Watching some videos on youtube I came across the following video,
I found it very interesting especially if you are looking to understand how candidates are measured in order to get a job.
The author of the video divided very well the areas needed in order to have a stable career in Cyber,
- Who you know
I totally agree with the author however it is important to establish a timeline of events before you can get to a position in cyber security.
- Degree in Systems Engineering or Software Development
It is very important that you get a very broad knowledge in the computing world and a degree in systems engineering or software development. It will put you through the most valuable training you ever had in your life. The degree goes with you everywhere and it does not expire. Choose your university carefully, I have seen many computer engineering graduates and computer science graduates that only learnt to do some programming, and they went straight to technologies that are being used in the industry such as Windows, Oracle, HP. Although this sounds very good, to get out of uni and get a job soon it is not the best option if you want to keep your value up in the market. These sort of training will get your ready to operate and maintain a specific product however it will not teach you how the solution works from the ground up and you will have to continuously get additional training or recertify. You may be already thinking hang on a second that’s not a degree it’s a vendor/product specific training. You are right but this is a how many degrees are build up today, networking is Cisco, databases is Oracle and server is Windows…
When you choose your university choose one that will get you real engineer/design training in systems. In my days I went through different areas that today are still relevant and allowed me to maintain fresh despite I have not been in the industry for 7+ years. The effort to understand how technology work in such a low level of the design will get you ready for future technologies. After all X86 microprocessor architecture has been out there more than 40 years and the same with internet and its communication protocols.
- Microprocessor design
- Microcontroller/ assembling programming
- C,C++, Java
- Networking below CCNA and up to CCNP level
- Linux and Windows servers
- Operating systems design and programming
- Computing/Memory architecture
All these and more will put you in a good position, a real engineering degree. Today many professionals are out there operating technologies however they do not understand the underlying technology which in the field of Cyber is very important.
Let’s discuss certifications, If I knew beforehand that I want to do cyber security I will definitively would choose CCNA as my first certification even if you are not working with Cisco technologies. The main reason is because everything in internet is networking and Cisco is a leader and its training is second to none in order to go through the basics of TCP / IP communication. In the list above I mentioned networking below CCNA meaning that even before CCNA Cisco there is much more to networking such as physical signaling, signal modulation and flow control to mention some of them and they are not widely mentioned in the CCNA training but still very important to understand. The same happens to internet routing at the CCNP level where you will understand the protocols to route information in a WAN environment.
My next certification would be SSCP / CISSP, many people will argue here but I will tell you why you need a CISSP. Security has transcended beyond technology and it is also a Society, Personal and Business issue. CISSP and its domains of knowledge will help you to understand security as a whole. You will understand how security is applied in an operational environment and managerial level and the difference in both of them closing the gap existing in many organizations between operational and managerial people. Once you have earned the CISSP you will also know in which domain of security you would like to work.
Now, let’s assume and that is the main reason of this post that you decided to work in Cyber or internet security. When you are about to get a specialization I truly believe that SANS is the training to go to. SANS will provide you training that is relevant and up to date to the latest industry developments. Also, their trainers are people who have a broad experience in the industry and they have been in the trenches for a long time. Within SANS you have training for all areas of Cyber you can imagine, incident response, forensics, malware analysis, threat intelligence… and much more. This training will make you a subject matter expert in the area you choose.
It has not been mentioned by the author on the video above and I also think in some sort of way is avoided…as for many of us is a pain. A programming language such as python or perl will help you also. This is more of a secondary tool, the field is rapidly evolving to automation so a scripting language will help you to automate many tasks. Needless to say that if you are in the field of malware any OOP language it is a must.
At this point you may be thinking and what about the experience? well, the experience is the most important however it is only important from a commercial perspective if you are not looking to be a real hacker,fraudster, terrorist,spy or any sort of criminal. I am very critical with the experience and although I think it should be always go in parallel with the timeline of events above described, experience is overrated by the industry. There are many professionals out there who have been in security since the first Antivirus was brought to the market, unfortunately Cyber is much more than signatures today… experience is good but it needs to be taken into consideration with other things such as training and personal traits and curiosity for technology. Experience should have an expiration date if it does not come with relevant up to date training that experience is useless.
Just in case anyone here is coming from HR/Management…
Are certifications worth? should I consider candidates with certifications over people with only experience?
If I had to hire people I would definitively will have both considered but let me put it this way. To mitigate risk I would establish a baseline that my candidates need to satisfy in terms of knowledge for the position he or she is going to take.
Sometimes as it has been happening in more matured fields of computing, people with a good amount of years of experience perform well in their roles. But unfortunately in Cyber security we are not even near that level yet in the industry and I believe certification today has still to gain more consideration when hiring. I also spend some of my personal time doing packet and malware analysis or researching new ttp’s and tools but not because of that I believe I am a subject matter expert since I do not know what I do not know and it is because of that, that industry training will put you at the level where you at least need to start. Industry certifications are a good baseline to build up a good team of cyber specialists.
Last but not least, the most important characteristics you need to have to work in this field and which it has been largely ignored. You need to be a tenacious and passionate person to work today in this field, unless you have landed by chance…
We all have worked with people full of ego, people who think they know everything, people who do not need training. The same happens with the organizations we have worked for or we are currently working, they seem not to understand many aspects of Cyber, they do not understand the level of competencies their employees have or most likely are lacking, neither they understand the value of your training or experience or they cannot understand the difference among IT security personnel or cyber security specialists..
All these challenges are out there and there is no degree, training or experience that will help you to go through it. To improve your life and professional career in this field today it is a must to feel passion for this field and have a high dosis of perseverance to not perish in the journey. If you are looking to do an 8 hour shift go home and look after your family, watch tv or whatsoever this is not your field. I am still trying…