How To Start A Career in Cybersecurity

Starting any type of career can be a daunting prospect.

We can very likely all agree on two things: you should do something you love doing, and it takes time and dedication to achieve your goals.

Breaking into cybersecurity is no different than any other career path or profession. In fact, in some ways, we’d even argue that choosing Cybersecurity as a starting career is a sensible move because as long as you can satisfy certain requirements, you’ll be good to go!

This post is for people that:

Have No Experience With Cybersecurity (Ethical Hacking)

Have Limited Experience (Typically as an Admin).

Those That Just Can’t Get A Break

OK, let’s dive into the post and suggest some ways that you can get ahead in Cybersecurity.

First off, let’s just agree that saying ‘a Career in Cybersecurity’ is a bit like saying ‘a Career in Banking’, i.e. it’s an umbrella term that incorporates dozens of niches within the industry. In Cybersecurity we can, for example, talk about digital forensics as a career, or malware/software detection, auditing, pentesting, social engineering and many other career tracks. Each of these sub-categories within cybersecurity deserves a separate blog post, but, for the purposes of this piece, let’s focus on some important generic requirements that everyone needs before embarking on a successful career in IT Security.

Please skip to the section that most suits your experience and situation:

Do You Have No Experience With Regards To Cybersecurity?

If you have no experience don’t worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.

OK, so you have zero experience and limited skills… our advice in this instance is that you teach yourself some absolute fundamentals. Teach yourself TCP/IP, programming, coding, markup and as many technologies as you can! Our #1 piece of advice for those with limited experience is to get your head around hacker tools and learn how to use them effectively.

Metasploit, nmap and Burp Suite are three great examples of platforms that can be used to perform security testing of web applications and network vulnerabilities. Understanding why there is a vulnerability will catapult your knowledge, confidence and your skills in being able to detect (exploit) and patch (remediate) breaches and other ‘common’ security problems.

Where can you learn the skills? Here are a bunch of resources to get you going:

SANS CyberAces
Concise Free Cybersecurity Course Directory [Over 30+ FREE Courses]
Introduction to Practical Hacking and Penetration Testing [YouTube: Eli the Computer Guy]

If you are completely new, we’d suggest watching the above video by Eli the Computer Guy and then watching some quality videos on SecurityTube. If you can master certain tools then you’ll be ready to start to put your skills to good use!

Where can you practice your self-taught skills? Here are a bunch of resources to get you going:

Once you’ve taught yourself hacking skills, go ahead and test them (legally) on purposely made Vulnerable Platforms. These platforms are vulnerable by design so that novices and those with limited cyber experience can sharpen their penetration testing skills.

Damn Vulnerable Web Application (DVWA)
Google Gruyere (Web Application Exploits and Defenses)
The ButterFly – Security Project
Concise List Of Over 20 Vulnerable Hacking Platforms

To recap, the key objective for those who are interested in starting a career in cybersecurity but have zero experience is to teach yourself the fundamentals and, better still, to become proficient at coding, programming and using the specific tools mentioned above so that you can confidently use them in the field.

The next goal is to obviously find a job! We would recommend applying for as many ‘entry-level’ IT jobs as possible since once you have your ‘foot-in-the-door’ you can begin to migrate into security with relative ease as long as you do what we outline in the next section.

Do You Have Limited Experience (as an IT Admin) And Want To Break Into Cybersecurity?

Many of our readers and students are already working in IT and are keen to break into IT Security. The good news here is that that is entirely possible. Here is one relatively solid fact and we welcome all thoughts on this: typically no one ‘starts a career in cybersecurity’. It is much more common to migrate into security than simply start in the space from the ‘get-go’.

IT Professionals with more general experience (and ideally networking) make ideal security candidates. They will generally have core technical competencies coupled with having a solid appreciation of all facets of security and also an understanding of the people issues around security. Furthermore, an excellent cybersecurity candidate will know the industry they work in and the business challenges it faces and will have experience with corporate infrastructure and ‘politics’.

Try And Identify The Key IT Skills You Need To Take The Next Step
To transition into cybersecurity, clearly set out the skills you need to enter the profession and your specialization. Take a good look at the security challenges your company or industry faces (an excellent place to start is the OWASP Top Ten). There are many core skills that are applicable to all verticals, whilst some organizations will have specific security challenges (e.g. think healthcare with regard to patient data). Research industry security standards and regulations, e.g. ISO 27000 as well as specific standards such as PCI-DSS.

Think About The Technology
Have a think about the type of technology associated with your desired career move into Information Security. For instance, does your company use Cisco or Oracle hardware and systems? If so, perhaps take a look at specific Cisco or Oracle Security Certifications since they do demonstrate competency.

Think About People Management And Your Presentational Skills
Here’s a crucial bit of info that folk tend to forget: your presentation skills! If you are serious about working in cybersecurity at a senior level you will have to present security-specific strategies to non-technical staff most likely at the board level. If you can weave this into your sales patter when seeking to move into IT Security, i.e. you appreciate that presentation and management skills are vital, then your CISO or otherwise will likely be impressed with your forethought.

Show Them The Money!
Help your employer agree to move you into security by illustrating the risks to the organization and weighing the potential cost of implementing protection against the cost of getting breached. As long as you can demonstrate that the cost of training you is cheaper than the alternative – data (customer data) breach, ICO fines, embarrassment to shareholders etc – then your employer will very likely agree with you.

Offer A Contract
Employers are worried that if they go ahead and train one of their IT Networking guys (for example) with a CISSP Certification, then that individual will get headhunted by a rival and they’ll lose out. So, mention that you will promise that on payment of your training fees you’ll stick around for a minimum of six months. Obviously this is dependent on your existing employment contract.

Are You Finding It Difficult To Get A Break?

Keep going. If you are finding it difficult to get your career off the ground then go ahead and watch this inspirational video, then come back to this page.

If you are determined, patient and willing to put the hours in you will succeed.

Make sure that in your downtime you learn how to use Hacking Tools (notably nmap, Metasploit and other commonly used pentesting tools and frameworks) whilst specializing in certain skills/niches. If you are still feeling a little lost then we suggest you go ahead and take a look at our “70+ Tips To Help You Get Started In Cybersecurity”.

In Summary

If you are just starting out your career in IT and are interested in Ethical Hacking/Pentesting and indeed any profession within cybersecurity then you have made an excellent career choice. According to the Bureau of Labor Statistics there are more than 210,000 cybersecurity jobs in the U.S. that are unfilled, and postings are up 74 percent over the past five years! Furthermore, the demand for positions like information security professionals is expected to grow by 53 percent through 2018. Please show me another profession or industry with those numbers!

As cybersecurity threats evolve, demand will also increase in tandem, and in many cases regulation makes a team of security staff a legal requirement, not just a ‘good business idea’. You’ve made a wise career choice, now make it happen!

Let us know your thoughts. Are you working in cyber already? How did you get your break?