I remember when I learned about careers in cybersecurity, it was mostly by accident. I always knew I wanted to do something with computers and technology but I wasn't sure what exactly that would be. It wasn't until I took an introductory class in college that I learned about cybersecurity and what an interesting and broad field it is!
So, without even going to college you can learn about all of the things a career in cybersecurity has to offer. Asking questions here is a great start! I would say there are a couple of simple things you can do to determine if you are interested in this field! And if you already are, there are a ton of free learning tools to start on your cybersecurity journey.
1) Watch YouTube videos
It may seem silly, but YouTube has a very large selection of videos devoted entirely to learning and furthering your education! There are videos explaining basic concepts to complex concepts as well as interesting technology presentations from large conventions or tech summits! The best way to get into it is to just start watching and see what captures your interest because cybersecurity is a very large field with tons of career opportunities!
2) Visit https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content
This is the NIST website. NIST is a government agency, and this site is dedicated to providing links to educational resources for cybersecurity. Some of the resources are free and others require a monthly subscription, but it is a great place to poke around and see what you can find!
3) Try Coursera
Coursera has some free courses if you make an account and some paid courses as well. Coursera has a ton of different videos, classes, and opportunities to earn professional certificates & college credits.
Long story short, figure out your interests in cybersecurity and if you can, start taking 20-30 min every day to learn something new about cybersecurity! It's an amazing field with tons of opportunities!
Best of luck to you!
I’m old. Like super old. Like 36 old. So I thought it might be nice to give back some things which I’ve learnt over the years about InfoSec. Or as we call it now, CyberSec. Which sounds like a really inappropriate IRC moment, if you’re old.
I tweeted a while ago asking people what things they wish they had known before getting into cyber security. I mused on those tweets, and added my thoughts and opinions. Because what the world needs is another blog from somebody you’ve never heard of, right?
This was by far the most popular thing people tweeted at me, all negative sentiment. People said they did not realise the political arena they would be entering.
So here’s the spoiler: there’s very few jobs where you will be doing security for the sake of doing security. Smart organisations want security to enable them to operate securely, which can mean getting out of the way (which can include products and deployment configs which allow people to get on with working).
Some businesses play fast and very loose with security. It’s actually really rare to see an organisation with anything near good security. For many organisations they just cannot realistically afford to run anything near top security — that crab paste company you’re eyeing a cyber job at needs to make crab paste, not have everybody logging in using triple factor SSH keys.
My view with politics is — usually — I actually enjoy it. Not always. The key for me has been learning to try to influence people gently towards a desired outcome — that might take time and patience — and to know when to get over myself and compromise on something to get a better longer term goal or standing within an organisation. A really key one is listening. Sometimes what you’re proposing really isn’t possible with the resources a department/team/company has. Sometimes what you’re proposing isn’t workable for reasons you’ve never even thought of. Sometimes what you’re proposing is just dumb in the real world. And sometimes the arguments an organisation will present against doing something won’t make sense. The key thing is you’ve listened, and you can go away and figure what to challenge, and how.
But, essentially, if you’re getting into the industry thinking most companies have great security and you’re there to enforce the best possible practices of security and there will be little politics: you may have a bad time. Most companies now recognise cyber security as a key risk; that does not mean it is a key focus of a company. And rightly so. Cyber security aren’t there to make a cyber security company, they’re there to enable a company to get back to being that company.
Cyber is a very broad church
Cyber has exploded. Back when I was a kid it was a bunch of hanging out on IRC and visiting Vegas. The idea you would hire a hacker was laughable to most people. It was a small culture of generalists. At my first job, an oil company, whenever I talked about deploying virus software they would ask me if I meant “anti-virus” software. Yes. Because that was my job. But they were convinced it meant something bad.
Nowadays, some organisations have Risk teams, you have Policy, you have red teams trying to break into companies, you have people sat looking at Splunk trying to figure out what is happening to defend their organisations.
It’s worth keeping in mind that almost every conversation you have internally in departments will be with somebody who looks at something in a specific way. It’s also worth keeping this in mind with online conversations, too. Lots of conversations online go something like “Just patch!”. Which, from a policy point of view, is absolutely right. From the point of view of the people who actually do the patching at scale and manage the systems operationally, “Just patch!” is a bit like saying “Just phone up Taylor Swift and ask her to be your friend”.
