script and edit it to serve a specific purpose, is one of these. Here’s an example of a basic Windows logon script, and a quick rundown of what it’s doing:
Explanation:
@echo off
turns off command echoing so the commands themselves are not printed.REM
allows comments in batch files.echo
prints the given message.%username%
prints the username.net use
maps network drives.start
launches an application in the background.Blank quotes
""
are used for the window title to launch apps hidden.echo
prints when the script is done.
Another of these cousin skills that is even more useful is developing an ability to work with queries and query languages. These are often even easier to get comfortable with than writing or editing scripts. There is a wide variety of query languages, and the ones you will want to get familiar with will vary by your job role within cyber. A common, or perhaps foundational, example is OSQUERY.
One last qualifier to share on this topic is that coding skills - even in cyber roles that will never require them - will always be appreciated - and will likely get put to good use.
For any of you who are currently weighing up how much attention you need to put on developing coding skills, or have any questions on this topic - please fire away in the comments and I’ll do my best to give you good answers.