Want to get a job doing something in Information Security but not sure how to get into the industry? Here are some quick pointers to help you formulate a plan.
Build Some Foundational Skills
It's a good idea to build some general IT skills up first. This will give you a solid foundation to develop security skills. You can start by picking any one of these skills below to study. You don't have to be good at all 3 but understanding one in a deep way will go a long way at understanding security concepts later. And will give you an edge when trying to hunt for problems in your particular area of knowledge. So pick one that attracts you and get good at it.
You're going to be learning a lot, so you might be interested in the free course Learning How to Learn: Powerful mental tools to help you master tough subjects.
ProgrammingLearning a programming language is a great way to get started. First of all building things is fun and rewarding. But knowing how to code will help you understand how programs work better, where problems might occur, and how to develop tools on the fly.
Free Python Course
Pretty much all malware is code.
System AdministrationIf you have a firm grasp on operating systems, domain controllers, VMWare, or other enterprise grade software it will help you understand where security holes might be found or exploited.
You can practice by setting up VM labs and start building new operating systems and configure them to talk to each other and work together.
Free Linux Course
Free System Administration Course
Free SQL Course
Pretty much all malware affects applications or operating systems.
NetworkingHaving a good understanding of TCP/IP, routers, switches, firewalls, and DNS is very helpful at understanding information security. Here you'll be looking at how packets and information moves from one computer to another which will show you where things can be manipulated or go wrong.
Free Network+ Course
Free Networking Essentials Course
Most malware today spreads via TCP/IP connections.
Get Trained Up
Trying to find your way in Information Security can be disorienting and confusing. If you have a good guide or mentor they can show you what to focus on and study. If not, getting trained up either through a school or certification can be helpful at just showing you what's out there. Getting a degree is fine and good but can take years to complete and be expensive. A degree typically makes your ceiling higher for what roles you could top out at. For instance it's usually required to have a degree to be a CISO. Certifications aren't required to get an entry level job but are a quick way to show your commitment in this new career and give you some skills along the way. Certifications typically take a few weeks or months of study and then you can take the exam to be certified. You can find online courses to train you or in person classes.
Security+This certification is a good introduction to IT Security. It will tell you what types of exploits there are, how to use them, how to mitigate against them, and it teaches you about cryptography. It's more of a general introduction into security concepts.
Free Security+ Course
CEH/Pentest+The Certified Ethical Hacker and Pentest+ will teach you what different exploits are and what tools can be used to execute those exploits on different systems. It teaches a wide variety of tools that can be used which means it's just helping you get a little familiar with a lot of different attack techniques.
Free Penetration Testing, Incident Response and Forensics Course
CCNA/CCNA-SecurityThe Cisco Certified Networking Associate certificate will give you a much more in depth understanding to TCP/IP networking. And a follow up exam CCNA-Security will show you how to secure networks with routers and switches and explain the potential attacks that can be used if you don't secure them properly.
Free CCNA Course
You could go right from getting certified to job hunting. But I encourage you to take your studies slow and practice the tools more thoroughly. Challenge yourself and explore new concepts on your own that interest you. The more studying you do for fun and on your own the more you can solidify the knowledge you're learning along the way. You can also skip getting a cert all together but if you do that you can't skip practice. You need to prove you have the skills to do the job.
GithubMaybe you were getting into programming earlier and want to keep working on programming and security at the same time. You could develop some tools to help you be a better security person. These could be scanners, detectors, probes, or you could develop your own exploits. If you develop something, publish it to Github to show what you're working on and share it. If you can't think of something to make check out some of the other open source security tools you may have already used and consider contributing to them on Github. By getting under the hood and building security tools will give you a deeper understanding of how things work. Talk: Why I Write My Own Security Tooling with James Forshaw
Book: Black Hat Python
CTFsCapture the Flag (CTF) challenges are fun to play. Basically someone has created a vulnerable system and hid a flag somewhere that you aren't supposed to be able to see. If you can find an exploit to get to the flag you pass the challenge. This is hands on hacking and will really hone your skills. If you get stuck there's plenty of walk-throughs out there that you can watch how someone else tackles these kinds of problems and you can follow along to learn how it's done.
