Security Roadmap

Today I’ll share with you my thoughts on a career in IT security and give some hints on how to get started.

People fresh out of IT-related studies, or those who are just about to study IT, more or less know what they want to do, or will learn it from lecturers and colleagues. It is more difficult for those who change their careers completely, whether it’s due to career burnout, poor pay, or a desire to try something different. Someone who graduated in English philology, or is a humanist and enjoys new technologies as a hobby, or someone from the tourism industry, or someone who graduated from an international relations course, has no idea how to get started. No studies can prepare you for a real job, well, unless you become a lecturer ;) Higher education is just an entry point. Don’t get me wrong, college/university teaches a lot, and is good, it’s just that in the business world you need more than that.

Every self-respecting company takes people with higher education, or offers college internships and then immediately hires a fresh mind who, untainted by the job market, will work under the conditions offered, and maybe after many years will realize that things are better elsewhere. Not always, but often. Companies teach and nurture their young employees and make sure they do well.

Other companies use sneaky tactics on freshly pre-trained employees. This especially happens in sectors that require a lot of money and time to specialize an employee for a particular position. That is, for example, how it looks in IT security. Most new employees starting on the first line of defense in the SOC department receive offers from other companies for the same or a better position after just a few months. They are juniors of 3-5 months who have gone through a difficult recruitment process and spent a few months learning the basics, which are the same everywhere, and they begin to be flooded with offers. Anyone who goes into security also goes there for the money, so just offer such a person a little more (still less than current employees in the same position) and you have a new employee. This is also a tip: if you have a dream company you want to work for (or just because it looks awesome on a CV), but you are too fresh or without any experience, try anywhere. Literally, prepare yourself very well for the interview, and try to land a job in security wherever they think you are good, get some practice, do some courses, get experience and then hunt for an offer from the company you want. TBH, many times you will already be on their radar :)

To be a valuable employee in IT security you have to do mandatory certifications, collect CPE points to renew the certs that expire, and pay for the next ones. Business drives business. If you are not already in a company that funds all the courses, then the prices are scary. If you’ve already managed to get hired, then surely the company’s annual goals now require you to take at least two certs a year. And pay for it.

Getting certificates has its pros and cons. At the beginning there are only pros, because you swallow them all (the trainings and certs) as they come, and you are happy that the company is paying thousands of bucks for your training sessions and exams. Also, you are out of work for almost 5 days for every exam preparation course :) (not doing stupid and boring tickets at work).

If you know what you want to do in cyber security, you can choose a path and explore topics which will help you get your dream position. If not, you go for everything your colleagues go for, and maybe you will find your path that way.

Cons. Whatever the reasons, at some point you will notice that every course is “the best one” from a marketing perspective, every exam is “the most important one” in your career (more marketing bullshit), and all multiple-choice tests have answers that are correct according to the respective course manufacturer. Then you start doing course after course, exam after exam, and learn them by heart just to pass. Does this remind you of anything? A university, right? Flashback from student days. Huh.

Basic knowledge and theory are important. You can’t be a great network engineer if you do not know the ISO/OSI layers, how packets are built, what encapsulation is, how to calculate network subnets, or how to understand all those fancy things in Wireshark output. You can still be a network engineer at some companies, but not the best one :) So do certs, educate yourself, but do not do several certs of the same level just to collect another one. (Ohh ok, one exception: you don’t want to wear yourself out, but you are missing some CPE points XD. At first this does not apply to newbies, because your first valid certificates will not expire until 3 years from now anyway.)

The most important thing is to choose a career path. Computer science is so vast that you will never learn everything; the basics are important to be able to go further and deeper. On top of that, when you get into cybersecurity you find that it’s as vast a field as IT itself.

You won’t become a super malware analyst and at the same time a threat hunter and a penetration tester, and on top of that handle incidents with ease as an incident responder. Of course, maybe you’re a genius and can do it all at once at an expert level, but then you probably don’t read this blog and you don’t need my advice.

Start with the basics, preferably with a blue team, to learn how defense works, what the mechanisms are, and how SOCs work. In this department, on the front line, you are exposed to monitoring, basic analysis, tools and procedures. You will see how all the lines work and how the teams work together. You also have time to do some entry-level certs and courses on the company’s money.

In such an environment, you have the best chance of deciding in which direction you want to go. Maybe all your life you wanted to be a penetration tester, but when you see that bearded, smelly guy in the corner who runs the same scripts over and over again and writes 100-page reports that nobody reads, you’ll come to the conclusion that malware analysis is more interesting and dynamic, or that incident response is your whole life.

When you start building your security career path, the Security Certification Roadmap built by Paul Jerimy can be very useful. It’s a great matrix of all the important, globally recognized courses that end with certs, grouped by difficulty level (Beginner, Intermediate, Expert) and IT security competence area (Communication and Network Security, IAM, Security Architecture and Engineering, Asset Security, Security and Risk Management, Security Assessment and Testing, Software Security, Security Operations). You have links and prices, and, for example, MICS - Introduction to Cyber Security is free. It is worth doing before your first cyber security interview.

If some course or cert is missing there, it does not mean it is bad. It’s just that it’s less well known or recognized only locally. Always do your research: check whether your security idols have such a cert, or whether anyone even knows of anyone who has done it.

If you use some tools, different companies have their own online academies, courses and certifications. If you have no experience with a tool, but want to show your employer that you know how to use it, do a cert. A good example is Burp.

The best are practical courses, where not only your theoretical knowledge is tested but also your practical skills, like the eJPT.

Well, and don’t believe the magical marketing slogans that will try to convince you that if you do a certain course you will get a super job or know everything. Everything you know and can do comes from hard work, study and many years of practice.

You might also like to check out the Security Career Roadmap.

Also attend conferences, exchange experiences with people, talk, listen, enjoy.

Remember that work is often a part of life, but not the most important part.

Yeah, that’s probably all you need to know for a good start.

Good luck!