With the demand for cyber security experts so high (over 300,000 open positions in the U.S.), you might ask, “How do you get into the field?” Over the years we have posed this question to many experts in the security community. Here is a summary of their advice and a list of many, many FREE resources they provided.
REALITY CHECK: Here are a few words of advice before you jump in and get started.
- Cybersecurity is hard and very technical. All of the easy-to-identify hacks have already been addressed.
- If you don’t love learning, pick another field. Cybersecurity changes every day and requires extensive and continuous studying to stay on top of all the creative new threats hackers dream up.
- Companies will not throw job offers at you because you say you are interested in cybersecurity and worse, they often won’t look at you even if you have a cybersecurity degree. No, they want experienced people who can make an immediate impact. Therefore, to land your first job, you will need to ‘break’ into the security job market. This usually comes through internships, volunteering (e.g. helping secure a non-profit), or direct networking.
If you are still interested in a career in cybersecurity, here is some great advice from the Security community:
- READ, READ, READ:
- Here is a great Intro to Cybersecurity; although it is a little dated (2017), it describes many of the fundamentals you will need to know.
- Sign up for Cyber newsletters to stay up to date on current threats and trends. Some of my favorites include:
- Learn to Hack:
- Learn Linux: Most hacking takes place at the scripting level, therefore, you need to become extremely familiar with the Linux operating environment.
- Try to understand how and why the tools in your toolbox work.
- Run through as many hands-on scenarios as is practical using whatever resources you have access to.
- Learn with real-world scenarios, as theory and practice are not always congruent.
- Learn penetration testing: Begin to hone your skills and gain knowledge on security by learning the basics at Pentester Academy.
- Scripting Skills: Learn basic coding skills (e.g. C Shell, Python, Ruby, etc.).
- Focus on one area first: Stick with the field you are trying to get a job in and don’t branch out too much. It is extremely valuable to become knowledgeable about one particular technology “bucket” on top of which security sits, such as:
- IT Systems
- Networking
- Database
- Cloud
- Application Development
- Build your own lab:
- Build/upgrade a desktop PC to at least 16GB RAM, run your choice of Linux distro
- Build a virtual pentesting lab including Kali and Ubuntu server and (licensing permitting) Windows server & Desktop OSes as well.
- Then along with Cybrary and Pentester Academy courses you can practice and get to know the tools.
- Develop Python expertise so you can write your own pentesting tools. That will also deepen your understanding.
- Here is a step-by-step guide on how to build your own lab: How To Create A Virtual Penetration Testing Lab At Home – Ehacking
- Networking: Never underestimate the power of networking. If there are local ISC2, ISSA, or ISACA chapters, attend a meeting and network – and keep going. One visit will not generally yield results. Those who consistently show up will reap the benefits of the membership.
- Certifications:
- You may want to start off getting some basic certifications that don’t require experience such as:
- Network+
- CompTIA Sec+
- OSCP – Offensive Security Certified Professional
- Once you are experienced, you could further your career by getting these certifications:
- CISA – Certified Information Systems Auditor
- CISM – Certified Information Security Manager – Requires more proof of experience than CISSP
- CEH – Certified Ethical Hacker
- CISSP – Broad, shallow certification, but best recognized.
- Training:
- Take SANS courses. They are definitely not cheap, and that may be a challenge, but unlike almost any other courses, SANS training is practical and builds strong, real-world skills.
- Join on-line security communities for a ton of free and paid training opportunities. Here are just a few:
- https://www.cybrary.com – Cybrary offers a tremendous amount of free security content and training.
- https://www.root-me.org/?lang=en – Hone your skills by playing hacking games.
- https://www.pentesteracademy.com/ – Highly Technical, Hands-on, Comprehensive Training
- https://www.vulnhub.com/ – Allows anyone to gain practical ‘hands-on’ experience in digital security.
- LinkedIn Courses:
1. Become an Ethical Hacker – https://lnkd.in/gMF798eN
2. Footprinting and Recon – https://lnkd.in/gA64a7HN
3. Scanning Networks – https://lnkd.in/gj-hu9XZ
4. Enumeration – https://lnkd.in/gV6AqCRg
5. Vulnerability Analysis – https://lnkd.in/gPxM2CdZ
6. System Hacking – https://lnkd.in/gaK_Qc24
7. Malware Analysis – https://lnkd.in/gCcrkRAu
8. Sniffers – https://lnkd.in/g_XD8Bmc
9. Social Engineering – https://lnkd.in/gatK3cCA
10. Denial of Service – https://lnkd.in/gjzjcYmC
11. Session Hijacking – https://lnkd.in/grT8EbQP
12. Evading Firewalls – https://lnkd.in/gra9UhWZ
13. Hacking Applications – https://lnkd.in/g37DgZQN
14. Hacking Wireless – https://lnkd.in/gcJjpmpG
15. Hacking Mobile – https://lnkd.in/ggQY5dPX
16. Hacking IoT Devices – https://lnkd.in/gx_WiJVv
17. Learning Cryptography – https://lnkd.in/gmVvKGFa
18. Cloud Computing – https://lnkd.in/gNqPkXZD
19. SQL Injection – https://lnkd.in/gXCFtHwm
- Experience through Charities: Find non-profit organizations that need security help but cannot afford traditional consultants. This shows your ‘giving’ spirit plus it allows you to hone your skills.
- Check out Hackers for Charities https://www.ihackcharities.org/ – They pair IT people with charities who need work done. The charity gets its project completed, and you can get a nice recommendation for your resume.
- Early Career Paths – Anyone just starting a career in security could take one of these routes:
- Assessor: Become a QSA or work for a company performing gap analysis. Although this is more compliance and assessments, it will give you exposure to a wide range of environments and implementations.
- System Engineer: Work as a system administrator or network engineer. Practical experience in operations is always useful for a career in information security.
- Pen Tester: Learn penetration testing as many companies accept newbies in this field.
- Analyst: Start out as an analyst in a SOC or Incident Response area.
- Application Development: Focus on AppDev and WebApps as this is really popular right now because of the amount of exposure at that layer.
- Work for your School: If your degree is from a U.S. university, then look there. Many universities themselves are looking for Cybersecurity or Information Security staff, and they typically have different standards than the business or general government field.
- Federal Jobs: You may also want to explore working directly with the US government (FBI, CIA, NSA), specifically if you have language skills other than English.
While this is not a complete list of resources, this is direct advice from those who have had to build their security careers the hard way. Hopefully, this summary gives you a roadmap to get your career kick-started in the right direction.
About Tim Howard
Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST-based security assessments.
In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.
With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.
He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.
Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.
Invite Tim to connect: www.linkedin.com/in/timhoward
You may want to start off getting some basic certifications which don’t require experience such as:
Network+
CompTIA Sec+
OSCP – Offensive Security Certified Professional
Once you are experienced, you could further your career by getting these certifications:
CISA – Certified Information Systems Auditor
CISM – Certified Information Security Manager – Requires more proof of experience than CISSP
CEH – Certified Ethical Hacker
CISSP – Broad, shallow certification, but best recognized.
I would argue that the OSCP and CEH positions should be switched, due to depth, difficulty, real world application and recognition.
Jack you are correct!