Starting a Career in Information Security

With the demand for cyber security experts so high (over 200,000 open positions in the U.S.), you might ask, “How do you get into the field?”  This question was asked of the security community.  Here is a summary of their advice and a list of resources they provided, which will help you build your security skills and your network within the security community.  Most importantly, hopefully, it will help you land that first step into launching your cyber security career.

Advice from the Security community:

1. Learn the basics:
   • Learn Linux:  Most security takes place at the scripting level, therefore, you need to become extremely familiar with the Linux operating environment.
     • Try to understand how any why the tools in your toolbox work.
     • Run through as many hands-on scenarios as are practical with whatever resources you have access to.
     • Learn with real world scenarios, as theory and practice are not always congruent.
   • Scripting Skills:  Build on basic coding skills (Python, ruby etc) to build tools etc.  This is a big value add for any company’s security group.
   • Learn penetration testing:  Begin to hone your skills and gain knowledge on security by learning the basics at Pentester Academy.
   • Focus on one area first:  Stick with the field you are trying to get a job in and don’t branch to out too much. It is extremely valuable to become knowledgeable about one particular technology “bucket” which security sits on top of such as:
     • Systems
     • Networking
     • Database
     • Application development
   • Build your own lab:  
     • Build/upgrade a desktop PC to at least 16GB RAM, run your choice of Linux distro
     • Build a virtual Pen testing lab including Kali and Ubuntu server and (licensing permitting) Windows server & Desktop OSes as well.
     • Then along with Cybrary and Pen tester Academy courses you can practice and get to know the tools.
     • Develop Python expertise so you can write your own pen testing tools. That will also deepen your understanding.
     • Cybrary video on how to build your own lab:  https://www.cybrary.it/2016/02/s3ss10n-wednesday-build-your-own-pen-testing-lab/
2. Early Career Paths – Anyone just starting a career in security could take one of these routes:
   • Become a QSA or work for a company performing gap analysis. Although this is more compliance and assessments, it will give you exposure to a wide range of environments and implementations.
   • Work as a system administrator or network engineer.  Practical experience in operations is always useful for a career in information security.
   • Learn penetration testing as many companies accept newbies in this field.
   • Start out as an analyst in a SOC or Incident Response area.
   • Focus on Apdev and Web Apps as this is really popular right now because of the amount of exposure at that layer.
   • If your degree is from a US University then look there.  Many Universities themselves are looking for Cyber Security or Information Security staff, and they typically have differing standards than the business or general government field.
   • You may also want to explore working directly with the US government (FBI, CIA, NSA), specifically if you have language skills other than English.
3. Networking:  Never underestimate the power of networking. If there are local ISC2, ISSA, or ISACA chapters, attend a meeting and network.
4. Certifications:  
   • You may want to start off getting some basic certifications which don’t require experience such as:
     • CompTIA Network+
     • CompTIA Sec+
     • OSCP – Offensive Security Certified Professional
   • Once you are experienced, you could further your career by getting these certifications:
     • CISA – Certified Information Systems Auditor
     • CISM – Certified Information Security Manager – Requires more proof of experience than CISSP
     • CEH – Certified Ethical Hacker
     • CISSP – Broad, shallow certification, but best recognized.
5. Training:  
   • Take SANS courses. They are definitely not cheap, and that may be a challenge, but unlike almost any other courses, SANS training is practical and builds strong, real-world skills.
   • Join on-line security communities for a ton of free and paid training opportunities.  Here are just a few:
     • https://www.cybrary.com  – Cybrary offers a tremendous amount of free security content and training.
     • https://www.root-me.org/?lang=en – Hone your skills by playing hacking games.
     • https://www.pentesteracademy.com/ – Highly Technical, Hands-on, Comprehensive Training
     • https://www.vulnhub.com/ – Allows anyone to gain practical ‘hands-on’ experience in digital security.
6. Experience through Charities:  Find Non-Profit organizations who need security help but can not afford traditional consultants.  This shows your ‘giving’ spirit plus hones your skills.  Check out Hackers for Charities https://www.ihackcharities.org/ They pair IT people with charities who need work done. The charity gets their project completed, and you can get a nice recommendation for your resume.

While this is not a complete list of resources, this is direct advice from those who have had to build their security careers the hard way.  Hopefully, this summary gives you a roadmap to get your career kick started in the right direction.