A topic that comes up often is how to get into cybersecurity as a career.
For those of us in the industry, we have gotten here from many directions. Some, like myself have been computing since the wild west of computers. I started with computers in 1977 but did not enter the fields as a career until 1996. I was afraid that it would kill my love of the machines. (it hasn’t)
I see three viable paths to Cyber in the market today:
- College
- Military
- Work your way in
Regardless of the path that you take, you need to be taking it for the correct reasons. Choosing cybersecurity roles simply for the dollar is apt to bring you heartache. It is a field of constant change and innovation. The operating systems change, the tools in the environment that you are protecting are constantly changing, upgrading, and hopefully patching. Along with all of the changes in your environment, come the attack vectors and new vulnerabilities that are popping up on a daily basis. If you are just in it for a paycheck it will not take long to get burned out and complacent. Complacency gets your seat canned when some twelve your old kid brings your network to its knees for kicks.
So let’s get into some more detail abut those entry points.
College/University
As soon as you are confident in your cyber desires, start looking for colleges with technical programs. Learn about what they want/need for you to improve your chances of getting accepted.
When you get accepted to a program immerse yourself in it. This is after all a lifestyle, not just a job. Outshine amongst your peers, but do not burn bridges. Those peers that you are nudging out may very well be critical to your success later. They are your support as you travel this path. You are bouncing ideas off of them and if you are wise you are helping them too. This field, while widely varied is small. As an example, I have people from my last couple of roles that I have worked with before. One person goes all the way back to my first paid tech support role. we have worked together at three different employers.
You will want to build a sold foundation in how computers and networks function. There are many technical certifications that you can obtain while you are going through your coursework. As you explore these foundations, it is likely that some aspects speak to your technical soul more strongly than others. While you can come out of school as a technical generalist, it is much more likely that you will be drawn to one or two areas like a moth to a flame. If not… then you may not have found your calling.
With hard work, perseverance, and a bit of luck, you will move that tassel on your mortar board and have head hunters already tapping at your email/phone. Enjoy that degree as it gets your foot in many doors. Sometimes it will be to a role that you are not thrilled with, but it will pay the bills while you add to your cyberskills, gain a network of peers, and get that resume into shape.
Military
While I went to the military, it was as infantry so I did not gain technical skills there. I have however known plenty of my military brothers and sister who did. The jobs that they selected going in (make sure it is in writing!) got them sent to schools that taught them electronics, general computing, cryptography, or cybersecurity itself to help defend our forces.
I am not going to kid you that this is an easy direction, but I missed my opportunity at getting into a good college as I just wasn’t ready for it yet. I needed some growing. Being in uniform is hard, the discipline, formations, chances at combat are not easy for a person to deal with at times. Most of the high tech roles are in safer positions in the world, so there is that.
If you did not get a high tech job in the service, use that GI Bill (or whatever its name changes to over time) to get yourself into college as discussed above. If you can get through what a drill sergeant did to you in basic training, you can get through final exams at the university.
Work your way in
This was my path. I started as a midnight computer output clerk because I knew what the burster and decollator did. I had never run one mind you, but that was better than the others that were trying for the job. I sorted out reports from the laser printer that ran all night. If you took all of the paper and put it in one stack, it would be 20 feet tall or so. It was only somewhat technical, but between that and my computer knowledge from just playing with the darned things for years, I was able to get into a technical support role in a call center. Getting that call center experience built customer services skills in addition to technical skills. Take care in learning how to explain a technical thing to a generation or two older that you are. You need a library of analogies. Folksy ways to illustrate a concept so that anyone can grasp it. You may well have to explain a complex issue to a room full of “idiots”, not that they are stupid, but they are not on the same level that you achieve. There is a very fine line between teaching, and condescending. You will see either understanding in their eyes, or they will glass over as you are leaving them in the dust. Back up and get them involved again so you can get the whole group back on track again. All the while you are working you are keeping your eyes open for training opportunities. Perhaps your employer has a something like CBT nuggets or Cybrary so that you can take classes to add to your arsenal. There are so many free training videos to watch out there. These courses help you seek out that sweet spot that you want to make your specialty. Once you have that target, research the desired skills in job postings so you know what foundations that the hiring managers are wanting. You will find a certification that you can attain, maybe CompTIA A+ is where you start, Getting certifications will show aptitude, desire and motivation. They also so that you have some skill in the testing area which reduces risk for the hiring manager. We used to se a ton of paper certs. Paper certs do not have any real world experience involved, you just memorized some data and took the test. When a certification was accused of being a paper cert, it marked a possible end to corporate interest. Certifications started getting harder to obtain thus were of more value to the managers.
