GUIDE: How to start your Cyber security journey ?

Your main guide to Cyber career

"I am an early or mid-career individual undergoinng skills conversion. How can I move to information security ?"

Don’t hesitate to bookmark this page  .

People who usually join PHACK are those who:

  • Are interested in cyber security, but worried that it is harder than coding
  • Want a job in cybersecurity but don’t know if it is the right choice for them
  • See a LOT of “Security Engineer” job offers, are very interested but don’t know how they are different
  • Apply for job offers, but  never get any answers and need help
Purple Hackademy is here to help you. We prepared a detailed guide for you, explaining how to start your cybersecurity journey.
Navigation

Starting from Scratch

If you decided to get into Cyber Security, it is probably because of a good salary, lots of job offers and to become a Hacker. 
If you have absolutely no experience, that’s ok!

Cyber jobs are not only about “how to hack this website?” even it is fun and self satisfying. First, you will choose between 2 main branches: red team and blue team.

  • Red teams are offensive security professionals who are experts in attacking systems and breaking into defenses.
  • Blue teams are defensive security professionals responsible for maintaining internal network defenses against all cyber attacks and threats. Red teams simulate attacks against blue teams to test the effectiveness of the network’s security. 
These red and blue team exercises provide a holistic security solution ensuring strong defenses while keeping in view evolving threats.
 

There are tons of free resources at Purple Hackademy, that will give you the basic knowledge. You just need to start with the fundamentals in Windows, Linux, Network, Cloud and Security.

After that you can move to Penetration testing, Governance, Risk & Compliance (GRC), Network Security, Identity Access Management (IAM), Incident Response (IR) and Forensics are all very rapid-growth areas of security that need great talent as well!

 

GRC offers recently positions for analysts, and sometimes pay slightly higher to meet that premium.

A good GRC analyst is incredibly important to the business side of Information Security, because it requires the ability to translate technical cyber concepts to business value.

Popular jobs

A Penetration Tester, sometimes known as an IT Pen Tester or Ethical Hacker, is normally responsible for probing for and exploiting any IT security vulnerabilities in a clients IT networks, systems and websites.
The fun bit of this job revolves around the ‘ethical hacking’ of the target systems but you also need to produce a professional report for the client.

 

This job may involve developing automated penetration scripts, and using off the shelf tools, to penetrate web based applications, IT networks and computer systems.
The role encompasses the simulation of real world cyber attacks, reporting on results in order that the organisations can use the outputs from the penetration testing in order to improve its IT Security.
The Penetration Tester will need to produce a comprehensive report showing where these identified weaknesses are with suggestions around how to mitigate against them in future.

 

Responsibilities may include:

  1. Planning and performing relevant penetration tests on computer systems, networks or web-based applications.
  2. Designing and implementing new penetration testing tools and techniques that can be deployed during Penetration testing on behalf of the client.
  3. Conducting a physical security assessment of an organisations systems, including servers and networks, ensuring that any unauthorized external physical interference is not possible.
  4. Pinpointing the methods that attackers would use to gain access to the clients systems and underlying data, identifying exploits and weaknesses within the organisations IT Security defences.
  5. Uncovering inadequate security practices, password policies and other human errors using social engineering techniques. Recommending processes and procedures to mitigate against human error in future.
  6. Ensuring that file, directory and login permissions are restricted to those that need access to them and no one else.
  7. Collate all findings together into a formal document with the report highlighting all issues uncovered together with recommended remedial actions that should be taken by the client.
  8. Present the penetration testing findings to all interested parties such as senior IT management, directors and their impacted teams. Explaining the details of the individual findings, where required, and your experience and recommended next steps.
  9. Highlight the project scope and requirements necessary for the organisation to patch, fix and isolate any of these newly discovered IT security flaws. Training, or indeed re-training, of the impacted systems users, may also be necessary. This work should take place alongside the creation of new documentation supporting both new and existing systems going forwards.
  10.  Recommending a process of penetration and vulnerability testing that the organisation could carry out themselves in future. Penetration and vulnerability testing of the live or production environment on a regular basis is necessary in order to maintain a secure environment as new threats and exploits emerge.
  11.  The Penetration Tester should be able to verify the client’s remedial actions, providing feedback and verifying their fixes to any highlighted security issues. Often a final Penetration Test will be necessary to confirm success!

