Content Written By Henry Dalziel, 2020
Welcome To Our Resource Designed To Help YOU Get Started in Cybersecurity
In this resource, you’ll learn that you can absolutely have a career in Cybersecurity.
We’ve created a website and a MUCH bigger (and better!) resource called “Breaking Into Cybersecurity”. Update: I redirected that domain back to this resource. It was simply too much work and unnecessary to keep two sites going that had essentially the same content.
Rather than give you a ton of things to read we went straight to the heart of the matter and interviewed a whole bunch of professionals that are working in Cybersecurity and we asked them how they got started!
Starting any type of career can be a daunting prospect.
Very likely we can all agree on two things: do something you love doing, and, it takes time and dedication to achieve your goals.
Breaking into cybersecurity is no different than any other career path or profession. In fact, in some ways, we’d even argue that Cybersecurity as a career starting choice is a sensible move because as long as you can satisfy certain requirements, you’ll be good to go!
This post is for people that:
- Have No Experience With Cybersecurity (Ethical Hacking)
- Have Limited Experience (Typically as an Admin).
- Those That Just Can’t Get A Break
OK, let’s dive into the post and suggest some ways that you can get ahead in Cybersecurity.
First off, let’s just agree that saying ‘a Career in Cybersecurity’ is a bit like saying ‘a Career in Banking’, i.e. it’s an umbrella term that incorporates dozens of niches within the industry. In Cybersecurity we can, for example, talk about digital forensics as a career, or malware/software detection, auditing, pentesting, social engineering and many other career tracks. Each of these sub-categories within cybersecurity deserves a separate blog post, but, for the purposes of this piece, let’s focus on some important generic requirements that everyone needs before embarking on a successful career in IT Security.
Do You Have No Experience With Regards To Cybersecurity?
If you have no experience don’t worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.
OK, so you have zero experience and limited skills… our advice in this instance is that you teach yourself some absolute fundamentals. Teach yourself TCP/IP, programming, coding, markup and as many technologies as you can! Our #1 piece of advice for those with limited experience is to get your head around hacker tools and learn how to use them effectively.
Metasploit, nmap and Burp Suite are three great examples of platforms that can be used to perform security testing of web applications and network vulnerabilities. Understanding why there is a vulnerability will catapult your knowledge, confidence and your skills in being able to detect (exploit) and patch (remediate) breaches and other ‘common’ security problems.
Where can you learn the skills? Here are a bunch of resources to get you going:
- SANS CyberAces
- Introduction to Practical Hacking and Penetration Testing [YouTube: Eli the Computer Guy]
If you are completely new, we’d suggest watching the above video by Eli the Computer Guy and then watching some quality videos on SecurityTube. If you can master certain tools then you’ll be ready to start to put your skills to good use!
Where can you practice your self-taught skills? Here are a bunch of resources to get you going:
Once you’ve taught yourself hacking skills then go ahead and test them (legally) on purposely made Vulnerable Platforms. The aim of these platforms that are purposely vulnerable is that they allow novices and those with limited cyber experience to sharpen their penetration testing skills.
- Damn Vulnerable Web Application (DVWA)
- Google Gruyere (Web Application Exploits and Defenses)
- The ButterFly – Security Project
To recap and summarize the above, the key objective for those that are interested in starting a career in cybersecurity but have zero experience, is to teach yourself the fundamentals and better still, to become proficient in learning how to code, program and use specific tools that are mentioned above so that you can confidently implement and use them in the field.
The next goal is to obviously find a job! We would recommend applying for as many ‘entry-level’ IT jobs as possible since once you have your ‘foot-in-the-door’ you can begin to migrate into security with relative ease as long as you do what we outline in the next section.
Do You Have Limited Experience (as an IT Admin) And Want To Break Into Cybersecurity?
Many of our readers and students are already working in IT and are keen to break into IT Security. The good news here is that that is entirely possible. Here is one relatively solid fact and we welcome all thoughts on this: typically no one ‘starts a career in cybersecurity’. It is much more common to migrate into security than simply start in the space from the ‘get-go’.
How To Start A Career in Cybersecurity
Professional Cybersecurity Trainer and Coach
While the salaries might be on the rise, this isn’t a gig to make a lot of money. If someone wants to get started in security, figure out what appeals to them and then map out how to exploit that to their advantage. The skills are teachable.
What matters are the aptitudes. Are you curious? Tenacious? Able to wrestle with problems that have a lot of moving pieces, some grey areas, and a variety of acceptable solutions? I advise people interested in security to study sales, communication, and leadership. Even in high school and college.
We need these skill sets more than ever – and they’ll serve you well.