Another arena for training is your local user groups. If you are in a decent sized town up to a megalopolis, you will have groups of people gathering to discuss their areas of common interest. It could be networking, coding, hacking, or may other topics. Watch for them, they are often free and meet monthly or even more often. This is not only a way to gain knowledge, but meet people with experience that they will be apt to share with you.
A larger venue for meeting people in the cyber security area is your local B-Sides. I have been attending my local B-Sides for years. It is a cyber security oriented gathering. Some are looking for work, others are hiring managers. They tend to be held in larger cities around the country and even world. The one in Portland Oregon (near where I live) is free. I do donate (and get the nice badge and normally a t-shirt.) to help support the cause. It is not cheap to run but it is quite fun and there is so much to learn in the presentation tracks, vendors, and peer to peer knowledge sharing.
If your budget is a little more forgiving, you can attend DefCon in Las Vegas. The cost for DefCon 30 (2022) is $360 for the four day hacker convention. I had a great time at DefCon24 and look forward to going again. Your badge will get you into plenty of parties also so if you have a significant other joining you, you will want to get them a badge as well since they do not have +1 privileges.
A convention on my bucket list is BlackHat. This one is spendy and high end, so unless you have deep pockets, I hope that you have an employer that will foot the bill. If that is a case, then you already have the skills and role to not need to learn form this page, but may be qualified to submit articles to post here. (let me know if that is the case)
Another avenue to working your way in was (in humor) missing a meeting. The situation was that you were not present to decline the boss’ nomination to the new tech role. You knew how to use AOL, or a computer in general better than other in the office. The next thing you knew, you were the new network administrator trying to figure out how a network is build and maintained. During that time, we only ran antivirus software to protect the network. Oh we had passwords, but they were written on post-it notes on or near the computer. Yes, we have come a long way.
Working your way in requires patience and an eye for opportunity. You are watching for another role in the company that takes one more step up the ladder. After you have enough time under your belt and you keep your online resume updated with your role and skills, you will start getting tapped by head hunters.
A cautionary note on head hunters, they are commonly looking for someone to work as a contactor. This can be a great opportunity, but you can get trapped into the contractor game. I have known very good cyber analysts that moved out of a W-2 role into contracting (against the advise of his peers). Contractors often take home more money, but do not have the benefits or security that W-2 roles have.
This paragraph may become dated quickly. Build a LinkedIn profile and keep it updated. Please use a permanent email address like Gmail that is different than your daily use email address. Our email addresses have history stored around the web. Keep this one clean, business use only. This is the address that you use for LinkedIn, Monster, Indeed, GlassDoor etc. and configure your phone to get that email. Our local unemployment office teaches to accept LinkedIn connections with all headhunters (recruiters). This is part of building your network. When these recruiters start to annoy you with all of their attempts to connect you with their various clients, you can bet that your skills are becoming attractive. Watch the wages being offered, the location, will they pay to move you, or other perks. Being a married man with a home, I am no longer looking for relocation. For the younger and single crowd, there is nice money to be had, allowing you to travel the world.
If you have a story that you would like to tell with other interesting paths into the Cyber Security family, please let me know.