Security Career Tips

About this site

I do a lot of public speaking and frequently get asked for advice on how people can learn more about developing a career in cybersecurity. To provide this information to a larger audience and help answer that question in more detail, I've created this website, which contains some helpful advice no matter your career level.

Who is Trey Blalock?

This would take a long time to explain, and in some ways it's not really important for this site, but the following is the very short introduction I use for conference literature.

Trey Blalock is a highly respected Chief Information Security Officer and security researcher who has performed extensive work in almost every security domain for some of the world's largest corporations and governments. Trey has trained thousands of people on advanced security topics. He has managed all aspects of security for one of the world's largest financial transaction hubs, performed hundreds of penetration tests for Fortune 500 companies, and has performed forensics for several high-profile cases such as "Donald Vance vs. Donald Rumsfeld." He also specializes in defending large-scale systems from advanced threat actors. Trey currently serves on several forensic, red teaming, and penetration testing advisory boards and is a frequent guest on television. He has also recently served as the CISO for Coinstar and Cognira.

Exploring Security/Where to Start?

One problem people who are new to security face is where to start. The field's size almost infinitely compounds this problem; it impacts all areas of computing and many aspects of human behavior, yet people new to the field tend to only know about a handful of the most common types of roles and skills. People also tend to gravitate toward things that seem trendy.

A better solution is to focus on what interests you most and dive deeply into that while beginning a process of learning more about what else is out there. Please think of this as a process of learning more about yourself. I recommend writing down what interests you on a list because you'll want to learn dozens of things before you know it and must eventually decide what comes next on your learning path.

There's also a more important reason: you will learn more about a subject while it interests you than if you took up a topic because it was trendy. Let's examine a hypothetical scenario. Suppose two identical people each learned a different topic every three months for four years, but one person was learning about subjects they love at 90% depth while the other chose trendy topics they don't love and learned them at only 50% depth. At the end of the four years, the security knowledge gap between these two would be huge.

This problem manifests itself in another way as well. When they first get into security, many people want to understand the latest buzzwords and sound like they can talk about advanced issues. So, they skip building a solid foundation in the basics and later make inferior decisions because they aren't knowledgeable about all available options. I frequently see this with entry-level penetration testers; they learn just enough to run tests and get results but have no idea how to defend against the exact problem they are reporting. In many cases, the penetration tester will make a textbook recommendation that could take months for the customer to implement because they don't know the basics of systems and security controls well enough to recommend an alternative solution that would only take a customer minutes to implement. In this situation, the penetration tester with less knowledge leaves the customer more vulnerable for months and can potentially cost them hundreds of thousands of dollars in wasted development efforts.

In a nutshell, the depth of your knowledge of security subjects can directly contribute to the value you provide to your employers or customers. Likewise, a solid foundation in the basics can significantly increase your capability to protect organizations and make it easier to learn new subjects in the future, so please take them seriously.

Security Economics and Asymmetric Warfare

Security Economics is a vast subject, but what I need to say about this is straightforward. Pay attention to security economics as you learn about new techniques. Just as a single match can burn down a house, a single line of SQL injection code can defeat millions of lines of security defense code. The economics of security frequently involve exponential relationships that can result in massive asymmetries between attackers and defenders. You want to develop an intuitive feel for when these dynamics come into play over time. Understanding this dynamic will help you make better decisions, especially later in your career.

Security Mindset

Security requires a different mindset than many other careers. Similar to how lateral thinking gives people a different way to solve problems, a security mindset enables people to see where systems can be abused. To help develop this mindset quickly, read or listen to audiobooks by Bruce Schneier. I suggest starting with his book On Security.

Data Protection

As a subset of having a good security mindset, you need to have excellent computer hygiene, including great habits around encryption, password protection, and backups.

Human Protection

Similar to a security mindset and data protection, it's important to consider protecting people in several ways. The cybersecurity field has high burnout and depression rates and is known for drug and alcohol addiction problems. More specifically, we lose many great people every year who needed help and support they didn't get. It is essential to prioritize your health and protect the health of the people around you. Because of this, some security conferences have switched to alcohol-free events, and we frequently see "In memoriam" dedications at security conferences. To help with this, and with life in general, I think it's wise to learn about the following:

Getting Organized

You must start building a system for keeping a lifetime of notes, documents, data, and code. Think of this as an extension of your brain. Refrain from getting attached to any formulaic system you see others using or read about online; create something that works great for you. Your process will continuously evolve, and that's a great thing. In the long run, having a good system like this will make you much more productive than your peers.

The following is a list of general security career tips that I provide to a variety of different audiences at different times.

Short Term

  • Update your resume monthly (think quality improvements)

  • Have 2 or 3 versions of your resume

    • Your search engine resume should be really long. Have a “skills” section at the end for search engine “keyword bingo”

    • Have a 3-9 page print resume (don’t worry about length)

    • Have .PDF / .DOC / .TXT versions ready

  • If you have a website, having your resume online is a good thing.

  • Start organizing lists of career goals

    • Certifications you’d like to have

    • Technologies you’d like to learn

    • Projects you’d like to do

    • Can be anything really, just get these lists going and update them

    • Create a list of things you love to do. Keep it up to date.

    • Find causes (anything really) that you care about.

    • Create a priority list of how you want to spend your time (include non-work things on this). Update it often and keep old copies around.

  • LinkedIn seems to be the job-related social media platform of the moment.

    • Be VERY aware of the privacy settings on LinkedIn

    • I recommend avoiding their phone app if you value privacy.

  • Start looking for mentors

  • Make sure you don’t limit your career or knowledge to what work or schools teach you. It’s critical that you are constantly investing in your own education (time & money).

  • Understand that your work or school is not only incapable of predicting technology trends over the next 5-10 years, but is also likely to make some mistakes and send you down the wrong path a time or two. Pay careful attention to what you spend time learning.

  • Worry a lot less about what others think about what you are doing.

  • Pay attention to who encourages you and who says things that hold you back.

  • Build your own lab but keep your costs low.

  • Build your own tools and documents.

  • Design your own personal knowledge management system (a way for you to store things you learn long-term).

  • Understand that it’s more important to be wise than smart.

  • Plan to spend quality time with your friends and family on a regular basis.

  • Do read this whole list.

  • Always prioritize good sleep in your life.

  • Avoid unhealthy habits & protect your health now (not later).


Long Term

  • Consider starting a “consulting company” as an LLC, no matter what age you are.

    • There are many benefits including tax benefits but that’s a long conversation

    • They may cost a bit of money to start but don’t cost a lot long-term.

    • Think of it as an additional financial vehicle.

  • Give yourself a certification and training budget each year. Plan for it.

  • Teach yourself finance and economics. Managing your money well may provide really good opportunities in the future. Save for the unknown (good and bad).

  • Master IPv4 & IPv6. These two technologies will be around longer than most of the other things you are learning.

  • Pay attention to what skills you learn that will “rot” (Cobol) and fade away vs. those (like math) that will stay around long-term.

  • Learn about yourself. Do meditation and yoga to learn about your mind and body.

  • Understand that some teachers are great and others are bad for you. When you are learning something new it’s hard to tell the two apart.

  • Do projects with others. Don’t worry if they fail; you will still learn.

  • Do some public speaking, at least twice a year (it can be on anything, and it gets easier the more you do it). Understand that even if you knew everything, if you are incapable of communicating anything, then you can’t really provide value.

  • Communication, of some form, is really important.

  • Cross-pollinate: learn about different fields of study.

  • Don’t worry that you can’t consume all the security knowledge out there (no one can but in time you’ll get good at this).

  • Always aspire to improve.

  • Getting yourself organized the way YOU want to be organized is huge. You have to do this yourself and help that system “evolve” over time.

  • If you LOVE a technology let people know about it. This helps you get gigs you love.

  • Find other people who love what you love & do projects with them

  • Write more: read “On Writing Well” by William Zinsser.

  • Rewrite (update your old notes on how to do things from time to time).

  • In what you produce (including social media comments), focus on quality, NOT quantity.

  • Learn graphic design skills when the time is right.

  • Understand how you spend your time & know what makes you productive.

  • Avoid unhealthy working conditions. Especially ones that prevent you from sleeping.

  • Never be afraid to quit a job. Keep money just so you can walk when you want and stay free.

  • Pay attention to your health and quality of living.

  • Invest in yourself. Good investments in yourself can pay back in orders of magnitude. Especially when you look at the return over a 10+ year period.

  • Who are the people who are probably the best in the world at what you want to learn? If you were to inverse-plan what you think their career path was to get there, what did they have to learn, do, or be a part of to get where they are? What could they have done better? What else could have been done that wasn’t attempted?

  • A good understanding of statistics is your friend; Python and R are also helpful.

  • Avoid doing things “because that’s the way they’ve always been done.” Always re-learn what the best way to do something is, and if you think it can be done better, invent something new.

  • Find a mentor that you really like & who can challenge you. The reason this is important is that you need someone who can tell you which pieces you are missing and prevent you from getting stuck. They can boost your career.

  • Master the art of being self-taught.

  • Teach your peers. As a team we can learn much more than each of us reinventing the wheel in our learning process.

  • Understand that Information Security is in its infancy and that it’s going to keep continuously evolving.

  • Learn to keep your mind focused on the highest level of security / highest quality solutions / most efficient solutions, even if the job you are currently working at has you working on something else or culturally isn’t up to the task.

  • Develop some non-computing, non-security hobbies (in addition to your geeky ones). Things like hiking, weight-lifting, woodworking, learning a musical instrument, or any kind of non-technical craft can be great for your brain and help prevent burn-out long-term.

  • Good drawing/whiteboarding skills are really useful; don’t underestimate this.

  • Excellent Visio / Word / HTML / 3D modeling / VR skills… These amplify your ability to contribute.

  • Refer your friends to people. Become a “connector” of people for all sorts of things.

  • Master the basics. People focus too much on wanting to be experts quickly and want to talk like experts about advanced topics, but experts don’t skip mastering the basics. Think of learning as martial arts & master the basic moves first.

  • Become a mentor to others on any topic you want.

  • Be a super dependable friend to those who are close to you.

  • Pay attention to upcoming technology standards but understand they don’t all make it. Maybe start here  https://www.ietf.org/rfc.html   


Minimum Skills everyone in security would be wise to have right now:

  • WireShark

  • TCP/IP

  • IPTables

  • Snort and Bro (play with Security Onion)

  • Basic Routing and Switching (getting a Cisco CCNA would be useful)

  • Linux

  • BASH Shell Scripting

  • RegEx

  • Python 3 ( Note: Language recommendations change from year to year and if there’s another language that really grabs your attention go for it.)

  • HTML

  • CSS

  • Javascript

Spend a year digging deep into each of the ones above one month at a time.


Note: If you’re looking for more advanced skills than the list above try the following:

  • Apache Spark

  • Elk

  • The economics of security

  • Really understand PKI

  • Blockchain based projects

  • Create your own threat intelligence feed

  • Understand how geo load balancing DNS works

  • Master mod_security

  • Do an IoT project using AWS IoT

  • Master MetaSploit

  • Configure web servers that can recover in under a second after a DDoS or DoS attack ends.

  • Automate removing Known Files from a forensic dump. Ideally automate full processing of an image for certain forensic events.
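The last item above, automating known-file removal from a forensic dump, is concrete enough to show in working code. The following is an added example written for this page, not code from the original or from any tool it names. It assumes the image has already been exported to a directory tree and that the reference set of known-file hashes is available as one SHA-256 hex digest per line (real reference sets also publish other hash types; SHA-256 is an assumption here). The demo directory and the known list are constructed inline so the script runs offline.

```python
"""Filter known (reference-set) files out of an exported forensic image by hash.

Added example for this page; assumes an export directory tree plus a
known-file list of SHA-256 hex digests, one per line, '#' comments allowed.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large artifacts never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_known_hashes(lines) -> set:
    """Parse a known-file list: one hex digest per line, case-insensitive, '#' starts a comment."""
    known = set()
    for line in lines:
        line = line.split("#", 1)[0].strip().lower()
        if line:
            known.add(line)
    return known


def unknown_files(root: Path, known: set) -> list:
    """Walk the export tree and return files whose hash is NOT in the known set, sorted.

    Symlinks are skipped so the walk never leaves the evidence tree; everything
    returned is what still needs an examiner's attention.
    """
    remaining = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            if sha256_of_file(p) not in known:
                remaining.append(p.relative_to(root))
    return sorted(remaining)


def demo() -> list:
    """Constructed sample: two 'known' OS files and one unknown user file in a temp export tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows" / "System32").mkdir(parents=True)
        (root / "Users" / "alice").mkdir(parents=True)
        (root / "Windows" / "System32" / "kernel32.dll").write_bytes(b"constructed known content A")
        (root / "Windows" / "System32" / "ntdll.dll").write_bytes(b"constructed known content B")
        (root / "Users" / "alice" / "notes.txt").write_bytes(b"constructed unknown user content")
        # Constructed stand-in for a reference data set; the second entry checks case handling.
        known_list = [
            "# constructed reference set",
            hashlib.sha256(b"constructed known content A").hexdigest(),
            hashlib.sha256(b"constructed known content B").hexdigest().upper() + "  # upper-case hex",
        ]
        known = load_known_hashes(known_list)
        return [p.as_posix() for p in unknown_files(root, known)]


if __name__ == "__main__":
    # Usage: python known_files.py <export_dir> <known_hashes.txt>; with no args, run the demo.
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as fh:
            known_set = load_known_hashes(fh)
        for rel in unknown_files(Path(sys.argv[1]), known_set):
            print(rel)
    else:
        print(demo())
```

The useful property of this approach is that the examiner only reviews the residue: on the constructed tree above, two of three files hash-match the reference set and only Users/alice/notes.txt survives. When you extend it, record the hash of every file you drop as well, so the filtering step itself is auditable.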


Projects to do:

Run your own web server / harden it / watch the logs / install mod_security / set up an IDS like Snort or Bro. Learn how to do packet capture, performance tuning, incident response, and forensics on it.
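For the "watch the logs" part of that project, here is an added example (written for this page, not code from the original) of what a first log watcher in Python 3 can look like: it parses the Apache/nginx "combined" access log format with a regex, decodes each request path, applies two simple detection rules, and counts 4xx responses per client. The log lines, the rules, and the per-client error threshold are all constructed assumptions for the demo.

```python
"""Parse web server access logs and flag suspicious requests.

Added example for this page. Assumes the Apache/nginx 'combined' log format;
the sample lines and detection rules below are constructed for the demo.
"""
import re
import sys
from collections import Counter
from urllib.parse import unquote

# combined format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Detection rules applied to the percent-decoded path (constructed, deliberately minimal).
PATH_RULES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_marker": re.compile(r"(union\s+select|'\s*or\s+1\s*=\s*1)", re.IGNORECASE),
}

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /static/../../config.ini HTTP/1.1" 404 208 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:56:03 +0000] "GET /login?user=a%27%20OR%201%3D1 HTTP/1.1" 400 210 "-" "curl/8.0"
this line is not in combined format
"""


def parse_line(line: str):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])  # decode %xx so the rules see the real characters
    return rec


def analyze(lines, error_threshold: int = 3) -> dict:
    """Apply the path rules and count 4xx responses per client IP.

    Returns rule hits, the IPs at or above the 4xx threshold, and how many lines
    failed to parse (a parse-failure count is itself worth alerting on: it may
    mean the log format changed and the watcher has gone blind).
    """
    findings = []
    errors_by_ip = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        for name, rx in PATH_RULES.items():
            if rx.search(rec["path"]):
                findings.append((rec["ip"], name, rec["path"]))
        if 400 <= rec["status"] < 500:
            errors_by_ip[rec["ip"]] += 1
    noisy = sorted(ip for ip, n in errors_by_ip.items() if n >= error_threshold)
    return {"findings": findings, "noisy_ips": noisy, "unparsed": unparsed}


def run_demo() -> dict:
    """Analyze the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    # Usage: python log_watch.py access.log   (no argument: run on the constructed sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    result = analyze(source)
    for ip, rule, path in result["findings"]:
        print(f"{ip}\t{rule}\t{path}")
    print("noisy clients:", result["noisy_ips"], "unparsed lines:", result["unparsed"])
```

Two design points worth carrying into your own version: decode the path before matching, since the same request can be written many ways in a URL, and treat unparsed lines as a signal rather than noise, because a silent format change is the most common way a home-grown log watcher stops working.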


If you don’t have a Linux system at home, set up a VM or look into getting a Raspberry Pi and setting it up (they are super inexpensive): https://www.raspberrypi.org/products/


Set up a Pi-hole server (a black hole for Internet ads and some malware servers) at home: https://pi-hole.net/ Maybe point it to the Quad9 network when asked.


Set up and get familiar with the tools on Kali: https://www.kali.org/


Create a web-scraping tool that does something fun or useful for you.


Watch all the videos on this site: Iron Geek Security Conference Videos


Create a useful, but small, piece of code and post it on GitHub or your own site. Make it public and ask for feedback.


Create a few “on-line” projects of some kind that you can use to show people your skills or interests. Even a blog or web page would work. But be wise about your posts (Note: you can be wise, creative, and fun at the same time.)


I recommend finding a local mentor if you can but I also provide mentoring services for people at all skill-levels. The important thing is to find one you like. Having multiple mentors for different subjects is wise too.


© 2024 Verification Labs All Rights Reserved