The New Year is a symbolic time of changes, resolutions, the “new job, new me” type of decisions. Many people will reflect on their current personal and professional circumstances and some of them will push themselves towards improving both of those areas in the coming year.
There has been a general shortage of experts in cybersecurity and related fields for several years now. Personally, I think that 2022 can be the best year yet for making a transition into cybersecurity and related professions – for several reasons:
- Globally, there is an increasing number of remote-first vacancies in cybersecurity, infosec, OSINT and threat intelligence;
- The ongoing coronavirus pandemic has solidified and made permanent the transition into a remote (or at least hybrid) working culture for many companies – this trend is very likely irreversible;
- Like the general IT and computer science two decades ago, the cybersecurity industry is now in the phase of a rapid expansion, specialisation, segmentation and branching off – which means creating many opportunities for people from very diverse personal, educational and professional backgrounds;
- As technologies develop and evolve, the demand for people coming into the field at all levels of expertise is growing – this means in particular entry-level positions. When a newly released tool or framework launches, there aren’t many experts – you can be an early adopter and do well in a short period of time;
- Many companies that operate in this general space have been switching their hiring strategies to lowering formal barriers of entry (formal education, expensive certifications, etc.) in favour of the mindset of being eager to learn – especially at the beginner level;
- The recent intensification of cyber attacks, in particularly ransomware, had a side effect of making cyber security and online safety more mainstream.
Despite the occasional (and incorrect) perception that jobs associated with information security and IT security in general are very hard to get into, as well as some more occasional gatekeeping by certain companies, most often expressed by unreasonably written job descriptions, it is very much within anybody’s reach to land a job in infosec, cybersecurity, OSINT, threat intelligence or any other related profession.
This, however, will require a very specific mindset. And some concentrated effort.
Probably a good deal of effort, actually – but it’s all worth it.
General tips and advice
Before delving into the details, I need to emphasise one thing: even though this piece is written in the “tips and tricks” spirit, the goal is NOT to trick anybody into giving you a job in any of the aforementioned areas. Quite the opposite.
This is not going to a guide for bluffing your way into employment or a “fake it until you make it in infosec” guide – and if you thought it would be, you might as well stop reading now.
The idea behind this post is to crystallise certain things that can be of assistance and of benefit to you, in addition to your own hard work, as you navigate towards the dream career you want to have.
Everything here is either based on my own experiences or my own observations, gathered in the last 2+ years since leaving behind a public sector job.
So let’s go.
- Start with an honest assessment of what you know, what you can learn, what you are willing to learn. You should have an idea or a general interest in a specific domain of knowledge – for example, are you more into hardware or software? How practical or how theoretical is your skillset? Is there a topic that interests you and that you could expand your knowledge of – without it feeling like a chore?
- You can do the above by running Q&A sessions in your head, writing this out on a piece of paper / text file or if you are very organised (I wish I was), apply some snazzy corporate practice to this problem – like conducting a SWOT analysis maybe?
- Identify useful networking resources – this might mean attendance at conferences, talks, meet-ups and other industry specific events (online and in real life). Following these things regularly will help you identify the current topics and help you understand who is who in your chosen field you aspire to.
- Create a curated list of websites, blogs and similar resources and follow their content – for example by creating a dedicated RSS feed.
- Create a Twitter account – initially it can be an anonymous one, since you will use it for lurking. But, if you ever intend to create your own content in the future and to build your own brand, you should consider an account that you will use to gain recognition – attributable to you.
- Either way, you should use Twitter to build up dedicated lists of accounts you follow. Cybersecurity, infosec, OSINT and threat intelligence all have very active and helpful communities on Twitter – you can learn from them even without actively collaborating.
- Both theoretical and practical knowledge in any of the above fields can be tested by hands on participation in CTFs, quizzes and various online contests relevant to your chosen domain. These events usually have very few or literally no barriers to entry – and nobody will judge you if you don’t win the top prize.
- Conduct a literature review – it helps to be familiar with books relevant to the topic of your expertise. It certainly does no harm to have read a book or two on the theory of whatever you decided to focus on – especially if you can put it into practice afterwards.
“Content” is a broad term. It doesn’t mean you need to create high quality videos or start your own podcast. At least not straight away. Content creation might mean one or more of the following:
- User generated content from simply participating in discussions, posting questions and answers, debating technical points, sharing experiences, etc.
- Creating a linkable page (for example on Start.me or on Github) listing useful, handpicked resources that you can share with others.
- Open source research and voluntary contributions to various projects – but remember to get credited properly and to highlight the type and the extent of your participation.
- Your own blog or website (or even a Medium page).
