Cyber security is one of the fastest growing filed in the tech industries and cyber threats are evolving day by day and each and every second five new threats are discovering which cause more damage.
Breaking into cybersecurity is no different than any other career path or profession. In fact, in some ways, we’d even argue that Cybersecurity as a career starting choice is a sensible move because as long as you can satisfy certain requirements, you’ll be good to go!the worldwide need for cybersecurity professionals is expected to reach 6 million jobs — but companies will likely be able to only find 4.5 million people able to do the work.
Also comparitech Provide a good career guide for computer science and technology graduates to start your career towards cyber security
That means there is the potential of 1.5 million jobs — high-paying jobs at that — that can go to anyone with the qualifications. Burning Glass, a job posting site, reports that they had 50,000 postings for candidates with CISSP (Certified Information Systems Security Professional) certification.
So cyber security workers are in high demand, the jobs pay well, and they’re important and critical to safeguarding our society. That sounds to many like an ideal opportunity. But what does it take to get hired and thrive in such a gig? Here are a few things to consider.
Do You Have No Experience With Regards To Cybersecurity?
On the off chance that you have no experience don’t stress. We as a whole needed to begin some place and we as a whole required getting where we are today. Nobody is an island and nobody is conceived with all the vital aptitudes. Period.
Alright, so you have zero involvement and restricted aptitudes… our recommendation, in this case, is that you show yourself some outright basics. Show yourself TCP/IP, programming, coding, markup and the greatest number of advancements as you can! Our #1 guidance for those with restricted experience is to get your head around programmer apparatuses and figure out how to utilize them adequately.
Metasploit, Nmap, and Burp Suite are three incredible cases of stages that can be utilized to perform security testing of web applications and system vulnerabilities. Understanding why there is a defenselessness will sling your insight, certainty and your abilities in having the capacity to distinguish (endeavor) and fix (remediate) ruptures and other “regular” security issues.
On the off chance that you are totally new, we’d recommend viewing the above video by Eli the Computer Guy and afterward observing some quality recordings on SecurityTube. In the event that you can ace certain apparatuses then, you’ll be prepared to begin to put your abilities to great utilize!
Where would you be able to rehearse your self-educated aptitudes? Here are a bundle of assets to make them go:
Once you’ve shown yourself hacking abilities then simply ahead and test them (lawfully) on deliberately made Vulnerable Platforms. The point of these stages that are deliberately helpless is that they permit fledglings and those with constrained digital experience to hone their infiltration testing aptitudes.
- Damn Vulnerable Web Application (DVWA)
- Google Gruyere (Web Application Exploits and Defenses)
- The ButterFly – Security Project
- Compact List Of Over 20 Vulnerable Hacking Platforms
The following objective is to clearly discover a vocation! We would suggest applying for whatever number ‘passage level’ IT occupations as could be allowed since once you have your ‘foot-in-the-entryway’ you can start to move into security without hardly lifting a finger the length of you do what we layout in the following segment.
Cyber Security Jobs Salary
According to comparitech , Cyber Security jobs Paid some interesting Pay scale
Primary Role: Maintains computer system security measures.
US Median Salary: $119,000
UK Median Salary: £72,500
Information Security Officer
Primary Role: Develops and delivers information security and privacy programs.
US Median Salary: $89,000
UK Median Salary: £65,000
Primary Role: Develops and maintains methods that ensure systems are able to withstand disruption, including from natural disasters.
US Median Salary: $88,000
UK Median Salary: £52,500
Primary Role: Provides clients with a needs assessment for computer system security concerns, focusing on vulnerabilities and targeting specific improvements.
US Median Salary: $81,140
UK Median Salary: £47,099
Primary Role: Studies and finds weaknesses in existing cryptosystems.
US Median Salary: $76,470
UK Median Salary: No data
Primary Role: Analyze how and why different malware work.
US Median Salary: $75,000
UK Median Salary: £60,000
Information Security Specialist
Primary Role: Focuses on protecting systems by defining and setting privilege access, allocating resources and setting control structures.
US Median Salary: $71,418
UK Median Salary: £60,000
Primary Role: Investigates data breaches, cyber crimes, or other security-related incidents.
US Median Salary: $70,000
UK Median Salary: No data
Forensic Computer Analyst
Primary Role: Uses available tools to find data on computers and other devices.
US Median Salary: $68,671
UK Median Salary: £62,500
Security Software Developer
Primary Role: Uses different programming languages to develop security-specific software.
