Why the Fundamentals Rule in Cybersecurity
From catching bad takes to breaking into the industry, the fundamentals must not be ignored
I often see this question asked: “How can I get into cybersecurity?” Not only is this an exciting question to hear, but it’s also less complicated than you might think. In my opinion, the answer is simple: master the fundamentals.
This goes beyond just trying to get into cybersecurity, though. This is also not a task that ends once you land your first job. While the foundational aspects of the industry will remain relatively unchanged long into the future, maintaining mastery can be a challenge when also balancing learning more advanced topics that tend to evolve at a much faster pace. To make it worse, we’re only human, and studies show that, on average, humans forget 90% of what they learn within a week of learning it.
Mastering the fundamentals and making routine pit-stops to rehash what you’ve learned is essential, and it can help not only in discerning good cybersecurity perspectives online from bad ones, but also in reinforcing the advanced concepts to stay ahead of the industry.
Discerning What You Read
By now, most of you reading this article have some form of a social media presence, and on those social media platforms, you may follow some cybersecurity personalities. If you don’t, you should. There are some phenomenal researchers that routinely post about their research and experiences and it can be a fantastic place to network. That said, social media can also be a terrible trap where those new to cybersecurity can end up following the wrong types of accounts and learning all the wrong things.
With a strong grasp of cybersecurity fundamentals, which we’ll talk about towards the end of this article, you can better discern who is posting legit research and who is posting fluff. This isn’t to make you suspect that most of what you see is fluff. However, there exist spaces in the cybersecurity community that are much more sensationalized than others. Being aware of those spaces and having an appropriate level of skepticism can go a long way.
Some specific elemental concepts are frequently ignored, and the research that results proves to be flawed. Being able to identify when something is a vulnerability as opposed to a feature, understanding the spectrum between security and business continuity, and knowing the CIA triad and what those elements truly mean are all extremely important.
I want to make a note about reacting to posts where the fundamentals are ignored and the rest of the research is, therefore, unsound, because I don’t want anyone to interpret this article as a call to action to expose “bad takes”. Every piece of research, however valid or flawed, is a learning opportunity. Even if research fails to observe the fundamentals, it still gives an opportunity to learn about how things work, how researchers choose to navigate those functions, and what that navigation reveals.
With a strong grasp on the essentials, you can also see through the web of oft-said cybersecurity buzzwords and get to the core of a thesis or assertion about products, stories, and statements. Buzzwords sound cool, but when you understand their meaning and the role they play, you’ll be able to move past flashy pitches and ask the more specific questions that you might want to ask when vetting things online.
Breaking Into Cybersecurity
Nailing down the basics is important for more than just staying out of online drama. You’re probably reading this looking for a way into cybersecurity, and this is exactly the way in: nail the fundamentals.
The effort put into getting the aforementioned topics down first, and then those in the next few layers, will get you close to earning a certification like the CompTIA Security+, which is a fantastic and affordable entry-level certification (not an ad, I actually believe in this pathway).
Getting a certification like that helps show potential employers that you have the foundational topics down and are ready to start delving into more advanced and applicable material. Pairing a certification like that with some real-world experience in the form of full-time work or internships can go a long way. If neither of those is an option, then making a home lab and finding projects can help as well.
What Fundamentals to Learn First
It can be a challenge to find the right point of entry to begin your studies. If you’re coming in completely fresh with no IT experience, it might help to first start with networking fundamentals. I refer to the topics covered in exams like the CompTIA A+ and Network+ as guidelines because they cover material that’s expected to be known before attempting the Security+, and those are topics that you absolutely must understand before diving into security concepts.
Without a firm understanding of networking and how computers generally work (you don’t have to be the next Alan Turing), you may encounter difficulties when mapping out the flow of events that occur in something like a Man-in-the-Middle attack, or a DDoS. No, you don’t have to actually pass or even take the A+ or Network+ to know the material, as long as you do study and know it before moving on.
Once those are down, you’re ready to dive into the security sphere. In my opinion, learning things like the CIA triad first helps contextualize where the rest of the cybersecurity concepts you’ll learn fit in. Some of the topics like Business Continuity / Disaster Recovery may not seem like they’re related to cybersecurity until you completely understand the role of Availability in the CIA triad.
Another thing that might be helpful to know is the spectrum between business continuity and security. This is often not talked about until you actually get into the field and start working with non-infosec people that have a job to do. Oftentimes, security comes at the price of productivity, and accepting risk may be part of the risk model an organization chooses to take in order to keep business flowing.
Apart from knowing about how to assess risk and why certain business leaders may choose to take certain positions with their risk model, it’s important to remember the very reason that cybersecurity exists is to keep businesses going. Organizations wouldn’t invest so much money into cybersecurity if all it did was slow business down. In some cases, additional security measures must exist to protect the people and infrastructure. However, there are other times where you’ll have to adapt to the environment and provide better security in some areas to compensate for inherently weak security in others. It’s not fun and it’s often quite frustrating, but that’s the job.
There are so many other key concepts to nail down before moving forward and it can be quite intimidating. Fortunately, there are some fantastic folks out there providing excellent content for free that you can leverage to learn everything. For me, Professor Messer was a great resource I leaned on when studying to take the Security+, and I know his content has played a pivotal role in many other people’s cybersecurity journeys. He also has content on A+ and Network+ material.
Nailing the fundamental concepts in cybersecurity is clearly important. It will not only help you discern if the things you’re reading online are legit or not, but it can also help you break into the industry for yourself. While cybersecurity can be challenging, it’s not at all something you have to go into alone. There are fantastic cybersecurity professionals that you can network with on sites like LinkedIn, Reddit, and Twitter that will be more than happy to help you in your journey (as long as you Google it first).
Beyond that, Google and YouTube are fantastic resources that, when leveraged, can lead to a substantial amount of learning and professional growth. As you continue to dive into the fundamentals, take note of the resources you’re using so you can recommend them and pass them on to other aspiring professionals along the way. As we all continue to mature in our careers, let’s keep a strong grasp on the principles of cybersecurity and continue to help others in their journeys.
Be sure to check out my YouTube channel where I cover cybersecurity topics, news, and Security+ material. Also follow me on Twitter @sec_studio, where you can tell me about how you passed the Security+!