This is just a collection of pieces of advice I have provided to friends/family/acquaintances over the years. It isn’t an end-all list or a guaranteed roadmap of how to get a career in cybersecurity, but it is hopefully a start for someone out there!
Keep in mind as I write this, I have only ever been a part of small cybersecurity teams, where ownership is spread around and all hands are consistently sharing responsibilities. The idea that larger companies actually have TEAMS of people dedicated to Vulnerability Management, Incident Response, Threat Intelligence, even User Training, is bonkers to me. That perspective has led me to the conclusion that security operatives have to either a) know everything or b) be able to find the answer to nearly everything. Any given morning you may have to review a pull request for a new feature and spot bad ideas before they get to production, and then in the afternoon you may be pulling forensic images and diving into incident response.
The number one skill set, for any security person, is the patience and capability to research, read content, and take action based on new information.
There are other things though, that make people much more marketable to recruiters and hiring managers!
College versus Certificates
Both? Both? Both! Both is good
— Miguel and Tulio, The Road to El Dorado
Papers matter to A LOT of people. There is a massive movement that hates colleges and thinks certifications don’t actually mean anything, but the people in that movement and the people who are hiring security folks don’t completely overlap in a Venn diagram.
College is a great choice, and having an Associate's or Bachelor's helps out a ton. It’s only a piece of paper, but you will learn a ton of stuff (if you put in the effort), and some colleges now include certification courses that help you get a further leg up. Local colleges can often help you network with local people and businesses. Plus, you will be able to network amongst your classmates to develop relationships that can help you down the road.
Certifications can be extremely valuable. SANS GIAC certs are very expensive ($7,000+) but are the best in the business. Recently Wild West Hacking Fest has started offering some other great training courses as well, with much more affordable pricing. Other starter certs are Security+ and CEH. None of these are free though, so don’t sit for one unless you are confident you can pass it on the first attempt.
Non-security intro certs like Network+, A+, AWS Cloud Practitioner (CCP), and the basic Microsoft certs are very relevant! As a security operative you have to know what you are talking about and be able to operate on different technologies. You may know how to dig into packets like a pro, but if you are handed a desktop machine and asked to ‘harden’ it, what do you need to do? Being adaptive is extremely important for security folks.
Experience
Labs and practice are hugely important, for any field in technology. If you don’t have a single degree or certification, but can demonstrate that you have hands-on-keyboard skills, most security teams will give you a serious look. The following questions are critical for a security person:
- Can you google a solution to your problem? Today’s jobs don’t really require you to memorize everything you will ever need to know. However, you have to be able to Google your way to a reliable, well-thought-out solution.
- Can you spin up a virtual machine? Do you know what VMware is? What about EC2 instances or Compute Engine instances?
- Have you built yourself a lab?
- Can you script/code? You WILL need to be able to do stuff in code. Period.
- Can you pull a forensic image from a Linux and a Windows machine?
- What is identity lifecycle management? Zero Trust? In today’s fully connected world, identity and authorization are among the most important controls we have. Security must be keeping an eye on this realm.
- Can you perform a network capture without Wireshark? (Look up tcpdump; on Windows, can you do it with PowerShell, netsh trace, or pktmon?)
- Can you read a packet capture with Wireshark?
- Do you know what CSRF is and how to mitigate it as a risk? (https://www.hacksplaining.com/)
- Install Burp Suite (the Community Edition is free) and work through PortSwigger's Web Security Academy.
- Can you detect attacks in logs? Given a day of SSH or web server logs, can you pick out the brute force, the scan, or the login from the wrong country?
- Can you read? I’m not joking: most days I am either doing nothing but writing code or reading threat reports. Maybe once a week I am actually dealing with an incident/investigation. You have to be able to read efficiently, and understand what you are reading.
- Set up an RSS app and subscribe to Dark Reading, Krebs on Security, and Black Hills Information Security (BHIS).
- Attend BHIS webinars; most are free and have a shit ton of good info.
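To make the "can you detect attacks in logs?" question concrete, here is an added example (mine, not part of the original post) that flags an SSH password brute force and, worse, a success right after one. The log lines are constructed for the example in the usual syslog/sshd format; the threshold of 5 failures in 60 seconds and the year used for timestamps are arbitrary assumptions, not anything the post specifies.

```python
"""Added example: detect an SSH brute force in sshd log lines.

Not from the original post. The sample log is constructed; the threshold,
window and year are assumptions chosen for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures from 203.0.113.7 in ~20 seconds followed by
# a success, then one stray failure from 198.51.100.9 (below the threshold).
SAMPLE_LOG = """\
Mar  3 08:14:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 08:14:04 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 08:14:07 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 08:14:09 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 08:14:15 bastion sshd[1205]: Failed password for ops from 203.0.113.7 port 51041 ssh2
Mar  3 08:14:19 bastion sshd[1205]: Failed password for ops from 203.0.113.7 port 51041 ssh2
Mar  3 08:14:22 bastion sshd[1205]: Accepted password for ops from 203.0.113.7 port 51041 ssh2
Mar  3 08:30:00 bastion sshd[1300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  3 08:31:00 bastion sshd[1301]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse(log_text, year=2024):
    """Yield (timestamp, result, user, ip) for each matching sshd auth line.
    Syslog timestamps carry no year, so one is assumed for date arithmetic."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd chatter (disconnects, key exchange), ignore
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        yield ts, m["result"], m["user"], m["ip"]


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for (a) any source IP with >= threshold failed logins inside
    a sliding window and (b) a successful login from such an IP within `window`
    of its last failure, which is the one you actually want to wake up for."""
    failures = defaultdict(list)  # ip -> recent failure timestamps
    flagged = {}                  # ip -> time the threshold was first crossed
    alerts = []
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({"kind": "bruteforce", "ip": ip,
                               "count": len(recent), "at": ts.isoformat()})
        else:  # Accepted
            last_fail = failures[ip][-1] if failures[ip] else None
            if ip in flagged and last_fail and ts - last_fail <= window:
                alerts.append({"kind": "success_after_bruteforce", "ip": ip,
                               "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run it and you get two alerts: the threshold crossing on the fifth failure from 203.0.113.7, and the accepted password for `ops` three seconds after the last failure. The single failure from 198.51.100.9 never trips anything. Note what this naive per-IP counter misses: a password spray (one or two attempts per account from many IPs) stays under the threshold everywhere, so a second detector keyed on distinct usernames per window is the natural follow-up.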
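And for the CSRF question in the list above, an added example (mine, not from the original post) of the vulnerable handler beside its hardened form. The mitigation shown is a per-session synchronizer token compared in constant time, plus an Origin/Referer check; the `session`, `form` and `headers` dictionaries are simplified stand-ins for a real framework's request objects, and `https://app.example` is an assumed site origin.

```python
"""Added example: CSRF, the vulnerable handler and the mitigated one.

Not from the original post. Framework-free stand-ins for session, form and
headers; the trusted origin is an assumption for the demo."""
import hmac
import secrets
from urllib.parse import urlparse

TRUSTED_ORIGINS = {"https://app.example"}  # assumed origin of our own site


def issue_csrf_token(session):
    """Mint one unguessable token per session; the form template embeds it in
    a hidden field. An attacker's page cannot read it (same-origin policy)."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers):
    """Reject state-changing requests whose Origin (or Referer) is another site.
    Compare scheme+host exactly, not by prefix, or app.example.evil would pass.
    A missing header is tolerated here only because some clients strip it;
    the token check still has to pass on its own."""
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return True
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" in TRUSTED_ORIGINS


def csrf_valid(session, form):
    """Synchronizer token check: the submitted token must equal the session's."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time compare


def transfer_vulnerable(session, form, headers):
    """Before: trusts the session cookie alone. A hidden auto-submitting form on
    evil.example rides on the victim's cookie and is accepted."""
    if not session.get("user"):
        return "login required"
    return f"sent {form['amount']} to {form['to']}"


def transfer_hardened(session, form, headers):
    """After: same handler, but cross-site origins and missing/wrong tokens fail."""
    if not session.get("user"):
        return "login required"
    if not origin_allowed(headers) or not csrf_valid(session, form):
        return "rejected: csrf"
    return f"sent {form['amount']} to {form['to']}"


def demo():
    """Replay a legitimate submission and a forged cross-site one against both."""
    session = {"user": "alice"}           # logged-in victim, cookie sent by browser
    token = issue_csrf_token(session)
    legit = {"to": "bob", "amount": "10", "csrf_token": token}
    forged = {"to": "mallory", "amount": "9999"}  # attacker has no way to learn the token
    same_site = {"Origin": "https://app.example"}
    cross_site = {"Origin": "https://evil.example"}
    return {
        "vuln_forged": transfer_vulnerable(session, forged, cross_site),
        "hard_forged": transfer_hardened(session, forged, cross_site),
        "hard_legit": transfer_hardened(session, legit, same_site),
        "hard_wrong_token": transfer_hardened(session, {**legit, "csrf_token": "x"}, same_site),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The vulnerable handler happily sends 9999 to mallory; the hardened one rejects the forged request and the wrong-token request and still accepts the real one. In production you would also set `SameSite=Lax` (or `Strict`) on the session cookie as defence in depth, and most deployments reject a missing Origin header outright rather than tolerating it as this demo does.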
My number one recommendation to anyone trying to break into the technology realm, regardless of whether you are trying to be in security or not, is to follow along with The Cloud Resume Challenge. That challenge exposes you to a number of different technologies, coding languages, and ideas. Plus, it gives you an amazing platform to build a space for yourself and your own personal brand!
Career Path
There is no cookie-cutter career path in cyber land. One of the best books about cybersecurity in the world is The Cuckoo's Egg by Cliff Stoll. Cliff was an astronomer/physicist and is now a glass blower. So anyone and everyone can break into cybersecurity if you have the desire! Also, it is probably a good thing to NOT start as a cybersecurity operative, and instead go into operations or development first. Security is about responding to and remediating risk generated by other business units; gaining experience in those other business units helps you understand how to manage that risk better.
Help Desk is a great starting point, especially if you stay with a company and promote up to Security. Help desk sees where users struggle, where there are security gaps in the identity management processes, and other critical pieces of the business landscape that an infosec person simply won’t. They also are probably going to see incidents bubbling up faster than you might think, the perfect example is a Ransomware outbreak when your endpoint protection isn’t working as well as you might like. Help desk will be flooded with tickets about systems rebooting randomly, weird filenames, etc.
You could also start out as a junior network engineer, a great place to get exposure to networking fundamentals and technologies. The OSI model is a bit outdated in our cloud-driven businesses today, BUT you will still find reasons to know what a VLAN is and how to troubleshoot network problems, and it gives you a great understanding of how to write better firewall rules.
Sysadmin is another awesome spot; you will develop server and software management skills that will help you in the long run. Regardless of what role you have in cybersecurity, you will probably interact with a server somehow. Whether that is collecting logs, hardening, or vuln analysis/remediation, you will need to know how to remote into a server and work securely. Hopefully you have a jump box!
Junior developer or automation engineer are both excellent places to jumpstart as well! You must be able to write code (whether that is ‘software’ code or ‘infrastructure’ code doesn’t matter) to thrive in today’s startups and cloud-based companies. Particularly in incident response, automation is the key to quickly depriving attackers of resources and eradicating the threat they represent.
Word of caution: like IT, security is a business cost center. This means that before a business cuts good developers it will cut IT and Security, and Security will probably be cut before IT. We don’t generate revenue; we reduce business risk, and thus business cost (which in a roundabout way generates value that never shows up on paper). Which is the final piece here: you have to understand what generates business value for your organization, and how to help it achieve that.
Final Words
It’s not what you know, but who you know and who knows you
All of the above advice is great and will help you land an awesome job if you give up chunks of your time to invest in your learning. To really land an awesome job though, you must network with people. Build up relationships around the industry, join Slack channels and Discord servers, find forums you can be active in; take the time to manage your relationships as if they were as important as your social media. The cybersecurity industry is like any other: there are a ton of great people and great minds inside of it. Like any other, though, it has its bad apples and just awful human beings.
Find a few good-quality recruiters, and keep your relationships with them cordial and open. If they have opportunities, entertain them and practice your interviewing skills! You don’t have to take a new job, and there is no reason not to treat interviewing like any other skill set that needs practice.
Good luck in your hunt!