Lead Cyber Security Recruitment
I speak to graduates/juniors on a daily basis, whether it’s for an informal chat about the current market or to discuss potential entry-level roles they may be interested in. My advice for someone looking to break into the industry would be to use absolutely everything that is available to you. There are always webinars, blogs and online courses available online which I strongly advise people to take part in. Social media is also an excellent avenue for getting involved in discussions about cybersecurity and recent InfoSec news/incidents.
The Open University also offers a free ‘Introduction to Cyber Security’ course, which is useful for someone wanting a very brief insight into the industry. And of course, getting a degree in a cybersecurity-related subject is always beneficial. The nature of Cyber Security requires you to constantly stay up to date, due to how quickly it’s expanding and developing. Therefore, I always encourage candidates to research and monitor new technology and news.
Just keep trying and never stop! The bad guys don’t stop, so why should we? Learn one new thing each day; take it slow at first and you’ll grow. The security sector of technology is vast so, to begin with, you might want to figure out what really interests you, so the answer below might pertain to you or not, but still, it’s good to be well rounded; that’s what working in this industry requires.
Start by learning your own and other operating systems: Windows, Linux, and Mac OS. Learn how to defend them and harden them, learn what makes them weak and what makes them strong, and learn their local language: PowerShell for Windows and Bash for Linux.
With your gained knowledge about operating systems and how to defend them you should move on to networks: routers, switches, hubs, firewalls, IDS/IPS, etc. Learn how they work, how they communicate with each other and other things, and how to properly configure them.
Next, depending on what you plan on doing, a programming language can go a long way. Most high-end security jobs and even some entry-level ones require you to know how to code, or at least have an understanding of coding. The most popular languages for a job in the security industry range from Python/Ruby to C/C++ depending on what you’re doing. Knowing how to make a website via HTML/CSS & JS is also very helpful. Remember, security covers all aspects of technology: bad code is bad code no matter where or what it’s written in.
Now the fun part begins: you’ve learned how to defend your own computer and your network. You’ve learned a new programming language or two, and you can even now automate things with PowerShell, so what’s next? This all depends on you… By now you could be ready to be a great blue team member (a person who defends networks and computer systems). With your knowledge of automation and some programming you can be on your way in the industry, or you could take it one step further and learn how to attack. There are many Linux distros to be used for penetration testing and I’ll leave the research up to you, but most people start out with Kali Linux.
Security Analyst at Paladion
Build up your technical skills based on Network and Web Application knowledge and try to get any of the well recognized cyber certifications.
Cyber Security Researcher
Make sure you learn the latest technologies and techniques.
Security Researcher at Hackerone
Three years ago, I played Counter-Strike a lot, and some players did hacker things in it, so I became really curious about it and Googled “How to hack counter strike”. Then, after several months, I wanted to learn how to hack a Facebook account, and at that point I discovered that Facebook has a bug bounty program, and researched “what is bug bounty and all”, and now I am here.
Don’t directly jump into bug bounty; first try to find some bug in a company that provides only a hall of fame, because only a few hunters participate in that program, so it’s a great chance to find some bug.
Try to learn how to code at first! The deeper you go into code, the more hacking you can do.
Bug Bounty Participant
Yep, well, I am also a learner; I am no master who can guide the noobs. But yeah, I can tell what I did when I was a newbie. I used to read and understand as much as I could, and read blogs of security researchers. And learn everything from scratch, otherwise you’ll face false positives.
In the Web Application Pentesting field there is also a great platform to start and to learn: “HackerOne”. Read the publicly disclosed reports from HackerOne and understand the exploitations. Learn the OWASP Testing Methodology. Read books and all. Reading and understanding is the most important thing to kick start.
Intelligence Analysis Masters Student
To self-learn and investigate on their own account as much as possible and to be open-minded about the roles and positions they can take within the Cybersecurity world because you can learn a lot and even more than you expected in a role that you didn’t even know you could enjoy.
Senior Cyber Security Consultant
It’s really hard to translate a business trying to make money through cybersecurity into a theoretical, or even practical sense in a pre-work context. That’s simply the truth – you don’t come in knowing how to consult, write business-excellence reports or make calls on what you should say to a customer asking you to make calls about their security posture.
What you can do, however, is expose yourself to some things which make this transition a super easy one, allow you to learn quickly and get the job in the first place by proving it to the interviewers.
If you’re applying for cybersecurity in general (technical such as penetration testing, or general such as GRC), become aware of the landscape. This includes the people (Twitter, Linkedin, Facebook groups), the current events and info (blogs, daily news, hacker cons) and the skills (CTF’s, wargames, competitions such as CySCA).