US Median Salary: $65,668
UK Median Salary: No data
Do You Have Limited Experience (as an IT Admin) And Want To Break Into Cybersecurity?
A hefty portion of our perusers and understudies are as of now working in IT and are quick to break into IT Security. The uplifting news here is that that is totally conceivable. Here is one moderately strong certainty and we respect all contemplations on this: ordinarily nobody ‘begins a profession in cybersecurity’. It is a great deal more normal to relocate into security than basically begin in the space from the ‘get-go’.
IT Professionals with more broad experience (and preferably organizing) make perfect security applicants. They will, for the most part, have center specialized skills combined with having a strong valuation for all aspects of security furthermore a comprehension of the general population issues around security.
Moreover, a phenomenal cybersecurity applicant will know the business they work in and the business provokes it confronts and will have involvement with corporate framework and ‘governmental issues’.
IT jobs that can lead to cyber security careers include:
- Computer Programmer
- Computer Software Engineer
- Computer Support Specialist
- Computer Systems Analyst
- Database Administrator
- IT Technician
- IT Technical Support
- IT Customer Service
- Network Administrator
- Network Engineer
- Network Systems & Data Analyst
- System Administrator
- Web Administrator
Most Important things which you should focus on:
- Building your Lab.
- Programming skills.
- You are your Projects.
- Networking with Others.
- Understanding the Business.
- Having Passion.
Let’s get started.
Information Security is an advanced discipline, meaning you should ideally be good at some other area of tech before entering it. This isn’t required, but it’s common and it’s ideal. The three areas that infosec people normally come from are:
But let’s assume you don’t have a background in any of those, and that you need to start from nothing. We need to learn you up, and there are three main ways of doing this:
I recommend doing a four-year program in Computer Science or Computer Information Systems or Information Technology with a decent university as the best option. But while you do it you need to be doing everything else in this article.
What you learn in college depends on the class content and your interaction with others, and the content you can likely get many different places. Hanging out and building stuff with a bunch of other smart people is the real benefit of the university.
If you can’t do university you’ll need to learn another way, e.g., trade school or certifications. Any of these will do as long as you have the curiosity and self-discipline to complete what you start.
Here are the basic areas you need to get from either university, trade school, or self-study/certification:
System Administration (Windows/Linux/Active Directory/hardening,etc.)
Programming (programming concepts/scripting/object orientation basics)
If you don’t have a good foundation in all three of these, and ideally some decent strength in one of them, then it’s going to be hard for you to progress past the early stages of an information security career. The key at this point is to not have major holes in your game, and being weak in any of those is a major hole.
They’re quite good at showing you the basics. Here are some examples:
MCP Active Directory
There are great books out there (just Google for the best one) that can show you the basics of a topic quite rapidly. It’s a good way to make sure you don’t have any major gaps in your knowledge.
Programming is important enough to mention on its own.
Let me be clear about something: If you do not nurture your programming skills you will be severely limited in your information security career.
Few important skills,
- C, C++, C# and Java
- Python, Ruby, PHP, Perl and/or shell
- Assembly language & disassemblers
- Regular Expression (regex) skills
- Linux/MAC Bash shell scripting
You can get a job without being a programmer. You can even get a good job. And you can even get promoted to management. But you won’t ever hit the elite levels of infosec if you cannot build things. Websites. Tools. Proofs of concept. If you can’t code, you’ll always be dependent on those who can.
One of the most important things for any infosec professional is a good set of inputs for news, articles, tools, blogs
This has traditionally been done with a list of preferred news sources based on the type of security the person is into. There are sites focused on network security, application security, government security—whatever.
Increasingly, though, Twitter is replacing the following of websites. The primary reason for this is the freshness of data. Twitter is real-time, which gives it and advantage over traditional sources.
Twitter allows you to create (and subscribe to) lists. So if your username is @gbhackeron, you can just append /list/list name to it and tweets from everyone in that list.
My recommendation is to use two main sources:
Building Your Lab
Having a lab is essential. It’s actually one of the first things I ask when I’m looking at candidates during interviews. I ask what kind of lab or network they have at home, and if they reply that they don’t have either I thank them for their time.
The lab is where you learn. The lab is where you run your projects. The lab is where you grow.
There are a few options for lab setups.
1.VMware (or similar) on a laptop or desktop
2.VMware (or similar) on a laptop or desktop that’s now a server
3.A real server with VMware (or similar) on it
4.VPS systems online (Linode, Digital Ocean, etc.)
