Rick Deacon is co-founder of Apozy, a cybersecurity tech company he launched in 2012 that specializes in browser defense. Prior to that, he worked as a pen tester for several years. But while Deacon's background is now solidly in the "security veteran" category, the career actually began as a hobby for him years ago.
"I'm deeply familiar with how to go from nothing to something," says Deacon. "My background involves very little schooling. I started hacking in the sixth grade, slowly working my way up through opportunities discovered and chances given."
As Deacon's experience can attest, there are multiple ways to get started in cybersecurity. And while the well-publicized skills gap means the cybersecurity jobs market is often described as hot, with 0% unemployment, one only has to check social media to find complaints from entry-level security professionals who are having a hard time getting started.
What are some best practices for newbies and hopefuls to consider as they start down the path of a security career?
Network with Experienced Security Pros
It's tough right now with face-to-face opportunities off-limits and conferences on hold, but it is critical to find ways to interact with experienced security veterans who can offer advice and introduce you to opportunities. For now:
- Attend online virtual events, conferences, and webinars. "Join these online events and take advantage of them to learn," says Deral Heiland, IoT research lead at Rapid7. "Also, ask questions to the speakers and also take advantage of the network forums that are created to meet and interact with security professions."
- Use social networking services. Another avenue while we wait for COVID-19 restrictions to lift is with social networking. LinkedIn has many professional security groups, including the Information Security Community, Advanced Persistent Threats (APT) & Cyber Security, The Web Application Security Consortium, and the Information Systems Security Association (ISSA) Discussion Forum. All are worth joining to make connections.
- Join online communities. "Newbies should also consider joining online communities such as WeAreHackerz, WoSec, etc.," says Chloé Messdaghi, chief strategist at Point3 Security. "Having a good community to gain guidance from is so important."
Once COVID-19 restrictions are lifted and conferences begin to start back up in person, be sure to attend and interact with people.
Find a Mentor
Those looking to get into the cybersecurity should seek mentorship from someone in the field with several years of experience, says Jon Helmus, manager of pentest community at Cobalt.io.
"With everything online, it is easier than ever to get mentorship from experts in the field who can help guide newcomers on a path to success," says Helmus.
- Think locally, act online. Much like with networking, SAS CISO Brian Wilson advises turning online to find mentorships given an invitation to grab coffee isn't on the table right now. "Seek out mentorship opportunities via local security organizations, like regional ISC(2) chapters, or check out cybersecurity-focused Meetup.com groups," he says. "Amid the pandemic, most have gone virtual and many of these are free.
- Check out "Mentorship Monday." The cybersecurity community is quitesocial on Twitter and Reddit at /r/cybersecurity, /r/netsec, or /r/netsecstudents. In fact, /r/cybersecurity recently started "Mentorship Monday," where prospective security pros can ask questions or seek advice.
Hands-on experience is so important when applying for jobs in security, and the initial way to get it is often with volunteer work or an internship. It can be at your current place of work or at one of the many conferences that take place throughout the year.
- At conferences: "I strongly recommend that people just starting out volunteering at and attending conferences such as BSides," Point3 Security's Messdaghi says. BSides events are a collection of loosely associated events in many cities, often held concurrently or near major security events -- like BSides San Francisco and the RSAC conference. "It gets their feet into the hacker community and culture, which they need," Messdaghi says. "I volunteered at BSides Las Vegas a few years back, and it changed my career and life."
- At cyber ranges: Another option is volunteering at a cyber range. "There are many virtual cyber ranges that simulate breaches and teach participants how to solve problems," says Joe Vadakkan, global security services leader at Optiv Security.
- To help not-for-profit organizations: Infosec pros can lend their expertise to organizations that don't have the funds to pay for their own. Several new volunteer organizations have sprung up during the COVID-19 pandemic to help support the increasing needs of healthcare, first responders, and others. Learn more about some of these, like the Cyber Threat Intelligence League, here.
Get Certifications (They're Not Essential, But They Help)
A perpetually controversial topic, certifications are an element of the professional that are endlessly debated.
"When you're just getting started out with no prior experience, a certification can get you in the door," says Dr. David Brumley, CEO and co-founder of ForAllSecure and a professor at Carnegie Mellon University.
- Get a cert in a subject that matters today. Everyone knows about the CEH and the CISSP, but this very unique year has caused organizations to reconsider what security skills are most important. Check here for a list of brand new and red hot certifications.
And while many employers might not necessarily require them, they can't hurt either.
"A mentor once told me about degrees and certifications, 'While they might not open any doors, they will make sure none are closed,'" says Jerry Gamblin, director of security sesearch at Kenna Security.
Figure Out Your Focus and Make a Plan
If you think you really want to get into a security-specific career after some time in IT, it's time to carve that down into a focus, SAS's Wilson says.
"There are many different areas of cybersecurity – build it, break it, protect it. With a variety of paths to choose, take time to research what you want to do," he says.
Deacon echoes Wilson. "In my opinion, people new to security need to understand the fundamentals of their particular niche - and pick one,” he says.
Once you have figured that out, design a plan for yourself that identifies goals for now, later, and several years from now, advises Helmus.
"Write out a short-term plan [one to two years], midterm plan [three years], and long-term plan [five to seven years]," he says.
Just Do It
The first step for those passionate about a career in security is to simply start working on it at home or current workplace, Deacon says.
"If you're in an IT role that isn't cybersecurity but is open to ideas, try shadowing the security folks and provide them with novel ideas where you can," he says.
In fact, many of the security pros The Edge spoke to for advice on getting started in security touted the benefits of a general IT background before considering a security specialization.
"My strong-held personal belief is that great security professionals start in customer support or help desk roles," says Gamblin. "It allows them to be hands-on with standard technology like desktop OSes, office tools, and helps them develop empathy for end users."