Most web developers show up with a portfolio of websites they’ve designed for their interview – what about a hacking portfolio? My perspective of this would be a Github account with a tool or script you’ve made or even a list of hacker tools you’ve tried or used in CTFs.
A list of CTF events and some of your favorite challenges and why, how you solved it and how it might be fixed (writeups). Possibly you’ve tried your hand at Bug Bounties – put down your findings and explain why they might be important. Most importantly, take advantage of your two feet and get yourself to a hacker conference – the people you meet there will become friends for life and will certainly welcome you into the community. Many incredible opportunities, experiences, and learning can come from human interaction.
Finally, I would say apply for positions. Go to the interviews and learn what they’re looking for, what you may be missing and ask for feedback. If you can demonstrate learning from a few failed interviews, this equally demonstrates your persistence with, say, attempting a buffer overflow that won’t work the first ten times. Connect with people on LinkedIn – ask them questions, ask questions on Quora, soak everything up like a sponge.
Finally, start learning Linux. It’s not an absolute must some may argue, but it demonstrates your ability to learn technical concepts and provides powerful functionality for when used (and quite often). You want to gain experience with many tools, concepts, and software that might not even relate to security – one day you might be testing it and wish you knew it better. Understand how things work and then you can start working towards exploiting it.
Find an area within infosec that is in high demand.
IT Security Analyst at INDRA
The first thing is not to despair; it is a very wide world and can be complicated. But with desire and effort it can be achieved. Otherwise, it is necessary to have a base in everything that makes up computer science: systems, programming, networks, etc.
Security Analyst at Nota
Stay updated with new exploits, methods and CVEs.
Senior Information Technology Security Consultant
A desire to learn.
Knowing computer security implies knowing the technology in depth. And this implies A LOT of hours learning, EACH day. If you love it this won’t matter to you, but if you don’t you will fail. Another important thing: the University won’t help you very much; you have to study and practice by yourself.
Umesh Gorakh Hande
Try to learn at least one programming language that might be Ruby, Python, PHP, etc. Build your own computer and security lab (Virtual) using old PCs, your own wireless router with a firewall, a network switch, etc. Practice securing the computer and network, then try hacking it. Participate in cybersecurity contests and training games. e.g. Wargames. Look for vulnerabilities on open source projects and sites with bug bounties and document your work and findings.
Additionally, how cryptography functions is also very useful to learn.
Independent Security Researcher
To break something, you need to know what it is built upon. For that, the first step is information gathering. In the first step of every smaller or large assessment, a researcher should know about the architecture of the system and sufficient information on what the black box system is built upon. After having the necessary information, the next step is to identify the potentially targetable endpoints or inputs.
I believe, the more inputs your application has, the higher the chances of getting hacked. The third step should be testing or fuzzing & the last one should be exploiting. If everything is planned well, then success is inevitable. There is a thin line between White Hat Hacking & Black Hat Hacking, I suggest newcomer researchers to first ask the organizations/clients whether they are comfortable with them pentesting their network and then proceed.
Be aware that there are a number of qualifications out there at the moment which may not necessarily get you employed in the sector. Contact companies which you are interested in working with and find out what they are actually looking for / would recommend.
- Consider joining a cyber security-related association so you can network with experienced members of the industry.
- Consider joining cybersecurity LinkedIn groups.
- Manual Source Code Review (C,Java,PHP,JSP/Shell)
- Consider attending Cyber Security conferences.
- Consider going through The Cyber Highway. This would help students understand what businesses need to do at a basic security level to protect themselves better.
Take the first steps to learn to program! It is the first and foremost tool to become a hacker. Start with Python/C language. Then next get a grasp of the basics in networking and databases. Enroll in online video courses from Cybrary/SecurityTube. These help you learn a lot. Download vulnerable web apps/mobile apps into Virtual Machines and practice on them with a Linux OS (preferably Kali). The more hands-on, the better you grow! Learn from great hackers’ posts on HackerOne and Bugcrowd.
Founder, CEO at Hack In The Box
Pick a research area that interests you (reverse engineering, exploitation, application security, malware) and learn everything you can about it.
Founder & CEO at MedMee
Well this is a kicker.
If you are trying to break in just for fun while harming someone or some entity or organization, I wouldn’t support that and I would advise you rather do it with their permission (permission to break in here means you found a loophole and now you are just seeing how far can this escalate without harming the system’s integrity and how to come up with a patch eventually). This way would earn you respect and experience and even $$ in most cases, so it’s a win-win situation.
If you are one of those Black Hats, I suggest you slowly put on a new White Fedora; it’s about time you did that.
