Where to start in Cybersecurity – Context
Note: I used “Cybersecurity paths” and “where to start in cybersecurity” just so I get good SEO results. To know why, you can read my post Information Security Synonyms.
If you Google “Cybersecurity paths”, “Cybersecurity career” and other similar terms, you’ll find an array of results with all kinds of advice, all addressed to people already in the field. In this post, I’ll try to explain my take on this subject, but aimed at newcomers who have no idea where to start.
The Information Security domain is wide, really wide. I used to surprise people in meetings because I would be interested in what they were doing and how they were doing it. In their mind, security was about hackers and viruses. It’s not the case.
A good way to see this is to search on Google for “cybersecurity mind map”. You’ll find a lot of results like these ones:
It’s important to know that these are incomplete, but they give a good idea of the size of the domain.
But, when looking at all this, it’s normal to ask “where do I start?”. Let’s answer this question.
Where do I start?
This is a big question because there are multiple paths possible. I’ll explain some possible paths based on my experience, but in reality, there is no clear way to get into Information Security. I think the most important thing to have is passion!
Note: notice I wrote “some” paths and not “the” paths!
First I’ll explain the most frequent roles we see in job offers, based on the website https://www.cyberseek.org/pathway.html. Then I’ll explain how these entry roles can lead to the more advanced roles. These parts will be based on my comprehension of the roles and aimed at newcomers. It’s important to note that I focus mainly on the technical roles as they are the ones I know, but there are other non-technical roles that exist. For example, you can be a lawyer who is an expert in cybersecurity. I’ll be writing about common roles but it’s important to know that a lot of roles are missing from this post.
I’ll split the explanation by paths so you can jump ahead to the section of your interest:
- First step
- How to get one of these jobs
- The main roles
The principal Information Security roles
As we can see in https://www.cyberseek.org/pathway.html, the InfoSec roles all assume some kind of basic experience in IT. It can be in networking, software development, etc. The idea is that in order to protect systems you must have a good understanding of how they work.
So the first step to start in InfoSec is to get some experience or follow a recognized course in one of the feeder roles: Networking, Software Development, Systems Engineering, Financial and Risk Analysis, Security Intelligence. Some people are able to get a job without a degree in some of these roles when they have enough experience through personal experimentation and they are able to demonstrate these abilities. Here is a quick summary of what these jobs are:
A network analyst will configure devices and computers to make sure they can talk to each other. For example, when you are reading this post through your device, there are multiple devices in-between that need to be well configured so that the communication can flow flawlessly. To get this job, you need to have a good understanding of network protocols. Some experience with vendor devices (like Cisco) will definitely open doors. You will also need to learn to debug network communications.
A software developer is someone who knows how to code. Coding is the act of writing, in some form, instructions to a computer that it will then execute. For example: when I was writing this post, I was telling my server (a computer dedicated to serving websites) what text to display and how to display it. To get this job, you need to know at least one programming language. The first one I learned was Java but my favorite ones nowadays are Python and C#. Once you learn one, the other ones are a lot easier to learn as they all share similarities.
A systems analyst is someone who has a good understanding of code, networking and hardware but does not work specifically in one of these fields. His or her job would be to oversee the development of a system that involves one or more of these fields. It could be to oversee the cost, design, staff and timeline implications of a project. Wikipedia has a good and more complete description. To get this job, you need to have a good general understanding of the fields previously mentioned. In other words, you need to know a little bit of everything related to computers and IT.
Financial and Risk Analysis
A financial and risk analyst is someone who analyzes the risks a company faces, but from the financial point of view. This can be based on market volatility, laws, the environment, factors within the corporation, etc. I have to say I have no experience in this so the input I can provide is limited. You can find more information here: https://www.investopedia.com/terms/r/risk-analysis.asp. This risk analysis process can be used in Information Security to analyze an enterprise risk.
A security intelligence analyst is someone who analyzes the threats and malicious actors that threaten a company. Because these change based on the size and field of the company, that person needs to understand how a bad actor thinks. This can be done by monitoring different trends and/or reviewing reports and analysis of companies renowned in this field (there are a few). This analysis can then be used to make informed decisions on the priorities of the company.
