"How do I get started in information security?"
Given the steady frequency in which I have observed this same question, I decided to catalog my oft-repeated bits of advice and general thoughts about how to get started.
* This guide is by no means an exhaustive how-to, nor does it represent the best or clearest path to a successful career in infosec. I only hope it can act as a compass for those who are interested in breaking into the field.
What do you want to do? There is a wide variety of infosec-related trades, and though the path into any one of these roles may share some commonalities, there is no one-size-fits-all approach to becoming a cybersecurity professional. For this reason, the first thing I ask is - Do you have an idea of what role specifically you’d like to pursue? If you’re not sure, don’t worry! This is common for those new to the field. A little research into possible positions and titles is easy enough. To do so, I recommend perusing employment sites such as Monster, LinkedIn, SimplyHired, CareerBuilder or simply Googling what you are interested in. Within these job listings you should find not only the titles of potential jobs but also the sought-after skills and general qualities being asked of the respective applicants. During the course of this research, you may stumble across an abundance of job titles which resemble “Information Security Analyst” or “Cybersecurity Engineer”. This sort of job-role-normalization is common but can be misleading as responsibilities for those who wield these titles are often far more specialized and nuanced than the description would have you believe. With that said, many of us in the field do indeed have responsibilities which are more generalist in nature but typically, entry-level positions will ask that applicants have a modicum of skill in a specific domain. In any case, some infosec domains/job titles you may be interested in include security administration, web application security, identity & access management, risk management, policy & compliance, penetration testing, vulnerability management, incident response, reverse-engineering, threat hunting, security architect, security manager and more!
Learning. OK, so maybe you know what you’d like to do in infosec or maybe you don’t - either way, you’re likely going to need to learn some stuff. Across any specific infosec discipline, there are certain concepts or skills that will almost always be useful. I’ve created a list of these fundamental information security domains and would recommend those new to the field begin learning the basics of each. For diving into this list, Google is your friend - simply search for any of those concepts and how they apply to infosec. For a more targeted approach, there is of course a multitude of online resources available. For example, I maintain a list of various infosec-related resources. Even better, check out this massive list of training, both free and paid. If you’d like to read about my journey into infosec and beyond, I’ve catalogued this is great detail. Infosec is great in that you really can learn just about anything online - for free. Where you can’t find it for free, it’s probably available at a reasonable cost. The hard part is narrowing down exactly what you want to learn. But that’s what also makes the field so exciting!
Certifications. In my experience, recruiters, hiring managers, other infosec pros (to some degree) and the infosec industry at large love certifications. Take for example, the CompTIA Security+ certification. The Security+ is a great entry-level cert which can not only demonstrate that you are serious about getting into infosec but it also is a great introduction to a lot of the foundational infosec concepts you will use throughout your career. I think the return on investment in getting this cert is well worth it (I in-fact started out my infosec career with this cert so I can attest to its worthiness). The infosec field has countless certification and training offerings, you need only research what may be interesting to you. For those who are figuring out what certification or training to take next, I’ve personally reviewed a variety of certifications/training courses I have taken over the years. Some popular training vendors are listed below in this guide.
The job search. Job hunting with little-to-no actual relevant work-experience can be a disheartening exercise when many of the entry-level job descriptions you come across require applicants already have several years of experience. This is an annoying paradox of the infosec field - how can entry level positions ask for several years of experience! My advice is to apply to these (entry-level) jobs anyway! You may be surprised to find that hiring managers can be willing to take risks on a less-experienced but highly motivated candidate. It may also be that the job req was written in a way that was far more limiting then the hiring company intended, thus scaring away many potential qualified candidates. I would also recommend not to be afraid of taking an entry-level infosec position that may not exactly be what you you are primarily interested in. Certifications are great, but experience will always be king and getting that first job can be tricky. It is, in my experience, easier to find additional opportunities in the field after getting that first infosec position and getting that first crucial bit of experience on your resume.