Security Researcher – China Cyber Security (CETC 30th Institute)
Yeah, cybersecurity becomes more and more complicated. In my good junior high school times, many people using hacker tools could hack anyone’s computer, but nowadays, with various new technologies (IoT & AI) and the emergence of new attack vectors, there are challenges and opportunities for all industries, not just cybersecurity. So to keep learning is the right way, and finding the right way to learn is another right way, and stay hungry, stay foolish.
Cofounder & CEO at Premedit
Like any industry, cybersecurity offers a large panel of jobs and personal development opportunities. Identify your strengths and your career objective, and know in which field you can perform the most: technical, marketing, sales, management, consulting.
Whatever your field of expertise, cybersecurity is moving fast and is demanding. It requires you to continuously learn and keep pace with changing situational needs. Last but not least, do not forget the “why” (not only the “what” and “how”). It’s a current trap I often see with people getting enclosed in their high expertise and losing the sense of purpose.
Cyber Threat Hunter & Penetration Testing
Read basic network or CCNA, Security+, Basic Linux, CEH.
Ethical Hacker | Security Researcher | Entrepreneur | Speaker
Just go with your passion, be updated with the latest technology, exploits and methods, and research with your innovation; checking out the POCs of others will make your process to break anything easier.
Senior Security Engineer
Stay curious. Learn to master logic and critical thinking. Cyber Security is endless learning and you should learn every day. Master the basics and fundamentals, starting from operating systems, basic networking stuff, basic programming techniques and analogy, web programming and some basic database commands and queries.
That would help you to understand how a computer works from a different perspective and it would be essential to learn security with this strong basic knowledge. In our current IoT (Internet of things) set up, cybersecurity is a fast pace module wherein everybody is involved and everybody can be a target. Also, consider expanding your network, attend cybersecurity conferences nearby, do not hesitate to ask questions from the experts and try to get a mentor. I always use this quote whenever I want to clarify something: “When in doubt, just ask.”
Information Security Consultant
Do some certifications.
Think about the value you can bring (IT, networks, business, communication skills…)
Start by focusing on one thing (forensic, malware, pentesting etc) and master that.
Principal Threat Intelligence Analyst at RedSocks Malware Labs (Bitdefender)
Get relevant experience in system/ network administration first.
Risk Management Specialist at Reliance Industries Limited
It was all part of the career plan. I would say I took it as a hobby, as I grew up watching some hacking movies. I was inspired to enroll in the same field and luckily I was able to follow my passion.
Senior Associate Consultant at Paladion
Try to focus on one domain at first to kick start and do some certifications for that and apply for the same post. Don’t run for money, just gain experience and money will follow you (of course, if you are good).
Founder | CTG Security Solutions
Proper focus on programming languages: PHP, Perl, Python, etc. Also, knowledge of the Linux platform is a must; better you go for Kali Linux and other latest open source-based security-focused distros.
Co-Founder Appsecco | Ex OWASP BLR Lead
Learn how to learn, as this field is wide and ever-changing. The easiest way to ensure that you are learning and retaining information is to try everything in a hands-on manner. While you are doing that, make sure you document. I recently did this workshop/talk for people at OWASP Bangalore (GitHub) and it may be useful on how to get started.
Security Operations & Threat Intelligence Practitioner
Don’t depend upon certifications, but merit and aptitude.
Jefe de Proyecto en Bankinter Global Services
Passion and motivation are the most important but you need time. Knowledge is easy to find.
Cyber Security Professional
Know Networks!! and then you will flow over Security!
Information Security Consultant
If anyone wants to start their career in the cybersecurity domain they must realize that it is a very large subject and you cannot be an expert in each domain but you can acquire the necessary knowledge and learn specific expertise.
IT Security Engineer
Self-learning in free time and perseverance. If you don’t love security and computers, don’t enter this market, you will get bored very soon (some attacks and tasks are very technical and complex).
Think broadly about your skills, network like mad, ask everyone what they need or desire and apply yourself to the most important demands you feel passionate about. Don’t get hung up on any job, everything is worth a try, everything teaches you something. Offer your services to everyone. Summarize your experiences constantly and remember that people only give work to really busy people.
Roberto Pérez Raba
Cybersecurity Systems Analyst
My advice is to learn something new every day, that’s my philosophy. All the passionates of cybersecurity are lucky because security is not a job for us, it’s a real hobby and we just need a PC to train our skills and learn something new. Fortunately we also have so many information sources like blogs, academies, tutorials, “free hacking tools”. So look for your first cybersecurity job, make of security your hobby and keep forming you and that’s all, be patient and your cybersecurity career will build itself.
