Over the past few years I have been getting more and more questions about how to get into cybersecurity, mainly:

1. What are the best learning resources?

2. Do I need certificates to land a job?

3. Which certificates or university courses would you recommend?

4. Should I work in general IT first?

5. How do I transition my career to cybersecurity?

6. What career path would you suggest for someone who has just finished university or a bachelor's degree?

7. How do I get started in hacking?

8. What basics should one know before starting in cybersecurity?

9. How do I land a job?

10. How do salaries in the industry compare to development/engineering?

I have chosen the ten most frequent questions and will try to address them from my personal experience, having worked for at least a year in each of the following three cybersecurity domains:

1. Red Teaming — Offensive Security and Penetration Testing

2. Blue Teaming — Security Engineering and Application Security

3. Security Management — Governing Information Security

Since the idea is that this article should remain relevant for the next few years, it keeps a general tone. Cybersecurity changes so rapidly that keeping up with current affairs can be daunting at times.

Although there are many exceptions in the industry, the basics of the following domains will remain useful in the years ahead:

• networking

• operating systems

• development

• communication and other soft skills.

The ABCs of Cybersecurity Careers / Major Cybersecurity Prerequisites

The traits behind any successful cybersecurity professional are focus, devotion, and discipline. To keep the list of resources to a minimum, for starters I would recommend the book Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career (Confident Series). It covers the absolute basics thoroughly and presents cyberspace to the reader in a clear way.

Further, whatever the area of interest, I would never suggest a purely theoretical approach in an industry that changes this fast. The theory and the basics should not be skipped, though. The best way is to do hands-on exercises and go back to the basics for every topic you are unfamiliar with. Done properly, this is the most practical, effective, and comprehensive way to learn.

Open Solutions and Constant Practice

To start hacking, and again to keep the number of resources to a minimum, I would recommend CTFs and challenges that do not come with a single published solution, only a hint or a topic to research. This builds a try-harder mindset and prepares you for your future role, where the task has no obvious solution but one has to be found anyway.

Hack The Box is an example of a platform that releases new active boxes (machines) every week; it keeps you up to date while also covering the ABCs. In a serious company that is able to test a candidate's actual knowledge, certificates and university degrees should play no role.

We do list them in our job descriptions — within the nice-to-have section — but they are never a primary requirement. Nor is there any need to take another IT role first and switch careers later.

A junior analyst position is a perfect starting point in any cybersecurity domain. The person should be familiar with the topics that come up in the daily, repeatable tasks, and that routine is an ideal way to start.

Career Shifts and Cybersec

For career transitions, the best approach is to build on existing expertise and learn how that domain can be secured. For example, a software developer who is used to reading code and working within a software development lifecycle can quickly pick up the OWASP ASVS (Application Security Verification Standard) and the OWASP Code Review Guide and land a job in application security.

There is no universal truth here. A rule of thumb is to learn something every day and apply for any position that can serve as a starting point. The more experience you have (practical unpaid projects count too), the better your chances of landing the next job.

First Cybersec Experiences

If I had to land my first job now without any experience, the first step would be to go through job descriptions and decide what I want to do.

The second step would be to launch my own blog and write weekly about current, game-changing industry topics. For example, if the topic were cloud security, I would go through a DevOps bootstrapping bootcamp on AWS, think about it from the offensive side, and deliberately build a vulnerable environment. This is a common learning technique that serves both the blue team and the red team side — you get both perspectives, how attackers think and how to secure the whole environment.

Say you have no experience, certificate, or degree to demonstrate your skills for an incident response analyst position. Your resume should then list all the practical projects you have worked through. The technical team reviewing your CV will value these more than a specific certificate, especially if they are the same resources they used when starting their own careers.

Another example: when we hire a new web application penetration tester, a candidate who has completed all the PortSwigger Web Security Academy labs is a good indicator of someone ready for a technical interview. Burp Suite is the number one tool in use today, and the labs walk through most of the well-known web vulnerability classes using it. The same principle applies to any domain.

Lastly, salary should not be the primary reason for entering any field. Still, as in any business, when demand is high and people are scarce, salaries will be higher than in other industries, which is currently the case.

Conclusion

To sum up, this short article has debunked the myth that it is hard to find a job and work in cybersecurity. Rather than pointing at expensive commercial resources, it has offered some simple examples and general advice on what to look for when googling (the most important skill) and researching a particular type of role.

Keep it simple, bring dedication, discipline, and passion to your work, do practical exercises every day, and you will move smoothly into the career path of your choice.