Finding Your Feet in Cyber Security: Part 1
Digissllc
Rewind three years: I was fresh out of the university, undecided on what to do with my bachelor’s degree, and knew next to nothing about Cyber Security. Truth is, like the average Nigerian graduate, my knowledge was limited to what I had learned in the classroom. In school, I was only ever interested in network functionality, implementation and security, and had never made any serious efforts outside of class. My curiosity about hacking computers led me to Cybrary (it was almost free at the time), where I embarked on a journey to learn about ethical hacking and penetration testing (story for another day!). This culmination of self-study, multiple setbacks and the drive to learn provided me the bedrock needed to get where I was going.
I have barely gotten my feet wet in the massive ocean that is Cyber Security, but lately I’ve been asked quite frequently how to get started, so I figured I’d turn it into a blog post. The following suggestions are based on my experience so far and the things that worked out for me. My two cents on this subject should only serve as friendly advice rather than an ultimate winning formula.
Before diving into Cyber Security, it’s extremely important to identify which specialty or work role interests you because, in numerous ways, cyber security is similar to engineering or healthcare. There are so many different paths you can specialize in, from digital forensics and incident response to penetration testing, security governance or security awareness. (Trust me, there are way more than you think.)
This step is the most important and the most commonly overlooked in building a solid cybersecurity foundation. There are lots of nice resources out there that can lead you in the right direction; a few honorable mentions are the NICE Cyber Security Workforce Framework and the Cyberseek Cyber Security Career Pathway website. The trick here is to identify which KSAs (knowledge, skills and abilities) are relevant to the work role or specialty you’re interested in.
For example, being knowledgeable about computer networking, Windows/Linux OS administration, and basic scripting (Python/Bash/Perl/Ruby/Golang/PowerShell etc.) is key to becoming a skilled penetration tester; likewise, having a good grasp of cyber laws, standards and regulations is very important as a GRC (governance, risk and compliance) guy.
My point is when you have no destination there’s no direction…
Congratulations! You’ve come this far. I hope at this point you’ve identified which path you wish to embark on, because none of what I’m about to say will be relevant if you haven’t. That said, let’s talk about obtaining cybersecurity knowledge for a wannabe security (analyst, engineer, auditor, incident responder, vulnerability analyst, consultant, architect etc.).
If you’re looking at venturing into a technically oriented cybersecurity path, basic IT administration and networking should be at the top of your to-do list. I pretty much had both of these prerequisites covered, as my undergrad degree was focused on computer networking while I gained IT administration knowledge during summer internships. For non-technical cyber security enthusiasts, even though you won’t need a lot of IT administration and networking knowledge on the job, life would be a whole lot easier with them in your knowledge arsenal.
Remember, in your quest to obtain knowledge, Google and YouTube are your best friends. There’s an endless list of YT channels and resources that can provide you with the much-needed knowledge for FREE!!! All you have to do is search wisely :). And oh, if you have the cash to splash, you can sign up on INE, Cybrary, Pluralsight, Udemy, Coursera or edX to learn basic IT administration and Computer Networking.
Let’s talk about certs…
One of the fastest tracks to learning the fundamentals of cybersecurity in an organized manner is through entry-level certification “training”; it’s an approach that helped me develop my high-level cybersecurity knowledge over a short period of time.
However, it’s important to note that the end game is to gain knowledge, and becoming “certified” should only serve as a secondary incentive.
I usually recommend this step to people who have a basic background in IT, and also because discipline in this field can be quite daunting, mostly due to the fact that there are lots of resources out there. Enrolling in a certification training will keep you on track and provide you with the much-needed direction and discipline to stay focused and motivated.
In terms of budget-friendly training and/or certification that’ll add value to you, I personally recommend Cyberation’s Cyber Defense Analyst (CDA) training and CompTIA Security+. Cyberation is the cybertalent development affiliate of Digiss LLC where I work, so I’ll try not to be salesy here. Some of our students who are Security+ certified will tell you that the difference in quality and (workplace) relevance is night and day. The knowledge and certification that you will acquire from CompTIA Security+ will give you a very good chance of landing an interview, but the knowledge, skills, abilities and confidence that you will get after Cyberation’s CDA training will help you excel at an interview and hit the ground running on the job. While CompTIA Security+ would easily win in a popularity contest, Cyberation CDA is the future of cyber security training because of its work role-based model, practicality, relevance, and mentorship elements. The training goes above and beyond what CompTIA Security+ covers and includes a lot of practical cyber security challenges where you will gain familiarity with some of the tools of the trade. Cyberation also has its own certification program, which, like CompTIA Security+, is recognized by the US National Initiative for Cybersecurity Careers and Studies (NICCS) and aligned with the NICE Cybersecurity Workforce Framework.
Another step that played a major role in helping me establish a foothold in cyber security was mentorship. It’s weird, but my mentor was totally unaware he had a mentee till I had been over a year and a half in the industry. While I never officially reached out for his approval to be his mentee, I’ve been carefully observing and following in his footsteps from a distance. The takeaway here is:
“Find someone who matches your goals, not your existing skills and follow them”.
In addition, I strongly believe that limiting mentorship to solely one-on-one relationships is highly confining — mentorship can come in different shapes and forms. For example, experienced and knowledgeable security professionals are often at conferences, meetups, and other industry and networking events. As far as I know, there are two major cyber conferences in Nigeria (Naijaseccon hosted by Naijasecforce and Cybersecure Nigeria hosted by CSEAN), while on the international front events like DEF CON, DerbyCon, Black Hat etc. lead the way. When you have the time, plan to attend any of these industry events, join cyber security forums on Telegram, Discord, Slack, Facebook, Reddit etc. and make the most of any opportunity to network with and learn from people of interest & like minds.
If you’ve always had the desire to get started in cyber security, don’t allow education, work experience or background to determine your career path or limit your options. Play to your strengths and, regardless of what your background may be, as long as you have passion, drive and the desire to keep learning, you’re on the right path.
Never lose that zest to advance your cyber security knowledge, skills and abilities with every opportunity that presents itself. It’s a big price to pay, but once you start to hone your skills and begin to develop a network of people, trust me, you’ll get noticed and the opportunities will surely come.
I believe this article is a great primer for anyone looking to get into cyber security, and yeah, I’ll be publishing more articles on this subject with emphasis on specific work roles and career paths in cyber security.
If you have any questions or suggestions, feel free to contact me 🙂 Take care!