As a security professional, you’ll have a range of career options across many industries. You won't likely start out as a pentester or a security architect, so how do you get your foot in the door? There’s no easy answer, but think about what path you want to follow.
There are many areas of security to pursue: network security, information security, application security, red teaming, pentesting, security development, or information security management. Because it’s impossible to be an expert at everything, focus on an area and do it well. Think ahead five to 10 years to your dream security career then look for starter IT jobs that will supply you with the right skills.
Career paths could include a role in NetSec, InfoSec, AppSec, penetration testing, red teaming, security development, or management.
NetSec
Most network security (netsec) professionals will begin their career by moving over from the network engineering side. Their main responsibilities will be to maintain gear, respond to alerts and triage and response. Network security professionals need to be skilled in PCAPs, comms, protocol analysis, and network IOCs (IP, DNS).
InfoSec
Information security (InfoSec) is a set of strategies for managing the processes, tools and policies necessary to prevent, detect, document and counter threats to digital and non-digital information. Information security experts begin their career as system admins or coming from other IT roles. If you choose to go after an InfoSec role, you’ll be responsible for supporting systems, dealing with malware, and triage and response activities. You should be skilled at host-based, forensics, host IOCs (hashes, files, reg entries).
AppSec
Application security, or AppSec, is what a company does to protect its critical data from external threats by ensuring the security of all the software used to run the business, whether built internally, bought or downloaded. Application security helps identify, fix and prevent security vulnerabilities in any kind of software application. If you choose a career in application security, you should have a background in development / QA, or release engineering. Your day-to-day activities will include code maintenance, and finding security flaws. You should (almost) be a pro in security implementations, SDLC, and OWASP Top 40.
InfoSec Management
Where do CISOs come from? No one really knows for sure. But if you choose to move into information security management, you need to have an IT Management or Systems Management background, with strong technical understanding, management savviness and natural leadership qualities.
Pentesters and Red Teamers
Attackers continue to evolve and develop new attack mechanisms, making it increasingly difficult to defend the systems and crucial for companies to take active measures to protect their assets. In many cases, this means confiding in skilled pen testers who can think like the attacker to look for vulnerabilities in less traditional ways and undergoing a complex security posture assessment, scanning and securing network segments based on the risks they represent. As a skilled pentester, your day-to-day duties will include scanning attack surfaces, finding vulnerabilities, and possibly exploiting them.
Red Teamers are an independent group that challenge an organization to improve its security posture and effectiveness. Companies hire and train Red Teamers to provide a representative threat to the business and penetrate. You can be an expert in all technologies, however if you can’t think creatively, if you can’t find ways to bend the accepted rules, then you won’t succeed. Being an awesome Red Teamer requires the right mindset.
Security Developers
If you choose to be a programming guru or security developer, you'll typically work for an agency, a cyber-security company, or boutique consultancies (think zero-day shops). You will need to cultivate niche/narrow/deep technical skills. You'll be in high demand, creating new tools for malware and intrusion detection, traffic analysis, and ensuring that security measures are baked-in to the software your company creates.
The right mix of skills
The ideal cyber-security candidate has a specific blend of technical and people skills. Most employers will look for certain technical skills:
- You truly are grounded in IT fundamentals: networking, systems administration, database management, Web applications.
- You’re knowledgeable of day-to-day operations: enterprise storage, networks, physical security, users, server equipment, applications.
For soft skills or people skills, most companies will look for candidates who:
- Can effectively communicate with non-techy people and work well in teams.
- Understand the business.
- Enjoy solving complex puzzles and problems.
Is it your passion? Involve and learn.
All cyber-security experts share a deep interest in how technology works. This is critical. You need to know exactly what you’re protecting and why things are insecure. So, self-directed learning is important.
Teach yourself to code and learn a variety of coding languages: C, C++, C# and Java, Python, Ruby, PHP, Perl and/or shell, assembly language & disassemblers, regex skills, or Linux/MAC Bash shell scripting. Build a computer and security lab using old PCs, and your own wireless router with firewall. Then practice securing it and hacking it. Participate in contests and training games like capture the flag competitions (CTFs).
Create an open-source project or discover vulnerabilities in open-source projects and sites with bug bounties. Document everything. Break stuff. Don’t be afraid. When you’re a student, your school projects are mostly about building things. Don’t stop there. Have some fun. Take free online cyber security courses.
A successful career in security takes a certain mindset. Do you have an unfailing interest in philosophy, warfare, physics, and math? You must be able to think of security from all points of view. Gain as much experience as you can, learn your craft, think creatively, have fun and you’ll be on your way to a successful career.
