April 12, 2023
Hello all the great people out there who are a part of or will soon be a part of our fantastic industry! This article will serve several purposes: to give practical guidance to people trying to enter the industry, and to put into writing a series of relatively successful videos I recently released to tackle this same topic, which you can view here: Get Into Cybersecurity
I want to start by saying you can do this! And not only that, you can be great at it. Maybe even a leader in the industry eventually. Have you run into things like not knowing where to start? Have you started only to find out that as you search for jobs, you don’t see any that are entry-level? Do you feel like you might not be smart enough to enter this exciting, fun, and sometimes challenging field? Well, let’s address those challenges together right now, and let us put them to bed. These things can mostly be squashed by doing the following items in the following order:
- Research the industry and the different job roles, making sure you find some things in those roles that genuinely interest you.
- After picking some areas, research those areas in a more in-depth way to find out what the requirements are for those roles.
- Pick a focus and start tackling the requirements to enter that role.
- Reach out to mentors and others seasoned in the industry.
- Start training for that role. Repetition is key.
- Go after your job.
Research Different Areas And Job Roles
There is certainly a wealth of different types of jobs in cybersecurity, and probably one to fit most people perfectly if you look around. The problem is, how do you identify and connect yourself to those roles? One thing to know is that asking other cybersecurity professionals where to start is sometimes not the ideal move. Now I’m speaking of this from first-hand experience because I was guilty of this myself for some years. The typical scenario goes like this:
Kim: Hey Bob, I want to get into cyber, and since you’re deep into cyber, I want to know how to get in as well.
Bob: Oh great, well see what I do is I work in reverse engineering, and I reverse engineer malware for an incident response practice. And the way I started was just looking at basic code and understanding it. So you should probably start with first understanding basic code and programs, then learn to reverse those and work your way up to more advanced programs.
Kim: But don’t I need to learn how to code first?
Bob: Yes, so take some introductory programming courses first and then work your way into reversing. I’ll mentor you!
A couple of months later, Kim has realized she hates coding, or even trying to learn it. This coding stuff is not at all what she thought she was getting. And now she’s questioning her ability to join cyber at all! Let’s examine some key missteps here. First, Bob’s first question should have been to ask Kim what it is she wanted to end up doing. If she didn’t know the answer to that, then that means she’s probably not researched the industry enough or hadn’t researched deeply enough to understand what she wanted to do. Secondly, Bob made a critical mistake a lot of us have made when advising newcomers: being too biased toward our roles in the industry. Bob meant no harm, and he probably loves his job, but that job was in no way what Kim wanted to do. Thirdly, Bob does primarily code-level reversing, but there’s a whole part of malware and reverse engineering that does not involve code at all. Not all reversing is code reversing.
So my message and advice for you newcomers is to make sure you research job roles and what those people do. I’ve taken the liberty of highlighting some positions in this video: First of Two Videos Showing Cyber Roles. Watch both videos on those roles. For those of you who are already experts in our industry, try not to be so quick to define doing cybersecurity as what you do. Again, I once wanted everyone to be a penetration tester, so I was the first person I know of to be guilty of this very thing. If you’re Kim in this scenario, realize that you shouldn’t decide on what you want to move into based on 30 minutes of Googling different job roles. It will usually take more time than that if you dig deep enough and are thorough in your research. Realistically, if you wanted to know what a penetration tester or threat hunter does, then just one of those roles will take more than 30 minutes of research, reading, watching videos, and other general research.
For example, if I told you that the slick hacks you see in movies make up less than 5% of the time a penetration tester spends on the average penetration test, then your view of that role or desire to do it may or may not change. The key is to know the role.
Find Out What The Requirements Are For Your Desired Role
Now that you’ve researched the role well enough to know what it is you want to do, I recommend spending some serious time figuring out what the role requires of you. Also, pay close attention to what it is the specific role is asking as far as skills and knowledge base. For example, if you pick a role like Information Security Auditor and one of the requirements says “familiarity with tools like Nmap,” that phrase will have a completely different meaning if the job role is Penetration Tester. One role will expect that you know what Nmap is, and another will expect you to be able to perform and demonstrate how Nmap is utilized in a penetration test. So while the description may be similar, the actual expectations could be different. Don’t forget about location requirements, citizenship, background, and all these other things. This is an excellent opportunity to seek out people on platforms like LinkedIn and kindly ask for advice on what those requirements are and what they mean. You might be surprised how open we are to answering those types of questions.
