<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[The Security Brothers - Medium]]></title>
        <description><![CDATA[A blog about various security musings - Medium]]></description>
        <link>https://medium.com/the-security-brothers?source=rss----6128fefa1e63---4</link>
        <image>
            <url>https://cdn-images-1.medium.com/proxy/1*TGH72Nnw24QL3iV9IOm4VA.png</url>
            <title>The Security Brothers - Medium</title>
            <link>https://medium.com/the-security-brothers?source=rss----6128fefa1e63---4</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Mon, 18 May 2026 09:25:47 GMT</lastBuildDate>
        <atom:link href="https://medium.com/feed/the-security-brothers" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Cybersecurity: Ways to kick start your career]]></title>
            <link>https://medium.com/the-security-brothers/cybersecurity-ways-to-kick-start-your-career-89d76f997f3e?source=rss----6128fefa1e63---4</link>
            <guid isPermaLink="false">https://medium.com/p/89d76f997f3e</guid>
            <category><![CDATA[technology]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[software-engineering]]></category>
            <category><![CDATA[careers]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Kevin Qiu]]></dc:creator>
            <pubDate>Thu, 06 Aug 2020 15:19:51 GMT</pubDate>
            <atom:updated>2020-08-06T15:23:26.763Z</atom:updated>
            <content:encoded><![CDATA[<h3>Cyber security: Ways to kickstart your career</h3><p>Cyber security is one of the fastest growing fields in the world right now, and there are many opportunities for talented individuals to find a high paying job in this area. According to the <a href="https://cybersecurityventures.com/jobs/">2019/2020 Cybersecurity Jobs Report from the Herjavec Group</a>, there will be 3.5 million unfulfilled security jobs around the world by 2021.</p><p>Many people commonly associate cyber security with hooded hackers and screens with tons of green text. While Hollywood often has a tendency to exaggerate, jobs like the one that Elliot Alderson has at Allsafe Cybersecurity in the television show Mr. Robot are indeed real, and can be highly rewarding.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/640/1*KcAi1vdcKj5pzJuYlPGnQQ.jpeg" /></figure><p>Many college students that we’ve spoken to participate in CTFs and get certifications such as the OSCP in preparation for a career in penetration testing. Pen testing can be an exciting and fun job for many people. However, it can understandably have barriers to entry, especially for candidates that do not have years and years of experience with application or network security.</p><p>The focus of this blog post will be to describe some of the pros and cons of pen testing and other entry level positions that interested folks can consider. We ourselves have gone beyond pen testing and have tackled other areas such as compliance and security awareness.</p><p><strong>Pen Tester</strong></p><p>Penetration testers are skilled technical professionals who are tasked with finding security related vulnerabilities in a system.
Pen testing is something most of our readers are probably familiar with already, so we’ll focus on some of the non technical aspects of the job.</p><p>One of the benefits of looking for pen test jobs right now is that there are often many entry level openings at large consulting firms such as Protiviti or Mandiant. These consulting jobs allow you to be exposed to many different environments and technologies over the course of a year, and can even lead to travel around the country, or even the world. In addition, the large resources of these firms often mean that you will be working alongside more experienced testers, and will be able to learn from them and hone your skills. Many folks who start their careers at large consulting firms move on to bigger and higher paying roles later on.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*c53dZYpyYXE28P4D" /></figure><p>Although you do end up learning quite a bit from consulting, there are some drawbacks. In many cases you may end up on a pen test project where your team identifies several significant vulnerabilities. It is fairly common for this to be your last interaction with that client, and you may never know if they ever ended up patching all the holes you discovered. In addition, depending on your firm’s sales pipeline, you may go days or even weeks on end without being assigned to a new project.</p><p><strong>Red Teamer</strong></p><p>Red teamers are usually pen testers who are not consultants but work full time at the same company. In many cases, red teamers work remotely and rarely travel. Unlike consulting jobs, a red team job might be harder to land given that many companies are looking for experienced candidates who can jump right in and start campaigns that may last several months.
