“Where do I even start?
I think I want to pursue a career in information security but there are SO many options.
How do I choose?
How do I make sure I’m making the right decisions and spending my time and energy on things that matter?“
If these questions are buzzing through your mind, please know four things:
- You’re not alone.
- There are no perfect answers.
- We’ve all been there (and sometimes still struggle with similar challenges).
- Working in information security is a never ending learning and development process (both professional and personal).
Many of us graduated or were only newbies when the 2008 financial crisis hit. We know what it’s like to cope with instability and uncertainty and we also know we can figure this out – both individually and as a community.
If the prospects of a dream job may be blurry or dissolving right now, the first healthy step to make is accept this high entropy environment. This is our reality and wishing it were otherwise only depletes and demoralizes us. We’re better off saving our energy for things that move the needle.
Cybersecurity is one of the few sectors primed for post-pandemic growth. Factors such as accelerated digital transformation, the massive shift to remote work, or the increased need for online payments make information security mandatory, both from a compliance and from a business continuity perspective. There are prospects for growth for the industry.
So no matter what draws you to cybersecurity, you definitely have a range of opportunities going forward.
Here are a few honest ideas and resources to help point your efforts in the right direction.
What cybersecurity jobs look like
Job titles and job descriptions vary quite a lot across roles and companies, so rather than using that as a compass to figure out what to start with, take a look at the NICCS Cybersecurity Workforce Framework.
Originally developed by the National Institute of Standards and Technology (NIST), the framework classifies cybersecurity careers into seven categories:
- Analyze
- Collect and Operate
- Investigate
- Operate and Maintain
- Oversight and Development
- Protect and Defend
- Securely Provision.
By reading through these categories, you can start to develop a clearer picture of the type of skills you may need for various roles.
As a next step, you could do some LinkedIn research and see what type of infosec jobs are available. Take a look at the requirements but also take it with a grain of salt. As many cybersecurity specialists will tell you, sometimes companies tend to have excessive expectations.
It’s never too early to get familiar with job offers and how companies and recruiters work.
Additionally, you should also look at infosec pros’ LinkedIn profiles to see how they talk about their work, what they emphasize, and what kind of content they share. What’s more, you can start interacting with them early on and start developing genuine relationships that are instrumental for your career-building efforts.
You get to make it your own
Any honest person who’s been working in infosec for a while will tell you there are no formal paths in this industry.
Yes, there are certifications and courses and the like, but it’s mostly self-education that makes a meaningful difference.
Consider shaping your education to become a T-shaped specialist:
This will not happen overnight but it does help to keep this concept in mind as you continue to gain knowledge and practical experience. Concepts such as this one can come in handy when you have to make choices around your education, job opportunities, and how you invest your most precious, non-renewable resource – your time.
One of the best parts in this industry is that you get to carve your own path and sometimes even create your own job in a way that makes the best of your unique abilities and experience. This may not be clear at first but it will become something you’re grateful for as you go along.
It’s also useful to remember that things change and so will you. What you think you want to do now might not turn out to be what you end up doing in the future. You can grow into a new role and outgrow another.
Keeping a clear, open, and focused mind may prove to be your biggest asset.
Choose to participate
One of the most important things you can do for yourself as you start out in information security is to become part of the community.
You don’t need to start off by having hot takes on trendy topics or by contributing to every infosec Twitter thread out there (and there are TONS of good ones!). It’s okay to sit and watch at first, to find people you want to follow, to figure out whose insights and articles make the biggest difference for you.
Following these conversations will help you acquire not just technical skill but also technical insight by exposing you to a wide range of perspectives and approaches.
As soon as you find your tribe, your corner of the community, start contributing however you can – from a supportive tweet to sharing resources you found helpful, your contribution will make the community stronger and also make you a better specialist – and person.
We’ve felt this first-hand by contributing to the evolution of DefCamp, so we’re no strangers to the experience.
If you’ve never used Twitter before, start with this DefCamp list and go on from there. Your future self will thank you for it.
Cultivate your curiosity
Working in cybersecurity involves a multidisciplinary approach to self-education.
To cultivate your curiosity, we also recommend reading beyond your field. Key concepts and examples from business, psychology, sociology, and geopolitics help you connect the dots beyond your role. These insights can help you articulate your work’s value in business terms. You can also get better at working with your colleagues and spotting things that others miss.
To get the biggest return on your time and energy investment (and for the money you spend too!), consider developing a learning process. Think of how you choose your sources. Create a reliable note-taking system. Maybe even consider writing to share what you learn. It’s still one of the most effective ways our brain learns, especially if you choose handwriting over typing away on your laptop.
Developing your critical thinking will serve you incredibly well no matter how your infosec career shapes up. It gives you a great foundation for troubleshooting and a methodology for sifting out the useful details in your work and environment.
Experience first, certifications second
In the early stages of your career, experience will trump certifications every time.
Without experience, you may end up investing in certifications you don’t really need. Yes, these certifications demonstrate your abilities but you can work your way to – and through – them more effectively if you build a bit of practical experience.
