How do I get into Cybersecurity?
I’m often asked questions such as, “How do I get into Cybersecurity?” or “How do I get from an IT role a cybersecurity role?”. This is a copy/paste, with a few edits, from previous emails.
Bottom Line up Front (BLUF)
I’d lean towards a shorter/cheaper tech degree in the field you want to go into (ex. cybersecurity) and spend a ton of personal time gaining experience and a few certs. However, not having a 4-yr degree will limit you to a subset of employers.
If you can spell cybersecurity (without a space) you’re already ahead of half in this industry :-).
First, what specific area of cybersecurity are you leaning towards? Incident response, Forensics, Cryptography, Analyst, Detections, Vulnerability Management, Penetration Testing, Red Teaming, etc.? That answer can help me give you better advice. Note: It’s not uncommon for a single person or team to perform two or more cybersecurity functions or even general IT functions, so don’t limit yourself too much when learning.
Second question, what type of organization do you plan to work for? Government, financial, non-profit, tech company, etc.? Certain companies (ex. in the financial sector, government contracting, etc.) require a 4-yr degree for even entry-level positions because of regulations they fall under. In almost all of those cases, they require a 4-yr bachelor’s degree…so a 4yr computer science degree would automatically be better than a 2-yr associate’s in cybersecurity…even for a cybersecurity role. Note: I personally think those policies are silly as a degree means almost nothing in terms of “Can you function in this field?”. That is all starting to turn around (i.e. see Pres. Trump’s executive order about skills over degree for fedGov jobs).
Regardless of field and degree choice, here are some things you can start doing right now that will help with getting a job in this field. These are things you can either place on a resume and/or bring up during interviews that will help you.
The Cybersecurity field requires a ton of ongoing research and learning (probably more than just about any other field). Keeping up with the latest attacks/defenses comes through Google alerts (ex. “breach”, “hack”, etc.), conferences (your local BSides conference is probably about $20 to attend), Twitter (see who I follow for examples – @redeemedHacker), etc.
What if I…?
Also, you want to demonstrate diligence, creativity, determination, curiosity, patience, ambition, problem-solving skills, and most importantly, never having a “that’s not possible” mindset. For example, every phone system, server, web app, etc. I installed, stood up, created, etc., I asked myself three questions:
- How do attackers typically get in?
- What other ways can I think of to get in or what would happen if I tried X?
- How do I prevent, detect, and respond to that? This is what separates those who simply “maintain” the security of an organization and those that push security further and make it better.
In mature organizations, managers/leaders are looking for the above. That’s how I rated people when I was at USAA, and how I do with my own company. Example: https://penconsultants.com/interview1. Schooling, past job roles, certs, etc. matter very little compared to one’s ability to perform in those areas, as evident by any experience such as what they did on their personal time. In fact, what they did on personal time mattered more to me than work time because it demonstrated they lived/ate/breathed security, and they weren’t just doing it for a job.
Many organizations still, unfortunately, look at traditional things – schooling, past roles, certs, etc. Some refer to this as an “HR firewall”…you never make it to the hiring manager because you don’t have all the boxes checked. With that said, and to give you a better shot across all organizations, I would definitely focus on certs and experience in addition to whatever degree you choose.
Certifications vary widely depending on what branch of information technology or cybersecurity specifically you want to go into. For example, someone in compliance may get a CISSP, but outside of that role, it’s almost worthless. For my role (penetration testing and red teaming), the top certificates are CEH, GPEN, OSCP, PNPT, etc. I’d need to know more about your interest to help advise the best certs for you. Here’s some general guidance:
Certs differ based on cyber track:
- Blue / defenders / Monitoring and detection
- SANS/GIAC: GCIH, GCIA, GMON / GCED
- EC-Council: CND, CSA
- Red / attackers, pentesters, etc.
- TCM: PNPT
- Offensive Security: OSCP / OSCE
- SANS/GIAC: GPEN, GWAPT, / GXPN
- EC-Council: CEH / LPT
- CompTIA: PenTest+
- IACRB: CMWAPT, CPT / CEPT, CRTOP
- Web specific
- https://portswigger.net/web-security – excellent (free) training and (nearly free) certification
- IR, Forensics, threat hunting
- SANS/GIAC: GCFE, GCFA, GNFA, / GREM, GASF, GCTI
- EC-Council: CHFI, CTIA
- IACRB: CCFE, CCTHP
- Security management / Audit
For experience, be it at school, on personal time, an internship, etc., a good security practitioner will be strong in the following areas: systems administration, network administration, and programming – at least one scripting language, one fully compiled language, and one in just-in-time compiled language. In addition to those things, it’s important to gain experience with the security aspects (ex. on personal time). Participate in CTFs, hack vulnerable ISOs (more on that below), setup and use various open-source defense tools (ex. ELK, Moloch, pfSense, security onion, osquery, etc.) See: https://github.com/meitar/awesome-cybersecurity-blueteam
Determine what area(s) of security you want to go into and practice, practice, practice. At minimum, regardless if you go blue or red, you should know web app security and networking, as nearly everything interfaces with web services, over a network, nowadays.
Become very familiar with OWASP as a starting point. Regardless of the specific branch of cybersecurity you go into, OWASP is fundamental. Example: Become familiar with at least two things:
- Portswigger’s Web Security Academy (mentioned above)
- https://github.com/webpwnized/mutillidae. There is a video showing how to install this in Ubuntu running in VirtualBox. It has built-in helps for each section. There are also a lot of other tutorials online that others have put together. You probably want to have a 2nd VM running Kali linux to attack this one with.
Other sites and resources to check out:
- live version: https://hack.me/101163/mutillidae-23101.html
- DuckDuckGo for more:
Why so much focus on offensive?
I mentioned the red/hacking side of things a lot above. Those recommendations are valid regardless of your path. You have to understand what you plan to defend against. If you go the blue/defensive path, you will always want to focus at least 10-20% of your time and training on the red side (throughout your entire career). And, vice versa if you go the red path.
Once you start getting comfortable with things, start posting code to github/gitlab, blogging, etc. to demonstrate that you are involved in the security space. Hiring managers will look for those things as evidence you are involved.
Internships are a good way to not only gain some experience, but to also get your foot in the door somewhere. Obviously you’ll need at least some level of experience prior to that, but I would strongly consider this about mid-way through your education path (ex. a year or two from now). There were several people I worked with at USAA and NSA that started off as an intern which later turned into a job offer for full-time employment.
Where to start?
For my generation, it was starting off in IT and moving into a security specialization. Nowadays, people start directly into information and cybersecurity. I would personally recommend you still start out in IT as a system or network administrator for a few years and focus on security topics.
Okay, that was a ton! Hopefully some of it helps.
Featured image is a derivative work from the following images: Tumisu @ https://pixabay.com/illustrations/mentor-startup-mentorship-advice-2062999/