Netflix’s former cybersecurity chief on breaking into the high-demand industry

Netflix signage next to the Nasdaq MarketSite in New York, as seen in January 2022. (Photographer: Michael Nagle—Bloomberg/Getty Images)

A growing number of cyber attacks means that the demand for cybersecurity professionals will continue to grow. The burgeoning industry is expected to hit a $2 trillion addressable market, according to a new survey conducted by McKinsey & Co, which is placing even greater pressure on companies to fill vacancies. 

The trouble is that we’re already steeply behind in filling open cybersecurity positions. There are millions of unfilled jobs worldwide, with more than 700,000 open gigs in the U.S. alone, data from Cybersecurity Ventures shows. People interested in a career in cybersecurity have plenty of ways to kickstart a career in the field—but companies must also broaden their recruiting processes. 

The latter problem is one that can be fixed, however. The industry needs to make it “simpler for folks from all different backgrounds” to get a head start in the field, Jason Chan, the former cybersecurity chief of Netflix, tells Fortune.

Chan took the self-study and certification route, which can be an effective alternative to earning a bachelor’s degree or master’s degree in the field—and especially for cybersecurity roles that don’t necessarily require a mastery of computer science.

Chan has worked in the cybersecurity industry for about 25 years, with a career that began at the U.S. Department of Defense before he moved on to boutique consultancies doing pen testing and security systems testing. Chan spent the final 10 years of his career building and leading the security team at Netflix, where he also led the IT team. Since retiring last summer, Chan has been advising startups and has been working as an executive in residence with Bessemer Venture Partners, a top venture capital firm, where he works primarily with cybersecurity firms and cloud infrastructure developer tools. 

Fortune sat down with Chan to learn about how the cybersecurity industry has changed throughout the course of his career, his advice about breaking into the industry for entry-level workers, and insights for companies grappling with the growing need for cybersecurity.

The following interview has been edited for brevity and clarity. 

How to start a cybersecurity career

Fortune: What is your advice for someone looking to enter the industry?

Chan: I think it’s certainly viable to pursue a more formal pathway, whether it’s a bachelor’s degree or master’s degree. I myself did a lot of self-study and I took the certification route, which I think is also valid. There’s a lot of industry certifications, so there’s tons you can do on your own to learn. There’s tons you could do formally. Certainly when I was in school there weren’t any cybersecurity programs. It’s been nice to see a lot of great institutions create these programs. 

But I would say there’s still a bit of a gap between what you can learn in school versus what you need to be successful as a cybersecurity professional. What we need to do as an industry is to make it simpler for folks from all different backgrounds, whether it’s technical, self-study, or school, to be able to come in and be successful because there are tons of different roles. You certainly don’t need a computer science background for all of them. The learning curve is still a bit too high. The on-ramp is still a bit too bumpy for most entry-level roles.

Are certifications necessary to be successful in the field?

To certify or not certify has been a long running battle in not just security, but in tech more broadly. There are folks that devalue those and they think they’re just paper and other folks who—like me, personally—think that certifications can be a great route to learning the body of knowledge that would be expected for the field. It’s not necessarily guaranteed you’re going to get a job, but for me having gone that route myself earlier in my career, it was super helpful to me just to have a structured way of getting the knowledge. Otherwise, if you’re relying on knowing people to train you or learn by osmosis, well, when you’re starting out, you don’t really know anybody.

You need some kind of mechanism to get some of that knowledge in your brain. So it was helpful to me. I would be wary of anybody who writes off certifications or who puts too much value in them. To me, it’s just one other factor of evaluating the candidate, but I think it’s a super accessible way of getting the knowledge. 

What are important soft skills to have in cybersecurity?

I think we tend to overemphasize hard skills and technical skills. Communication is the number one soft skill. One of the things I think is most important, and I’m seeing it a bunch with folks I talk to, is written communication has become so critical now that we’re in a different work world where we’re very distributed and very asynchronous. The ability to be concise and succinct, but also influential in writing is incredibly important. Plus, technical skills tend to turn over, you know, every sort of three to five years.

