Part III: Breaking into Cyber Security. Hard but Possible.
The last post ended by answering the question "Why should I even get into this field now?". Now let's discuss how you can break into it. This post is a little longer because of the many links, websites and certifications, so be patient. The list is not exhaustive.
Where and how does one get into this field? Now that we've established what it is and why it's needed, let's talk about the different ways you can get involved.
I've broken this section down by type of education and type of work, with links included within each section. Let's start with the education path, which splits into an academic path and a certification path.
A cyber security career can follow one of two paths: technical expert or governance/management leadership. The two paths intersect at different points, meaning some skills are foundational to both. Both can lead to fulfilling, challenging, and lucrative opportunities. Let's start, in no particular order of importance, with governance/management leadership.
Governance/management leadership within cyber security means that these individuals focus on aligning business strategies and policies with information security policies. On this path you develop an understanding of the policies and procedures, laws and regulations that drive people within an organization to behave a certain way, and in some instances you write some of those policies and procedures yourself. You regularly interface with senior business management and, depending on your level, the board of directors, who, by the way, determine whether a CEO keeps his or her job. Here are a few certifications that fall within the governance/management realm. This is not exhaustive, but these are the most common. Please comment if I've missed some.
CISSP - Management - A certification that validates that you can design, implement, manage, and report on cyber security programs and frameworks. Typically obtained by CIOs and information security officers who must report to business leadership.
(source: https://www.isc2.org/Certifications/CISSP)
CISM - Validates expertise in information security governance, incident management and general risk management. It is similar to the CISSP but geared toward governance, whereas the CISSP goes further into nuanced and esoteric technical details. In both cases those details are translated into business risks, and recommendations are made on that basis.
(source: https://www.isaca.org/credentialing/cism)
CISA - A certification that demonstrates a person's ability to audit, control, monitor and assess an organization's information technology and business systems. Auditors normally obtain this certification to validate their understanding of system controls in the context of the business.
(source: https://www.isaca.org/credentialing/cisa)
PCI - Qualifications that demonstrate a person's ability to recommend and validate requirements for PCI compliance. In short, the PCI Data Security Standard (PCI DSS) is a standard developed and managed by the PCI Security Standards Council, which was founded by the major credit card brands; any merchant that stores, processes or transmits cardholder data must comply with it, and the way compliance is validated depends on the merchant's transaction volume. These qualifications are geared toward data security best practices and solution recommendations, and less toward hacks and malware. The PCI standard and its qualifications come in different flavors: for example, you can be qualified as a Qualified Security Assessor (QSA), an Internal Security Assessor (ISA), or an Approved Scanning Vendor (ASV), each of which assesses and validates compliance and helps merchants successfully implement PCI standards and solutions.
(source: https://www.pcisecuritystandards.org/program_training_and_qualification/)
Again, there are others that lean more toward governance, but these are the more common ones I've come across in my experience. Now let's talk about the technical expert route.
Individuals in this domain have a very deep understanding of networks, operating systems and databases, know one or more programming languages well, and are constantly hunting for (and sometimes discovering) new vulnerabilities. They understand technical details that very few people in the business know or could understand, and they can build offensive and defensive cyber security tools, for instance to analyze massive amounts of data and find patterns. The certifications I noted above are assessed by written exams, many of them built around case studies that test a candidate's understanding of concepts in the context of a business scenario. Several of the certifications listed below also require practical, hands-on exercises to achieve certification.
CSX-P - Cybersecurity Practitioner. This is a relatively new certification developed by ISACA (probably to compete with the C|EH or GIAC, which I will explain later). ISACA describes it as the "first and only comprehensive performance certification testing one's ability to perform globally validated cybersecurity skills spanning five security functions – Identify, Protect, Detect, Respond, and Recover – derived from the NIST Cybersecurity Framework." In other words, candidates have to demonstrate cyber security skills in a live, proctored, virtual environment. The exam has no multiple choice questions, just graded tasks.
(source: https://www.isaca.org/credentialing/csx-p)
CompTIA (Network+, Security+) - This is where it begins for most people. Security+ "validates the baseline skills necessary to perform core security functions and pursue an IT security career." The focus here is on implementing system architecture and security features.
YouTube video on CompTIA Security+ full course: https://youtu.be/O4pJeXgOJDs
https://www.comptia.org/certifications/security
C|EH – Certified Ethical Hacker - certifies that the individual understands the latest hacking tools, techniques, and methodologies used by hackers and information security professionals to lawfully hack an organization.
https://iclass.eccouncil.org/our-courses/certified-ethical-hacker-ceh/
Please note that the EC-Council offers many more technical trainings and certifications. You can take a look at the full list here:
https://iclass.eccouncil.org/our-courses/
CPENT - Certified Penetration Testing Professional - Another certification from the EC-Council, and the next step after one gains the C|EH. This certification validates that you have both the theoretical knowledge and the practical, real-world skills to perform a penetration test on a network. Earning it means you know how to write your own exploits and penetration testing tools.
OSCP - Offensive Security Certified Professional is an ethical hacking certification offered by Offensive Security that focuses on teaching candidates penetration testing methodologies using the Kali Linux distribution. Source: https://en.wikipedia.org/wiki/Offensive_Security_Certified_Professional
https://www.offensive-security.com/courses-and-certifications/
GIAC - Global Information Assurance Certification, founded by the SANS Institute. These are well-renowned certifications, particularly within the government and finance sectors. They are also more expensive than the other certification options and offer many more sub-paths, which can get overwhelming if you're not sure where to start yet, which is why I put this last. Here is the roadmap, as there are many paths within this segment:
https://www.giac.org/certifications/get-certified/roadmap
A more detailed breakdown is here:
https://www.sans.org/cyber-security-skills-roadmap/?msc=hpslider1
Again, this is nowhere near an exhaustive list of technical certifications, but these are the more common ones.
Let us stop here. Wow... you got through this post. Congrats! Next, let's answer the final question of how you become successful in this field. The punchline: keep practicing, because books can only take you so far.