A Graduate’s Thoughts: How to Get Started in Information Security and Cyber Security

drunkrhin0
Published in Heck the Packet
13 min read · Feb 3, 2020

Information security (infosec) and cyber security are currently hot topics. I’ve had countless people ask me how to get started, what certificates they should get, what they should do, how much they should spend, and so on.

The aim of this article is to provide you with a number of tips to equip yourself to get started in the information security industry.

Notes:

  • This is a long article. You can skim the headline points if you want, but this has taken me hours of writing and years of learning, so I’d recommend taking the 10–15 minutes to read it.
  • I’ll be referring to infosec since cyber security is a component of it.
  • I haven’t been in the industry too long, but I’ve helped and guided countless others through it.
  • I don’t have all the answers and I’m still on my own learning journey.
  • I’m not a professional writer.
  • This is the advice I wish I had been told but learnt the hard way.
  • My views are my own and do not reflect my employer’s.
  • I asked others for their advice which has contributed to this article. You can see the full thread here.
  • If you have any questions feel free to ask me on Twitter.

# 01 — You REALLY Have to Want It

Show your passion! Show how much you want it!

Infosec is a competitive field. Completing a degree/certificate or just knowing a thing or two isn’t enough. You have to live and breathe infosec. It should light a fire in you: you won’t want to shut up about it, and you’ll drive your friends and family mad with it.

When looking for a job, the person interviewing you will clearly see the passion within you. If you’re trying to enter the industry because it’s in the limelight or you heard it pays good money… you’re in the wrong place.

Passion plays a key part in the industry. Being a whiz-bang coder, hacker, or walking encyclopedia is great. But if you don’t possess the passion, drive and mindset, it will be hard to come by a job. Your passion and parachute engineering mindset are what an employer is looking for. They don’t care that you don’t know eight languages or every function of AWS; they care how you handle a situation and how you adapt to it.

# 02 — Just Start!

You don’t need a rack server at home with 2TB of RAM, or the perfect laptop, or that one sticker everyone has, or $1,000 of cloud computing credit. Don’t make excuses!

  • Don’t know the perfect strategy? Just start trying! Even if you’re wrong, you’ll learn from your mistakes.
  • Don’t know the answer to a question? Start researching it before seeking help from others.
  • Don’t take shortcuts: they don’t work in this industry, however tempting they are when you’re first starting out.
  • Don’t have the finances? There’s a huge amount of free resources available now. I’ve listed a few later in the article.
  • Don’t have the time? Make it a priority and build a micro-habit of infosec, even if it’s reading one article a day.

There is no one way to skin a cat and no one way to begin. Faith summarises this well below.

# 03 — Be the Dumbest Person in the Room

Always strive to be the dumbest person in the room. When I read Ego is the Enemy, I came across a quote that changed the way I think.

“Do you know the secret of the true scholar? In every man there is something wherein I may learn of him; and in that I am his pupil.” — Ralph Waldo Emerson

The smartest person in the room is the only one in it incapable of learning. You’re probably wondering what I mean by that. Always be learning… never stop. You can take away knowledge and expertise from everyone you’ve ever met. My dad was so proud of graduating university. The first time he showed me his degree, I could tell it was a prized possession. I said to him, “What if someone steals it?” He said to me, “They can take the piece of paper. I can get another one. But they’ll never take the knowledge up here *points to his head*.”

The dumbest person in the room often seeks the most discomfort. Humans dislike seeking discomfort; we simply don’t like change. There’s a rare breed of people who do, and these are the dumbest people in the room. A good example is Yes Theory, who often go on extravagant adventures to seek discomfort. Being the dumbest person in the room is a choice. The dumbest person in the room is OK with failure. They’ll get up again and give it their best. This mindset brings massive advantages to your personal growth. If you think you’re the smartest person in the room, how are you going to learn? I’ve listed some tips below:

  1. Ask questions:
  • Why are we doing something this way?
  • How can we achieve this more efficiently?
  • What is the ultimate goal/outcome?

When you ask questions, you’ll:

  • Learn to solve problems in new ways
  • Learn new skills
  • Push yourself further
  • Remain engaged in the conversation

2. Listen more than you speak. My brother always said to me, “No one asked for your opinion.” Stop providing your opinion in every situation. Carefully listen and ask a lot of questions to further inform yourself. Provide your opinion if prompted or necessary. This is something many people struggle with, including me. You were given two ears and one mouth… you should use them that way.

3. If you’re undertaking higher education (college/university), go beyond the course and learn. These courses are designed to give you a head start in the industry; there is not enough time in the world to give you an insight into every nook and cranny of it, so you have to go out and continue learning yourself. For example, if you’re learning Python at university, don’t just rely on the course. Go take an online course, build and debug programs for yourself, automate a task at home using Python.