5.Build an Active Directory forest for your house
6.Run your own DNS from Active Directory
7.Run your own DHCP server from Active Directory
8.Have multiple zones in your network, including a DMZ if you’re going to serve services out of the house
9.Stand up a website on Windows/IIS
10.Stand up a website on PHP
11.Build a blog on WordPress
12.Have a Kali Linux installation always ready to go
13.Build an OpenBSD box and create a DNS Server using DJBDNS
14.Set up a proxy server
15.Build and configure a local email server that can send the email to the Internet using Postfix.
These are the basics. Most people who are hardcore into infosec have done the list above dozens or hundreds of times over the years.
The advantage of a lab is that you now have a place to experiment. You hear about something from your news intake, and you can hop onto your lab, spin up a box, and muck about with it. That’s invaluable for a growing infosec mind.
Now that you have that list going, you can start focusing on your own projects.
You Are Your Projects
This is where the book knowledge stops and the creativity begins. You should always be working on projects.
As a beginner, or even as an advanced practitioner, nobody should ever ask you what you’re working on and you say, “Nothing.” Unless you’re taking a break in-between, of course.
Projects tend to cross significantly into programming. The idea is that you come up with a tool or utility that might be useful to people, and you go and make it.
And while you’re learning, don’t worry too much if someone has already done something beforehand. It’s fun to create, and you want to get used to the thrill of going from concept to completion using code.
The key skill you’re trying to nurture is the ability to identify a problem with the way things are currently done, and then to
1) come up with a solution
2) create the tool to solve it.
Don’t think about how many projects you have. If you approach it that way it’ll be artificial. Instead, just focus on interesting problems in security, and let the ideas and projects come to you naturally.
First, you need a website. Some call this a blog, and that’s fine. The point is that you need a place to present yourself from. You should have an about page, some good contact information, a list of your projects, etc. And again, if you blog then that’s the place to do it.
Ideally, you’d have a good domain. firstnamelastname.com is probably ideal, but many people cannot do that because their names are fairly common. There are other options but choose carefully. You want this domain to remain the same until you die, or get taken into the rapture, or get uploaded into the collective.
Pick something good is what I’m saying. It’s your brand, and your brand matters.
Same with Twitter. Have a good handle. Ideally, firstnamelastname, but if you can’t do that pick a good alternative. Again, this is permanent personal infrastructure, so don’t make it @IHaxYou42.
Once you’ve got a good handle it’s time to start following some folks. There are a number of good lists out there for people to follow in infosec. Use one of those to get you started, and then adjust to taste.
There are a ton of other social media outlets. The other big one you should care about is LinkedIn. Have a profile. Put effort into it. Keep it updated. And only connect with people who you either know or who you’ve had at least SOME interaction with. Adding everyone dilutes the power of the network for you and others.
It’s easy to do too much with social media. Resist that. Focus on your website and Twitter, with some LinkedIn thrown in. I keep Facebook mostly separate, but that’s my personal preference.
I get so many questions about infosec certifications. So many. They come in two forms:
Are infosec certifications really worth it?
Which ones should I get?
Good news: I have answers.
Yes, certifications matter. And so do college degrees. And so does experience. And so does anything else that people think matters.
Let me say this plainly: Things have the value that others place on them.
Certifications don’t have any inherent value. They’re worth precisely as much as people value them. If employers are asking for them at places you want to get hired, they matter. If the places you want to get hired don’t care at all about them, they don’t have value there. It’s that simple.
But let me simplify. This is for beginners, so yes, they matter.
Which certifications to get
Let’s do this by levels:
If you’re just starting out, I recommend you get the following CompTIA certifications:
In this case, I’m not saying that these certs have tremendous value except for the most novice of beginners, but there is value in the study.
Like I mentioned in the education section, certifications have good study materials, and if you get all four of these certifications you will have a decent understanding of lots of basics.
I like to explain infosec certifications like so: You need your CISSP, you should get an audit cert (CISA/CISM), and you should get a technical cert (SANS). So:
Once you have four years of experience in information security, you should have your CISSP. It’s the closest thing to a standard baseline that our industry has. It’s actually better than a computer science degree in a lot of organizations (because so many aren’t learning anything in their time in university).
And finally, you want to get one or more technical certifications. I recommend starting with the GSEC, which is surprisingly thorough. From there you can branch into GCIA or GPEN or GWAPT based on your preferences. But if you just get the GSEC that would be a good way to round out your food groups.
