I get asked a lot how to get started in the world of cyber security. In this article I will share my thoughts and experiences learned along my journey.
An old Hindu Proverb states,
“There are hundreds of paths up the mountain, all leading to the same place, so it doesn’t matter which path you take. The only person wasting time is the one who runs around the mountain, telling everyone that his or her path is wrong.”
This saying is very true in the computer security field. Some have no prior experience and go to college for infosec or cyber security majors and enter the field that way. Some have attended college for something completely different. Some have been in other IT fields for years and switched to security. Some have no professional schooling or work experience and are self-taught. Others are a mix of the above.
So, what is the best way to get started in the security field? I have two opinions on this:
My Professional Opinion
I have been in this field a very long time and my professional opinion is that no individual path seems better than others. Success seems to depend on the individual practitioner’s interest, drive and passion for the field, not necessarily their employment background or educational pedigree.
But this is pretty much true through all of the IT world. For example, one of the best IT support co-workers I ever worked with, at one of the top tech facilities in New York, had a Master’s degree in Music!
My Personal Opinion
That being said, my personal opinion is a little different. I started as a desktop technician, worked up into network support and design, then server administration and finally server support before I entered into the security field. I knew how networks worked, was fluent in multiple desktop & server operating systems and had numerous years of experience in corporate IT environments and data centers before I even began my security career.
I personally can’t think of a better overall path than to have work experience in the IT design and support fields before starting your security career. I believe people that follow this path have a much deeper understanding of what is going on in individual systems and the interoperability of the system in the bigger network picture.
This makes it much easier for an offensive security specialist to move from system to system in a target network. It also makes it easier for defensive security specialists to defend large systems from attack.
No matter the path you choose there are several things you can do to help yourself along the security career path.
As with the normal IT field, the security field changes almost every day, so it is good to constantly be a student. There are a lot of outlets to learn from:
- Technical Schools and Colleges
- There are also numerous Security Certifications
- Military Career – There is a big need for military cybersecurity students
- SANS classes are a great place to build your career, they also have free webinars, and a ton of resources on their website
- Pentester’s Academy, Cybrary
- Attack Defense Labs, Capture the Flag (CTF) practice sites & competitions
- Magazines – like Hakin9, Pentest Magazine, etc.
- Youtube training tutorials – Irongeek’s channel is awesome!
- There are tons of technical books & classes available from publishers like Packt, O’Reilly, etc.
- Lastly, Google is your friend – search for security blogs, articles and classes
For example, City College of San Francisco Professor Sam Bowne offers a lot of his class material to the public – https://samsclass.info/
Follow & Network
Find people in the field that do what you want to do and follow their social media accounts, check out their books, blogs, and watch their training or conference videos. Get connected with local security groups – there are multiple groups available. The security groups are normally very open to new comers and those willing to learn.
- Twitter – A lot of security conference attendee planning & commentary are on Twitter
- Instagram – As with Twitter, many security leaders have active IG accounts
- LinkedIn – A great networking and news source
- ISSA – https://www.issa.org/
- OWASP – https://www.owasp.org
- Many other Local Security Groups have regular meetings
Many (not all) security leaders are willing to help people new to the field if they ask good questions. But realize they are very busy and may not answer a common question that you could have easily Googled. Oh, and never ask them if they will teach you how to hack a (an ex-somebody, a relative, the neighbor’s cat) Social Media account, it is a quick way to get blocked and reported.
Get Real-world Experience
Nothing beats real-world experience. There are several options here, internships, military, bug bounty programs, even starting in an entry level position and working up through the ranks. As mentioned earlier, I took the long route. I started with a computer repair tech school, and got a position in a computer support company as a bench tech replacing ICs on circuit boards. I worked up through the ranks by taking every class my company offered, and studying for certifications during lunch breaks.
Along your path I highly recommend being yourself. Having military knowledge, and being a weightlifter & martial artist has really opened up some very interesting security training opportunities for me. I have helped train some very unique groups and met some amazing people. Some of the best in the world at what they do.
Blog your Journey
Lastly, if you don’t already have one, I recommend starting a Blog (or Vlog).
Write about what you like, what you are learning, what interests you. On my blog I simply wrote about the new things that I was learning as I explored cyber security. It wasn’t long before I had a very popular security news site contact me and ask me to write regular posts for them. From there I was contacted by a top security magazine and asked to write articles for them. After I wrote for them for a while, I was asked to join their “beta test” team, a group of individuals that tech review articles and classes for the publisher.
Around the same time, I was contacted by a book publisher and asked to be on their tech review team. Even though I am pretty busy now with writing my own books (6 in total & counting!) and creating training material, I am still on the tech review team for both publishers.
It is a great opportunity to help out people new to the field and provides a great chance to meet & network with other like-minded security professionals.
Not all paths lead straight up the mountain. I personally made several attempts to enter the security field before my dream became a reality. As you progress, you may have self-doubts, and want to give up. This is normal, and usually the strongest when you are starting.