Reach Out To Mentors And Others In The Industry
As a person who gets anywhere from 25 to 30 of these types of messages per day in my LinkedIn inbox alone, let me make some suggestions that may get you further:
- Don’t feel shy about asking. We want to help!
- Do at least some research before you reach out.
- Be concise and to the point.
- I’ve produced a decent amount of content here on LinkedIn. Check some of it out! You might get some of your questions answered sooner that way.
- Tell us what you’ve decided you want to do, why you have decided it and why you think you’d be a good fit for the role you’ve chosen. If you have these answers already, it will help us give you more specific and personalized guidance.
- Spend some time every day working on your dream of moving into a certain role. Even if it’s 5 minutes dedicated to just thinking about nothing but your next move.
Overall, the general consensus I’ve gathered from my own feelings combined with the discussions I’ve had with others who are my peers in the industry is that we all want to help. Most of us have been there and it took some time. We would like to share the mistakes we made and help you not make the same ones. Even if you don’t reach out to me specifically, find others.
Start Training For Your Desired Role
I believe one of the most useful things I did when starting my career was to list out all the certifications and other things I needed to obtain in a spreadsheet, then at my own pace, knock those things off one by one. It wasn’t then about getting as many as I could as fast as I could. It was much more about trying to make sure I understood the material I was supposed to understand. I’ve always had a fear of not knowing enough, or not knowing what I am supposed to know about a topic. So as a result of this brain tic or whatever we want to call it, I always train obsessively. Even to this day. When I have to do a presentation or teach a class, I prep as if I’ve never taught it before. A big portion of you will already know that most of my visibility in this industry came from penetration testing, exploit development and training. I’ve taught Certified Ethical Hacking courses since 2004 and when I teach one today, I prep as much or more than I did the first time I taught it. And I attribute a big part of my success to that. So you must prepare for the role you want to have. When learning for your certifications, go deeper than the textbook or test prep does. Understand the applicability of what you’re learning. There is going to be a need for both rote learning and conceptual learning. Rote learning is most simply described as pure memorization. And as much as some scholars frown on it, there is some value there. Memorizing certain commands, or facts about a process, can help you execute basics without having to put a lot of conceptual thought into it. This gives your brain the room to use those deep-thinking conceptual muscles to innovate and apply your techniques in new and novel ways. So list out your certifications and required skills, and get to work on making those things part of your mental universe.
One project I’m involved in, Infosec Skills, is a perfect environment for you to do this, whether you’re trying to become a non-technical policy, procedure or management person in cybersecurity or you’re trying to be the next great hacker. Getting a good, rich, multi-discipline environment to practice in will be key. And of course I believe the environment I helped create is the best in the world for that! 🙂
Go After Your Desired Role
Pursue your role as if it’s the most important thing in the world to you. I mean aggressively pursue it. When you submit resumes, follow up until you get a response. Be adamant but nice and humble about trying to find out reasons you were not offered an interview when you didn’t get the position you applied for. Then gather yourself, look at what you learned through this application process, and start that process again. While this pursuit is happening, you should still be training like there’s no tomorrow! Keep preparing. One of my favorite quotes is “Luck is the meeting of preparation and opportunity”. And what I always add to it is you don’t control the opportunity always, but you do always control the preparation. So overdo that. This way when the opportunity arrives, and comes face to face with your preparation, you will absolutely kill it!
As I mentioned in the beginning of this article, I have an in-depth video series going into detail about all these things. Please check them out and subscribe to my channel; it will greatly help me keep producing quality content at no charge. Subscribe here: My Youtube Video Series On Entering Cybersecurity As A Complete Beginner. Next we’re going to get into some specific job roles.
Job Roles, Certifications, And Salaries Oh My!
And if you are interested in one of the main projects I’m working on and one of the things I’m most excited about, check out Infosec Skills. Use my discount code of evans50 (all lowercase) and get yourself a 50% discount!
I hope this article has helped and inspired some of you. Remember, whatever skill level you’re at, even if you’re an absolute beginner, just start today. You’ll get there as I truly believe anybody can do this with the right amount of preparation, training and will. I look forward to feedback and hearing about your entry into the industry!