So You Want To Get Into Cyber Security
If you find value in this story, consider making a donation to the [HS]2 program. It prepares a group of first-generation and/or low-income students of color to succeed in college by empowering them with STEM-based skills, a family of driven peers, and a space to see the light and power in their own voices. Even $1 helps by demonstrating broad support to larger institutions considering donations.
I often get asked for a half-hour meeting by people who are interested in getting into security. It’s in demand, pays well and, let’s face it, has an element of cloak-and-dagger that’s intriguing. After surveying some colleagues who take these calls too, we all start with the following questions in some capacity:
- What about security are you interested in?
- Why is that interesting?
- What skills do you have that overlap with security?
If you want to actually get paid to do cybersecurity work, let’s skip straight to the meat. You’ll have to transition from fantasizing about it to actually providing value by knowing things. Unless you’re using brute force and luck, you’ve got to know how something works before you can break it creatively.
The single best piece of advice I have is to lean into technical matters. The second best piece of advice is don’t be afraid of your computer.
That doesn’t necessarily mean you have to know how to code and solve problems with code, but the more technical you are the more problems you’ll be able to understand or solve. Or break! Cybersecurity is no different than any other field in that regard. It’s just problem solving.
Before getting into what to do, let’s get clear on one thing: Do not pay for certifications like CISSP, SANS or Certified Ethical Hacker. This is not a value judgement against certifications; they are simply not stage appropriate for someone new. You can get a better knowledge base for free. If you wind up landing a decent job, odds are the company will pay for you to get those certifications. So save your cash and your time. (Someone pointed out that SANS does offer scholarships to women, veterans and people of color, so maybe look into that.)
Security can feel like Law or Medicine because the breadth is so large. Using your time wisely is key. So where should you begin?
- YouTube: Look up Kali Linux, Metasploit, Wireshark, password crackers, rainbow tables, packet sniffing, botnets, malware and just keep clicking on every video that looks interesting. What you need most is an inch-deep understanding of technical hacking techniques and tools, and the ability to explain any of that during an elevator ride with someone. This should be equal parts fun, terrifying and exhilarating.
- Udemy: You don’t have to know how to solve problems with code or scripts to be useful. However, you should absolutely know how that stuff works from hands-on experience. Sign up for a Python or JavaScript course and commit to finishing it. Just.Keep.Going. Regardless of whether you actually go into security, you will be more qualified wherever you wind up by knowing some of that stuff. My first entry into coding was Violent Python. As cool as that book sounds… start with a basic class first. I didn’t understand Python or what they were using it for in that book, so it turned into a double heaping of imposter syndrome. Learn one thing at a time.
- Security Engineer Interview Questions: Over a couple of years, I wrote down and organized every security engineer interview question people posted on glassdoor.com. They’re organized into themes. Open up a Google Doc or your blog, research the questions and write down the answers. Each thing you learn turns into more frosting on your security cake.
- OWASP Juice Shop: What does that acronym mean? Look it up! Then see if you can make the thing work and/or find the vulnerabilities. YouTube is full of excellent walkthroughs for this. Very fun.
- Capture the Flag (CTF): These are contests where you either defend, attack or do both. Check out TryHackMe and Hack The Box.
- SOC 2 Type II: Look up what a SOC 2 Type II report is and read one start to finish.
- Password Managers: Learn how to use 1Password, use it everywhere and then teach someone else how to use it, like your parents or your best friend. If they are older and using Apple devices, teach them how to use Keychain. Along with 2FA, a password manager is the single best way to prevent being hacked. And you will learn a TON about security by teaching others about it.
- Colleagues: If you’re already working somewhere, make friends with the IT team, security team or whoever is in charge of that stuff. Be candid, tell them you want to get into security, and that you’d like to help them with their toil work no matter how rudimentary it is. They could all use some help. I transitioned from customer support to Security Engineer in just six months based solely on my willingness to answer the same questions over and over in security questionnaires a CTO hated answering.
- Titles: Research, write down and define the different job roles in security. What does a security engineer do? What is the difference between a security engineer and a security analyst? What is a CISO?
If you get frustrated, that’s okay.
Maybe you can’t get Heroku (uh, what’s that?) to work for Juice Shop. You’ve downloaded Wireshark and… don’t know what to do. Whatever it is, reach out to a friend who knows a little about tech and they can probably get you unstuck. Or just close the tab and move on to something else.
Momentum is the most important thing initially. Keep going forward no matter what direction. There are no wrong turns in the beginning. At some point, you’ll wind up back at the thing you were stuck at with more context and you’ll be able to get through it.