One of the most common questions I get asked, and a question I also find myself asking, is “What certification do I need?” or “What skills do I need?” to get into cyber security. In an environment that appears to change at breakneck speed, new techniques and methodologies seem to appear every day, and it can seem daunting to keep up with all these changes.
In this post, I will be addressing the new graduate or someone who is thinking of changing careers. I will be sharing from the point of view of a security enthusiast who did a career change into cyber security.
Here is a quick outline of the path that I took into cyber security. I graduated with a Diploma in Information Technology, final year specialisation in Game Development. I did game development for a while before joining a law enforcement organisation where I served for just under 8 years. During this time I took up a part-time Bachelor's Degree in Computer Science and Cyber Forensics. Parallel to that I attained my CEH and CHFI certificates from EC-Council. Upon graduating I joined an MSSP as a SOC Analyst before becoming a NOC Engineer. And as of writing this post, I am now working as a cyber security researcher and have attained the ECSA from EC-Council.
The first thing I want to address is certificates. No other career field places as much emphasis on certification as a requirement for entry as the IT field, and especially so for cyber security. When taking a quick look at job descriptions, it would probably seem that getting a start in cyber security is hopeless, with a whole slew of certifications being listed as either a requirement or a “good to have”.
My advice would be to take such requirements listed in a job description with a large pinch of salt. Yes, such requirement lists are used by HR to quickly prune the list of candidates but at the end of the day, it is the interaction with the interviewer that matters. More important is, can you work with the team you will be joining? What do you bring to the team, in terms of skills and personality?
That is not to say that certifications are not important, as is evident from me having certifications myself. Certifications are used to show competency in a certain skillset at a certain level. That is why some, if not most, certification programs have tiers. The question is more about which certification makes sense for what you want to do. The worst decision would be to rush and take a certification course. Certification courses should be chosen after much consideration, especially taking into account the high cost of taking them, both financially and in time commitment.
When looking at certificates, plan out what it is that you want to do or achieve. Does the certification advance your career? Does it either validate your knowledge or skillset or allow you to gain new knowledge or skillset? Are you taking a certification because it is what all the cool kids are taking? When deciding on a certification, go through a list of questions to help you evaluate.
- What is the standing of the certification?
- What domain(s) does this certification cover?
- Does this certification help me in my current domain or the domain I aspire to?
- Does this certification help me in advancing my career?
- Am I validating my knowledge or skillset?
- Am I learning new things from this course?
- Is this certification vendor specific or vendor neutral?
From the above list, I would like to bring your attention to two specific questions: “Does this certification help me in my current domain or the domain I aspire to?” and “Is this certification vendor specific or vendor neutral?”. I will dive deeper into the first question when I talk about “domains” in a while. The question about vendor specific certification is a very important question that not many people are asking. Just like in the development space, having certifications in a specific programming language or technology stack means that you are an expert in that particular language or stack, and that most likely means that you have specialised in them. This can be a double-edged sword, in that it means you can command a higher compensation but only in situations where that specialised skillset is employed.
In cyber security, you would not be specialising in languages, but in using a particular suite of tools, software and hardware from a vendor or provider, both paid and open-source. Before you choose which vendor based certification to go for, do your research. Identify which vendor is the most prevalent not only for the domain that you wish to get into but also within the country you are going to be working in.
Notice that I recommend that you should find out what technology stack a country might prefer. Why is that? Well, it is because laws and politics unfortunately do influence, to a degree, which vendors are preferred over others. So if you decide on a vendor specific certification, make sure that it’s valuable where you plan to work.
A vendor “neutral” certification usually covers domain specific knowledge and skillsets that can be applied to any software/hardware stack that is being used. I would advise going for vendor neutral certifications first and then vendor specific certifications once you are on your way in your career.
