How to start a career in cybersecurity?

On average, once a month, I receive an email asking me how to start a cybersecurity career. I always try to answer individually, but I do not break down to the extent and depth I would like due to lack of time. Because more people are interested in a cybersecurity career, I decided to answer in more detail and devote the whole article to the topic.

Not only did I talk about my journey, but I also asked my friends and colleagues about cybersecurity to share their experiences. I wondered how they got to IT security, their source of information and how much time they devote to the field. In this article, I share what I found.

Before you decide on a career in cybersecurity…

Here are some answers that may be useful.

How much IT knowledge should I have before I get into cybersecurity?

The starting position of the questioners is very different. Some have years of experience in IT. Others are still looking for their profession, or they want to change it radically.

I first managed servers, networks and easily programmed for years. Only then I moved on to computer security. I feel that this previous training helps me a lot. When reading new materials, I do not have to look at how the essential technologies work (e.g., IP, DNS, AD, VPN). I just need to extract from the text what to pay attention to or how technologies are being misused. It saves me time, and at the same time, I remember things better (I have something to build on).

On the other hand, I know colleagues who have jumped straight into cybersecurity. For example, Pavel Matějíček (spajk.cz) [only in Czech] or Marek Jílek (interview “At the Round Table” – U Kulatého stolu) [only in Czech]. Both are very good in the field, although they have not spent years managing networks and servers before.

I think that previous experience is beneficial, but not necessary. Simultaneously, there are “young” technologies and directions (e.g., Docker, MS Azure), where we all start on the same starting line.

How much money do I make?

If you are primarily motivated by money, I am unsure if you are choosing the right one. Surprisingly, not because I want to moralize. I just think it is not the field with the best price/performance ratio. You really must spend a lot of time on IT security (see the next chapter), and it will take time for you to make a living from it. To not give up on the way, I think it is necessary to like this field.😊

Looking at wage averages (e.g. Salaries in the Czech Republic in 2020)[only in Czech], we learn that the salary of a “Security Engineer” in the South Moravian Region is 40-80 thousand CZK gross [1543-3085 EUR]. The developer’s salary (3-5 years of experience) then 50-80 thousand CZK gross [1928-3085 EUR]. What is the salary in your country? It seems that wages are balanced. Yes, I know it is necessary to take it with a grain of salt – these are wide ranges, without further information, and the survey’s accuracy is also a question.😊

When somebody is interested only in money, I would say that it will be easier and faster as a programmer.😊

In the future, I expect people’s salaries in IT security to grow faster than programmers. More and more professionals are and will be needed – as the world begins to realize that cybersecurity is essential. At the same time, becoming a good hacker/defender means more study than a good programmer (I hope you are not stoning me for it 😇).

How much time do I have to sacrifice?

How well do you want to be? I consider the field of IT security to be very extensive. There are specializations by “industry”, e.g., infrastructure, web applications, cloud, industrial networks, embedded devices. Also, there are disciplines in specific technologies such as Active Directory, Microsoft Windows, GNU/Linux, Microsoft 365. I think one person cannot know everything.

The second “difficulty” is the development of the whole industry. New technologies are constantly appearing, or other versions of the current ones are being released. Once you stop educating, you will not be instrumental in the field in a few years.🙁

I spend about 10 hours a day working, plus all the holidays and almost every Sunday. A week, I use it for my company schedule, technology development, consultations. Holidays and Sundays are then used for enlarging knowledge. I have the space to try new things during them, watch lectures, and experiment in various ways. Despite all that time, my list of literature and courses to watch is longer and longer. For example, I did OSCP certification on weekends and holidays.

Many of the colleagues I meet at conferences have a similar view. They devote all their free time to their hobby/work.

Of course, one learns even during regular work. It is just a matter of how fast and how far anyone in the industry wants to go. IT security is not a field where you take a week-long course and understand everything.😊

As a reasonable starting point, I see that one must like IT security and does not take it as persuasion to learn, but as fun, playing, testing.

Where to start a career in cybersecurity?

I am sure you will be pleased now – you do not need a 💰 of money to get into IT security.

• You will find a gigantic portion of quality content on the Internet, which is available for free.
• A primary home computer is enough to virtualize (simulate) the entire network, or you can use free online labs.
• Most programs offer free trials.

I would like to have all this available when I was 13 years old.

Some may say: “Well, yes, but I’m just getting started, and I don’t understand these X articles/technologies/websites yet.” In that case, take it as a “signpost” to what to learn. Whenever you do not understand something, find out more about it through Google. Alternatively, you can try a free “Internet privacy and security course” that covers the basics.

Webs and blogs

There are several good websites where you can find out what is happening in the IT security world. There are also a few good blogs where various researchers share their findings and discuss their practices.

Below I share an up-to-date list of blogs and sites I follow. Ideally, to follow, use some “aggregation” service, which will summarize everything for you in one place. It will be more convenient than browsing the web after the web.😊 I use Feedly.com, and you can import my entire feed through https://feedly.com/i/cortex. Every morning on the way to work, I read most of the news.

