As I move towards my goals of becoming a CISO, I realize the path that I have taken to become a Sr. Cyber Security Specialist is not like everyone else’s. As a matter of fact, everyone else’s path is different from every other path — and it should be.
The story about my path is for another day, however, I do want to address the struggles that people are facing when trying to break into Cybersecurity; the more you read about it, the more overwhelming and daunting it can become.
Cybersecurity: What is it?
Definition: The practice of protecting internet-connected systems and data from cyber-threats using various methods.
I would like to address is that Cybersecurity is not all about pentesting or hacking. In fact, hacking should always be referred to as “authorized penetration testing” which is under “Risk Assessment” (aka Active Defense), but it’s not everything. It would be a mistake of think of cybersecurity as a single career path.
See mindmap of Cybersecurity roles and career paths:
This doesn’t cover everything, and the map is based on the creator’s personal view (Henry Jiang — post and mindmap file can be found here: https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp/); it is missing specific control categories unless they are important enough to stand on their own. Example: IDS/IPS, firewall, DDoS Remediation — these can be included under Security Ops, Detection, and Prevention.
Note: You do not have to be an expert in every subdomain of Cybersecurity!
Starting in Cybersecurity
Cybersecurity offers a wide variety of opportunities for both technical and non-technical individuals; Doing security well requires a mix of technology, sociology, law, politics, and organizational sciences. And to do security well, you don’t necessarily need a Cybersecurity degree or 10 years of experience in tech.
I recommend the next few steps to all new beginners:
- Develop a broad understanding of IT in general. The more you know in each area, the better you will be able to understand the workings of each team and problems you encounter. Read everything you come across — I have a short list of blogs and articles you might want to save:
Websites & Bloggers:
· Krebs on Security / briankrebs / https://krebsonsecurity.com/
· IT Security Guru / https://www.itsecurityguru.org/
· Security Weekly / https://securityweekly.com/blog
· Naked Security / https://nakedsecurity.sophos.com
· Daniel Miessler / Daniel Miessler / https://danielmiessler.com
· Graham Cluley / https://grahamcluley.com
· Troy Hunt / https://troyhunt.com
Check out this reddit community (and their wiki)! https://www.reddit.com/r/cybersecurity/
- Make sure that you love to learn! You can check out some courses on these platforms:
- Design your own home lab. Learn, test, grow, break, and rebuild.
For example: (other ways of building a lab are available, but this is something I have personally done) Download VirtualBox and create 2 VMs; 1 web server, and 1 database. Link the two together to create a website that can display items from the database.
The reason I say this is so you learn to research, try new things, find resources, and learn how systems & tools work and interconnect before you can secure them.
- Certifications are great and should be pursued but only once you know which area in cybersecurity you are interested in. You also do not need to sit the exam; you can simply use the study material to learn a new concept. If you want to know which certificate is best, research for your desired topic and ask questions.
- Get involved in the community. This includes contributing to the conversations, contributing to open source projects, speaking at conferences, conduct research and share (create a blog), etc.
- When picking a cybersecurity career path, identify your interests and strengths, and be honest with yourself. I recommend listing our your preferences (ex: policy writing, and people management, or networking and app development) which will help pinpoint the type of roles you’ll want to focus on.
- When focusing on your technical skills, don’t forget about your soft skills! You need to be able to work well with a team.
Although this can’t be considered as a guide to winning that Cybersecurity position you’ve been aiming for, I hope it comes to some use to those starting out and needing a small light of hope.
Cybersecurity is a very rewarding field to work in; I hope to see you all here soon!