NOTE: I actually recommend doing CISSP, then GSEC, then CISA/CISM. CISSP is the king, and then get your technical out of the way. Audit just rounds you out nicely.
There are a ton of other specialized certs in information security as well. The Offensive Security folks put out some great ones, and the European penetration testing certs are excellent as well. If you’re going to be doing pure pentesting interviews, and you don’t have much experience to show you’re good, then these are absolutely worth looking into.
Then there’s CEH. It’s there, and people sometimes ask about it, so you might as well get it just to have it. But don’t brag about having it; that could go poorly for you in many circles.
Best pen testing certifications
1. CPTC – Certified Penetration Testing Consultant
2. CPTE – Certified Penetration Testing Engineer
3. CompTIA – Security+
4. CSTA – Certified Security Testing Associate
5. GPEN – GIAC Certified Penetration Tester
6. OSCP – Offensive Security Certified Professional
7. CEH – Certified Ethical Hacker
8. ECSA – EC-Council Certified Security Analyst
9. CEPT – Certified Expert Penetration Tester
When evaluating prospective InfoSec candidates, employers frequently look to certification as one measure of excellence and commitment to quality. In this article, we take a look at five InfoSec certifications we consider to be leaders in the field of information security today:
- CompTIA Security+
- CEH: Certified Ethical Hacker
- GSEC: SANS GIAC Security Essentials
- CISSP: Certified Information Systems Security Professional
- CISM: Certified Information Security Manager
This year’s list includes entry-level credentials, like Security+ and GIAC Security Essentials, as well as more advanced certs, such as the CEH, CISSP, and CISM. We also offer some additional certification options in the last section, as the field of information security is both wide and varied.
Network with Others
Alright, so now we have some education, we’ve got a lab going, we’re working on some projects, we’ve got our website and Twitter popping off, and we’re papered up.
Now you need to reach out and talk to some folks. Again, you can and should have been doing this all along, but if you haven’t been it’s definitely time to do it.
Watch who’s coming to your website. Watch Twitter for interesting interactions. Reach out to those people. Start conversations. Go to where they’ll be and interact with them in person. Go to Vegas for Blackhat and DEFCON week. Lots of infosec people there to talk to.
Find a mentor
This one is almost worth its own section, but I’ll just put it here. Find someone who has a style that you like and asks them to mentor you. Email them. Call them up.
Do our research beforehand. Make sure you’ve done the stuff in this writeup first. Don’t come at them without having put the effort in.
Make it as easy as possible for them to help you and you’re not likely to be turned down. One thing I’ve seen in infosec is that people are extremely willing to help others who are eager to work and are just getting started.
Offer to intern
Offer to intern with someone. Offer to do their dirty work. Write scripts for them. Edit their blog posts. Help them sift through data. These things can help and may lead directly to an interview or other types of hookup for you in the future.
Conferences are a way to do a few things in the industry:
See what new research is being done
Catch up with your other infosec friends who live far away
Present your own thoughts, ideas, and research for others to consume
For #1 you really don’t have to go to a conference. Most talks—especially the really good ones—are made available immediately afterwards, so you can just pull them off the website.
That doesn’t help with #2, though, and most infosec veterans after around 10 years on the scene are mostly going to conferences to see their friends. The talks basically serve as a setting for doing so rather than the centerpiece—especially since they can just get the talks online.
But for newcomers to the field talks can be an invaluable way to learn about the infosec culture. Here are a few I’d recommend considering:
If you’re just starting out, you should definitely go at least once to DEFCON. It’s basically a parody of itself at this point, but that’s just because it’s become so popular. Victim of its success and all.
Before DEFCON every year is BlackHat, which is a bit more professional (and expensive) but is also still decent for new people to attend.
A few of these includes:
In addition to these traditional types of conferences, you should be signing up locally with your OWASP chapter. Start by just attending the meetings and soaking everything in, and then offer to volunteer to help out, and then—when you’re ready—ask to give a talk yourself.
Understanding the Business
This is a facet of development that many (most?) technical people lack, and it severely limits their ability to participate in conversations above a certain level.
Here’s the basic rule: For the business, everything comes down to money. Money in, money out. So all the work you’re doing with your risk program, or your vulnerability scans, or your new zero-day exploit—that’s all way below the area of focus for the business.
Businesses want to quantify risk so they can decide how much should be spent on mitigating it. You should be prepared to speak about how much risk is present (in dollars), how much money it’ll cost to mitigate that risk in various ways, and what (if any) residual risk will remain.
