How Do I Get Into Cyber Security?
Along with “You can’t say that” and “Hey, how’d you get in here?”, one of the things I’ve been hearing from people recently is “How do I get a career in Cyber Security?” I thought I’d throw my notes from those conversations in a sort of Liber Primus for those interested in moving into Cyber Security — either as a side hustle or a career.
First: what is it you actually want?
I need to be honest — if you’re in it for the money, there are much better options out there. Work in finance. Become a politician.
Any career option in Cyber Security will come with a heavy burden of boring, dull, tedious work. Writing pentest reports, re-writing your strategy document for the nth time because the client wants it “more aligned” with whatever “strategic vision” they got from a burning bush in a dream. Beyond that, you need to do a lot of research, a lot of reading, a lot of learning, just to stay up to date — if your heart isn’t in it, if you don’t find it interesting and are just about the filthy lucre, you’ll get burned out fast.
You need to be excited. To want to take things apart to see how they work. To sometimes be able to put them back together and have them still work. Or at least, work differently. If you look at something and your first thought is “How does it work?” — or, even better — “How do I break that?” — then you have the mindset to really excel.
The best advice I can give you is to get hold of a copy of Bruce Sterling’s seminal work, The Hacker Crackdown. If you come away from reading that and not wanting to know more, not wanting to start taking things apart and getting involved, then you should look at a career as a compliance auditor or something.
Second: Learn the basics
Some people think Cyber Security is a subset of IT in general. These people are wrong.
If you’re a network engineer, or an Oracle DBA, you probably don’t know much about the self-tuning Solaris kernel. Or the communications stack hardware in a 5G phone.
For a career in Cyber Security that’s more than just blow-hard shilling for a vendor, you need to know the basics. All of them. The TCP/IP stack. How does networking work? How do processors work? How do UNIX and Windows work? What’s actually in a mobile phone? A games console? How are they similar — and different — to a PC? How does virtualisation work? What’s cryptography?
The good thing here is that the Internet is awash with resources and information that cover everything you’d want to know. The downside is that companies like Apple and Google have declared war on general purpose computing (i.e. your PC), and are going out of their way to make things harder for you to pull apart and work out how they tick. Just look at the iFixit Repairability Scores. On the plus side, eBay is awash with interesting tech you can play with.
Third: Great! What do you want to specialise in?
Now that you’ve mastered the basics, it’s time to get really stuck in.
Back in the 80s things were much easier. You had to be a jack of all trades to know what you were doing: a bit of hardware, a bit of phreaking, some coding. If you knew a bit of everything you could accomplish Great Things. Now, though, systems are massively more complex and interconnected than they ever were. You’ve got programming environments so abstracted from the hardware that they autocomplete the code for you. We’re carrying around in our pockets portable computers that would have qualified for the Supercomputing Top500 list 20 years ago.
People can — and do — devote entire careers to hacking just one phone operating system. One programming language. Or specialising in hardware hacking games consoles. Or telephony networks. Or embarrassing Apple. Or Sony.
At this point, you should have a good idea of what you think is ‘cool’. What makes you think “Yeah, I’d like some of that.” Now really dive into that tech. Be part of communities who specialise in it. Read and watch more focused books and courses. Find out what others have done before you, and build on their work.
Fourth: Share. And never stop learning.
I put this last, but actually you should be doing this all through your journey, your career. From the first time phreaks worked out how to get free long distance calls, hackers have been sharing and swapping information — not just passwords and manuals, but what they’ve found, how they did it, what happened next.
There are some amazing communities out there, some fantastic conferences to attend, and years of archives available to dig through. There are also lots of great people in the scene who have lots of interesting things to say and learn.
The really good resources and communities are free. Apart from paying out for interesting and useful books, you shouldn’t be shelling out anything for knowledge — but you should be sharing and giving back. It is, after all, what keeps this job fun.
Finally: build your portfolio
If you want to make a career out of this, you need to showcase your skills to future employers. I’ve interviewed hundreds of people over the years — the worst people were certificate monkeys, desperately job hopping to grab job titles in the hope of justifying more money. The ones I hired were the people who could show passion, experience, expertise. The people who could think through a problem and explain what they were doing along the way.
Write up what you do. Stick it on a blog, a website, or a Gist. Build out a public GitHub repository to share what you’ve been working on. Commit back to public projects. Talk at conferences. Keep a list of the things you’ve read and watched, and what you’ve learned from them. The BCS has a good tool for this, but do what works for you.
Doing that is infinitely — infinitely — better than rocking up to an employer with your Security+, CEH, and CISSP certifications — and nothing else to show for it. Don’t get me wrong, certifications matter; because at some level you’re going to be asked “So, with all that knowledge, how come you didn’t get X?” — but they should be the icing on the cake, the final garnish on the delicious meal you present to an employer that is your CV.
I look forward to hearing what you get up to.