Good CTF sites to get started with are:
LabsFor me, I love being hands on while learning. Having a lab to play in and practice in is where I get my super powers. It allows me to stage attacks and simulate problems which prepares me for real incidents. The nice thing too is old servers and networking equipment is cheap. You can pick stuff up for $5-$50 per device. You can get an old computer and set up VMware ESXi or you could just use VMware Player or VirtualBox on your own computer and create a lab for free. Building out labs and practicing on them will teach you really important things that classes seem to miss and you'll get stuck on really basic stuff. It's ok, it's all part of the process. Learn to figure out things that you don't know. Talk: How to Build a Home Lab
Get a Job
Technical recruiters look for 1 of 3 things to pass your application to the hiring manager. Experience, Certs, Skills. If you've done the stuff above you have all 3. Which is more than enough to get a job in this field. You could skip 1 or 2 of these items and still be called in for an interview. There are a lot of ways to get started in this field.
Analyst/TechnicianSecurity Analyst or Technician roles are typically good entry level positions for starting your career in IT Security. These roles typically train you on a set of procedures to follow and you are to report any dependencies you discover. This could be monitoring systems for alerts, auditing systems to verify their configuration is correct and logs don't show anything wrong, or applying configurations to system. A Security Operations Center (SOC) is a great place to get started in. This is like command central where you'll be monitoring systems for alerts and it'll expose you to what types of problems arise and how to address them.
Junior Penetration TesterPenetration testers are people who try to hack into systems to show they are vulnerable. It typically requires more skills and experience to get a job as a penetration tester, but you may be able to find a junior level role that's looking for people to do more routine and basic things. Such as running periodic password audits, setting up scanner tools, and building reports from security audits.
System Administrator/EngineerWhile the typical system administrator is good at setting up the software on servers, there is sometimes a need for a security minded person to make sure the systems are secure. This could be a network security engineer or someone who applies updates and patches to systems. We also see roles for cloud security engineers too, which are people who secure cloud infrastructure. Here is where if you were getting your CCNA or practicing sysadmin stuff previously you can apply your skills.
Once you start your career there are so many places you can go next. It's really hard to see them when you're just starting though. It's like climbing a round hill. You have a really hard time seeing the top but the higher you go the more you can see of the top.
Promotions and RolesThere are many roles in cybersecurity. You can be on the incident response side of things, the attack side of things, or auditing, or management, reverse engineering, malware research, or digital forensics. On top of that you might specialize in wireless, or data centers, or industrial control systems, or automobiles. There are a million directions to go. Once you settle into an entry level role, you'll start to get an understanding what other roles consist of and figure out where you want to go next.
Sharing KnowledgeI'm a big fan of sharing the knowledge you have with the world. Along the way I hope you start a blog and just write about what you've learned, how to use certain tools, what gotchas to watch out for, and how to solve problems that you were particularly stuck at. You might start a YouTube channel to demonstrate certain things you know, or even write a book or course on a subject. If you can do something like this it helps you become more known in the community which will make it easier to find another job if you ever need to. Building your reputation outside your immediate workplace is helpful to your career.
Never Stop LearningThis is a field that the learning never stops. Even if you get a doctorate degree or the highest level certifications there are, you still will be faced with new threats and new systems that you'll need to get familiar with. Embrace the never ending learning. At first you'll feel underwater and you are having a hard time catching up to everyone else. But at some point you'll feel confident with what you know and be ready to take on new challenges.
This is the short version. The original version was a 40 page ebook I wrote but never finished. Hopefully this gives you a good idea of what the roadmap looks like to get a job in cybersecurity. It's a field that's always changing and evolving too, with new roles and skill sets emerging out of thin air sometimes.
Here are three books that may guide you into an InfoSec Career (with Amazon affiliate links).