How to start a career in cybersecurity? And how to become an expert?
UPDATE as of January 19, 2019: Thanks for the overwhelming response! Because of this article and others, I have been consistently receiving high volumes of email inquiries related to career advice. For online training and certifications, check out some useful links below. The links have coupons in them giving you the lowest price!
It’s the hottest topic featured almost every day in the news — cyber attacks, security breaches, phishing scams, alleged election hacking, and … the ever-increasing demand for qualified professionals. The number of cybersecurity jobs is expected to reach 2 million in 2019. Even though employers often complain of a “growing demand and huge skills gap,” don’t let it deter you — I can assure you that it’s good news and the odds are indeed in your favor. Now is the time to start a career in cybersecurity.
Even if you don’t consider yourself too technically qualified, that’s okay — cybersecurity has room for everyone and more so for everyone’s growth.
A little background about myself.
In short, I had a ton of technical and programming experience before entering Cybersecurity.
Longer version: As someone who was always fascinated by computers and technology, I have been coding since the age of 11 — starting in BASIC and Visual Basic and eventually moving up the ladder to more sophisticated languages like C/C++, Java, PHP, and Python. I remember my first computer being a leased Windows 95 machine with a 9" floppy disk slot — yes, that old. I was always fascinated by the technology powering those graphical dialog boxes, the so-called Installation Wizards, webpages, and Internet Explorer crashes, and I started fiddling with these artifacts every day during regular use of my PC. Most of my days were spent developing simple marquee-laden HTML webpages in the now-extinct Microsoft FrontPage. But one of the largest turning points in my programming journey was my introduction to Object-Oriented Programming (OOP).
OOP basically forms the backbone of most programming in the professional world, especially on large-scale projects. OOP concepts and related subject matter helped me learn the very fundamentals — data structures, classes, algorithms, pointers, memory management, etc. At the time when most of my classmates were planning what to major in at college, fortunately, the road for me was already paved: I knew I wanted to be a Software Engineer — I had already been consulting on the side as a web developer for hire on freelancing platforms and had developed my first parental Internet blocker, NetSelect** (see ** below).
Consequently, the title of “computer expert” had already been conferred upon me by my classmates, high school teachers and, of course, my biased friends and family. However, that would be far from accurate, and I’ll tell you a little later why.
Fast forward a few years: after excelling in multiple software engineering jobs — backend, front-end, Arduinos, full-stack development — and getting a feel for the field, my knowledge soon outgrew my interest in development. I finally got it. It’s about learning a new language, tools and techniques, planning, applying the OOP concepts, solving an abstract problem on a whiteboard, collaborating, coding, debugging, and repeating the process every few weeks.
Don’t get me wrong, I still enjoy developing in my spare time; it’s an indispensable skill any technical professional should have, especially as a means to convey your freedom of expression. But, working at a 9 to 5 job as a Developer started to get old and I needed something more challenging.
After reading a few pages of Kevin Mitnick and Bruce Schneier, and taking advanced college classes on Networking and Cybersecurity, I decided to jump ship to a related, yet entirely different field of technology.
** For technical geeks out there reading this, my first parental control Internet blocker was a very primitive Visual Basic GUI-based application which made use of the Windows ‘hosts’ file to redirect blocked (e.g. adult, social media, etc.) domain names to Google’s server — simply by remapping the DNS entry for the domain name. The “blocker” gave the parents the ability to add selected domains into a blacklist, which would eventually be printed to the permission-restricted ‘hosts’ file.
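To make the mechanism in the footnote concrete, here is an added example (not the author’s NetSelect code) that renders blocklist entries in hosts-file format and parses a hosts file back to audit which names have been redirected away from loopback. The sample hosts content, the domain names, and the 192.0.2.1 sink address are constructed for the example; the original redirected to Google’s server, and the sink here is simply a parameter.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample hosts file (not from the original post). The last line is
# the kind of entry a blocker writes: the blocked name is pointed at a sink
# address instead of its real one. 192.0.2.1 is a documentation-only address.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1   localhost
::1         localhost
192.0.2.1   social.example www.social.example   # added by parental blocker
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to the address it resolves to; skip comments, blanks, junk."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)           # reject lines with a bad address
        except ValueError:
            continue
        for name in names:
            mapping[name.lower()] = addr         # later lines win, as in the file
    return mapping


def render_block_entries(domains: Iterable[str], sink: str) -> List[str]:
    """Produce hosts lines that point each blocked domain and its www. form at sink."""
    ipaddress.ip_address(sink)                   # fail fast on an invalid sink
    lines = []
    for d in domains:
        d = d.strip().lower().lstrip(".")
        if not d:
            continue
        lines.append(f"{sink}\t{d} www.{d}")
    return lines


def overridden_names(text: str) -> List[str]:
    """Names the file sends somewhere other than loopback: the blocker's own
    entries, and exactly what an audit should review, since anything with write
    access to this file can redirect arbitrary names the same way."""
    return sorted(n for n, a in parse_hosts(text).items() if a not in LOOPBACK)
```

Because the hosts file is consulted before DNS, the same parse is a cheap integrity check to run periodically against the real file on a machine you administer.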
For your convenience, the rest of the article has been split into two sections to cater to both newcomers and existing cybersecurity professionals.
A. How to start a career in Cybersecurity
After taking a massive dose of hacking books and learning networking concepts, TCP/IP, UDP, Linux, routing, crypto… I was pumped — confident in my knowledge of the fundamentals. I was hoping to find a full-time gig which would finally give me a chance to be a cyber-detective, learn new security technologies, apply the analytic mindset of a developer, and become a beast!
And, guess what? I’m still learning.
One thing that intimidates most professionals arriving from non-CS or non-Engineering backgrounds is their lack of technical knowledge in the cybersecurity space. The reason I have told my entire story as a Developer prior to making the bold switch is to dispute that belief.
Given my background and skillset, I was hoping I would be a star in the cybersecurity space starting on Day 1. Granted, I had been the go-to guy in the Development space and someone with a pretty good grasp of security concepts, but starting in Cybersecurity was a clean-slate experience, even for me!
You do not need to be skilled: As long as you are dedicated, have a grasp on the basics and are committed to learning, doors will open for you.
Before jumping on to the useful tips given below, you should take some time; take a deep breath and truly analyze your interests and goals — what do you see yourself doing as a Cybersecurity Professional? And if so, given your current strengths and weaknesses, what would you change?
If being a real-time detective, an active defender, is your thing — for example, breezing through the alerts and phishing emails coming in every few minutes, analyzing the systems and logs, and concluding whether it’s just another false alarm or indeed a malicious event in progress — go for a Security Operations Center (SOC) role. If you would rather passively hunt for intelligence and upcoming threats, e.g. by monitoring the news, industry-specific mailing lists, and security advisories, you may be fit for Threat Management. If you are a former Developer-turned-Hacker with a tendency to be curious, fiddle with and “break” things, go for Penetration Testing (aka Cybersecurity Assessments) — although a fair word of warning: a lot of pen-testing jobs turn out to be contractual gigs rather than full-time roles. Penetration Testing is also an industry with significant legal liability, due to the potential to cause unintentional damage to the infrastructure or disrupt operations in production environments. It is therefore a smart idea to keep your curiosity under control, unless you can afford to retain an expensive lawyer or to lose your job. ;)
Finally, if you would rather stay away from the technical side of things to focus on policymaking, legal compliance, enforcement, and management, there’s an entire subset of InfoSec called Governance, Risk management, and Compliance (GRC) or sometimes “Security Assurance.” For you this means being a liaison between the business managers who want their company to be, say, PCI-DSS compliant or HIPAA-compliant, and the technical people who are going to perform the actual implementation of security controls.
And of course, depending on the organization you choose to work for, there may be other uniquely interesting roles which combine the security and developer skillset e.g. reverse engineering, researching, testing, dissecting malware and reviewing vulnerabilities at the source code or assembly level in software.
Thankfully, after much trial-and-error, I have landed my dream gig: the perfect hybrid between Cybersecurity and Software Development at Sonatype. My day-to-day tasks as a Security Researcher include reverse engineering open source software to carefully hunt for vulnerabilities. As researchers, we are therefore able to provide the critical intelligence that powers our security products, at a much higher precision than relying solely on automation, which actually generates a lot of false-positive noise. In this way, I get to apply my Developer skills as well as the Hacker mindset by analyzing open source software code for security flaws.
But the journey isn’t always as straightforward, and bear in mind your first job may not be exactly what you have in mind (I speak from experience).
Now, for someone looking to jump-start their cybersecurity career, here are some useful tips:
- Decide on where you want to be. Are you good with the technical side of things, or would you rather focus on the business, regulatory side? And, if so, what are the necessary skills — at the basic, fundamental level which you plan on achieving, before applying to your first Cybersecurity job?
For some, this may be simply a Bachelor’s degree in IS/IT/MIS/CS/SE, or a beginner-level certification. For others breaking into the space from, say, a Political Science background, especially those leaning towards the GRC-side, there may be other means to bridge the gap, in addition to certifications.
Would you prefer to start in the private sector at a junior-level role (this is usually the route most professionals pick) or go for a government-role?
It is therefore important to identify where you want to be, and what you will need at a minimum to start your journey.
- Get your fundamentals right. Expanding further on the previous point, get a basic understanding of Networking and Security fundamentals — this will help you greatly in landing your first job. You may go for a recognized (paid) certification, e.g. those from CompTIA, (ISC)², EC-Council, etc.
For those of you on a budget, check out some (cheap and free) courses on websites like Udemy, Cybrary and Udacity.
- Online Training: When it comes to picking online courses from a credible source or digging deeper into the subject, I definitely recommend checking out Nathan House’s courses on StationX. With over 24 years of experience, the guy knows his stuff well, gets tons of awesome reviews, and explains the basics in a clear and concise manner for both beginners and seasoned professionals. Go for one of his beginner courses first, or the VIP Bundle. I personally have the VIP Bundle as it provides year-long access to 75 of his courses for one fixed fee — for beginners, pros and those preparing for CompTIA certifications. The VIP Bundle catalog is also periodically updated with fresh material and courses, which is very beneficial for learning new skills from time to time! Please note, I don’t recommend anything without trying it for myself first.
- Additionally, I personally went to the DHS-FEMA partner university (Texas A&M University) to grab my first few certs in Digital Forensics, Software Security and Network Assurance. These are rather rudimentary, and chances are that if you took any security classes in college, you know a lot of it already. The best part? These are free, offered online, great for first-time learners and endorsed by the U.S. DHS!
(Yes, you get to brag about that on your LinkedIn).
- Do not let certifications hold you back.
As a caution, under no circumstances should you “wait” on a certain certification unless your first job absolutely requires it in its description. Getting a certificate is a means to upgrade your knowledge and to demonstrate your commitment to learning, but a lack thereof shouldn’t hold you back. I have seen countless peers and colleagues make this mistake — “I will go for that SOC job once I have that CompTIA certification.”
How about teaching yourself the fundamentals, watching some videos, and learning the rest on the job while working in parallel towards your certification goal? Given the job market these days, many companies actually prefer to bring in new grads or inexperienced hires as Junior candidates (with 0–3 years of experience) and train them in-house, rather than waiting for the right skilled professional to come along. If you are lucky, they may even offer to pay for your certification, as a lot of companies do.
- Imagine and expect less of your first job. It is only natural to imagine big and expect that your first cybersecurity job, out of college or after your previous role, will be perfect, especially given all the buzz around the topic — both in the news media and in the CIA-themed movies. You will, however, be happier if you expect less and are open to learning. My first cybersecurity job was at a large global trading and technology firm, and even though the work was related to cybersecurity, I personally found it dreadfully boring, as more of an IT/Networking “ticket monkey” job. Nevertheless, I learned a lot of new skills in the security controls space working with a talented team of security pros.
- Read, listen, watch, and talk: Surround yourself with knowledge. Make it a daily goal to learn something new: it could be as little as spending 2 minutes of your day browsing StackExchange, watching a TED talk, signing up for a MOOC, or following industry-specific mailing lists, e.g. Krebs on Security, Schneier, or US-CERT. If you want to go a step further, attend cybersecurity conferences such as DEF CON, Black Hat, etc. In my experience, attending conferences seems to be more of a common, recurring trend among professors and Ph.D. researchers than among industry professionals.
- Be proud of your littlest accomplishments — it’d sure be nice to be the next Bruce Schneier, Mark Zuckerberg or to be the founder of the next Quora, but it is far more realistic to complete that training, get that CEH cert., or land your first cybersecurity job, as an example.
B. How to become an expert in Cybersecurity (or in whatever you do)
The prerequisite to becoming an expert in cybersecurity, or in any other field, is to give up that idea altogether: to stop focusing so much on being an expert and instead shift your focus towards being a lifelong learner — a student, and a contributor.
When you commit yourself to being a learner, you are laying the groundwork for an eternal thirst for knowledge, and for achievement. That dynamic spontaneously throttles your ego and protects you from hampering your intellectual growth by settling for a mere title: ‘Expert’.
With that mindset, before you know it, people will start approaching you as the ‘expert’ on that subject. And as an added bonus, the more you learn, the more you are able to teach, get feedback on and engage in productive, intellectual discussions with other scholars.
Even though I have, on multiple occasions, been referred to as an ‘expert’ by technical and non-technical folks alike, I refuse to accept that title because the truth is, I do not know everything and there is no end to knowledge — just look at how fast technology is evolving every day. There are new programming languages, algorithms, research papers, frameworks and, not to forget, cyber attacks appearing every day. I therefore prefer to be called a learner.
Even the most senior person at any organization, or that Security expert whose blog you are following, wouldn’t be a know-it-all either. For most of us, it’s humanly impossible.
Given all that, here are a handful of useful tips that will help you gain expertise in the cybersecurity space or any field:
- Don’t be an expert, ever. Be a perpetual learner. Like I said, make it your goal to learn something new every day — certifications, YouTube videos, blog posts, Facebook, whatever medium (pun intended) you choose and find comfortable absorbing information from. It’s okay for others to call you an expert once they think you are there, but settling for the mere title means jeopardizing your own learning.
- It’s okay to be wrong: as long as you are willing to learn. This is another reason why it’s better to be a learner. It’s okay to be wrong as long as you are willing to accept it, learn from it and move on. Let’s face it, even the President would likely never achieve a 100% approval rating — regardless of which party they may represent. :)
The same goes for the industry ‘experts’: just look at the blog posts of the famous personalities who are leaders in their field. You will likely find mixed opinions in the comments section — some will readily agree, others will oppose. The important part of the learning process is not to gauge public approval and shape your knowledge and opinions entirely based on that “feedback,” but rather to expose yourself to alternative, diverse views, which is what learning is all about. Engineer Joe might find method X better applicable than method Y to build a bridge and doesn’t have to agree with Engineer Jane’s method Y, but the opposing views surely stimulate an intellectual dialogue and provide more insight to the readers, and to both of them, for different use-cases.
- Learn, Teach and Learn. And do it like a beast! Knowledge transfer is meant to be a two-way street. Whatever you learn, spread it and be passionate in doing it — tweet it, talk to your peers about it, write blog posts on it, and if you’re into public speaking, go out there and speak at the nearest technology Meetup, or at your alma mater, and even better, at a TEDx talk (unless, of course, you can get into TED) — not only will it help you strengthen your image and be recognized as an industry-leading expert, it’ll open doors for you to: (a) learn new things from the casual discussions and receive constructive feedback, and (b) potentially pave new career paths to diversify your income streams. You could eventually venture out into being a part-time author on the subject, a TV commentator, an expert court witness, a paid public speaker, an online adjunct professor, an online course instructor… just to name a few examples.
- Imagine your ‘expert’ and what they would do. For the purpose of goal setting and motivation, it often helps to imagine one or two public figure(s) you look up to, and to mimic their professional ethic: how would they have handled a challenge, what would they do — and it helps even further to be playful about it. That figure doesn’t necessarily have to be in the same industry as you and can be fictional. For me personally, it has been Olivia Pope from the political TV drama Scandal — a fictional Washington-based fixer who is considered an ‘expert’ in what she does. In case you are curious, the show and the character are an exaggeration based on the real-life Crisis Manager & Lawyer, Judy Smith. The playful example adds levity while helping me with the goal-setting aspect.
- Give respect to get some. Last but not the least, and I’m going to quote this one from another article: “You’re never too important to wipe down a table yourself.”
Bottom line, don’t be an asshole: that pompous guy with a massive ego and a sense of self-importance and entitlement. Knowledge can be learned, but respect has to be earned, and the latter needs to be a two-way street.
Once you have applied these concepts in the cybersecurity space, or in whatever you do, before you know it they will start referring to you as an ‘expert’ — although you and I both know to better use the term, ‘learner.’ ;-)
Due to popular demand, I have written Part II of this article geared towards what certifications to get and how to prepare for them:
How to prepare for cybersecurity certifications
The complete cybersecurity guide to preparing for certifications like CompTIA, OSCP, CISSP, et al.