In the ever-evolving world that is Cyber Security, it can be extremely confronting to decide where to start. Choosing between the enormous list of certifications, programming languages, university degrees and ever-growing list of CTFs to start with is a daunting task for anyone; however, it should not be this difficult. As I see it, there are a few options to choose from when first starting out which should help towards that entry level position, after which you can choose to branch out to a specialist area and become a master at it. Consider cyber security for a moment like a “trade”, where you have plumbers, electricians, carpenters, etc. It’s very much the same thing in Cyber Security where you have pentesters, incident responders, SOC analysts, reverse engineers, etc. So, which direction should you take and how do you get there? Let’s begin with the absolute basics by breaking this down into 3 sections: Certifications, Experience and Home Labs/Self Learning.
A quick google of “how many cybersec certifications are there” brought back roughly 270 certs to choose from. Knowing which of these to choose is definitely tricky, but as I see it, there’s a better place to start than certifications, which is a degree. Now again, there are many degrees to choose from, but if I had to pick 2, I'd recommend the computer science or cyber security bachelor degrees. In both of these formal education pathways you will learn all of the fundamentals that you need to know without specifically specialising in any of them. If formal education is not your “thing” or not possible for you to do, though, there are 4 certifications I would recommend, and I also recommend them to those who have completed a degree. The first of these certifications is the CompTIA Security+. This certification is designed to give you that basic understanding of a blue team environment while lightly touching on pentesting. The next one is the CCNA by Cisco, which is designed to give you that fundamental knowledge of how networks work and move data across systems. This is absolutely vital information for a cyber security professional and is often a stepping stone into the industry, which I’ll touch on later. The third certification is the OSCP, which is aimed solely at those of you who want to be ethical hackers or pentesters. It is probably the number 1 certification that I see requested in job adverts, surprisingly even for blue team analyst roles. The fourth certification is the CySA+ certification from CompTIA. This certification is aimed more towards the blue team side and is focused (as the name implies) on Cybersecurity Analysts.
I’m going to say this one louder for the people up the back: EXPERIENCE IS KING! In this industry, the one thing that recruiters always complain to me about when I put forward potential candidates is that they don’t have enough “industry experience”. This can sound a lot like a chicken and egg situation, where you need experience to gain a job but also need a job to gain that experience, and it can seem like a strange thing to ask for; however, experience can come in different ways. From joining meetup groups and networking with other students or current industry professionals, to building your own home labs that prove certain skillsets, to gaining experience from internships, experience is not something that is only reserved for the job applicants who already have years of experience working professionally in IT, although this would certainly help if it’s possible. A point worth mentioning here, though, is that the most common transition job into Cyber Security in Australia is from network engineer or systems administrator roles, and if you look back to the certifications I mentioned earlier, one of them is that exact stepping stone – the CCNA certification. So what I'm saying here is that if you think perhaps you might like to play the field a bit first and do sysadmin work or network engineering, gaining that CCNA is almost 100% necessary for eventually jumping ship into the cyber security industry.
Home labs and self learning
We have covered my top 4 choices of certifications and we went through what sort of experience is needed, but what about something else that can potentially showcase your skills without having to fork out a whole lot of money or time? Home labs and CTFs are the answer to this question. I recently made an example home lab on my YouTube channel where I discussed the golden ticket of home labs, where you build an attack-defense system using Raspberry Pis. The idea is that you have one to attack, one to defend and one in the middle logging all of the traffic. This idea showcases that you understand both sides of the red and blue team coin and that you also have passion for the industry, which after experience is the most sought-after soft skill recruiters and hiring managers look for when hiring new recruits into the industry. There are various other avenues you can explore with home labs depending on where your interests lie, but that depends on you and which direction into the industry you want to take. On the topic of self-learning, there are of course CTFs or “Capture The Flag” learning possibilities through sites like tryhackme.com or pentesterlab.com, which are becoming increasingly popular learning platforms because of their gamified approach. They are a great way to learn for sure, with the only downside being that they don’t really give you that “real world” experience, although they are definitely worth pursuing for an awesome learning experience.
To wrap this up, I'd like to highlight that cyber security is still somewhat in an infancy stage within Information Technology and the requirements, learning tactics and job titles on offer change fairly rapidly, which makes it one of the most interesting and exciting industries in the world. Get yourself out there, dive in and join in on the fun! I’ll see you on the other side.