- Guest blog posts, Medium articles, Twitter threads, Github repos or any online publications about the subject matter of your choosing.
- An online portfolio of your own research and documentation (even beginner level attempts count), explainers of analysis or methodologies, or even your own notes you took when studying for a cert.
- Your own presentations, walkthroughs, video tutorials showing you tackling a problem connected with whatever subject matter you are going to specialise in. Or maybe just sharing your experiences about an industry entry-level exam you recently passed?
Networking and community participation
- Create a LinkedIn account – just remember to keep it professional. Use it to network like there’s no tomorrow – this includes joining some already established groups dedicated to topics of interest.
- Identify whatever other media you think you might find useful (Reddit, Discord, Telegram, YouTube etc.) and join groups, chat rooms and communities on those.
- Reach out to people who are respected / experienced in the industry – don’t be a stranger! What is the worst thing that can happen if you ask a question and receive no reply? If there is somebody you respect or admire a lot, you can make inquiries about a mentoring option – or just some advice. The majority of people in those communities are very helpful and approachable.
- Find suitable venues where you can volunteer to present on topics you know well – even the basic ones. There will always be a demand for reinforcing the basics since there will always be new people looking to enter the field as absolute beginners.
- I mentioned participating in CTFs and various contests. You can also participate in them on the other side of the fence – as a judge or an organiser. This opens up many avenues for networking opportunities and identifying new people to learn from (or learn with).
- Volunteering with organisations even very loosely associated with the subject matter is seen as a worthwhile, noble and commendable past time (for example, promoting computer literacy among kids or the elderly). It’s not for everybody, but remember that one of the best ways to learn something really well is to teach it to other people.
- Experience of any kind is valuable – even unpaid, like volunteering, an internship or some kind of “digital apprentice” hands on work – still counts as experience!
Specific tips & tricks
- Number 1 rule – practical skills and applicable knowledge beat credentials, certs, academic qualifications and stuff like that. If a Udemy course for 15 euro can teach you hands on skills – go with that first. You can always pursue academic education down the line.
- Identify key terms and concepts from the specific field of your choice. Make a list of these concepts and be able to explain them with confidence if needed. Examples: killchain, APT, intelligence cycle, TCP/IP, MITRE Framework, salting hashes, etc. The list goes on, depends on what you focus on.
- You don’t have to study for a cert and do the exam to be able to use its curriculum in order to organise your knowledge. Want to learn about cybersecurity but unsure where to start? The Security+ curriculum will show you the way. All you need is the discipline to self study.
- Pick a desired specialty with no barriers to entry and spend time on it hands on. For example, email header analysis – you can learn to do it using free resources alone (start here).
- Get familiar with OWASP – their methodology, their Top 10, their free tools and more.
- Can’t afford a 10k SANS course? Try out their free resources fist. And remember – price is what you pay, but value is what you get.
- If interested in vulnerabilities and how to mitigate them, check out CVE Mitre or Exploit DB – see what the current most frequently encountered / discussed topics are.
- If interested in malware analysis, set up a home made lab using REMnux or FLARE virtual machines (just be careful to practice proper host separation – or use a separate, dedicated machine).
- If digital forensics is your thing, try the free Autopsy forensics toolkit or a specialised Linux distro – CAINE. Next, take an old USB stick, upload some files and photos to it, delete them – and then try to retrieve everything using the above software and the free online tutorials like this one.
- Some useful hacking-related YouTube channels are listed in this Twitter thread.
- TCM Security Academy has some useful, hands on and affordable training opportunities.
- Pick an inexpensive or a completely free tool and specialise in it. Learn all you can about it – and then pass this knowledge on to others. I did this myself with Shodan. Everybody has to start somewhere.
- For practical simulations and other hands on practice try one of these resources allowing you to have a go at exploits in controlled environment: Hack The Box, TryHackMe, VulnHub.
- The initial expertise in threat intelligence can be self taught at the basic level. You can start reading about domains, IP addresses, file hashes, indicators of compromise and so on using free resources only. Start with Virus Total and Alien Vault, then see where you end up.
- In a mood for some hands on OSINT? Practice on geolocation quizzes.
- Heard of a newly popular scam or fraud tactic? Dig into it more and document what you did – example here. Not only will you learn some new things, but you create a record of your own competence with this kind of hands on analysis.
- Try the dedicated OSINT Jobs website – not only for current vacancies but also for interviews with people who work in OSINT to get their take on how they got to where they currently are professionally.
- Last and not least – don’t forget those soft skills! Being a person who is easy to work with is a skill very much in demand, and not that commonly encountered!
Alright, that’s it for 2021 folks.
Over and out, see you next year.