So far, we've interviewed Cybersecurity Professionals and asked them their advice on how to start a career in Cybersecurity, and here's what they've said....
While the salaries might be on the rise, this isn’t a gig to make a lot of money. If someone wants to get started in security, figure out what appeals to them and then map out how to exploit that to their advantage. The skills are teachable.
What matters are the aptitudes. Are you curious? Tenacious? Able to wrestle with problems that have a lot of moving pieces, some grey areas, and a variety of acceptable solutions? I advise people interested in security to study sales, communication, and leadership. Even in high school and college.
We need these skill sets more than ever – and they’ll serve you well.
I speak to graduates/juniors on a daily basis, whether it’s for an informal chat about the current market or to discuss potential entry level roles they may be interested in. My advice for someone looking to break into the industry would be to use absolutely everything that is available to you. There are always webinars, blogs and online courses available online which I strongly advise people to take part in. Social media is also an excellent avenue for getting involved in discussions about cyber security and recent InfoSec news/incidents.
The Open University also offers a free ‘Introduction to Cyber Security’ course, which is useful for someone wanting a very brief insight into the industry. And of course, getting a degree in a cyber security related subject is always beneficial. The nature of Cyber Security requires you to constantly stay up to date, due to how quickly it’s expanding and developing. Therefore, I always encourage candidates to research and monitor new technology and news.
Just keep trying and never stop! The bad guys don’t stop, so why should we? Learn one new thing each day; take it slow at first and you’ll grow. The security sector of technology is vast, so to begin with you might want to figure out what really interests you. The answer below might pertain to you or not, but it’s still good to be well rounded; that’s what working in this industry requires.
Start by learning your own and other operating systems: Windows, Linux, and Mac OS. Learn how to defend them and harden them, learn what makes them weak and what makes them strong, and learn their local language: PowerShell for Windows and Bash for Linux.
With the knowledge you’ve gained about operating systems and how to defend them, you should move on to networks. Routers, switches, hubs, firewalls, IDS/IPS, etc. Learn how they work, how they communicate with each other and other things, and how to properly configure them.
Next, depending on what you plan on doing, a programming language can go a long way. Most high-end security jobs and even some entry-level ones require you to know how to code, or at least have an understanding of coding. The most popular languages for jobs in the security industry range from Python/Ruby to C/C++, depending on what you’re doing. Knowing how to make a website via HTML/CSS & JS is also very helpful. Remember, security covers all aspects of technology; bad code is bad code no matter where or what it’s written in.
Now the fun part begins: you’ve learned how to defend your own computer and your network. You’ve learned a new programming language or two; you can even automate things with PowerShell now. So what’s next? This all depends on you… By now you could be ready to be a great blue team member (a person who defends networks and computer systems); with your knowledge of automation and some programming you can be on your way in the industry. Or you could take it one step further and learn how to attack. There are many Linux distros to be used for penetration testing, and I’ll leave the research up to you, but most people start out with Kali Linux.
Build up your technical skills based on network and web application knowledge and try to get any one of the well-recognized cyber certifications.
Make sure you learn the latest technologies and techniques.
Three years ago, I played Counter-Strike a lot, and some players did hacker things on it, so I became really curious about it and Googled “How to hack Counter-Strike”. Then after several months I wanted to learn how to hack a Facebook account, and at that point I discovered that Facebook has a bug bounty program, researched “what is bug bounty and all”, and now I am here.
Don’t directly jump into bug bounty; first try to find some bugs in a company that provides only a hall of fame, because only a few hunters participate in that kind of program, so it’s a great chance to find some bugs.
Try to learn how to code first! The deeper you get into code, the more hacking you can do.
Yep, well, I am also a learner; I am no master who can guide new people. But yeah, I can tell you what I did when I was a newbie. I used to read and understand as much as I could, and read blogs of security researchers. Learn everything from scratch; otherwise you’ll face false positives. In the web application pentesting field there is a great platform to start with and to learn from: HackerOne. Read the publicly disclosed reports from HackerOne and understand the exploitations. Learn the OWASP testing methodology. Read books and all. Reading and understanding is the most important thing to kick-start.
To self-learn and investigate on their own account as much as possible, and to be open-minded about the roles and positions they can take within the cybersecurity world, because you can learn a lot, even more than you expected, in a role that you didn’t even know you could enjoy.
