This post is the second in a series designed to examine the value of generalists in cyber security. This post looks at how one might transition into being a generalist in security. Future posts will be targeted at constructing teams and other topics. Check back each Thursday for the next part.
A disclaimer: there is no single path into cyber security, no algorithm or bootcamp that can get you there. It unfortunately takes a combination of luck and passion. This post won’t necessarily get you a job, but it might help you get closer to one.
How does one get comfy in the grey? How does one become a cyber generalist? It’s a weird question for me to answer, and honestly it took me a while to think about what I could possibly tell someone who wants to move into cyber security as a generalist. The truth is that it never crossed my own mind; I was incredibly lucky, and my own passions happened to align really well with the needs of the industry. However, I strongly believe that cyber is a better place when we have a more diverse workforce, and my own journey does highlight some really valuable advice that could be key for someone looking to make a change.
So, despite my own declaration that there is no algorithm for getting into cyber, I will attempt to boil my experience down to something similar to an algorithm: a set of rules for getting comfy in the grey.
1. Start elsewhere
Entry-level jobs are extremely rare in security. Unless you’re graduating and seeking a SOC role, or are lucky enough to make it into a graduate program or traineeship, it can be really hard to go directly into cyber. So rule number 1, and perhaps the most important part of being a generalist, is that you should start elsewhere. Cyber security ultimately protects people and businesses, and a key aspect of being able to do that is understanding what you are protecting. Therefore a good place to start is to look at the kinds of threats we care about right now and seek a job in the areas those threats target. This could be a role in DevOps, Software Engineering, Machine Learning or Infrastructure Engineering. These roles will do a few things: a) they let you explore your passions, b) they give you the chance to identify and resolve security issues that you can then develop into resume-defining items, and c) they get you working. Arguably, most of the iconic people in security today didn’t start in security (it didn’t exist yet); they appreciate diversity and understand that security expertise comes from all places.
2. Don’t do “cyber” certifications first
Unless you have a very specific role in mind, certifications aren’t really the answer. Does this mean that you shouldn’t do them? No, but arguably the ROI on most certifications isn’t going to be there early in your career, especially if you can get yourself into a role where other (relevant) certifications, such as the AWS vendor certs, are covered by your employer. You should focus on getting relevant experience in the job role that you’re starting in. This could mean taking part in your company’s security champions program, helping the company identify vulnerabilities (especially relevant for Software and DevOps engineers), and making sure you’re recording and writing down each of these experiences, so that when the question of experience comes up in an interview you’re able to point to the parts of your career that answer it.
3. Do make your own tools
Tooling isn’t everything in security, but it certainly helps out a lot. Identify problems you can solve and write code to fix them. Coding is a skill you need in security; I strongly disagree with the idea that being able to write and design software gives you no advantage in security. Even GRC peeps should be writing tools that enhance the delivery of their work. This doesn’t mean they need to be writing a scanner, but they certainly should be creating Python scripts or other tools to make data visualisations that will wow executives. Write tools that solve your problems, make those tools open source and get people using them. Why? This will give you exposure to solving the problems and vulnerabilities that arise in the day-to-day maintenance of a product. Ultimately, that is what you do in a lot of security roles: you will be constantly identifying and potentially solving problems. If you already understand how this works, you are a huge leap ahead of the competition. Furthermore, you will have a name! Imagine going to a job interview and finding that the person interviewing you uses a tool you wrote every day. This happens more than you realise.
4. Seek startups and scale-ups
It isn’t easy getting a security role at an established organisation if you don’t have experience. So start small: get a role at a startup or a scale-up, especially one that is very early stage and in an industry vertical you are interested in. This could be a hybrid role, or it could simply be a software engineer or infrastructure engineer role. A lot of startups give you a lot of latitude and freedom in the early days. This means you can solve security problems as part of your day job without it counting against you. Furthermore, most startups do not hire security people (although they probably should, and a future post will cover this), so there is a distinct chance for you to move into a security role as the organisation grows. Startups are also the place I have learnt the most; the risk of sink or swim is daunting, but it gives you an incredible clarity and freedom that you cannot get elsewhere. Embrace the grey that is inherently part of being an early startup employee and you will be well on your way to getting comfy in the grey.
5. Convert experience into relevant experience
Finally, and perhaps the most important rule: experience gained through the above rules only counts if it’s relevant. This means you need to be able to translate what you’re doing into security-relevant experience. Highlight the bugs you’ve found, identify the improvements you’ve made and speak the language of risk. Security is part of every job role, and you can easily highlight the things you’re doing in a way that is relevant to the role you’re seeking. If you can’t, then you need to find yourself a way to do that. This means you need to seek opportunities (again, this is why startups are great) to grow in your current role. Conversely, admit when you don’t know something or don’t have experience. Lying isn’t going to get you anywhere; integrity and ethical behaviour are a key part of being a security professional, and admitting that you don’t know something isn’t immediately a failure. No one, I repeat, no one understands everything, nor is it realistic for people to expect all applicants to know everything. Cultural fit and passion are important markers for the kinds of employers that you want to work for.
Alright, that is enough for now. Check back next week for more. Leave a comment on the social channels if you have any feedback.