In short, try to have numbers for things, and try to think in terms of risk and mitigation vs. specific vulnerabilities and other security details.
The 10 Coolest Information Security Careers
1 – Information Security Analyst
This information security job involves assessing the effectiveness of Information Security policies and pointing out vulnerabilities or lack of controls to mitigate a given risk. The security analyst will work with every department in the company to make recommendations for improvements and craft detailed design documents for them to implement. This position has become commonplace with the advent of ISO 27001, Sarbanes-Oxley and similar regulations and compliance frameworks.
Where to look for a job: basically, every company dealing with information requires an Infosec Analyst.
2 – Incident Responder
Those employed in this information security career will monitor computer systems for security breaches, report and document such breaches and implement appropriate countermeasures. The incident responder will also undertake protective and corrective measures when a security incident is discovered.
Where to look for a job: These professionals are usually found at the SOC or network monitoring department of data centers.
3 – Network Security Engineer
Network security engineers are responsible for developing, maintaining and troubleshooting computer network security systems, configuring security hardware and software and preparing security reports. These professionals possess deep knowledge of communications protocols, network routing, packet and content filtering. That’s how I started my career, a couple of years ago…
Where to look for a job: Almost every company with a medium/large sized network infrastructure. For small companies, do expect the network administrator to wear this hat.
4 – Malware Analyst
This information security career involves reverse-engineering malicious software such as viruses and spyware in order to determine how they attack computer systems and how they spread as well as define signatures that could indicate their presence within a system. This profession requires a deep knowledge of high and low-level programming languages.
Where to look for a job: Security Software makers.
5 – System, Network, and Web Penetration Tester
This job involves attempting to penetrate systems, networks, and applications in order to detect their vulnerabilities so that companies can correct flaws and improve their security. The tester must be able to identify flaws in security and bring up possible solutions, as well as providing suggestions on how to better allocate security resources. This information security career is also known as white-hat hacking, ethical hacking and pentesting.
Where to look for a job: Information Security services providers and consultancy companies, major organizations where security is paramount (banking, financial, health).
6 – Forensic Analyst
The professional holding this position analyzes computer systems to identify who is the responsible for the misuse of a system, or to detect whether a certain application was used to commit a crime. His task doesn’t end there: the forensic analyst is responsible for preserving, documenting and interpreting computer evidence subject to legal rules and guidelines.
Where to look for a job: Information Security Services Provider and consultancy companies, major organizations where security is paramount (banking, financial, health, etc).
7 – Information Security Forensics Expert
This information security career involves analyzing the aftermath of a systems security breach by hackers in order to determine how the breach occurred and which of the company’s systems may have been compromised.
This position requires security professionals with updated forensic and reverse engineering skills, as well as an awareness of the latest methods of exploiting system vulnerabilities.
Where to look for a job: Information Security services providers and consultancy companies, government agencies.
8 – Computer Crime Investigator
This is one of the most glamorous information security jobs as the job holder assists police and forensic investigators with crimes involving computers or with aspects of a criminal investigation involving computers. The computer crime investigator uses advanced technologies to analyze evidence.
They will also help law enforcement officials in recovering deleted, hidden or encrypted data from a hard drive which may be of value to an ongoing investigation. It’s also very probable that security clearance will be required if you want to become a Computer Crime Investigator.
Where to look for a job: Law enforcement agencies, Information Security consultancy companies.
9 – Information Security Architect
Information Security Architects are the professionals thinking on the big picture: They need not only be aware of every piece of technology deployed within the business architecture but also understand how and why all of these components interact with each other to achieve the objectives of the enterprise.
The architect is involved (or at least should be, but we know how real life is…) at the early stages of any IT project to design and implement the security policies required to protect the integrity, confidentiality, and availability of the information on an end-to-end basis.
10 – Chief Information Security Officer
The responsibilities of this information security career are enormous, as CISOs are in charge of an organization’s entire computer security system. The CISO will also oversee the company’s entire network of people who safeguard a company’s digital security, from systems security officers to software and hardware vendors.
Their responsibilities may also include identifying a company’s digital protection objectives and defining allocation of resources based on priority areas, as well as overseeing the investigation of security breaches and incident response planning. Depending on the country, CISOs are legally liable for a company’s Information Security health.
These are some of the important practices for beginners to start, A perfect way to Start and Strengthen your Cyber Security Career.