It’s really hard to translate a business trying to make money through cybersecurity into a theoretical, or even practical sense in a pre-work context. That’s simply the truth – you don’t come in knowing how to consult, write business-excellence reports or make calls on what you should say to a customer asking you to make calls about their security posture.
What you can do, however, is expose yourself to some things which make this transition a super easy one, allow you to learn quickly, and get you the job in the first place by proving it to the interviewers.
If you’re applying for cybersecurity in general (technical, such as penetration testing, or general, such as GRC), become aware of the landscape. This includes the people (Twitter, LinkedIn, Facebook groups), the current events and info (blogs, daily news, hacker cons) and the skills (CTFs, wargames, competitions such as CySCA).
Most web developers show up with a portfolio of websites they’ve designed for their interview; what about a hacking portfolio? My perspective on this would be a GitHub account with a tool or script you’ve made, or even a list of hacker tools you’ve tried or used in CTFs. A list of CTF events and some of your favourite challenges and why, how you solved them and how they might be fixed (write-ups). Possibly you’ve tried your hand at bug bounties; put down your findings and explain why they might be important. Most importantly, take advantage of your two feet and get yourself to a hacker conference; the people you meet there will become friends for life and will certainly welcome you into the community. Many incredible opportunities, experiences and learning can come from human interaction.
Finally, I would say apply for positions. Go to the interviews and learn what they’re looking for, what you may be missing, and ask for feedback. If you can demonstrate learning from a few failed interviews, this equally demonstrates your persistence with, say, attempting a buffer overflow that won’t work the first ten times. Connect with people on LinkedIn and ask them questions, ask questions on Quora, soak everything up like a sponge.
Finally, start learning Linux. It’s not an absolute must, some may argue, but it demonstrates your ability to learn technical concepts and provides powerful functionality when used (and it is used quite often). You want to gain experience with many tools, concepts and software that might not even relate to security; one day you might be testing it and wish you knew it better. Understand how things work and then you can start working towards exploiting them.
Find an area within info sec which is in high demand.
The first thing is not to despair; it is a very wide world and can be complicated, but with desire and effort it can be done. Also, it is necessary to have a base in everything that makes up computer science: systems, programming, networks, etc.
Stay updated with new exploits, methods and CVEs.
A desire to learn.
Knowing computer security implies knowing the technology in depth. And this implies A LOT of hours of learning, EACH day. If you love it this won’t matter to you, but if you don’t, you will fail. Another important thing: the university won’t help you very much; you have to study and practice by yourself.
Try to learn at least one programming language, which might be Ruby, Python, PHP, etc. Build your own computer and security lab (virtual) using old PCs, your own wireless router with a firewall, a network switch, etc. Practice securing the computer and network, then try hacking it. Participate in cyber security contests and training games, e.g. wargames. Look for vulnerabilities in open source projects and sites with bug bounties, and document your work and findings. Have knowledge of operating systems, network controls and devices, protocols and ports, and additionally how cryptographic functions work, etc.
To break something, you need to know what it is built upon. For that, the first step is information gathering. In the first step of every smaller or larger assessment, a researcher should know about the architecture of the system and have sufficient information on what the black-box system is built upon. After having the necessary information, the next step is to identify the potentially targetable endpoints or inputs. I believe the more inputs your application has, the higher the chances of getting hacked. The third step should be testing or fuzzing, and the last one should be exploiting. If everything is planned well, then success is inevitable. There is a thin line between white hat hacking and black hat hacking; I suggest newcomer researchers first ask the organizations/clients whether they are comfortable with them pentesting their network, and then proceed.
Be aware that there are a number of qualifications out there at the moment which may not necessarily get you employed in the sector. Contact companies which you are interested in working with and find out what they are actually looking for / would recommend.
Take the first steps to learn programming! It is the first and foremost tool to become a hacker. Start with Python or the C language. Next, get a grasp of the basics of networking and databases. Enrol in online video courses from Cybrary or Security Tube; these help you learn a lot. Download vulnerable web apps and mobile apps into virtual machines and practise on them with a Linux OS (preferably Kali). The more hands-on, the better you grow! Learn from great hackers’ posts on HackerOne and Bugcrowd.
