I see many posts on social media asking for advice on how to get started in cybersecurity, what certifications to get, etc., so I figured I would write an article with my perspective on those topics.
Cybersecurity as a career
You do not need any formal education, nor any specific certification, to be successful in cybersecurity. Both will help you get noticed by recruiters and past the so-called HR firewall. Both are artificial barriers to entry controlled by people who are entirely out of touch and have totally wrong ideas of what is needed. According to some of those folks, you need to have a Ph.D. in cybersecurity and every certification on the planet for an entry-level job. There are many tales about recruiters asking for ten years of experience in a technology invented five years ago. I even read a story about a person who was a lead developer in a new field; the recruiter told them they did not have enough experience in that field, advised them to read blogs on the topic, and pointed them to a blog they themselves had written.
I have no answer on how to fix this severely broken hiring pipeline. Since the requirements seem totally random, with no basis in reality, I have no one-size-fits-all way to get past this broken system. Therefore, I am going to focus this article on advice assuming this broken pipeline did not exist. Just know that if you see a job posting that seems unreal, it probably is. The problem is not you; it is them.
A thought just occurred to me. I wonder if they are doing this on purpose to test how creative and persistent you can be to get past this block. Both persistence and creative solutions are essential to many cybersecurity jobs. If you need to be spoon-fed the answers, need to have a structured procedure handed to you, etc., there are very few jobs in cybersecurity that would be a good fit for you.
Let me start by giving you a sure-fire way to weed out people who dish out advice but have no idea what they are talking about. These folks advise entry-level candidates to get the CISSP, OSCP, CISM, or CISA certification. I imagine these folks would go into a high school and, when kids ask for advice on picking a university and a field of study, tell them how to write and defend their Ph.D. thesis. CISSP, OSCP, CISM, CISA, etc., are not entry-level certifications. These are pinnacle certifications that are extremely challenging even for very seasoned cybersecurity professionals, and most of them require proof of several years of experience before the certification will be issued, even if you pass the test.
OK, let us switch the tone here; enough negativity. So, what should one do to prepare for a successful career in cybersecurity? The first thing you need to do is figure out which aspect of cybersecurity you are drawn to, as well as what motivates you. Like other aspects of IT, the field of cybersecurity is vast. Here are a couple of pictures to demonstrate just how huge the field is. I borrowed these pictures from the web after doing a web search for "cybersecurity domain mind map" and "cybersecurity color wheel." There is a ton of information in those search results and in variations on them.
As you can see, you cannot just say, "I want to work in cybersecurity"; you need to be more focused than that. What draws you to cybersecurity? Which aspect is the most appealing to you? Depending on which area you are most drawn to, different things will prepare you. I was once talking to a Lyft driver about what it took to get into cybersecurity. I told him to make sure he knew computers very well, and that it was helpful to be good with networking, know how to code, set up servers, etc. He then asked about coding skills, and I told him it was beneficial to know how to do web development and automate things with Python. He commented that that was a lot to learn. If he needed to know web development, shouldn't he just become a web developer? I only had a one-word response to that: "sure."
One of the rumors out there is that cybersecurity is easy money. I find this to be terrible advice. Yes, there is a lot of money to be made in cybersecurity, just like in many other high-tech fields, for those who are good at it and manage to be successful. However, I would not say it is generally easy. First, what comes easy to one person is not necessarily easy for another. Not everyone can be successful at everything. I firmly believe that to be successful in a field, you need to have a drive for that field and find it interesting, if not fun. Second, there is a considerable amount of burnout among seasoned cybersecurity professionals. Depending on your role and the company you work for, the stress level is well above average, and the hours are often long. Therefore, I would say that this is not an easy job. It is, though, a job I enjoy very much and something I have always had a passion for.
Here is my take on three of the domains. I am not qualified to speak to any of the others:
- If you have a passion for rules and regulations but the field of law is not for you, or you are currently in the law field and looking for a change, security governance might be for you.
- If you like to take things apart to find out how they work, how they behave when used, and to find unusual uses for things, the offensive sector, aka the red team, might be for you. This field requires you to learn things quickly in a very unstructured way. The drive to learn, to figure things out on your own, and an insatiable curiosity are essential here. If you need to be taught things, always need a user's manual, etc., this is not the field for you.
- If you are more of a helper and have a drive for defending people and things, cyber defense and operations might be your field. This is sometimes also called the blue team or defense. As in the offensive sector, the drive to learn in an unstructured way is very important. You also need to be very good with computers and know them inside and out. It is tough to defend something you do not understand.
In my opinion, the best foundation for both defensive and offensive cybersecurity is an extensive IT background. IT helpdesk, system administration, and network engineering are all excellent foundations for a successful cybersecurity career. The great thing about cybersecurity, though, is that there is no single or best path. I took the path of IT helpdesk -> data center tech -> network engineering -> cybersecurity vulnerability management, and I think that is a great path to take. Others have taken entirely different paths and have been extremely successful.
Certifications, whether they are needed, and how they are used are hotly debated topics in cybersecurity circles. Most people seem to agree on avoiding EC-Council certifications, and that CISSP is not an entry-level cert. The only reason to get a cert from EC-Council, such as CEH, is if it is mandated by your employer or the academic program you are enrolled in. The only folks who seem to value EC-Council are recruiters and HR folks, and I have already made my feelings about their opinions clear.
If you are new to the high-tech workforce and want an edge in job hunting without going the traditional college route, I would start with some CompTIA certifications. I would start with A+, then get both Network+ and Linux+, then go on to Security+. CompTIA offers a lot of great certifications; I would start with those and then add more as time and budget allow.
Once you have worked in IT for several years, have some experience in a few of the security domains, and are looking to demonstrate your security savviness, I would look at the certifications offered by ISACA, (ISC)2, and Offensive Security, depending on your specific field of interest. The Cloud Security Alliance also offers a great certification for cloud security, if that is your chosen specialization. When looking at these certifications, make sure you pay close attention to the prerequisites to ensure you have the required background and experience. Also, remember that these are expert-level certifications.