How to get one of these jobs
For these jobs, you can be lucky and get a job without a degree if you have some experience and you can demonstrate your understanding, but a good way to start would be a degree of some kind in IT or software development. It can be at a university, and that would definitely open a lot of doors, but it doesn’t have to be. There are a lot of schools that offer good training programs. I personally did a bachelor’s degree in Software Engineering.
When I said there are multiple paths possible, I know people that came from all sorts of backgrounds. For example, I know lawyers that now work in Information Security! I mentioned training in IT or software development because this is what I know.
If you have questions regarding where to start, if a program is good, or anything like that, don’t hesitate to write to me. I can definitely help you find your way in this field!
The main roles
Once you have your foot in the door from one of the feeder roles, there are some key entry-level roles you can have. I’ll write about the ones mentioned on https://www.cyberseek.org/pathway.html but these are mainly technically focused. In reality there are some other non-technical roles where you “only” need global knowledge of the Information Security principles. If you look at the following sites, you’ll see that there are a lot of roles in the field (though there are some overlaps in the roles mentioned in these sites):
- This one is technically focused.
- This one is interesting as they mention some interesting roles like in management. They also have good advice.
- This one demonstrates the number of roles (or different names of roles) that exist, but there is a lot of overlap, meaning that some of these are different names for the same role.
- This one is clearly incomplete, but they mention 3 non-technical roles.
- This one is a detailed view of what InfoSec governance is and how to do it. This role is non-technical but requires working partly with technical people.
The roles in this section require basic knowledge of Information Security principles but they allow beginners to start gaining real hands-on experience. Once you get enough experience in these roles, you can aspire to get into a mid-level role. Generally, these roles require 1-5 years in IT and/or a bachelor’s degree. The idea is that you need to have basic knowledge in IT and InfoSec.
A cybersecurity technician is someone who works at the operations level. They are responsible for maintaining software and devices used by the cybersecurity team, assisting users and managing basic alerts. They are the first line of defense. Examples of what they maintain are:
- Web application firewall
- Antivirus or its more advanced brother: the EDR
- SIEM and its alerts
This role is really interesting because you touch a lot of different systems and software. If they see an alert and think it could be an incident, they would call an incident responder to help them.
Cyber Crime Analyst
This role and its derivatives are not my expertise, so I’ll rely on someone else’s definition:
Investigates a number of crimes, ranging from recovering file systems on computers that have been hacked or damaged to investigating crimes against children. Recovers data from computers that can be used in prosecuting crimes in court. Computer crime investigators must also write reports for and testify in court. Also may work for large corporations to test security systems that are currently in place. Investigators do this by trying various ways to hack into the corporation’s computer networks. At corporations, computer crime investigators also maximize optimal computer system performance levels. Source: https://online-distance.ncsu.edu/career/cyber-crime-analyst-investigator/
In other words, someone in this role will investigate a cyber incident but will do so with the potential end goal of going to court. This involves careful analysis and evidence collection and handling.
An incident responder is a technical person with a deep understanding of how a typical environment behaves that will be able to analyze events when an incident occurs. He/she will then have to understand if it’s a false alarm or if a complete response needs to be done. Because of the amount of knowledge required to be an excellent responder, I would divide this role in two and have one of the two as a mid-level role; that person would be the second line of defense to solve harder incidents.
In my opinion, this role is one that provides a lot of thrill as you are directly in the fire, trying to extinguish it. But because of this, it can also be stressful. This role requires some level of organization because there are reports to be done on what happened, what action was taken to remediate the incident, etc.
In the modern era that we live in, enterprises must legally meet certain security criteria, depending on what information they handle. For example, an enterprise that handles credit cards must meet the PCI-DSS requirements. To make sure these requirements are met, an IT Auditor will do an audit (a PCI audit, in the case of PCI-DSS) of the policies, processes and procedures in place to make sure they meet the minimum criteria.
These roles assume you have good experience in InfoSec. They typically require 3-5 years of experience in InfoSec. This experience is mostly gained through the entry-level roles, but that’s not the only way.
A cybersecurity analyst is a mid-level expert in InfoSec who is able to do all (or most) of the entry-level jobs. A cybersecurity analyst can be asked to handle devices, respond to incidents, etc. They are the second line of defense for an incident. This role is really fun because you get to touch pretty much all aspects of InfoSec for a single company. I had this role before the one I have right now and I enjoyed it because of the amount of things I learned in a short amount of time.