Professional networking. This is as true for this field as it is for any other and I can’t stress this enough - meeting people, talking with people and expanding your professional network is a great way to discover new opportunities. So create a Twitter account, create a LinkedIn account, check out relevant sub-reddits (or this or this), join an infosec-related discord server or two, go to local meetups, engage with online communities, introduce yourself to your coworkers you don’t normally interact with, go to career fairs, you never know where your next opportunity will come from. (To start, feel free to connect with me!)
About college degrees… Do you need a computer science, IT or infosec-related degree to get a job in infosec? - The short answer is no. The long answer is that a degree can certainly help you stand out in the eyes of recruiters and hiring managers. It can give you a leg up on candidates who don’t have one, it helps you bypass certain hiring filters (filters that would exclude non-degree-holding candidates) and of course the curriculum in a related degree program will likely be helpful in demonstrating experience and relevant knowledge to a prospective employer.
That first job. Starting out in a help desk, software developer or other IT-related role (even if this role is not explicitly “information-security-related”) is a common path for many infosec professionals. These jobs will give you valuable experience in the knowledge areas that are critical for infosec professionals. For example, as a software developer you will learn how to create awesome, functional code. Now let’s say you want to pivot into being an application security professional. That previous experience learning to write code will be instrumental in you learning how to now secure that code. This same paradigm applies to all IT roles - including everything from help desk (learning how to troubleshoot common problems with operating systems) to network engineer (learning to build, maintain and architect IT networks) to database administrator.
Demonstrate and exercise your passion. This can be done in innumerable ways. Create a Github account and commit your own projects or contribute to others. Stand up a home-lab and practice networking, hacking or web development. Create a cloud account and learn about cloud architecture. Listen to infosec podcasts. Heck, create your own podcast! These are just a few ideas. What’s important is that you embrace the field so when speaking with others (for example a recruiter or hiring manager) you can demonstrate your passion and skills which will help you stand out.
Join the community. The infosec community is, I think in total, a friendly, thriving, and dynamic community. There are countless meetup groups, conferences, online forums and more that can be joined. Networking and learning from others in the community helps you accelerate growth and demonstrate your passion.
GOOGLE! Just about everything you could want to learn is available online. With a little motivation, determination and will-to-learn, you can learn just about anything in infosec.
Spin up a “Homelab”. You can get a lot of experience with enterprise-grade tools right from the comfort of your own home. Nessus, Splunk, Burp Suite and Snort are just a few examples of tools used in organizations that offer free or open-source versions of their software you can download and learn to use. Your homelab can serve as a place to hone these skills before ever even applying to your first infosec position.
Fundamental Information Security Domains
The domains below represent my take (generally) on the foundational knowledge areas for infosec professionals. You certainly do not need to be an expert in each but knowing as much as you can in each will ensure you are well-rounded.
- Security Fundamentals (e.g confidentiality/integrity/availability, risk management, least privilege, access control, defense-in-depth, etc…)
- Scripting/Programming (e.g. Python, Ruby, Powershell, Bash, Java, C, C#, etc…)
- OS Fundamentals (e.g. Linux, Windows, MacOS etc…)
- Networking (e.g. TCP/IP, Networking Protocols, Routing/Switching, etc…)
Learning to Google for things is probably the most valuable piece of advice I can give. With that said, I’ve compiled a list of (introductory) resources below which can help you get started on your infosec journey… I also maintain a more comprehensive list of infosec resources if you’d like to take things a step further. Finally, there is an amazing wealth of infosec content out there on the Internet. I’m making an attempt to index that content here.
Where to Learn Stuff
There are plenty of online training/learning sites. Below are some of my favorites. Check out this post for a more comprehensive list!
- Awesome Free Training List - This individual has been maintaining a pretty fantastic list of free resources, everything from training to podcasts.
- Stack Overflow - Can’t figure something out, stack’s got your back.
- YouTube - Believe it or not, tons of great instructional videos here.
- Cybrary - Free IT training.
- edX - Free online courses across a variety of disciplines.
- Pluralsight - Paid online video training but has a vast library of courses.
