You may have recently heard of my involvement in Marcus Carey’s Tribe of Hackers. It’s a wonderful compilation of advice, stories and security tips from experts all over the world. You can find more details here https://www.threatcare.com/tribe-of-hackers/
Now, I can’t tell you how many times a week people ask me, “So Andy, how do I get started in security?” I have to say, it’s actually easier right now than ever, and it pays good money. Having said that, you need to understand that security is simply a topic. It’s an industry employing hundreds of thousands of people who are engaged in both defensive and offensive security. In this article I plan to help you get through the mist and present you with a selection of possible career paths within the industry. I’ll present the article in a question-and-answer format. Hopefully you’ll find this of interest, and of course if you do, please sign up and spread the word. OK, so here we go:
1 How do I get started in Security?
Firstly, ask yourself what area of security you are interested in. For example: programming / engineering, hacking, management, forensics, troubleshooting, teaching, etc. See, there are a lot of career paths and options to choose from. Each of these has its own specific set of skills and certifications.
2 Then understand what security is and is not.
Security is not simply hacking; it’s an immense business, filled with many options. So a good starting point is essential. For information security, CompTIA’s Security+ certification is excellent. In the past it was frowned upon, but in recent years it’s really come into its own and is recognised to be a great starting point. You don’t need to spend thousands on formal courses either. There are thousands of free online resources to get you started: everything from YouTube videos to presentations, white papers and books. You can find details on the certification here https://certification.comptia.org/certifications/security
3 Do I need to have undertaken a formal education to gain a career in Security?
No, absolutely not, although of course it’s useful. This is one career where experience counts. Believe me, you can pass all the exams on paper, but when you’re in the real world, it’s experience that counts, and despite what you might think, the bullshitters don’t last long in this game. The other piece of advice here is learn what interests you. Don’t try to be someone that you’re not. You’ll never become an expert that way. There’s that word again, expert! I hate that word; in fact, I don’t think there is such a thing. We’re all learners here and, believe me, in this industry a little humble pie goes a long way.
4 So, what’s next?
Once you get past the security awareness and generic security training, you’re going to want to specialise. For example, if you’re interested in hacking you might think about a career in either offensive or defensive security. For this, you need to have a logical mind in terms of working with hacking tools. Being able to analyze data for potential anomalies can be tedious, so patience is a virtue, as they say. If you fancy development, there is an enormous plethora of opportunities. However, a solid understanding of programming languages is essential: Perl, C++, Java, Ruby, etc. The good news is that if you’re new to development, there’s a mountain of free stuff out there. Here’s a starter for ten https://learntocodewith.me/posts/code-for-free/
Now, as I said earlier, there are many other paths. If you have an analytical mind you might enjoy a career as an ethical hacker or as a forensic specialist. The Certified Ethical Hacker (CEH) programme is an excellent place to go if you’re interested in both offensive and defensive hacking. You can find details here https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/ This could even lead you into a career in penetration testing. For a career in digital forensics and incident response, there are a number of educational institutions offering degrees in this area. Now, you might say, sure, that’s great if you’ve got the time and the money. But the good news is that there are a number of self-study and certification options. EC Council offer https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
The Computer Hacker Forensics Investigator (CHFI) is just one of a number of certifications in this area. The other is SANS; they also have an excellent programme, details here https://www.sans.org/courses/incident-response-digital-forensics
5 What if I’m not an overly analytical type of person, is there still a career for me?
Oh, my goodness, absolutely. Information Security Management is one of the fastest growing career paths. Cybersecurity of course pretty much covers many of the topics above; however, information security is a huge area of interest. It covers not just planning and the management of security, but also looks at topics such as incident response management, disaster recovery, human resources security management and physical security. ISC2 offer a range of certifications, of which the CISSP, or Certified Information Security Professional, is considered to be the Rolls Royce of the industry. In recent times they have also offered a range of certifications on cloud security which are proving to be very exciting and popular. You can find details here https://www.isc2.org/
6 Any final pieces of advice?
Understand that in today’s world, training and certification don’t have to cost the earth. Sure, the exams may cost you a bit. But that effort and that piece of paper can work wonders for your income. Don’t listen to the doubters who say you’ll never do it; screw them, right? Believe me, I left school with nothing. I put myself through university. So, if I can do this, then so can you. Set yourself defined goals and take baby steps. Rome wasn’t built in a day. Good luck!
I hope you found the article interesting. Please feel free to subscribe; I'd love your feedback. You can also visit me on Twitter @AndyMalone
(c) Copyright 2019 Andy Malone