Getting Started in Cybersecurity

How To Start and Where to Start to get a Career

Working in cybersecurity is probably one of the most romanticized and stereotyped career fields in Hollywood. Hacker lingo, the dark and edgy techno-punk styles, and the scripted command line chicken-scratch they put up on screens entices many who see it and say ‘I bet that’s fun’ or ‘man they’re smart!’ If only reality were so streamlined and cool. While many roles in cybersecurity do stuff that looks similar to being on screen, mainly our high-speed penetration testers and red teamers, the reality is that much of our job is planning and reporting. All good cybersecurity starts with a plan, where we define our risk by assessing the presence of a threat, leveraging an existing vulnerability, and the likelihood that it will be exploited (minus the effectiveness of our existing security controls to monitor, detect, and prevent such an exploit). Did I bore you yet?

If so, well, then there’s some hope yet that we can lure you into the field. The good news is that getting a role is also pretty easy. Right now cybersecurity continues its year-long reign of being one of the most demanded fields in the U.S. job market. Just looking at data from the Bureau of Labor Statistics on Information Security Analysts, we can see that the ten-year expected job growth is around thirty percent at the time of writing, over 22% higher than the national average. If you also took a gander at that BLS page, you would’ve noticed the average salary too, floating at about $100,000/year, and that’s not wrong. While I started out significantly lower than that number, at $50,000/year as a junior analyst (in a low cost-of-living state), it took me only two years to double that number (with some job hopping and moving to another state.) Even better, I now earn significantly more than even that as a systems engineer in my current full-time role. How about now, you ready to get started?

There’s No Right Way, Just Your Way

To break the ice, I need to emphasize something. There’s no ‘right’ way to go about getting into the industry. For me, it was because I started a more traditional, long route way of working in tech, getting my Cybersecurity degree, and getting certified all at once. This was massively overwhelming (and quite honestly the most depressed I ever was in life) but I was impatient and too hard-headed to realize the damage I was doing to myself. Meanwhile, for others, they are pivoting out of another career field. Then for some, they simply know a guy.

The simple answer to the question of how to get in is that there are too many ways to count, and all of them require a level of effort from you. But you came here for an easy(ier) button, right? Lets try and break down how to get familiar with topics first.

Certify

Certifications are arguably the biggest factor in weeding out the serious professionals from the paycheck hunters. These are quite literally the get-rich-quick scam of getting into the industry and getting noticed fast, but it requires a lot of effort from you, the learner. Most start out with the traditional certification stack from CompTIA: A+, Network+, and Security+. If you’re already comfortable in I.T. (maybe you’re working on your degree or you’ve been working an I.T. job for a while), A+ is more optional than required. If you’re starting fresh, I definitely couldn’t argue against it. I would always recommend Network+ and Security+ though, as they’re far too important of topics and material for entry-level to skip. Networking is the reason cybersecurity exists in the first place, and understanding how people remotely reach out and touch a system is vital to understanding and breaking down attacker methodology. Meanwhile, Security+ introduces what attacker methodology even means. This dynamic duo/trio is a solid platform to stand on for entry-level cybersecurity jobs, and they’re super affordable compared to other cybersecurity certifications, plus the training is readily available from sites like LinkedIn Learning, Udemy, or Professor Messer (who is entirely free by the way). For my readers out there, there are both CompTIA official material and licensed material that go over these certifications as well (some even pair with the course from Udemy/LinkedIn Learning).

What are some alternatives? Well, GSEC is a fantastic GIAC certification that comes paired with a SANS Course (SEC401), the industry standard in certification and technical cybersecurity training. If you can afford it (it’s $7,000 and some change), I would always recommend SANS and their GIAC certifications over any other means of learning in the industry. They are absolutely one of the fastest and best ways to get noticed and hired. That being said, they always come with the extremely high cost, and unfortunately aren’t something that student loans will pay for.

Academia

The good ole’ college try isn’t a bad option for many people who want to get into cybersecurity. My only complaint to college courses on cybersecurity is that often they are just simply certification courses masking as college ones. This unfortunate situation leads many to pay for college that only teaches the same material that they would later just certify in. Would I pay roughly $30,000, the average cost of a bachelors, to have just learning courses on Security+, Network+, CISSP, and maybe a handful of others? Without the voucher for those exams, I would argue no. If the college offers you a voucher though? Absolutely. I’d highly recommend researching the institution you want to attend and see if they offer this kind of program. Some may require you to have an ‘X’ level grade to get the voucher, some only select top students, etc. If you want your money’s worth though, college should be about learning college material and not just copy-pasting certification courses into a program for a single degree and no certifications to boot.

So what kind of program should you be looking for beyond one that’ll get you vouchers? Well Cybersecurity (or the improper Cyber Security) degrees are a great place to start. Some of these are technical, rooted in Computer Science programs. Others are attached to Business Schools. There isn’t a right answer, because honestly both have different approaches but both import very important topics from different angles of business needs to engineering needs. Mine was actually in business, so I got a healthy dosing of ‘holy crap why does this matter?’ Only to work in the industry now for a while and find out that translating the business needs into technical ones is wildly important to get the organization aligned with the security mission.