Our core belief is that education and knowledge are essential to evolution. Our team constantly learns and gets new certifications, but we also value practice – a lot!
How to get experience when you’re just starting
There are a few ways you can close the practice gap and start getting your hands dirty (while keeping your white hat clean). Options include:
- Volunteering for projects in the industry → helps you get to know people who might lend a helping hand or open doors in the future
- Participating in CTFs → there are plenty out there for all experience levels
- Trying your hand at bug bounties → The Internet Bug Bounty is a great resource to bookmark
- Experimenting with all sorts of infosec challenges on CyberEDU.ro → a free platform featuring 100+ exercises developed for and used in international ethical hacking competitions.
In terms of formal education, you can start slow, since there are over 50 online cybersecurity courses – both free and paid – that help you build your know-how and practical skills.
Once you’ve focused a bit more on a particular professional course, you can start looking at certifications such as:
- EC-Council – CEH, CHFI, LPT
- Offensive security – OSCP, OSWP
- ISC2 – CISSP
- ISACA – CISA and others.
Basic skills you really need
While infosec jobs come in many colors and sizes, they do share a fundamental layer of technical knowledge and skills. There are 3 elements that combine to give you must-have abilities:
Knowledge of networks
Working in cybersecurity involves at least basic knowledge of networks, routing, switching, VLAN concepts, subnetting, and the like.
The CCNA training and certification will help you understand routing and switching and master the basics.
Once you feel it’s time, you can advance to network security concepts – algorithms, security configurations for various devices, encryption, etc. This will give you a competitive advantage over other cybersecurity professionals in the market.
“The really intriguing thing about InfoSec and hacking in general is how they draw heavily from knowledge of all sorts of IT subjects. It’s difficult to understand attacks, malware traffic, or intrusions without a firm understanding of network ports, protocols, and architecture. Similarly, it’s difficult to understand malware or identify system compromises without a firm understanding of operating system architecture, hard drive construction, or programming fundamentals.”
Lesley Carhart, one of the most well-known infosec specialists in the biz
Basic computer knowledge
Besides networks know-how, you also need to know how users’ environment works, from the basics of memory management to folder sharing concepts, to permissions or different types of system access. Understanding how ports and system firewalls, IP assignment, or registry items work is equally essential for any infosec role.
If you’re going into memory forensics, system hardening, access management, penetration testing, or other infosec verticals, this knowledge will prove invaluable both in the short and the long term.
Learn at least one computer language
Experienced cybersecurity practitioners agree that coding knowledge is a key missing skill in the industry.
As industry veteran Daniel Miessler says:
“If you can’t code, you’ll always be dependent on those who can.”
While working with others and cultivating team spirit is essential, not being able to drill down to code can become a bottleneck in cybersecurity workflows.
Most industry pros suggest that opting for one of two languages – Python or C – will get you far.
Ask for more than just programming advice
Industry insiders know cybersecurity is a process, not a product. We believe it’s even more than that – it’s a mindset!
So as you progress in your infosec journey, don’t forget to ask for more than just technical advice when talking to peers, colleagues, or mentors.
It’s equally important to ask them for feedback or help with building your resume or working with recruiters. You may be surprised to discover how common your fears, worries, or frustrations are among more senior specialists.
“Being able to sit next to someone and troubleshoot with them, or code with them shows you exactly what the work looks like even after 20 years of experience.
You still google “what was that parameter that showed the time elapsed in hours?”.
You still refer to the RFC, or the manual, or to that one Stack Overflow post you discovered three years ago and bookmarked.
You still slice a list incorrectly when moving from one language to another.
And you still overlook simple settings or skip steps when you’re under pressure.
Watching people push through difficult issues was invaluable for me.
I learned how they think about the most likely cause of a problem. I saw them sketch topologies out on a paper because trying to work through a packet loss problem in their heads would have made them overlook obvious things. I saw them use checklists. I stole the checklists. It was great.”
Alexandra Stefanescu, Tech Officer at Code for Romania
What it’s like to work in cybersecurity (part I)
What’s more, it helps to cultivate industry awareness. Pay attention to changing attitudes and trends, to how companies see and position themselves in terms of cybersecurity.
Keep an eye out for changes in job dynamics using resources such as this heatmap.
Your mindset and ability to strengthen it will give you a solid foundation to rely on as your role, job, and circumstances change – along with the whole world around them.
Extra resources for your infosec journey
There are extraordinary resources out there for motivated learners like you. We wanted to suggest a few we know stand out based on quality and insight, so you can continue your journey.
- Daniel Miessler’s guide for a successful infosec career (his entire blog, hid podcast, and all the resources he creates are excellent)
- Peerlyst’s free ebook, Beginner’s Guide to Information Security Kickstart your security career with insight from InfoSec experts, by Limor Elbaz, founder and CEO of Peerlyst
- Lesley Carhart’s “Starting an infosec career” series (parts 1-3 are available here, with links at the end for parts 4-7).
Remember, the quality of your input influences the quality of your work/results/progress. Learn from the best and you can accelerate your development in more ways than one.