This also swings the other way. I was part of a conversation recently with lots of people at lots of UK companies about how to build a great Vulnerability Management team rather than a good one. A great deal of the people had this opinion: you have a dedicated Vulnerability Management team?! Many organisations are still struggling to resource basic patching. It ties into the broad church thing; keep in mind that what you see and what the person you’re talking to sees, although in theory you’re looking at the same thing, may look very different depending on their experiences.
The security community is pretty terrible at times
Back in my youth(tm), we would hang on IRC all day, and then meet up at night for drinks. People knew each other’s real-life info when they met. Trusts were formed. Ideas were exchanged. And, well, lots of idiots were around too.
Many of those people got jobs at big companies, or left the industry.
What is left is a weird shell with lots of different angles. Some of it is brilliant. I like InfoSec Twitter, for example, most of the time as I see material I wouldn’t otherwise. I read almost no InfoSec websites; I exist off a diet of animated GIFs and info drops. I try to never take it seriously.
But there’s a weird atmosphere. I think the InfoSec community has gradually eroded, and in its place there’s a weird dynamic of self importance emerging, especially post WannaCry as companies seek to find talent.
There’s a lot of punching and drama I try to avoid, particularly on Twitter. I tend to avoid LinkedIn as it appears to be mostly people reposting articles from the press, where I don’t think anybody involved really understands the thing they’re highlighting.
I think there’s a very real echo chamber, too.
My overall feeling is the InfoSec community is beginning to punch down. We’re punching at users, calling them thick. We’re punching at individual social media people for large companies, calling them stupid. We’re punching each other, too.
Now, you may say “Aren’t you the guy who highlighted flaws at Equifax?” Yes I am. They’re a multi-billion dollar Group of companies. I wrote about how the problems they had with Struts could be avoided. Personally I think it’s okay to highlight how large corporations can do better, without picking on people. But this is something I introspect on a lot.
I think ultimately, for me, the community now takes itself very seriously — perhaps too seriously. Twitter is a fun distraction, it can also be great info, but look at the fact I have 47,000 subscribers on Twitter and realise: that is nonsense.
Prepare to earn your place
Lots of people are arriving into cybersecurity. Which is great because fresh people and ideas are absolutely needed — since I started many of the same problems still exist, which is embarrassing. I think there’s a very real lack of diversity in every sense in our industry.
But here’s the thing. I think the number one quality people can bring to the arena is also experience. That doesn’t mean 10 years experience. That means existing in a job and a company and doing the hard work. If you’re really in there, delivering, doing, you’re going to be valuable and won’t have problems finding other jobs in the future. Commit. Do. Deliver.
It’s also worth pointing out many companies are still early in their cyber journey, and some need guidance. Sometimes, you may have to do things which you weren’t expecting in a role. Sometimes, that’s a bad sign. In many cases, it allows you to break free from the box you’re in and get involved in something great. Sometimes you have to gamble and take the lead. My rule is that if you’re doing something which truly aids an organisation in being secure, you’re doing it right.
Write it. Shoot it. Publish it. Crochet it, sauté it, whatever. MAKE.
This isn’t for everyone, but if you’re looking at getting into the industry, you can start a blog and write. Or learn to code and then publish said code.
You will be surprised how many basic tools in InfoSec still don’t exist. For example, through its product life there was no easy central way to report on events from Microsoft EMET. Companies are doing things like associating .vbs files to Notepad as a way of mitigating ransomware attacks, but nobody has written a tool to do this better.
Back in 1998 one of my friends got a Cobalt RaQ 3 during school work experience at Cable and Wireless INSnet. He made me the admin of the box, I reworked the Linux kernel on it to include security hardening patches (I wasn’t a usual teenager…), and we used it for hosting friends’ projects. I installed VMware on it, and we deployed a Virtual Machine Linux box with no outbound internet access — which we posted credentials to in IRC channels, and then used tcpdump to packet capture people owning the box. In hindsight, it was one of the early honeypots.
From Dave’s work experience, I learnt invaluable Linux admin and security techniques.
My best advice is find a niche, explore it and write about it. If it goes nowhere, either keep at it if it interests you, or find another niche. Nobody has yet nailed cyber security, so it’s a fertile land to explore. If you’re out there, people will find you for employment too.
Have interests outside security
The burn out is real. You will hit a wall. So have interests outside security.
