So you want to work in cybersecurity?

There’s never been a better time to become a cybersecurity professional. Whether you’re working for a bank, startup, government organization, or running your own business, cybersecurity as a career means you’ll always be in demand. But how do you get started and what do the plethora of jobs actually involve? I spoke to four people working in the sector to find out more.

It’s well established that there’s a shortage of skilled workers but this doesn’t mean everyone is suitable. Tyler Reguly, manager of security R&D at Tripwire notes: “There’s a lot of misunderstandings and misinformation, there are still people who want to go into cybersecurity because they think movie magic is real cybersecurity. Having a solid foundation grounded in reality is a key first step.”

How did you get started?

People join the sector through a number of ways. For example, Roger Grimes, data-driven defence evangelist at KnowBe4 was originally an accountant and CPA:

“I was horrible at being an accountant. At night and every free second of my day, I was learning about computers, hackers, computer viruses, and how to fight them. It was my hobby that I obsessed over (and still do 32 years later).

One day, I realized I was in the wrong profession. I quit my accounting job without having another job…but by chance answered a phone on the way out of the office (with all my things in a box), that ended up being my next employer, where I taught computers and learned more about computer security.”

What skills are in demand?

Apostolos Giannakidis, Principal Security Architect & Strategist at Waratek notes the demand for cyber-security professionals with application development skills: 

“This is because developers typically lack an understanding of application security and often introduce vulnerabilities in their code that could compromise their systems.  In the last several years, new trends have emerged such as Shift-left testing and DevSecOps that require the involvement of security testing earlier in the application lifecycle. This means that the security team is typically included from the initial stages of the design of an application up until the development and functional testing of the final product. This agile approach has been found to help release secure software on time and with less cost.”

A few skills that are very high in demand according to Apostolos:

• DevSecOps, Secure CI/CD pipeline
• Container (Docker) Security
• Cloud Security
• Threat modelling
• Threat intelligence
• Security code reviews and secure coding practices
• Python

Cesar Anjos, a security analyst at Sucuri believes that demand is also growing in whitehat hacking. ” A good example of this is  bug bounty programs, they make this field very easy to get into if you already have the knowledge and anyone and jump into it even as a side job, it’s great to get hands-on experience.”

What does it take to work in security? 

Dedication and Problem Solving: Tyler notes that problem-solving and critical thinking are key.:

“You need to look at a problem and figure out a way to solve it. When interviewing people, we always include problem-solving questions to test how well people do, if you can’t solve problems and think critically, this probably isn’t a profession you should pursue.”

Good verbal and written communication is a must according to all interviewees. Apostolos shared: 

“Security is something that management teams typically do not understand because it tends to be too technical and cryptic. A good security professional needs to be able to communicate and translate complex technical security issues into a language that is understood by business managers and executives.”

Trustworthiness: Roger notes: “A boss and organization need to know “they aren’t going to use the information they learn to harm the organization. I’ve hired people who have done illegal hacking in the past, but if I didn’t get a great sense that all that nonsense was behind them, I didn’t hire them no matter who they were.” 

Ability to Think outside the box- Cesar shared: “I think the most important thing is to be able to think outside the box even when the box is huge, have lots of patience and have an interest in the field.”

How to get started? 

As Tyler shared: “Cybersecurity is just a broad field that there’s something for everyone, regardless of your interests… so look for something that fits well with the fields you’re interested in.”

Apostolos suggests:

• Invest time in understanding the inner-workings of exploits. Aim to identify new vulnerabilities (CVEs) and build your own exploits: “The industry does not need another script-kiddie that only downloads publicly available exploits from the Internet and launches them.”
• Invest time in learning how to write secure code in more than one language.
• Set-up your own personal lab and experiment with known exploits and ways to protect against them.
• Audit the source code of popular open-source projects in GitHub and try to find security flaws and zero-days.
• Join Twitter and stay up-to-date with the latest news in infosec and appsec.

Roger suggests:

You can’t be a great defender if you don’t learn how hackers hack. Learn how to be a good penetration tester/ethical hacker. Again, there are lots of resources to tell you how to do this, including articles, books, and forums. Download a good Linux distro built for hacking like Kali Linux and start hacking. You don’t have to learn Linux to hack, but 90% of the best hacking tools only exist in Linux, so a good general computer security person knows how to use Linux plus at least one other OS platform (e.g., Microsoft Windows, Apple OSX, etc.).”

However, when you hack, always hack ethically. Never hack anything without the explicit permission of the owner/manager: ” There is no gray area to this rule. If you hack against something you do not have permission to do so, you are hacking illegally or unethically. Don’t start off on the wrong foot. When you start learning how to hack with success, there can be a certain allure to want to test your skills out on public websites and private computers you don’t have permission to. Don’t fall victim. One illegal hacking event can cost you a career.”

Tyler suggests reading blogs from companies that interest you:

” Learn what their employees are doing by the work they write about; watch their job postings and learn skills that match up with those postings.”

All interviewed shared the value of networking and conferences and the value of talking to others in the sector.

Resources

Academic qualifications aren’t compulsory and should be considered in light of their ability to provide up to date knowledge and the connections of the institutions with the industry.  In regard to specific roles Apostolos recommends:

• Penetration testing: OSCP and GIAC GPEN certifications would be much more valuable rather than having an MSc degree from a not-so-reputable academic institution.
• Application developers with an interest in security would benefit from courses such as the CSSLP – Certified Secure Software Lifecycle Professional.
• Those who are interested in cloud security would benefit from courses such as the CCSP – Certified Cloud Security Professional.
• Additionally, all major cloud providers such as Google, Microsoft and Amazon offer training on their cloud offerings, including security training.

Tyler recommends No starch press for a plethora of hands-on resources.

Apostolos  also recommends the “awesome lists” on GitHub offer resources for courses, training, books, and capture-the-flag challenges for information security professionals:

https://github.com/onlurking/awesome-infosec
https://github.com/joe-shenouda/awesome-cyber-skills
https://github.com/fabionoth/awesome-cyber-security

Sucuri also has some great resources:

• https://blog.sucuri.net
•  https://labs.sucuri.net/.