We recently asked our members who volunteer to engage with the ISC2 blog about their entry into cyber and what advice they have for those interested in joining the field. These stories help us see a few unique career trajectories and how they are navigating entry and gaining experience in the cybersecurity industry. In part one of this blog, we are sharing stories from members with three years or less of experience in cybersecurity.
Do you have advice for incoming cyber professionals? Weigh in on the ISC2 Community conversation “How to start a career in cybersecurity?”
I found my first position at a college placement fair. I began working as a software engineer building a digital security platform. My main role was to design the backend for secure authentication and authorisation for mobile apps. It was more of a software developer job, but I had to learn a lot about security concepts to be able to design and develop systems.
While working as a software engineer, I cleared GSEC and became an Associate of ISC2. My first security role is the one I hold now, Senior Cyber Security Specialist at Cyble, a dark web monitoring and cybercrime mitigation company based in Atlanta. I had about two and a half years of experience as a software engineer when I started my first cybersecurity job. I found this job through LinkedIn, and my first job and certifications helped me land it. In my current role, I have the opportunity to work in all the security domains like Risk Management, Network Security, Secure Software Development, Software Testing, User Awareness, etc. I read about these domains when I was preparing for my CISSP exam, but this role allows me to implement the concepts in real life and in a challenging environment.
My advice to someone starting in cyber is to begin as a generalist; don't start with a trending niche. Learn the basics of everything under cybersecurity's purview, find your interest and then become a specialist. Don't study for the certification just to pass the exam; understand the concepts. Remember, certificates get you an interview; a deep understanding of the foundation, passion and willingness to learn get you the job. Connect with people who are already in the field; people are willing to help you to get ahead in your career. Just connect with them and politely ask them for guidance. Do not be scared of a title. If you want to reach out to a CISO, just reach out. If you want to talk to a VP, just reach out. Don't be afraid to reach out to people, and more importantly, do not be afraid of applying for that job whose qualification criteria you do not match; just apply.
I was cautious of job descriptions when I first started looking for cyber positions. I did not apply to roles just because I did not check all the boxes. No one can check all the boxes. The recruiters are understanding enough even if you do not meet one or two requirements. As per my experience, what they are looking for is someone with a strong understanding of basics, a passion for security and a willingness to be a lifelong learner.
Prior to my first information security job, I had experience in the domains of networking/communications security, systems/applications security, auditing and cryptography. I had no cyber security degree or active certifications and gained contacts via the industry through networking and sharing my thoughts and work.
My first contractor position was to set up log management and log collection within a secure environment encapsulating Windows, virtual machines and databases. In this role, I learned that the field could get extremely specialized. This position meant learning a lot about the security events in general and a lot of in-depth learning of the specific Windows-based security events to monitor. That work also helped me start to gain an understanding that security needs to be able to work with other departments, such as legal or HR, in order to be applicable throughout the organisation.
When I first started freelancing, my rate was low. One of the hurdles to entry as a freelancer was learning how to properly set a rate, invoice clients, etc. During this time, it was hard to set aside a budget to pay for my own certifications because of the cost and time. I ended up getting book bundle offers for reading and relying on free resources to learn. I also looked out for free workshops; for example, when a learning centre wanted to trial out their all-day DevSecOps workshops, I signed up.
I was self-employed for personal reasons, but if I could change my approach to entering cyber I would seek my first full-time cyber position within a company. I would also try to see if there were any more particular cyber security domains that would interest me early on, as in the beginning I wasted my own money on certification programs, not ISC2 related, and I ended up not pursuing that particular domain.
KimThanh Liauw, CISSP | United States
Prior to my first role in cybersecurity, I had seven years of IT experience, where I started from the bottom up, from IT Supported Coordinator to Support Specialist. I was with NTS when the IT Director saw my drive to be in security and he promoted me to Information Security Administrator. I already had a small understanding of the field prior to holding the position as I graduated with a B.S. in Information Security. However, thanks to holding the position, I was able to lead and work with consultants on cloud implementations, which opened up my knowledge more on cloud security.
My advice for those starting out is not to be afraid to start from the bottom of IT. You can't do security if you don't understand the basics. It takes time to understand and really get the full grasp of how things are interconnected. I still don't know everything, and I don't think anyone does. However, you need a foundation to build on.
I would not change anything about the way I transitioned into cyber; it helped me get the position without having connections or a certification. I encourage you to keep researching and keep learning. Security and IT are constantly evolving. When you stop learning, you will become out of date and will not be able to secure the environment.
If you or someone you know is interested in taking the first step toward a career in cyber, visit the How to Get a Cybersecurity Job page on our website. In this virtual guide, we lay out five components to a successful cybersecurity job hunt.
To get your career started and prove to employers you have the problem-solving skills, strategic thinking and the drive to be a successful cybersecurity professional, register for FREE Entry-level Cybersecurity Training + Certification Exam today!