I play video games — my Xbox Live account is 16 years old, which is older than most of the people I play against. I play games like Sea of Thieves, a game which requires voice communication and teamwork to sail a pirate ship. That’s actually helped me with communication skills, as — for example — there’s no on-screen map, so you have to tell people which direction to sail in using compasses, and make sure people are motivated to continue otherwise they just quit.
I also play racing games — I have a full steering wheel setup, despite not having a driving license in the real world. Why? Risk and reward. I’ve crashed and burned by taking risks. I’m now better at judging when to brake.
I guess what I’m saying is other interests can help inform your work — while making sure your head isn’t in one space all the time. If you’re only looking at one thing, you will lose the bigger picture.
There is no set path into InfoSec
This debate flares up on Twitter all the time, with people (including me) saying ‘Get a job on a helpdesk’, and others saying ‘No that’s dumb, get a job straight in InfoSec’. The truth is, there is no set path here and the industry is changing so quickly that paths exist now which didn’t exist 5 years ago, and those may not exist in 5 years if there’s an industry bubble pop. Ultimately: show your worth, show you care, and always be yourself. Unless you suck.
Communication skills matter
Work on how you present things. We live in an age of information overload, so if you’re working with somebody who realistically doesn’t care about what you’re saying — for example, security isn’t their job — try to clearly communicate your thoughts. Often with as little detail as possible, unless they ask for it. And engage people. I do things like lean down at desks when talking to people so I’m below their eyeline, so appear submissive — in my first job they sent me on body language comms courses.
Ultimately, remember, you’re the security person. Your opinion matters, but so does an auditor’s. Help people see value in concepts and they will see value in you.
Not just technical people are needed
That’s right, cyber needs more humanity and people skills. Desperately. There are way too many bearded Linux dudes like me. The precious resource which people don’t yet value is people with, well, people and business skills.
Cyber can be hilarious. Over the past two decades I’ve been in situations people wouldn’t believe. During the WannaCry weekend, while Marcus was trying to fix things (and dodge press by jumping over his garden wall), I sat on conference calls I will likely never detail laughing more than I’ve ever laughed before. It was serious stuff for the UK government, it was ridiculous and fast moving and I didn’t sleep for days.
The day the Locky ransomware first appeared in 2016, I registered a DGA’d domain for it at lunchtime and streamed the failed victims to music from Taylor Swift. Wired Magazine called me for an interview about that. At the time I worked for a company which made bloater paste.
I’m just an idiot with a website, and you’ve just read this, so this industry is hilarious. Enjoy it and all the politics and amazement.
1) Acquire an undergraduate degree in Computer Science. Take courses in this field if the university is offering them.
2) There are specific exams to pass to become a certified hacker. Do the research and pass as many as you can.
3) Finally, seek an internship if you know any of these languages: C, Python or Go.
4) Have a respectable GPA (3.3+) if you want to get an internship.
5) The cybersecurity field is concentrated in CA, WA, CO, VA and MA. Consider going to school there so you can get an internship.
The Cyber Security field is very broad, so my first steer would be to decide what you have an interest in (you need to enjoy what you do), and what skills you have that can be of value to an organisation. For example, a role as a pen tester is very different to that of a sales representative or a Cyber Project Manager.
Depending on the type of role you focus on, I would then suggest you try and get some relevant work experience or an internship - that will stand out on your CV/resume. Employers always want to see and match your experience to their challenges.
Additional relevant qualifications are always going to help. Formal qualifications are great, though there are so many options in the public domain these days, from Cyber basics style courses etc. all the way up to fully accredited qualifications.
From the perspective of a salesperson, I can tell you there is continual growth and complexity in the market, so some good benefits (pay, culture etc.) are offered as it is a very competitive market for organisations to find good people. Once you have some experience on your CV/resume (you may need to start on a low package to "break in" to the industry) then you have some real value to leverage and you can develop yourself in the industry. I have worked for 3 Cyber organisations so far, and all of them offer good opportunities to develop, train, move roles, work remotely and flexibly (even before Covid), and earn very good money etc.
There is usually ample opportunity for development and training and I would advise to take that up whenever possible.
Good luck and all the best!!
First, I would do some due diligence and research the field you're looking at. What areas of it interest you? What about it is motivating you? What areas/skills/education do you need and what gaps exist for you? Are there barriers to entry - i.e., is a certain degree required or a specific security clearance level?
You should have a good understanding of the roles and responsibilities involved; these questions will help you get started.