4. Ego is the enemy. Ego blinds you. You can’t motivate yourself if you already think you’re the best. If you think you’re the best, you’ve already lost the battle. Be honest with yourself when you get interesting results. There is a fine line between confidence and ego, and knowing that line will keep you humble in your learning. Everyone is an expert in something, so take the opportunity to learn and grow from them. Someone with knowledge you don’t have has fallen 1000 times over to hand it to you on a silver platter.

# 04 — There are No Barriers to Information Security Anymore

In the past, it was hard to come by information regarding infosec. Information was scattered and often lacklustre. Recently, this has changed. There is plenty of fantastic content out there now, regardless of which part of the field you’d like to enter. A lot of this content is free or relatively cheap for the quality of work available. There are no barriers into the industry anymore. If you’d like a test computer, you can now boot up a VM locally or in the cloud. If you’d like security tools, the FOSS community has an alternative for any type of software available on the market.

Listed below are a few of my favourite content creators/courses:

This list is not comprehensive whatsoever. I’ll create a separate list later for those interested.

# 05 — Explore All the Possible Pathways Available

Pop culture, TV shows like Mr Robot, and certifications glorify offensive security. Don’t get me wrong, it’s cool, but every person who tells me they want to enter the field tells me they want to be an ethical hacker/penetration tester. Someone being in the infosec field doesn’t mean they’re a l33t haX0r who browses the dark web at night just because. There are plenty of jobs and fields, ranging from appsec to threat hunting and many more! Don’t be afraid to try different areas of information security. You never know what you’ll like until you try it! Explore your options and don’t rabbit-hole yourself in one specific area either.

There 👏 are 👏 other 👏 jobs 👏 than 👏 pentesting

SheHacksPurple explains this better than I ever could. I’ve linked her article down below.

# 06 — Find an Internship

This point is aimed more towards university students. To complete a degree (in Australia at least), it’s quite common to perform a project over a semester or complete a Work Integrated Learning (WIL) component. This is hands down one of the best ways into the industry. It gives you a large chunk of time to learn, grow, make connections and prove yourself. It’s not uncommon to get a job through this avenue if you’ve proven successful (in fact, this is how I scored my job).

If you’re unsure where to start, reach out to your university/educational institute, or reach out to people in the industry and see if they’re willing to take you on. A noteworthy point, however, is that if it’s an unpaid internship (which it commonly is), you’ll still have to work additional hours at a paying job. This isn’t an easy task, but I assure you it’s 100% worth it if you can pull it off.

# 07 — It’s Impossible to Know Everything

A jack of all trades is a master of none. As a newcomer, you want to make the world your oyster, absolutely immerse yourself in every possible aspect, and know every little bit about everything. While the ambition is admirable, you’ll often come across experienced people who have been in the field for 5, 10, 20+ years and who know a lot more than you do.

At some point, this will inevitably leave you feeling a bit down. It’s important to remember that they have plenty of experience behind them and it’s just the start of your journey. Pick something to specialise in, something you truly enjoy in information security.

Please don’t be that person that just says, “Yeah I want to work in infosec”. I’ll often ask a large number of follow-up questions including “What do you enjoy the most/What do you primarily want to focus on?” and I often receive “Oh yeah you know… infosec”.

I once heard my friend Ricki give a valuable piece of advice:

Don’t just think about the industry. Think about the job you want and the skills you need to get there.

# 08 — Build a Network, Make Friends and Use Social Media Effectively

Contrary to popular belief, you don’t have to be the smartest person in the room. A common saying is “It’s not what you know but who you know”. When I was starting my second year of university, I vividly remember telling my mum the following:

“I’m not the smartest person at university… I’m going to spend all my money this year and go attend conferences and network instead. I don’t know how to do a lot of things, but I know how to talk to people”

I didn’t realise at the time, but this was invaluable. Over the last 8 years, I’ve been a professional photographer. It really improved my ability to approach people and rapidly strike up a conversation in comfortable and uncomfortable situations.

Frankly, I had no idea what I was doing. All I knew was that this was what everyone did and that it was a valuable place to learn and take in the atmosphere. I started meeting people through friends and random encounters. The more conferences I attended, the more I started to see the same people. Through familiarity and random conversations, these people quickly became my friends. The same friends are the people who look out for me the most, help me improve, and care for me.

You’re probably saying in your head right now, “Well, how do I get started?”

  1. Go to conferences and meetups. If you’re in the APAC region you can check out APAC Conferences and APAC Meetups.
  2. Make a Twitter and LinkedIn account and actively engage with the community.

You’ve met all these fantastic people at meetups/conferences. You got along with a few people who share mutual interests. Don’t lose that connection!

  1. Ask them if they have a Twitter or LinkedIn account and follow them.
  2. Start engaging in discussion. These platforms are made to be engaged in this way.
  3. Follow people and topics you admire.

Social media is a great way to stay informed of current events and to find new tools and techniques. You don’t have to stop at Twitter and LinkedIn: if you enjoy tools or coding, make a GitHub account and be active (employers LOVE this).

The best jobs are never advertised. These are usually offered to connections or referrals from other stakeholders. The only way to get those is to have a personal network to begin with.

