In this blog, our newest addition to the team, Rehan Bari, discusses his experiences breaking into the industry…
I’m going to discuss one of the most debated topics on social media with regard to cybersecurity: Breaking into the cybersecurity industry. “There is a shortage of people in this field”. You must have heard that everywhere too, right? It might be the bigger picture, however it may not be in the junior position or the specific role you are after. This is usually met with “How can one get experience if no one is willing to give a newcomer a chance?” After all, it is experience that will let you move up the ladder and fill the positions which have shortages.
The other debate is the hiring of managers vs entry-level job seekers – “The job description for a junior role is too demanding!” I have come across junior roles which require 2/3 years of experience, which leads back to the first debate! In all fairness, there is no need to over complicate it and all I can say on this matter is, where there’s a will, there’s a way.
This blog isn’t about the debate though, it’s about what I believe you need to know and can do to break into this industry based on my own experiences. I didn’t come from an IT background and I had no commercial experience, I just compensated for that with hard work and passion.
What is cybersecurity?
Let’s break it down. Whenever someone mentions cybersecurity your first thought is hacking. The majority of people don’t realise how much more there is to it. Cybersecurity is all about protection, it’s about protecting computers, servers, networks, mobiles and everything in between from compromise, so naturally there are different sectors within this field. Ok, so you have decided you want to a job in cybersecurity. You should now be researching what role within cybersecurity you want. Different roles require different skillsets.
I had a lot of advice from people to try and go for SOC analyst roles to get your foot in the door and then move to the sector I wanted to. I felt that I should concentrate on the skills for the job I wanted as that will motivate me to keep studying and working hard.
Qualifications & Certificates
First of all, let’s clarify that there is no right or wrong way. What certificate you need or don’t need will also depend on if you are already coming from an IT background or not. If you have a degree related to IT or if you already hold an IT related job such as digital forensic, network engineer, web developer, or a programmer, etc., the transition into cybersecurity should be smoother. For example, if you are a programmer you might be able to notice or know what vulnerable code looks like. Or if you are a network engineer you already have one of the core skills that is needed for a successful cybersecurity career. In this scenario, you should be looking at the missing skills you need and also the more advanced certificates to polish off your CV and make you a top candidate for the role.
If you don’t have any experience in IT, it is really important to get the basic core skills. I went with CompTIA certifications. I found that Network+ and Security+ helped me get the grasp and it laid down a solid platform for me to build upon. You will notice that a lot of junior role interviews in cybersecurity will ask network-based questions.
Unfortunately, it is tough to make a transition to the cybersecurity sector without an IT background, especially if you work full time or going back to full time studying is not a viable option for whatever reason. This does not mean it’s impossible though! With the amount of study material that is out there such as courses on Udemy or various online training academies, all you need is dedication and determination!
In my opinion the ideal path to follow is to get certifications in core skills (security & network), learn a coding language such as python, and then dive into paths made for specific roles. I chose to pursue eLearnSecurity’ eJPT, however there are many good courses out there.
This is probably the toughest part. After getting the certifications and building a good-looking CV, most people struggle because every hiring manager wants the candidate to have some sort of experience. You may not be able to get the “commercial” experience as you haven’t got a job in the field, but you can gain some sort of experience.
I will concentrate more on pentester type roles in this section based on my own experience.
There are loads of websites out there now that can help you polish your skills and learn new techniques. Websites such as Hack The Box or Try Hack Me are excellent to test yourself. These websites will also help you strengthen your basic skills such as moving around a Linux terminal, picking up shortcuts and commands that will make you efficient and faster. There are loads of different labs with difficulty levels for beginners to experts to do on these websites. This is a good starting point, work your way up, and focus on labs that you may find yourself weaker in. I would suggest starting with Try Hack Me, I find it a lot more user friendly and easier to learn from.
Networking! This isn’t exactly gaining experience, but networking helped me significantly in landing a job. Being active on LinkedIn or Twitter will help show off your personality and your achievements. You will also come to people’s minds when they see a job that is suitable for you. I had a lot of connections on LinkedIn tagging me in posts or sending me private messages regarding jobs and in the end, that’s what helped me secure a job. Another good thing about social media is the posts that are being shared, it helps you stay in the loop with the latest news or someone may share a really good cheat sheet that could be handy. So be active, show interest, and showcase your passion.
Try blogging/vlogging, whatever you feel comfortable with. Consider your website as an extended CV, it’s the perfect place for future employees to see how you think and what your mindset is during certain scenarios. I blogged fairly regularly (once a week) throughout the eLearnSecurity certificates. I would write about what I did in the previous week regarding the course or labs, what I would struggle with, or how I went about a problem. This helped me demonstrate my determination and problem-solving. I also did course and exam reviews. I am not saying you have to blog about a course or exam, you can blog about anything cyber-related. It’s not easy to show who you are through just a CV, use your initiative, and show them what sets you apart from the rest.
Gaining experience is not easy and nothing can replace the experience you will gain from an actual job, but you need to do whatever you can. Be creative and catch the attention of others, see what the job descriptions are for the role you want, and try to gain those skills.
So, you may not have all the technical skills that are required for a job due to lack of experience, but most employees will not only be looking at technical skills, especially for a junior role. Basic character skills are also very important. For junior roles, the hiring company will think has this candidate got the right attitude to learn? Self-motivation to keep improving? The drive to put in the extra yard? Technical skills can be taught and most companies who are advertising junior roles are aware of that, for them its more about personality traits. Why should they invest in you?
Communication is key, not only in cybersecurity but in any job! Every job in the world will require you to have good communication skills. When a company hires you, you become a representative for the company, so they need to make sure that your attitude and behaviour are appropriate. Characteristics like punctuality, task management, responsibility are all transferrable skills. These are core skills that are needed to succeed in any field, so if your CV lacks technical skills don’t stress but make sure that you can showcase the transferable skills through previous jobs that you have held.
I hope this has helped you gain a better understanding of what you can do to break into the cybersecurity field. If you’ve just managed to get into cybersecurity and are looking for a challenge, why not try out our Lin.security virtual machine, designed to help improve your Linux privilege escalation skills?
I wish you all the best and good luck!
In.security was formed by Will and Owen, two cyber security specialists driven to help other organisations stay safe and secure against cyber threats and attacks. After having worked together since 2011 in several former companies, they each gained considerable experience in system/network administration, digital forensics, penetration testing plus training. Based in Cambridgeshire, but operating nationally, we can provide a range of services and training for businesses and individuals alike. Read more about our services below:
- Penetration testing
- Vulnerability assessments
- Build reviews
- Red team testing
- Phishing assessments
- Password auditing
- Cloud security auditing