Technical Manager, Cyber Security (Secure-IT/SIEM Practice) at Jolera Inc.
Keen interest to learn about ongoing security-related events/issues/breaches/new technologies.
Initially taking cybersecurity-related courses that are freely available (for example, cybrary.it) and find the area you enjoy the most. And finally, start working in a place where it will be related and at the same time, you can expand your knowledge in the future.
You must have analytical and logical skills. How to determine bad and good? How to choose a good company? Who to trust and whom not to, etc… After some point of time in our field, it is a must to have self-learning skills as no one will be mentoring you for your whole life. You read, you create an environment, you test, you write a blog: this is a simple approach for learning new things. Give priority to your search. First, find YouTube videos; if you can’t, then go for Google and find any website link or article; if not, then find that in the dark web, torrent or deep web (only if the torrent is legal in your country). If you follow this approach you will be a good Penetration Tester after 1/2 years.
CTO at Neotas Ltd
Instead of going for classes, look for finding solutions on your own through resources available online. Read blogs, keep an eye on Security trends on twitter, follow security channels like Reddit (netsec), news.ycombinator, and also if possible join a local security meetup chapter to keep yourself motivated and networking.
Security Consultant at Payatu Technologies
Basics should be clear: if the person does not have their basics well placed then it’s a bit difficult to clear the interview process.
Senior Security Consultant en NCC Group
Today there’s plenty of information about cybersecurity on the Internet. My advice is to read as much as you can and to take specialized training courses. Some of them are really expensive, but if you have the luck to get a job on cybersecurity after that, then it’s worth it. Another recommendable path is to join the graduate program that some companies in the UK are offering.
Dr. Burzin P. Bharucha
Go with the flow, as nothing comes and lands into your hands. You need to always put your best foot forward and believe in yourself, by putting trust in your core talents, following your passions sincerely with focus and commitment, and silencing all your fears and facing all roadblocks head-on in resolving them.
Certified Forensic Examiner
Be well rounded and like computers. You need to like tech and be prepared to immerse yourself in tech not just at work. You also need to have an investigative personality and like solving puzzles.
Global Project Manager at MSAB
Go for it; if you have an interest in a subject, keep pursuing it – it took me 24 years to finally get into the role – although, to be fair, for a large part of that time the role didn’t exist.
If you make up your mind and are sure you want to venture into this field then just go for it. Don’t be discouraged by the many drawbacks and disappointments you will encounter; for example, when I was starting out I got into contact with Concise to do a presentation on Forensic readiness, sent the video, and then didn’t hear from them. I would have expected some feedback on how to improve on the presentation, but nothing, and that was downright disheartening; they could have even at least just told me to get lost and that would have been polite and encouraging.
That almost made me give up hope, but I didn’t; subsequently I got other platforms that were interested and some of the work was included in their top rankings. That example is not nearly the tip of the iceberg of what you would run into. Don’t feel you can only progress in your career by getting a job; before that you can build yourself and your experience by doing things on your own to help improve your employability; and who knows, you may even become the employer and build your own empire.
Don’t ignore the “people” side of computer forensics because it’s in a technology field. To do the job really well, you need to understand people as much as you understand the technology, because if you don’t, you won’t know the right “questions” to ask about the computer you’re examining. My education and training in sociology, psychology, and investigation is just as relevant to my skill as a computer forensic examiner as my education in IT.
At the start of your career, I would suggest that you spend time understanding Networking, OS, Basic Programming, Tools, Cyber Law, IT/Evidence Act, Hacking modules and more for additional skills. Try to use all open source and shareware tools and benchmark them for efficiency and learning purposes. Read blogs and white paper resources, and watch videos and webinars from vendors. Forensics and Cybersecurity professionals need deep experience and classified information, and in this domain no one is an expert.
Ronak Gajendrabhai Patel
I would always suggest starting from the basics and moving to advanced for any stream related to Cybersecurity, i.e. Computer Forensics, Penetration Testing, Malware Analysis, Security Analyst, etc., instead of just learning tools. Learning basics or fundamentals gives you a strong foundation, and then moving to the tools and practicing these will help you with ‘real-life’ scenarios.
Renaissance Technologist | CEH, ISO27001LA, CCNA CyberOps
Get your hands dirty!
Nowadays, it seems that certifications are required by hiring: if you have time and money, knowledge is always welcome!
Information Security Manager at Advanced Structures India
To enhance your career in cybersecurity, you have to work for increasing your skills, think about the technology, update yourself from time to time, start with CEH and CHFI courses also for the basic skill set in this domain and practical closer is much required.