# 09 — It’s 2020, You Have No Excuse to Have a Bad Resume and Cover Letter

Bad resumes are a pet peeve of mine. Instead of writing a paragraph, I’m going to list a bunch of do’s and don’ts.

Do

  • Pick a nice template (they’re not hard to find).
  • Include volunteer experience on your resume.
  • Include your skillset.
  • Include a cover letter (even if they say it is optional, cover letters are a must!).
  • Inform your references you’re applying for a job.
  • Focus on what you have to offer the organisation.
  • Grab the reader’s attention immediately.
  • Personalise your cover letter — try to be original and use personal examples, not just buzzwords.

Don’t

  • Include every job you ever had (working at McDonald’s at 16 isn’t relevant to information security).
  • Provide a poorly formatted 6-page resume.
  • Use the same cover letter for every job (they know… and they won’t read it).
  • Include a photo (they’re going to look at your LinkedIn profile anyway).
  • Include your full address (suburb/general vicinity is fine).
  • Include personal information such as your marital status, birthday, passport number etc. (especially in the security industry).
  • Assume you will get the job.

# 10 — Contribute to the Community

The information security space doesn’t exist without a community focus. It relies on the love, passion, and hard work of the community that surrounds it. Conferences like BSides, which offer high value at low cost, are all volunteer-based. Open-source software like VLC media player relies on countless individuals providing a better experience for you at no cost whatsoever.

This is a fantastic way to get your foot in the door and do some good at the same time. Not sure how to contribute?

  • Work on a personal project: This is a great way to upskill yourself. You may think the research you did isn’t that great or innovative. That doesn’t matter; it allows you to explore new areas and gain new skills, and you may interpret it differently to those who came before you. This can be some code you wrote on the weekend, a project you did at university, or even a problem you encountered and how you solved it.
  • Present your personal project: Seriously, just present it. I know it’s scary and hard to do. You’re scared of the imposter syndrome that goes along with going to a meetup/conference: “It’s not that innovative”, “I’m under-skilled”, “It’s honestly not that great.” People don’t actually know this. Everyone has knowledge gaps and may find what you accomplished fascinating. Presenting your project will help you make a name for yourself while showing others some original research you’ve conducted. Without the encouragement of friends (specifically evildaemond), I never would have presented my first conference talk at BSides Melbourne.
  (Image credit: Austin Center for Design)
  • Contribute to forums: If you can provide your expertise in forums like Slack channels, Discord servers and websites like Reddit, please do. I often receive a large portion of my daily news/things to try from forums.
  • Pay it forward: You may think you don’t know much, but if there’s something you can help someone with, offer your advice/expertise!

# 11 — Soft Skills Are Even More Important Than Technical Skills

Infosec has a heavy technical aspect no matter which role or part of the industry you may be in. This often leads to most people being more technical than soft-skill oriented. You can be a technical prodigy, but if you can’t interact with others and uphold certain values, you’ll struggle to get hired. My old head of school used to tell me:

“If I had two candidates for a job, where candidate A is a coding genius but lacks soft skills, and candidate B has good soft skills and is decent technically, I will always hire the one with good soft skills. Soft skills aren’t easy to learn. But I can send the person with good soft skills on a course for $5k and they’ll come back with both.”

This really struck a chord with me, and I remember it vividly to this day. Good soft skills often consist of the following:

  • Strong ethics and values
  • A good attitude
  • Effective communication
  • Ability to work in a team and to work alone when the need arises
  • Critical thinking
  • Ability to communicate to stakeholders

# 12 — Try to Gain IT Experience Before Infosec Experience

Possessing IT experience isn’t essential, but it is a massive help in the infosec field. Personally, I believe one of the defining traits of successful infosec professionals is that they have prior IT experience. Security didn’t truly exist as its own discipline until recently; it was just a small responsibility of someone in IT. Until then, most people were system administrators, working the helpdesk, or in some other area.

Prior IT experience (in any form) is invaluable. If you can manage to work in an IT environment, such as helpdesk or building solutions, I assure you the experience you gain will build the foundations of your infosec career. By understanding how something is built/managed/maintained, you’ll in turn know how to break it in an offensive capacity.

# 13 — Find a Mentor (Unofficially or Officially)

I don’t see mentors as essential, but rather as a guiding light. You may gain a mentor officially by seeking one out through friends or social media channels like Twitter (a great place to look for one). However, I’ve never been fond of the idea of actively seeking a mentor out; I’d rather come across them. This could be your boss, a friend, a family member, or a member of the infosec community. You don’t need regular one-on-one meetings every week, or to pay one; you just need to have that person in your life.

A mentor doesn’t always need to be asked, but will happily talk to you, guide you, and help you out in times of need.

Key qualities in a mentor include:

  • They inspire you!
  • They provide clarity and maintain accountability
  • They help you set Specific, Measurable, Attainable, Realistic, Timely (SMART) goals
  • They help you sharpen your skills
  • They offer you guidance and insight from experience to prevent you from making mistakes they once did