A cybersecurity analyst will also be asked to manage user awareness campaigns (like phishing), choose the best fit for the company between multiple products (like an antivirus, a password manager, etc.), and many other tasks.
A cybersecurity consultant is a mid-level expert on a wide array of domains who helps and advises clients (like the cybersecurity analysts in other enterprises) on cybersecurity subjects. A consultant can help find a strategy to mitigate a problem, review configurations, mitigate a vulnerability, select a product between multiple providers, etc. In this role you’re not part of an enterprise team but you provide your diverse expertise to your clients. The positive point is that you get to see many ways of doing things and learn from them. The negative point is that, because you don’t go into the details as much as the cybersecurity analyst, you need to compensate on your own time or accept that you won’t gain deep knowledge as quickly as an analyst on some specific subjects. In other words, a cybersecurity consultant covers more breadth but less depth.
In my opinion, it is a great role if you’re curious to learn as much as possible on many different subjects. You’re essentially paid to learn and then use this knowledge to advise your clients.
A penetration tester, also known as a “pentester”, is someone who is hired by enterprises to test the security of their network, applications, implementations, websites, etc. They use techniques used by hackers and then provide their clients with a report that explains where and how they were able to exploit a vulnerability, and how to fix it. Enterprises use their services so they can patch the vulnerabilities before a malicious attacker can exploit them.
This job is really interesting and fun because you get paid to hack things. I had this job a few years back and I really liked it! It’s important to know that a good pentester is highly technical. That’s because to understand how to bypass or hack something, you need to understand how it works and how you can modify the intended behavior to make it do something unintended. The natural evolution of a pentester is to be a Red Teamer, which isn’t discussed in this post.
A cybersecurity manager is someone with management skills adapted to the cybersecurity context. This last part is important because that person could be asked to make decisions that would have an impact on the security of the enterprise. For example, that person could be asked to choose between accepting a risk or redirecting resources towards a problem that needs to be resolved in a timely manner; and accepting a risk is not something that should be done lightly. The cybersecurity manager is the link between the technical teams and the upper management.
In order to get this role, you need a lot of experience in management and a lot of experience in cybersecurity. It is frequent to see technical persons from the mid-level roles move to this job at some point. This job is one of the jobs that could lead you to the Chief Information Security Officer (CISO) role, although in some enterprises where cybersecurity is not represented in the upper management, this is the highest role.
A cybersecurity engineer is the natural evolution of the cybersecurity analyst or consultant. It is a senior role that entails a lot of experience in cybersecurity, focused mainly on the technical aspects. In that role, you get to be the main advisor for less experienced teams to guide them towards the best solutions. Because of the changing nature of technology, you need to keep learning and stay ahead of the news so that role is ideal for curious people.
The name “engineer” is important in this role title: because of your experience, you could be asked to help developer teams and operation teams find the ideal solution to a problem and how to do it securely. This role is the “Sec” in “DevSecOps”.
A cybersecurity architect is a senior role that requires a lot of knowledge. An architect needs to have an in-depth understanding of a wide array of domains, both technical and non-technical, to be able to design secure systems, evaluate where these systems could fail and mitigate these risks. In other words, a cybersecurity architect’s knowledge is both broad and in depth. That role also requires continuous learning of the new trends and technologies. People in this role need to be able to explain complex concepts in a simple manner because they need to communicate the architecture to the management.
This job is one of the most challenging ones because security is hard. But it’s also one of the most interesting and rewarding for a technical person.
As you can see, the cybersecurity field is large, challenging and super interesting. As we can see in the news, this field is recognized as being more and more important so we will see an increase in demand for these roles.
I understand that it can be daunting to choose this path but I can reassure you, as long as you have passion, there is nothing to fear. Once you start in this path, you’ll discover that the community can be generous.
Note: If you find some people in the community to be judgmental, like someone saying something along the lines of “RTFM”, don’t mind them. Some people like to flatter themselves by being elitist but in reality they mostly lack self-confidence. If it happens to you, you can always write to me, I’ll be more than happy to help you.