How do I get into Cyber Security?

This is a question I hear and see very often. There’s lots of advice from individuals with a much greater licence to share than I, however here’s my two cents!

To start with, it can be broken down into:

• Immersing yourself in the industry
• Learning the basics
• Possessing an inquisitive nature

Getting immersed in the industry is very easy as resources are abundant, and I’m a firm believer in learning via osmosis. The only issue is, you need to be mindful not to overwhelm yourself; this threshold will be different for everyone. My advice would be to build up slowly (a handful of twitter feeds and podcasts). There is a lot of duplication between resources and platforms, at times it can be helpful to hear a different perspective on the same issue, but this should be limited for the most effective use of your time.

• Podcasts — SANS Internet Stormcenter, Cyberwire Daily, Risky Business, Security Now, Darknet Diaries just to name a few (I would personally start with the first two, then build from there)
• Twitter — The best start point is to google ‘best cyber security twitter feeds’, over time you will pivot out from content they retweet, if you read a blog that captures your interest, see if that person has a twitter feed
• Blogs/White Papers — Every security vendor/consultancy has a blog, three that I would start with are SANS, FireEye and Crowdstrike; tools like feedly or medium can be used to aggregate resources
• YouTube — I normally utilise YouTube for a very specific topic. The SANS Institute channel has a great repository of content from industry leaders (and links to more focused SANS channels)
• SANS — Strictly, they sit within all four categories above, however the sheer number of free resources (including online conferences in 2021) deserves an honourable mention! https://www.sans.org/security-resources/?msc=homepage

If you have a sysadmin or help desk background, the basics of operating systems and networking will already be established. For those coming from a non-technical background (I was in this category) you’ll need to build a solid technical foundation. I can boil the basics (I’m over simplifying here…..) down to a combination of:

• Networking and architecture (TCP/IP, OSI model)
• Operating System fundamentals (Windows, Linux)

Use a combination of the resources above (YouTube, etc.) to start drilling down into the two points. You will naturally pivot into more specific topics such as authentication, particular protocols, file systems or web applications from those two building blocks.

Possessing an inquisitive nature is a core component of working in the industry; I can liken it to a toddler asking ‘why?’ more times than humanly possible. Inquisitiveness is a key trait that ensures you keep learning, and provide the best quality service to your customer/organisation. When immersing yourself in the industry and learning the basics, there will be many new terms, acronyms and concepts. My advice would be to note them down, then research them one by one (google and twitter are your friends here!), over time technical resources will begin to make more sense. Don’t be afraid to reach out to anyone within the industry for guidance, but please ensure you exhaust your own research avenues to prevent any negative experiences!

When you get further down the road, a few more factors come into play:

• Identifying your ideal role
• Soft skills
• Certifications

Now you’ve been drinking from the ‘fire hose’ of information, identifying your ideal role in the industry will provide you with more focused information for consumption. The easiest way to do this, is to decide whether the blue/defensive or red/offensive aspects (over simplifying again!) of Cyber Security appeal to you the most. Searching job boards can assist with this decision (although this is not absolute!). The role responsibilities should give you an idea of which jobs interest you; there are numerous sub-disciplines within the two aforementioned categories (I’ll caveat that by saying, a well rounded blue-teamer will have practical knowledge of offensive techniques, and vice versa — however Rome wasn’t built in a day).

Soft skills are arguably more important than technical acumen. You could be a reverse engineering rock star, but if you can’t communicate your findings, it’s all for nothing! In my opinion, all soft skills relate to effective communication (all forms of verbal and non-verbal). Two common case studies are, communicating technical content to non-technical stakeholders*, and getting approval from the wider business to implement security initiatives. Knowing and understanding your audience and their expectations is key when deciding the best method of communication, the format and content; you will rarely achieve perfection at the first time of asking, so don’t fret!

Unless you work for a security vendor, it’s very unlikely that the majority of your organisation will have a firm grasp of Cyber Security. To that end, a large number of interactions must be framed with business impact/risk. These interactions are also the perfect opportunity to ‘educate’, the manner in which this is done can be the difference between a stakeholder* seeing Cyber Security as a blocker or an enabler to their role. The latter can result in them becoming a security advocate, sharing their new found knowledge with their immediate team, and possibly bringing undetected security issues to your attention (many call this the force multiplier effect).

The subject of certifications is of much debate, arguably, possessing Cyber Security certifications will increase the chances of your CV/Resume making it through the initial automated and/or manual filtering. One of the main issues with certifications is cost; SANS are without doubt the industry leaders, however the cost of their courses and associated certifications are prohibitive unless sponsorship is received from an employer. The most important factor, is being able to show a potential employer that you have the passion to work in the industry, without bankrupting yourself! Popular ways of achieving this happy medium, include courses offered by CompTIA and EC-Council. I have been involved in the hiring process on many occasions, for a variety of entry and experienced roles. The most important things I want to see from any candidate, regardless of seniority, is their passion for the industry, and their ability to apply knowledge to role related scenarios.

If you’ve read this far, thank you! I’ve tried to keep the content as concise as possible, whilst ensuring the information is useful and most importantly actionable.

Any constructive criticism and/or ideas for future content are more than welcome. I’m aiming to follow this with another blog focused on ‘CV/Resume and Interview preparation’.

*by stakeholder I mean anyone in the organisation; someone from HR, another part of IT, or a member of the board.