- Microsoft Virtual Academy - Free training from Microsoft.
- NIST Special Publications - Computer Security Resources from NIST (take a look at SP 800-53). Can be dry reading, but it will help you talk the talk.
- NIST CSF - The Cyber Security Framework. More reading from NIST.
Stay Up To Date
Infosec is a fast-moving field. Keeping up to date on everything going on is a large part of being a successful infosec practitioner. The resources below can help you keep track of it all…
- RSS - I like to use Feedly to manage my RSS feeds.
- Reddit - Front page of the internet and a great place for security news (and plenty of other stuff).
Learn to Code
Coding is SUPER important for security professionals. So go learn some!
- Github - Create an account, create code, share code and contribute to others code!
- W3Schools - Learn the web and how to develop.
- CodeSignal - Coding challenges, brought to you!
- Codeacademy - Free site to learn coding.
- Python.org - Official Python site.
- Official Python Tutorial - Python tutorial from python.org.
- Ruby - Official Ruby site.
- Rubyfu - Enhance your Ruby-fu.
- Bash Scripting Tutorials - Bash scripting tutorials.
- Free eBooks from Github - Free eBooks from Github.
You’re likely going to be using one or more OS’es to secure the same or other OS’es. In other words, you should probably learn about OS stuff.
- Windows Tutorials - Learn about Windows.
- Powershell - Do everything in Windows, from the CLI!
- Ubuntu - Popular open source workstation-class Linux distribution.
- Kali Linux - Download Kali, learn security tools, learn Linux.
- SS64 Command Line References - Assorted command line references.
Packets. Segments. Datagrams. Data. It moves from place to place and knowing how that happens is pretty useful.
- Nmap - Available in the Kali distribution - Learn network scanning and a little TCP/IP while you’re at it!
The Internet. Ever heard of it? It’s full of web apps!
Fancy yourself a Mr. Robot-type?
- VulnHub - Test your might against vulnerable VMs developed by the community.
- Metasploit Unleashed - Hacking tutorial by the guys at offsec.
Certs. Love ‘em or hate ‘em, they can be helpful.
- CompTIA Security+ - Entry level certification but provides invaluable entry-level knowledge to the field of infosec.
- SANS - Fantastic cybersecurity training but very expensive.
- OSCP - Practical penetration testing training (and highly regarded certification in the industry).
- CISSP - Need to improve resume? This cert can often help.
- eLearnSecurity - Practical, hands-on infosec training. They have a great catalog of courses.
The cloud is just someone else’s computer right? Well if you’re putting stuff on someone else’s computer you should probably learn to secure it even better.
- AWS - Heard of the cloud? AWS can give you your own chunk of the cloud to play in.
- Azure - Microsoft is also in the cloud game.
- Google Cloud - Not to be outdone, Google. Also in the cloud.
- A Cloud Guru - I personally recommend this online training for learning more about the various cloud platforms. (It is a paid service!)
- The Shellsharks Podcast
- Getting Into Infosec - This is my favorite podcast recommendation for newcomers to the field.
- Black Hills Information Security - A great podcast with lots of technical stuff.
- StormCast - Podcast from SANS with daily information security news.
- Brakeing Down Security
- Security Weekly
- Defensive Security
- The Southern Fried Security Podcast
- OWASP Podcast
- Security Now!
- Purple Squad Security
Other Getting Into Infosec Guides
Don’t take it from me! Check out some of these other guides.
- How to Build a Cybersecurity Career - A prescriptive guide from Daniel Miessler.
- Getting Started In Information Security - Thoughts on getting into the field from Endgame.
- How to Get Into Cybersecurity Regardless of Your Background - A guide for all, from Springboard.
- Infosec Newbie - A collection of resources, courtesy of mubix.
- How to Get Into Information Security - A guide from the guys and gals over at Black Hills Information Security.
- Getting Started in Cybersecurity with a Non-Technical Background - A guide from the one and only SANS.
Thanks for reading! I hope the guide was useful in some way.