Pick a research area that interests you (reverse engineering, exploitation, application security, malware) and learn everything you can about it.
Well, this is a kicker. If you are trying to break in just for fun while harming someone or some entity or organization, I wouldn’t support that, and I would advise you rather do it with their permission (permission to break in here means you found a loophole and now you are just seeing how far this can escalate without harming the system’s integrity, and how to come up with a patch eventually). This way would earn you respect and experience and even $$ in most cases, so it’s a win-win situation.
If you are one of those black hats, I suggest you slowly put on a new white fedora; it’s about time you did that.
Yeah, cyber security is becoming more and more complicated. In my junior high school days, many people used hacker tools to hack anyone’s computer, but nowadays, with various new technologies (IoT & AI) and the emergence of new attack vectors, there are challenges and opportunities for all industries, not just cyber security. So keeping on learning is the right way, finding the right way to learn is another right way, and stay hungry, stay foolish.
Like any industry, cybersecurity offers a large panel of jobs and personal development opportunities. Identify your strengths and your career objective, and know in which field you can perform best: technical, marketing, sales, management, consulting. Whatever your field of expertise, cybersecurity is moving fast and is demanding. It requires you to continuously learn and keep pace with changing situational needs. Last but not least, do not forget the “why” (not only the “what” and “how”). It’s a common trap I often see with people getting enclosed in their high expertise and losing the sense of purpose.
Read basic networking or CCNA, Security+, basic Linux, CEH.
Just go with your passion, be updated with the latest technology, exploits and methods, research with your own innovation; checking out the PoCs of others will make your process of breaking anything easier.
Stay curious. Learn to master logic and critical thinking. Cyber security is endless learning and you should learn every day. Master the basics and fundamentals, starting from operating systems, basic networking, basic programming techniques and analogies, web programming, and some basic database commands and queries. That would help you understand how computers work from a different perspective, and it is essential to learn security with this strong basic knowledge. In our current IoT (Internet of Things) setup, cyber security is a fast-paced module in which everybody is involved and everybody can be a target. Also consider expanding your network, attend conferences nearby, do not hesitate to ask questions of the experts, and try to get a mentor. I always use this quote whenever I want to clarify something: “When in doubt, just ask.”
Do some certifications.
Think about the value you can bring (IT, networks, business, communication skills…)
Start by focusing on one thing (forensics, malware, pentesting, etc.) and master that.
Get relevant experience in system/ network administration first.
It was all part of a career plan. I would say I took it as a hobby, as I grew up watching some hacking movies. I was inspired to enroll in the same field, and luckily I was able to follow my passion.
Try to focus on one domain at first to kick-start, do some certifications for that, and apply for the same post. Don’t run after money; just gain experience and money will follow you (of course, if you are good).
Proper focus on programming languages: PHP, Perl, Python, etc. Also, knowledge of the Linux platform is a must; better you go for Kali Linux and other open-source-based, up-to-date security-focused distros.
Learn how to learn, as this field is wide and ever changing. The easiest way to ensure that you are learning and retaining information is to try everything in a hands-on manner. While you are doing that, make sure you document. I recently did this workshop/talk for people at OWASP Bangalore (GitHub) and it may be useful on how to get started.
Don’t depend upon certifications, but merit and aptitude.
Passion and motivation is the most important but you need time. The knowledge is easy to find.
Know Networks!! and then you will flow over Security!
If anyone wants to start their career in the cyber security domain, they must realize that it is a very large subject and you cannot be an expert in each domain, but you can acquire the necessary knowledge and learn specific expertise.
Self-learning in free time and perseverance. If you don’t love security and computers, don’t enter this market; you will get bored very soon (some attacks and tasks are very technical and complex).
Think broadly about your skills, network like mad, ask everyone what they need or desire and apply yourself to the most important demands you feel passionate about. Don’t get hung up on any job, everything is worth a try, everything teaches you something. Offer your services to everyone. Summarize your experiences constantly and remember that people only give work to the really busy people.
My advice is to learn something new every day; that’s my philosophy. All of us who are passionate about cybersecurity are lucky, because security is not a job for us, it’s a real hobby, and we just need a PC to train our skills and learn something new. Fortunately we also have so many information sources, like blogs, academies, tutorials, “free hacking tools”. So look for your first cybersecurity job, make security your hobby, keep training yourself, and that’s all: be patient and your cybersecurity career will build itself.
