If you’ve stumbled on or were directed to this page, you may be one of the many people asking “How do I get a job working in Cyber or Information Security” or rather where do I find resources. I get this question often and not always from people locally so I put a few notes together. The answer to this question has also evolved as this is my regarding this topic. Check out part 1 and part 2, then come back here.
DISCLAIMER
Your miles may vary on your journey, but ultimately, you are the one driving. Most of the information I gathered is taking least common denominators into consideration and based on what was effective for me. What is most effective for you, and if you find a better approach, use it. . That said, when looking for mentors, make sure you search for answers from more than one person, particularly with the broader topics. Aside from the good advice I’m also speaking from experience with some of the pitfalls.
Resources
It’s been awhile since I’ve posted an article and it shows. After being asked these same questions many times I decided to make a page with some resources, but to be honest, it can be daunting doing all the leg work. Rest assured in a month or so you will probably hear about some “new” training, bootcamp, webinar, or course. There are plenty out there and new ones popping up all the time. As one of my mentors would say “I should be charging to teach this”. Do your own research and don’t jump on the first one right away. In fact, some of those resources have free learning paths. Before committing money, spend a week or so doing as much of the free stuff as possible to see how much effort you’re willing to commit.
Build a homelab
VulnHub
HackTheBox
The Cyber Mentor
TryHackMe
Communities
This one was helpful for me as I didn’t already have experience, but the community aspect of it has been valuable. Note, I said community, not networking. A lot of people shudder at the thought of “networking” in terms of people because it can be tedious, especially when you’re doing it solely for getting a job. For me, I was going to DEFCON and other conferences and events…or as they say, “I was doing this before it was cool…or lucrative”.
I hate to break the news, but this is one of those fields where it helps if you like the work. It’s not a requirement but definitely helps. If you don’t like it, find some people that can embrace the suck with you. You will stumble and fail a lot, but if you’re stubborn enough and learn from trial and error you’ll do just fine. If it’s not your passion but pays the bills it can at the least be a “preferred pain”. I don’t mind helping, but to be more specific I don’t mind helping people willing to help themselves. A lot of people coming into this field see the end result and think “I’d like to do that job”, or “wow you make a ton of money doing <x>” without having an appreciation for the amount of time and effort people put into it. Ok sure some of you know someone that was able to get in or get promoted without certifications, a degree, or even connections but understand those people are not the majority and assume you will need to stand out in some form or fashion.
That being said if you want to do in infosec (or many other jobs for that matter), it helps to surround yourself with others on the same or similar paths. With that in mind, here’s a few things to help. Your miles may vary considering current state of affairs with a pandemic, or other events.
OWASP Chapters
2600 Meetings
DEFCON Groups
Security BSides
InfoSec Conferences
VeteranSec
Those are some events that come to mind that aren’t specific to one location. Find one near you or check out the more common event sites (e.g. eventbrite). Your other option, especially if your location lacks a community is creating your own. I believe the quote from the movie Field of Dreams was: “If you build it, they will come”. This could mean something as simple as starting a conversation at a sports bar, or creating content online in some form or fashion. One goal you should have is to not be the smartest person in the room. If you catch yourself being the “smart hacker person” too often, you will give yourself a false sense of confidence in your skillset comparing what you know to the non-technical layperson. That said if you can explain complex topics in a manner they can understand, you are going in a good direction.
“I’ve done lots of things that indicate I’m good at “
“I know how to do but haven’t done it professionally yet”
“I’m very methodical, a sharp minded, expert troubleshooter” (yeah, ok prove it)
Well, how do you quantify those things? First, realize some of the things you’ve done independently might not be as practical on a company network. For example, running tools you’ve used on hackthebox may not be a good idea as you could break something or end up in legal trouble if you don’t have permission. And heaven help you try to explain how you got a flag at a CTF to an HR recruiter on a phone interview. CTFs while fun can be hard to establish a 1:1 relationship to a lot of jobs. I’ve been interviewed by recruiters in this space that didn’t even know what they are.
That said, if you can articulate how a CTF helped you learn specific skills relevant to the job you’re applying for more power to you. If you have used certain tools, techniques, or procedures to solve a problem whether it be a CTF or building a tool, the easiest way to demonstrate those skills is doing a writeup. Think of these things as an extension of your resume. That said, give your work some care as its a reflection of you. Here are a few examples of what I have in mind.
A tool you’ve been working on
Resources you’ve put together to share
A walkthrough for a CTF challenge you’ve finished
A video walkthrough of something you worked on
Conclusion
There’s plenty of resources depending on where you are. If you are in or near a major city, you likely have plenty of resources at your disposal. For those of you in smaller cities or towns, you will have some legwork to do but it’s not impossible, and you can always meet online. When all else fails, you can also create your own community. The ideal goal would be having more than one person to bounce ideas off of or work on developing skills. In either case you will have a lot of work ahead of you, and for those of you finishing school, I hate to break it to you but your learning and studying have only started. For everyone, the work you put in now will only get you ready to make it to day one of your next role.