If your local college or university doesn’t have this program, here’s a list of great alternatives (in no particular order):

• Information Systems, Business Information Systems, Information Systems Management

• Computer Science, Computer Security, Computer Engineering

• Software Engineering, Software Development

• Information Technology, Information Assurance, I.T. Management

• Network Administration, Networking Management

• Data Management and Analytics

Why Alternatives, you ask? Well, contrary to what many may want to assume, you don’t need a degree in cybersecurity specifically to get the role. I know many who come from the more generalized I.T. degrees, to people who went to college for finance, to people who just didn’t go to college at all; all of them doing very well for themselves in the industry. Don’t overthink it, just go for it if you want it! I know I harped on it earlier, but for many, College is still a fantastic resource for those who prefer the traditional learning environments and nurturing you can get from professors, advisors, and on-staff tutors who teach the courses.

You Need Experience to Get Experience

Work experience is probably a bigger factor than it should be, with many organizations still searching for individuals who’ve had some background in I.T. before pivoting into security. In my opinion this is a huge overshoot, and being a junior security analyst is an entry-level job that a fresh-out-of-college grad could do.

But maybe you want to prepare yourself in I.T. before pivoting into security, and that’s a great solution as well. Spending some time in a helpdesk style role, you could seriously beef up your I.T. problem solving skills, which are vital to working in security (because you’re there when I.T. stuff breaks because of bad actors). You should definitely be looking for these types of roles, which may also help you afford certifications and learn valuable experience about I.T. Operations in an organization. Even better, you may be able to to pivot and network with ITSec professionals in your organization you’re working with, helping you build a relationship that could foster into a role in cybersecurity down the road. This leads me to my next topic though…

Networking, Networking, Networking

I hate how important it is, especially when you’re a nerd like me and just wanna be left alone to talk to a computer instead, but knowing the right people is the difference between getting a job and not sometimes. Building a reputation as someone who is dependable, effective, intelligent, and hands-on is a big piece of getting into the field. The more people you know, the smaller our cybersecurity world gets. I’ve done this full circle dance now for years, having bounced around the industry now a few times and meeting the same people over and over.

So how can you get around? LinkedIn is a great place to start. Being a networking platform and digital resume, you can quickly get contacts and share stories, comment on posts, and interact with people. It also lets you put your entire professional life on your personal profile, which is something I personally do. From my time in the Army Guard to RadioShack, I keep everything logged there to show everything from start to now on how I’ve grown. This works well when you need to fill job applications quickly too since you keep track of jobs and content over time, you don’t start forgetting start and end dates, what you did, etc.

From LinkedIn, I’d highly recommend conferences and conventions. BlackHat, DEFCON, and so many more, it would be difficult to say that you can’t get around and meet people. Participate in events, hack-a-thons, capture the flags, and other things to learn and show off technical expertise and surely you will run into individuals who are hiring and looking at you as a potential candidate. Go bold and wear a ‘free agent’ or ‘hire me’ shirt with a QR code to your LinkedIn or something. Get creative, be confident, and you’ll attract yourself job prospects and connect with people who can get you in the right places.

Finally, put yourself on Job Boards. LinkedIn counts for this, but there are a few more to build a profile on and toggle the ‘Let Recruiters Reach Out to Me’ or the Public visibility option. ZipRecruiter, Indeed, Monster, Handshake, Clearance Jobs, and Glassdoor all are great resources to have profiles on and get your profile out there for recruiters to help do some of the legwork for job hunting.

Right Place, Right Time, Right Uniform

A tongue in cheek to the military mantra about doing the right thing, I love using this phrase to summarize the bit of luck that goes into finding opportunity. Some people believe that when they’re ready, something will land at their feet as consistently as Amazon two-day delivery (in most areas.) However, that just isn’t the case. While the job market is exploding, so isn’t the amount of people who are flocking to be here. Over my career, I’ve applied to well over 100 jobs (if not like 300) in the industry, and I’ve landed just five. Be prepared for this, as it will be soul crushing at times seeing the unth-denial letter. I have ‘we’ve decided to move onto other candidates’ burned into my brain. What I want to emphasize more than anything else though is sometimes its about luck. You’re basically playing the lottery with always-changing odds against you. However, at no cost to you (except sanity and self-image), you can keep playing by continuing to apply. Eventually you will win that lottery, all it takes is a little persistence.

Another saying I love to preach to peers is it pays to be uncomfortable. If you’re trying to pursue a career and make the most money here, you’re not gonna be happy with yourself in a short-term scenario. Now, I’m not saying do what I did and have full time college, full time job, and guard duty all in the same four-year sprint (I’m not naïve to say that didn’t help accelerate me either though), but rather it comes to you in the form of ‘what cost is it worth to you?’ Are you ready to work 12-hour midnight shifts? Can you handle both certifications and college at the same time? These are questions you should be prepared to ask yourself in terms of how far are you willing to go and how much can you handle while you pursue this endeavor. It is absolutely okay to take it slow, and some sacrifices might not even need to be made, but preparing for the idea that the beginning part of this career path is going to be a little burdensome is good to help you map out ways to decompress, ensure you have time for yourself, and not overdoing it (that’s a whole ‘nother conversation to have about working in the industry.)

You Can Do This!

I want to end this by screaming from my mountain top that a career in cybersecurity is possible for you! Anyone can approach this industry with zero experience and turn around in a short period to find themselves in the middle of handling a breach scenario, and I’m willing to put my name behind that. The complexities of working in cybersecurity are broken down tremendously when you learn the basics and learn them well to expand upon and build on more complex and seasoned topics that have roots at that foundational level you already know.

So get out there, do what you feel is the right way for you, and don’t let anyone stop you, bog you down, or tell you you’re doing it wrong because that honestly makes them wrong in my opinion, and if you’re here, well then I hope you at least care a little about what I have to say!