Keen interest to learn about ongoing security related events/issues/breaches/new technologies. Initially taking cyber security related courses which are freely available (for example, cybrary.it) and find the area you enjoy the most. And finally, start working in a place where it will be related and at the same time you can expand your knowledge in future.
You must have analytical and logical skills. How to determine bad and good? How to choose a good company? Whom to trust and whom not to, etc. After some point in time in our field, it is a must to have self-learning skills, as no one will be mentoring you for your whole life. You read, you create an environment, you test, you write a blog: this is a simple approach for learning new things. Give priority to your search. First find YouTube videos; if you can’t, then go for Google and find any website link or article; if not, then find it in the dark web, torrents or the deep web (only if torrenting is legal in your country). If you follow this approach you will be a good penetration tester after 1/2 years.
Instead of going for classes, look for solutions on your own through resources available online. Read blogs, keep an eye on security trends on Twitter, follow security channels like Reddit (netsec) and news.ycombinator, and also, if possible, join a local security meetup chapter to keep yourself motivated and networking.
Basics should be clear: if a person doesn’t have their basics well placed, then it’s a bit difficult to clear the interview process.
Today there’s plenty of information about cybersecurity on the Internet. My advice is to read as much as you can and to take specialized training courses. Some of them are really expensive, but if you are lucky enough to get a job in cyber security after that, then it’s worth it. Another recommendable path is to join the graduate programs that some companies in the UK are offering.
Go with the flow, as nothing comes and lands in your hands. You need to always put your best foot forward and believe in yourself, by putting “trust in your core talents, following your passions sincerely with focus and commitment, and silencing all your fears and facing all roadblocks head-on in resolving them.”
Be well rounded and like computers. You need to like tech and be prepared to immerse yourself in tech not just at work. You also need to have an investigative personality and like solving puzzles.
Go for it: if you have an interest in a subject, keep pursuing it. It took me 24 years to finally get into the role, although, to be fair, for a large part of that time the role didn’t exist.
If you make up your mind and are sure you want to venture into this field, then just go for it. Don’t be discouraged by the many drawbacks and disappointments you will encounter. For example, when I was starting out I got into contact with Concise to do a presentation on forensic readiness, sent the video, and then didn’t hear from them; I would have expected some feedback to improve on the presentation, but nothing, and that was downright disheartening. They could have at least just told me to get lost, and that would have been polite and encouraging. That almost made me give up hope, but I didn’t; subsequently I found other platforms that were interested, and some of my work was included in their top rankings. That example is not even the tip of the iceberg of what you would run into. Don’t feel you can only progress in your career by getting a job; before that you can build yourself and your experience by doing things on your own to help improve your employability, and who knows, you may even become the employer and build your own empire.
Don’t ignore the “people” side of computer forensics because it’s in a technology field. To do the job really well, you need to understand people as much as you understand the technology, because if you don’t, you won’t know the right “questions” to ask of the computer you’re examining. My education and training in sociology, psychology, and investigation is just as relevant to my skill as a computer forensic examiner as my education in IT.
At the start of your career I would suggest that you spend time understanding networking, operating systems, basic programming, tools, cyber law, the IT/Evidence Act, hacking modules and more for additional skills. Try to use all the open source and shareware tools and benchmark them for efficiency and learning purposes. Read blogs and white paper resources, and videos and webinars from vendors. Forensics and cyber security professionals need deep experience and classified information, and in this domain no one is an expert.
I would always suggest starting from the basics and advancing, for any stream related to cyber security (i.e. computer forensics, penetration testing, malware analysis, security analyst, etc.), instead of just learning tools. Learning the basics or fundamentals gives you a strong foundation, and then moving on to the tools and practicing these will help you with ‘real life’ scenarios.
Get your hands dirty!
Nowadays, it seems that certifications are required for hiring: if you have time and money, knowledge is always welcome!
To enhance your career in cyber security, you have to work to increase your skills, think about the technology, update yourself from time to time, and start with CEH and CHFI courses for the basic skill set in this domain; practical exposure is also much required.
These are the skills that the professionals have referred to.