• Blogs:
  • ALTAIR.blog
  • Bill’s blog
  • Decoder’s blog
  • Fox-IT International blog
  • GCITS
  • Malwarebytes Labs
  • Ondřej Ševeček
  • PS C:\Users\itm4n> _
  • Troy Hunt’s blog
  • Vitali Kremez
  • Wilbur Security
• Webs:
  • BleepingComputer
  • Fire Eye Threat Research
  • Seclist – Full Disclosure
  • Krebs on Security
  • Sophos – Naked Security
  • The Hacker News
  • The Register – Security
  • Unit42
  • Wired – Security Latest

Lectures:

On YouTube, you will find channels with lectures from international conferences (admission often costs a lot of money) or instructional videos from world-class experts utterly free of charge.

I also like that I can watch the recordings of the lectures quickly (I usually watch at speed 1.75), and I can skip familiar passages:

• Black Hat
• Black Hills Information Security
• DEFCONConference
• Hacktivity – IT Security Festival
• IppSec
• RSA Conference
• Shakacon LLC
• TROOPERScon
• Wild West Hackin’ Fest

CTF or hacking games

Test the learned theory in practice. Various CTF (capture the flag) games are best for this. These represent a virtual “shooting range” where you can legally try hacking. You can look forward to various difficulties and carefully prepared assignments that simulate authentic environments very well.

Today, one of the most famous hacker games is probably “Hack The Box” (direct access is free). Entire virtual machines are waiting for you, containing both vulnerabilities (different levels, a new machine every week) and individual tasks from various categories (cryptography, steganography, reverse engineering, web apps, app cracking). The creators play with it perfectly, including gamification. I spent a few hundred hours on HTB.😊 I consider other interesting hacker games:

• Bandit – OverTheWire
• gf0s Labs
• Root Me
• Hack Me
• Hacker101
• HackThis
• VulnHub
• CTF Time

Some CTFs are designed in the form of a competition (or a multi-round tournament). Competitors compete to see who finishes first or who collects the most points. Last year I played “The Catch 2020” from Cesnet and “Holiday Hack Challenge 2020” from SANS.

Hacking games are good for learning, not just for training. You will often come across a new technology/technique/application, for which you only must read a lot to manage it.

Courses and certification

Those who do not like to study alone can enroll in the course. If you need to see the goal in front of you, you can study for the certification. But you must have some money saved for safety courses and certifications. And often not a little. I wrote a separate article about certificates: “My view of IT certification MCSE, CCNP, ECSA, CHFI, OSCP“

Alternatively, check out Coursera.org, where you can find quality courses for free. Personally, I have not tried any IT Security course there. However, I studied „Bitcoin and Cryptocurrency Technologies“at Princeton University, and it was great.

Where do you find a job in cybersecurity?

When it comes to looking for a job, I do not have much personal experience because I have only worked for one company my whole life (www.patron-it.cz)[Sorry, we only have the website in Czech so far]. So, I share what I saw and heard from friends:

Since there is a lot of interest in “security guards”, I assume that finding a new job will not take you too long. You can start with websites advertising vacancies such as jobs.cz. If you are looking for your “dream company”, where you would like to work once, look at their website and not be discouraged by the fact that they are not currently looking for anyone. I would proactively write to them (I say this from the position of employer). You can also see interesting job offers on the “hackthebox.eu” website, which I have already mentioned. The more “points” you win there, the better job offers you will unlock.😊

Network at offline conferences, participate in various “hacking” competitions, publish your own research on your blog/podcast/Twitter/LinkedIn. This will increase the probability that someone will contact you with an exciting non-public job offer.

You can also work as a freelancer hired for projects. Or a “bounty hunter” who makes money by discovering vulnerabilities in companies that have a “bug bounty” program (e.g., through the Hackerone.com platform).

Conclusion

Definitely – in any case – the most important thing is TO START!!!

Many people end their careers in planning and dreaming. It is a shame. Just go for it. After a few days/weeks, you will feel whether with each new knowledge you grow hungry for others, or you will find yourself procrastinating like during exams.😊

Do not worry. Many people have been in the industry for a long time and are ahead of you. New technologies are constantly emerging that are very different from the existing ones. We all find ourselves on the same starting line. For example, managing “on-prem” solutions is quite different from working “cloud” solutions. Many administrators understand Active Directory well, but Azure Active Directory is an entirely different matter (different management principle, authentication protocols, administration tools). Similarly, it occurs to me that DevOps is evolving very fast (e.g., “containers”).

IT security is a challenging field due to the amount of knowledge you need to acquire. However, if it catches you, it is a great hobby that you will enjoy and earn excellent money.

Have fun. I will be happy if you share your experiences, interesting comments, and observations.

Martin

Do you like topics, I write about?

It is not necessary to periodically visit my blog to check if there is a new article. Subscribe below for notifications. You will be the first one who will know about new article.

Leave this field empty if you're human: