Much like Hansel, Cyber Security is so hot right now. The US has almost as many open Cyber Security positions (700k) as there are professionals currently employed in the field (about a million). But what is cyber security? And how does one go about becoming a cyber? Let’s answer those two questions.
What is the cyber, and what kind of jobs are available?
Cyber Security, or Information Assurance, or InfoSec, or whatever you want to call it, is generally concerned with protecting computer systems and data from potential threats. In Cyber Security we talk about the CIA triad a lot — CIA standing for Confidentiality (only the right people see information), Integrity (only the right people can modify information) and Availability (you can get at stuff when you need it). Your job in Cyber Security is usually, in some form or another, to make sure the CIA triad is maintained for certain systems.
Accomplishing this can take several forms, though. I usually break down potential cyber security careers into the following large buckets:
- Governance, Risk and Compliance (GRC) — policy, audits, management, strategy, etc.
- Blue Team — Protective technology, generally working with an organization to protect themselves or other orgs
- Red Team — Disruptive technology, generally trying to attack other organizations to test their defenses (penetration testing)
You can break career options down a lot more than that (if you want a full breakdown the book “Cybersecurity Career Master Plan” has much more granular classifications), but most entry level roles break into one of those three buckets. As you progress you could get into architecture or research, but those aren’t really entry-level roles.
There is significant overlap between blue team and red team, as the blue team needs to be familiar with red team tactics in order to defend against them, and red team needs to be familiar with blue team tactics to counter their defenses. I recently took two certifications, CySA+ (a more blue team focused cert) and Pentest+ (red team focused) and probably 60-70% of the material was the same.
GRC is quite a bit different. Instead of running technology you’ll generally be performing audits, checking policy and learning frameworks such as CIS CSC, NIST CSF, or ISO 2700X. Whereas blue and red team people usually come from a technology background, GRC people frequently come from an audit background.
So which path is right for you? It depends a lot, but in general:
- GRC is great for people who have previously worked in audit, financial, banking, etc. If you enjoyed those roles and have a love of communication and documentation, and great attention to detail, GRC might be a good path for you.
- Blue team — this is the most natural first step for people who are already in IT on the operations side (helpdesk, networking or system administration). You will also need to do documentation, but will also spend a lot of time implementing and operating security tools. You’ll also work with other groups (helpdesk and ops) to help them operate security related tools and frequently work in incident response — handling potential breaches. Patience, a steady work ethic, the ability to deal with stress and excellent communication are all important.
- Red team — In general I feel red-teamers have a lot in common with programmers. You’ll need to do some scripting at the very least, you’ll need to spend a lot of time solving complex problems and much of your work is basically quality assurance against someone’s entire infrastructure. Creativity, patience and tenacity are really important.
How do I get my foot in the door?
I’ve gotten in trouble for making this assertion before, but I’m going to repeat it here: cyber security usually is not an “entry-level position” in IT. What I mean is, it’s difficult (but not impossible) to come into it with absolutely no knowledge at all. Entry level in IT is generally helpdesk or internships. A Jr. Cyber Security Analyst (typically the most junior role we fill) still needs some familiarity with IT.
So the first way to get your foot in the door is to get some general IT knowledge. You could get a few certs (Network+ or another network cert is REALLY useful in cyber security) and maybe spend a year on a helpdesk getting comfortable with how IT departments function.
You don’t necessarily have to do this — if you have a degree in Cyber Security or some mid-level certifications you could potentially get hired directly into a cyber security role. But I recommend you have some IT familiarity already. That will also make getting those certs way easier.
If you have some general IT knowledge I would highly recommend getting some Cyber Security specific certifications. These aren’t too difficult (depending on the level), buying a book and taking a test is cheap, and they show that you’re knowledgeable and passionate about a subject. A few examples are:
- Intro security certs: Security+, GISF
- Mid-level security certs: Pentest+, CySA+, SSCP, GCIH
- Advanced security certs: CISSP, CISM, OSCP
Those are just a few examples of the MANY certs that are available. The intro and mid-level certs have good books, free classes available, and I would consider self-study friendly. The tests can cost between $200 and $400 (the advanced certification tests can cost a little to a lot more).
Once you have that general knowledge and a little cyber security knowledge you can go for a few roles:
- Jr. GRC Analyst/Auditor — you’ll probably find yourself doing all the gruntwork of an audit (emails, project management, spreadsheets, etc.) but you can get your foot in the door that way and move up.
- SOC Analyst — a SOC is a security operations center. These are usually run by Cyber Security focused organizations that monitor the security of other orgs (although a large enough business will sometimes run an in-house SOC). These are great because they’re frequently remote, the pay is decent for a call center job, and it’s a job where the responsibilities are spelled out and there’s plenty of documentation. The downside is that your first shift will probably be working nights.
- Jr. Cyber Security Analyst — you’ll generally be working with one org, in charge of a few tools such as vulnerability scanning or patch management — this means the skillset you develop will be deep but narrow. You’ll definitely want to keep working on expanding the breadth of your skillset to make sure you don’t get pigeonholed.
Those are, by far, the most common entry-level positions. If you already have expertise (such as a sys admin or financial auditor) you may be able to skip the entry level positions, but if you’re pretty new to IT and want to move into Cyber Security, those are your best bets.
You may notice that there aren’t any red team positions, and that’s because it’s pretty hard to find a truly entry-level red team spot. However, starting on blue team and moving to red is a good way to get into it.
Why are your blog posts always so long?? I want the TLDR
Listen, if you’re reading this you automatically didn’t DR, but that’s beside the point. Let me lay it out for you in one final numbered list:
- Get some general IT knowledge through entry level IT certs and potentially a helpdesk position
- Unless you’re hoping for GRC, then get some entry level audit experience
- Get some entry-level cyber security certifications (see above)
- Target a role as a Jr. Auditor, in a SOC, or as a Jr. Cyber Security Analyst
- If you need tips on writing a good resume to get the role, I wrote a blog post about that too
- Once you get that role KEEP BUILDING YOUR SKILLSET and move up! If you want to get a red team position, focus on red team certs, and the same for blue team or GRC
It’s not easy, but it’s not terribly hard either. It’s possible to get the A+ and Network+ in a few months and get a helpdesk role or SOC role, spend a year working at that job and getting CySA+, Pentest+ or other certs, then in a year or two move into a Cyber Security focused role. It takes work, but you can be solidly on a great career path in less than two years. That’s as long as getting an associate’s degree in English, but with uh … a much higher earnings ceiling. Knot too mock people whith englilsh degrees or anything. I kind of wish I had one.