Skillsets are another question that I have heard a lot about. When asked about considering cyber security as a possible career, a lot of responses point to the need to learn and acquire a lot of knowledge as a major stumbling block. There seems to be a fear that there is too much to learn to even get in and that once in, there is too much to learn to keep up.
My take on this is that you should not worry yourself into a corner. Yes, there is a minimum level of knowledge and skillsets needed, but that level is not as unachievable as many perceive. In fact some of you may already have the required skillsets, just that you are not aware that they are applicable.
There are two categories of people that I wish to address when talking about skillsets. The new graduate and the career switcher. Let’s address the new graduate first and then the career switcher.
If you are a new graduate, do not be afraid of your perceived lack of skill or knowledge. The breadth and depth of cyber security means that there is no possible way to be an expert in all of it. That is why, when we took a look at certifications, there are skill specific certificates which themselves are tiered.
The coursework that you have gone through is enough to get started in a career in cyber security, be it as a Tier 1 SOC analyst like how I started off, or as a security engineer, doing network and system installation and administration. The key is that you must learn, absorb and internalise what has been taught to you. It is this fundamental skillset and knowledge that will be the foundation for you to build upon and gain more advanced skillsets and knowledge.
For those looking for a career change, never, and I cannot stress this enough, never discount all the experience and knowledge that you have attained. Cyber security has so many domains and, believe it or not, there is a need for cyber security in the domain that you are already in.
Don’t believe me? Here are some examples. You are a network admin or sysadmin, or say a frontline IT support. You probably know more about the internal workings of the system than most cyber security people because you have to deal with it day in and day out. You know the quirks and edge cases. You probably had to deal with a weird case that you came up with a solution for. When responding to an incident, DFIR or CERT teams look for people in these roles when they reach the scene. Because if there’s anyone who can quickly guess where there is a hole or where things are, it’s them.
Are you a plant engineer? Do you do automation? Guess what the next hot thing is. It’s ICS/SCADA systems. OT works in a fundamentally different way than IT. You already have a huge lead in terms of knowing the operational needs and nuances involved in implementing security in industrial systems and plants. You understand that in industrial systems, physical safety and uptime are paramount.
So for those looking for a career change, perhaps what you are looking for isn’t too far from where you are now.
Lastly, let’s talk about domains. In cyber security there are many domains, covering endpoint protection and recovery, malware analysis, threat intelligence, social engineering, networking and so forth. Not only do the skills needed for each domain differ, but the same domain has different skillsets and requirements depending on the industry and field in which it is applied.
The needs and requirements of a legal IT system are different than those of a production plant. The compliance requirements when dealing with personal information of minors for a school system differ from those of a financial system. So there are many places where you can apply yourself, and you should not restrict yourself to the “traditional” roles.
So what do I mean by “traditional” roles? I am sure you have heard of Red Team and Blue Team. But having just two teams can be very narrow. The article “Infosec Color Wheel” introduces other roles in terms of other colors. When talking about cyber security careers, most would think of hacking. Well yes, that is one role, and the most well known in the public’s eye. But there are also those whose work is not as glamorous but is as essential, if not more.
There are the green teamers, who ensure that the services you rely on and use stay up and are available. They also ensure that the data you transact does not get stolen when in transit and at rest. There are the yellow teamers, secure coders who design code frameworks and best practices to ensure that applications are safe to use. There are the orange teamers, the counterpart to the yellow team, who test the code to ensure that it is not vulnerable.
Hopefully, in your search for a career in cyber security, you would look beyond the “traditional” roles and look out for opportunities in the other “colors” where you can apply yourself.
Now that I have come to the end of this post, I hope it has helped you in some way. Perhaps I have managed to help you decide on what certification to take or maybe hold off one that you had planned for. Perhaps I have helped you look at the skillset and knowledge you already have in another light. Perhaps I have shown some opportunities in roles you have never considered or heard of.
At the end of the day, everyone who is in cyber security has the same aim: keeping systems and the people who rely on them safe.
See you on the other side.
- Aelindgard