Your Path into Cybersecurity

I’m often asked how one should get started in Cybersecurity. I could probably write a multi-page article on this, but in the spirit of TL;DR, here are 10 tips to consider when weighing a career in the field.


  1. Ask yourself - can I work well under pressure, and can I deal with the ebbs and flows of a highly dynamic industry?

  2. Understand Networking. Prior to the term “Cybersecurity” and universities offering a major in the field, SMEs (Subject Matter Experts) came from Networking, Infrastructure, etc. and had a keen interest in Security. You can’t protect a network that you don’t understand.

  3. Familiarize yourself with the many disciplines in the field - It is hard for me to answer questions about getting into the field when one does not have an idea of the area in which they’d like to focus. Do you want to be offensive or defensive, project focused or on the front lines, reactive or proactive? Guess what? There are also areas that are not technically focused. For a list of disciplines within the field, check out the Cybersecurity Workforce Framework.

  4. Build a base level of knowledge across several disciplines of Information Security - then hone in on a particular discipline. Know enough about a particular area of the industry that when people need help, they come to you.

  5. Learn to say “yes, but…” instead of no! This is something I learned from a close friend who was in sales. He always said “yes, but”, even when he did not quite know how he would deliver. This mindset forces security folk to think beyond the innate security components, understand the business, and work out what it would take to put forth a business-driven but security-focused product/service.

  6. Yes, coding is important. I’m often asked, “Do I need to know how to code to work in Cybersecurity?” The short answer is yes and no. It all depends on the area of InfoSec in which you are interested. Either way, it will only help, and in many disciplines of the field it will be a powerful skill. Your skill level can also vary, and that is ok. As defenders, we have many doors to secure, so automation is key - we need all the help we can get, and your coding skills can be very beneficial here. If you are a responder, analyzing malware will be a necessity, so understanding it beyond dynamic analysis is very helpful. As a PenTester, you will use code to craft exploits or write scripts to make your offensive activities more efficient. These are just a few areas in which those coding skills could be put to use. If you are wondering what language you should learn, I would bet on Python. Check out Learn Python and Python for Security.

  7. PoC your Skills - Oh, you got skillz?! Create a project - whether it be community focused, specifically for work, or for your own internal arsenal. This will allow you to gain a deeper understanding of the area and work through some real-world issues, testing and implementation. Not only could it be beneficial to your upskilling, but it could also act as proof to a prospective employer or client that you know what you claim.

  8. Stop being such an introvert, already! I know it is hard, but in this industry, like many others, it is mostly about who you know. Building that community allows one to learn and share, to build courage and trust, and to keep connections open and warm for when you need them. Check out security-related events on Meetup and follow some cool people on Twitter - here is a list. Also, check out The Power of Weak Connections.

  9. Mentor and be mentored - I believe in the saying “be somebody before you say you need somebody”. This boils down to proving yourself and bringing something to the table before expecting it from others. People in the industry are more than willing to help those who also prove themselves to be resourceful.

  10. Be a lifetime learner - This industry will require consistent drive and a love for learning. The beauty of it all is that most of what you need to know, or would want to know, is available free of charge on the interwebz. The community is full of folk who are interested in contributing, so there is always opportunity to learn from others and, in turn, provide your contribution. People tend to ask, “Do I need certifications?” I’m of the mindset that thought-provoking questions can be more powerful than answers. So, what are you trying to achieve by getting a certification, and what is the potential value of attaining it? Are they helpful? Yes, they can be. If you earn the right certification, it can prove to the world that you are knowledgeable in that particular area. However, that is not the only way to prove your skillset. Certs also tend to be expensive. But expensive is relative. So, for example, if a $5k training and cert yields you a $10k raise, it is more than worth it. What is the opportunity cost? That is what you should consider. I have 5 certs, so it is safe to say I think they are valuable. However, mine were all employer paid, so the decision on worth, if self-paid, is much different. Check out SANS for a list of training opportunities and the accompanying GIAC certifications.


You may have to fight a battle more than once to win it

- Margaret Thatcher