Breaking into Cyber Security

A basic primer on starting a career in info sec

Anthony Isherwood

5 minute read

Starting Out and Setting Expectations

Everyone is at a different place in life. Some are bright eyed and bushy tailed right out of college, while others might be jaded with the job they've held for the past 20 years and want a change. It's important to remember that it doesn't matter where you're at or what you know. I've had many conversations with people who were intimidated by cyber security. Who see the field as full of industry SME's who understand technology on levels they could never achieve.

The reality is a lot less glamorous. Most people that I've met in this field aren't technical rock-stars who know everything about anything. Most are just people who enjoy the work, have passion for the field, and need an income. As long as you're a hard worker and willing to learn, cyber security is a pretty easy field to get into. All you really need is a good mindset and set some goals for yourself!

The Mindset

Cyber Security is all about self improvement. There will always be something you don't know or can improve on. You can't learn something once and rest on that knowledge for your whole career. You have to constantly be adding to your knowledge and skill set. You'll need to be mentally adaptable. If an ever-changing field seems like something you're interested in, cyber security can definitely be for you.

Self confidence is another facet of a good mindset. Back to my initial point on setting expectations, no one reasonable is going to expect you to know anything incredibly complex for an entry level position in the field. Most of what people look for are some kind of technical competence and the willingness to learn. Just by reading this, you most likely already have the willingness to learn, and gaining enough technical know-how for an entry level security position can be done in a couple dedicated weekends. Don't let your lack of knowledge hold you back from entering the field. If anything, embrace it as a plus! All a company needs to know is if you can learn on the job. Take confidence in that.

Getting those knowledge gains

Ok so you have a good mindset and attitude, now what? You need something practical. Something tangible to really dig into. While perhaps a bit tedious, my suggestion is to start with basic theory and work your way up to hands on projects. Depending on how familiar you are with certain topics, you can skip the associated suggestions.

I'm going to list out generic certification material, some of which may not be directly relevant to security but you'll need an broad understanding on how everything works. I would first recommend just googling any topics you're fuzzy on. Personally, I have learned quite a bit from reading certification books, even if I didn't take the test. Also, other sites such as Cybrary.IT are incredibly helpful in getting the theory down to foster some general understanding.

  • Networking = Net+ and CCNA
  • Security = Sec+ and CYSA+
  • Windows = Any book on Windows Server Administration (caveat: i'm a bit fuzzy on Microsoft certifications. I've never taken one)
  • Linux = Linux+ and LPI

I'd like to keep this recommendation list small. I can list out books, courses, and videos all day long but I think that'd be missing the point. Just make sure you have a good general understanding enough to proceed with hands on tasks. Here are some ideas!

  • Setup a home file server
  • Add on a web server
  • Add on an FTP server
  • Setup an Intrusion Detection System
  • Run nmap and OpenVAS scans and look at events generated in the IDS
  • Setup a vulnerable test server and exploit it

If you can manage to get all that configured and setup, you'll have more hands on experience that some people I've actually worked with who've held various security titles.

If you would like any more help with the theory or hands on practice, let me know and i'll update the post with some more ideas!

Setting Goals and Milestones

Taking all this into consideration, you should have some idea of where you need to start. You now need to set some time lines. Figure out when you want to get all this accomplished. When do you want to land that first job? How much time are you able to spend per week? What's a realistic road map? I can't really answer this for you, but it's an important step to work through.

You will definitely want a Security+ certification from Comptia. In the process of learning theory and all your hands on work, you should be making some progress with a good Security+ book and taking practice tests. This is an entry level certification which will help you stand out from all the other people applying.

I would also recommend documenting all your accomplishments on some form of portfolio website. You can write posts on how you setup your home server and/or IDS and talk about various security skills you've learned. This is a great way to add to your resume with minimal effort.

Once you grab your Sec+, get a good portfolio setup, and have a clean resume, you're more than ready to go. While you don't need a Sec+ or portfolio to start applying, it will definitely help your starting salary. Who doesn't want more money?