Your colleagues might not even be aware that your campaign is starting.</p><p>One of the benefits of working with just one company is that as a red teamer, you can potentially be there to see the fruits of your labor, as the company’s blue team should be fixing any identified vulnerabilities over time. At the same time, this could mean that you are not exposed to newer technologies or environments for a while if the company does not rapidly acquire new software or make significant changes to its infrastructure.</p><p><strong>SOC Analyst</strong></p><p>Most large enterprises have what is known as a Security Operations Center (SOC). A SOC Analyst’s job is to review security related logs to identify indicators of compromise. For example, if an analyst notices that an executive’s account was accessed from a foreign country, the analyst would be responsible for working with IT to lock the account and notify the executive in case credentials were stolen. These jobs are incredibly important, especially in the government and healthcare sectors, where data leakage can result in lives being severely affected.</p><p>Many folks who work in or study Information Technology transition to a SOC analyst role given their existing knowledge of computers and networks. They usually end up learning a ton from real, live attacks compared to what students learn in labs and course work. In addition, many SOC analysts move on to other security related roles after a year or so doing SOC work.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/940/1*ox9xnmOTzt7c8TfptNzJSA.jpeg" /></figure><p>Although SOC analysts learn a ton, and play a critical role for many organizations, the job is not for everyone. First off, many Security Information and Event Management tools ingest huge volumes of data sources on a regular basis. Even with significant amounts of time spent on configuration, these tools often produce large amounts of false positives that analysts must spend time parsing. 
This can be incredibly frustrating. In addition, SOC analysts tend to be under large amounts of stress given their job responsibilities. In fact, most SOCs have a <a href="https://cybersecurityventures.com/jobs/">10–50% staff churn each year</a>.</p><p>We hope that this blog post was informative and provided a good overview of the various ways to get an entry level position in security. Many people who start out as a pen tester or SOC analyst often find themselves doing something completely different years later. These are only some of the ways that security professionals start their careers. We’d love to hear about other entry level roles in the comments!</p><p>Keep an eye out for part 2, where we will give an overview of compliance analysts, security engineers, and security researchers.</p><hr><p><a href="https://medium.com/the-security-brothers/cybersecurity-ways-to-kick-start-your-career-89d76f997f3e">Cybersecurity: Ways to kick start your career</a> was originally published in <a href="https://medium.com/the-security-brothers">The Security Brothers</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[How we breached our way into security]]></title>
            <link>https://medium.com/the-security-brothers/how-we-breached-our-way-into-security-8f3903244976?source=rss----6128fefa1e63---4</link>
            <guid isPermaLink="false">https://medium.com/p/8f3903244976</guid>
            <category><![CDATA[security]]></category>
            <category><![CDATA[career-advice]]></category>
            <category><![CDATA[jobs]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[information-security]]></category>
            <dc:creator><![CDATA[Kevin Qiu]]></dc:creator>
            <pubDate>Tue, 05 May 2020 13:49:52 GMT</pubDate>
            <atom:updated>2020-05-05T22:26:42.942Z</atom:updated>
            <content:encoded><![CDATA[<h3>Breaching Our Way Into Security</h3><h4>How Two Guys Made Their Way Into Security After College</h4><p>by <a href="https://medium.com/u/ec474940a07a">Kevin Qiu</a> and <a href="https://medium.com/u/b2f019b37f4e">Mark Rossmair</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VKYq-T2Epex10DPKH-bbyA.jpeg" /></figure><p>It seems like every time you turn on the news, hop on Twitter, or open your email, you hear about a new breach. <a href="https://www.npr.org/2018/09/27/652119109/uber-pays-148-million-over-year-long-cover-up-of-data-breach">Uber</a>, <a href="https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/">Equifax</a>, and <a href="https://www.theverge.com/2020/4/1/21203313/marriott-database-security-breach-5-million-guests">Marriott</a>, the list goes on and on. Then there’s the biggest one of them all, Yahoo, which had 3 BILLION compromised accounts.</p><p>You’ve also heard about the skills shortage, the high salaries, and the cool stuff that security folks do. According to the <a href="https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm">U.S. Bureau of Labor Statistics</a>:</p><blockquote>“Demand for information security analysts is expected to be very high, as these analysts will be needed to create innovative solutions to prevent hackers from stealing critical information or causing problems for computer networks.”</blockquote><p>Growing demand, high salaries, and cool problems to solve. Awesome! So how does one get a job in this field exactly? 