Advice to companies figuring out their cybersecurity needs

What can companies do to better articulate their cybersecurity needs?

I’m always a big fan of pragmatism and practicality and really prioritizing. You can never do everything right. It’s really about figuring out what are the most important assets and the most critical threats that you think could impact your company. If I’m thinking about the hiring side and how do I attract talent, you have to be able to understand the candidate’s mindset. 

When I was at Netflix there were a lot of positives. It was a fast-growing company. It was an interesting space in entertainment. But, at the end of the day we were entertaining people. That’s a different mission than, say, if you’re working for the federal government or if you’re in financial services. 

Some people in security are more interested in protecting high value, high consequence environments like national security. Frankly, for those kinds of folks, we were never going to be able to hire them from that. They were looking for a different mission. If I’m thinking about how to convince candidates that Netflix is a good place to work, first off I would be honest and transparent about what the challenges are, what’s good and bad and recognize that people have a lot of different choices.

What should companies be doing to build up their cybersecurity practices?

When you’re first starting out I would tend to look more at generalists and folks with broader experience. Security has become an incredibly broad field and very deep. You’ll have so many individual domains that go really, really deep, and frankly it’s just impossible to be able to cover the entire breadth and the entire depth. 

Your first few folks, you want to have been exposed to a few different domains within the field. This includes things like infrastructure security and incident response or cloud security. As you build a team (assuming your organization is successful and that it grows over time), then those initial folks who are generalists will then have a focus potentially to move into team leadership roles as you start to specialize. I’ve always liked the analogy of crawl, walk, run—meaning that there’s a general progression of maturity as an organization or a company. 

How has cybersecurity changed over time?

What do you wish you had known before committing to a career in the industry?

If you think that once you’ve left school that your learning is done and now you just go and do your job, frankly, you’re going to be disappointed. You’ll need to continue to update your own skill set as you proceed and as the industry proceeds. With the industry now versus what it was 10 years ago versus 20 years ago, I think you’d have a hard time recognizing it. I advise being open-minded and being flexible and understanding that it’s a journey. You’re going to need to adapt as you move forward.

What major changes in cybersecurity have you seen throughout your career?

When I started in the late ’90s, there wasn’t really an industry to speak of. There were some vendors, but most companies didn’t have security teams. I was just working general IT. It’s just grown and matured into an industry really on both sides. You have practitioners. You’ve got a whole robust vendor ecosystem trying to solve problems. On the corporate side, there are organizations trying to staff. We’re behind in terms of hiring. There’s probably millions of jobs out there.

During my time at Netflix and hiring for 10 years, I don’t think I ever met my hiring targets. There were always roles you just couldn’t fill. Any great candidate probably has five or 10 options for what they could do. It’s really, really tough. Very competitive.

What a cybersecurity role at a tech company looks like

Tell me about your time managing security teams at Netflix.

When I started in 2011, Netflix was a much smaller company with 500-600 employees and really just starting to get into the streaming space. Netflix started as a DVD-by-mail service. If I were to try to characterize my time at Netflix, it was really about change and growth for the company. On the tech side, we were moving from data centers that we manage to the public cloud with Amazon Web Services. On the business side, we were going from DVD-by-mail to streaming. We were also going from a U.S. company to being a global company.

And there’s all kinds of interesting problems that that brings about. Probably the biggest change was going from being a distributor of other studios’ content to creating our own content. So, if you think about “Stranger Things” and “House of Cards,” Netflix started basically creating its own content. So for us on the security side, it went from a more well-understood problem to where you’re protecting a large-scale consumer internet service. There’s a lot of services that consumers use. 

That’s a hard enough problem, but then when you combine being the largest subscription-based streaming service with also being the largest entertainment studio in the world, that brought a bunch of different challenges and changes. You’re trying to combine the Silicon Valley tech culture with the Hollywood entertainment culture. You’re trying to make it all work with a single approach to security, even though you have really dramatically different cultures. There was always something new. 