After fielding numerous questions from friends and family members about how we got into security, and why we’ve stayed, we decided to write a blog post about it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*8Gr46KdvhRuNyo1J" /><figcaption>A consultant’s best friend</figcaption></figure><p>These days, many students study some form of STEM major like Computer Science when they decide to go to college. CS jobs tend to pay well, allow you to build cool things, and require you to solve engaging and complex problems.</p><p>I too was in the same boat as many of my classmates in college, but decided that I wanted to travel and see more of the world after I graduated. I then went into tech consulting, which still allowed me to hone my technical chops, all while traveling all around the country working on different things. Security was a natural focus point for me, given that I was already pretty comfortable with computers, and consultants in the field were high in demand (and still are!).</p><p><strong>I’m not gonna lie, some parts of consulting absolutely sucked</strong>. There were 6 AM flights every Monday, 12–14 hour work days during crunch weeks, and hours and hours spent formatting reports and aligning shapes in PowerPoints. You name it, I’ve done it. But it wasn’t all bad. I got to talk to executives, exploit a huge Windows network, and see parts of the country I never would have gone to otherwise. And yes, if you’re wondering, Omaha, Nebraska has some amazing steaks.</p><p>I remember telling myself I’d try out this security thing for 2 years, and go back to making software at some big tech company after that. It’s been several years now and I haven’t looked back since.</p><p><em>KQ</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*S1_HtoGoRGk9j-Ef" /><figcaption>From research to production</figcaption></figure><p>I’ve always been interested in security in one way or another without really knowing it.
I was that kid at 10 years old writing .bat files on the computers at the Dell kiosk in the mall to continuously crash their computers. In college at first I wasn’t sure what I wanted to do, until I realized that this joy of breaking things could lead to a career.</p><p>My first real step getting into security professionally was getting an internship at Protiviti, which was my first choice at this stage in my career, because, let’s be honest, who doesn’t want to get paid to hack? This was a great place to learn the entry level skills I needed to become an offensive security professional. When I worked for Protiviti, I got to work on a few cool projects, but I’ll never forget the first time I got domain admin. When I was working on a pen test for a college client, I was able to get a foothold with an easy Metasploit exploit. After that it was just a matter of pivoting through their network and dropping passwords. When I saw the DA password dumped to my screen I couldn’t have been happier. <strong>It was quite the rush for a little script kiddie!</strong></p><p>After my internship, I became extremely involved in the security community because of the awesome stuff I was able to do at Protiviti. I co-founded two clubs at my school and started a CTF team. I put a lot of work into creating cool demos and labs for other students. I also became a regular at Philly’s biggest security meetup, PhillySec. Being part of the professional security community not only helped feed my security itch, it also wound up helping a lot down the line. People knew about my passion for security and looked out for me whether it was applying to jobs or inviting me to small conferences. Getting involved was one of the best choices I ever made.</p><p>Looking for a full time job was an interesting experience for sure. I had decided that I wanted to try the blue team side of things.
<strong>I must have applied to over 100 positions, digging through LinkedIn, Y Combinator, and compiling a huge list of companies I would want to work for</strong>. I got pretty guerrilla about it, finding emails and numbers to recruiters. I was entertaining a few offers but nothing super interesting came up initially. After a lot of interviews and searching, I landed my first gig at AppNexus in NYC, which was not only the position I wanted but also in my top location!</p><p>My path wasn’t as straight and narrow as it may sound here. There was a lot of work put in and a lot of soul searching along the way before deciding to hop head first into security. Effort and determination were key to getting where I wanted to be.</p><p><em>MR</em></p><p>If you’re in the field and are reading this, we’d love to hear about your story as well. Some of you’ve been finding exploits since you were a kid messing around on your first computer. Maybe you got into security years into your career, or maybe you’re just starting out in your first job. If you liked this and have other things you want to hear about, let us know in the comments!</p><hr><p><a href="https://medium.com/the-security-brothers/how-we-breached-our-way-into-security-8f3903244976">How we breached our way into security</a> was originally published in <a href="https://medium.com/the-security-brothers">The Security Brothers</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>