Learn about underlying technology and business models. You want to understand how businesses operate so you can protect them and ensure new regulations don’t hinder company innovation. Grab some good business books and gain business exposure by learning from executives and managers with real-world experience. Study industry best practices , like those from the Center for Internet Security , as well as regulated standards like HIPAA PCI-DSS DISA STIG ISO 27001 SOC2 to understand how to make your organization compliant without negatively impacting productivity.

 

Security Consultant – This position will help you gain experience working in IT or IT security , so you can understand the business and broaden your horizons. If you decide that you want to stay in consulting, research what big companies are doing, technology they use, and regulations they’re subject to, then learn how to manage these for them.

SOC Analyst is responsible for monitoring, reporting, and analyzing security incidents reported by our SOC team.

The primary role pertaining to this position is to manage and provide weekly reports for the security incidents, manage the potential security incidents backlogs, analyze and investigate the incidents, monitor the analytics tools and perform alert management and initial incident qualification. He or She  will work in a transversal manner  with SOC , IT security  and IT infra teams.

 

Missions expectations

  • Experience with an enterprise-grade SIEM platform (i.e Splunk).
  • Experience in Security Event analysis & triage, incident handling and root-cause identification, and security tickets management.
  • Specialty in one or more of the following Information Security domains: Cyber Intelligence Analysis, Threat Monitoring, Incident Response, Machine Learning & Artificial Intelligence, Malware Analysis, Computer Forensics, Endpoint Protection, Network Security, Infrastructure Security, Application Security, Platform Security, Identity & Access, Management, Security Education & Awareness, Vulnerability Scanning & Management, and Compliance & Risk Management
  • Excellent team-working skills, and a “can do, let’s get it done” attitude is crucial.
  • A desire to keep learning, extending your skills and pushing the boundaries of your knowledge.

Responsibilities

  • Prioritizing and differentiating between potential intrusion attempt and false alarms.
  • Examples of incidents involve unauthorized access, suspicious services, malware identification, etc.
  • Work within, and ultimately help shape, our response framework for globally scalable cyber defense
  • Provide technical guidance to client organizations to correctly gather relevant data, analyze and respond to cyber security incidents.
  • Contributes to the development and improvement of SIEM control policies.
  • Apply broad security industry, technology, business and professional knowledge to contribute to policy-making and process design.
  • Correlate threat intelligence with active attacks and vulnerabilities within the enterprise.
  • Research and stay current on the latest trends, best practices, and technology developments.
  • Facilitate the integration of threat and data feeds for the purposes of incident response.

Develop and document a standards compliant security framework that can be applied to secure architecture reference models across multiple software products/development teams in distinct geopolitical regions.

Continuously improve, document, and support development teams on the secure deployment tool chain in SaaS and associated processes, moving towards more automation and shorter turn-around times.

Work across multiple development teams to implement and train deployment engineers on how to effectively architect both cloud and on-prem software solutions

  • 5+ years of security work experience in an engineering or software development discipline
  • Focus on computer science, computer engineering, information sciences, information technology, or engineering field with specialization in cyber security.
  • Experience with virtualization and configuration of IaaS, PaaS and SaaS environments and associated software development environments using Microsoft Azure and/or AWS
  • Network Security – can create a local lab network consisting of various components. Deploy services like LAMP (Linux, Apache , MySQL, PHP) stack and research how to secure each element.

    While building, can analyze what issues can arise during configuration and maintenance so you know what to avoid and how to test them when sysadmins hadn’t the time, interest or knowledge to do so.
    Then, focus on PTES (Penetration Testing Execution Standard) Technical Guidelines to discover ways in which penetration testers and hackers can attack your network. Reverse engineer their methods to build proper defenses against future attacks.

This narrow specialization requires focus in at least one field. Become proficient in at least one programming language, framework , and operating system. Then focus on a narrow set of functions in a given product or service. Examples include studying assembly , C programming language, learning how video transcoding works, and identifying weak spots in a library such as FFmpeg.

Software engineers often become security experts. Be proficient in at least one technology stack, then apply all relevant security knowledge to making products safer. Strengthen security across your organization, responding to the demands of your colleagues and customers.

Web App Security Tester – Learn how to code. It’s not necessary, but it is beneficial and it’s usually what separates wannabe experts from true experts. Learn how software stacks work and get a handle on web programming languages like Java, php and their respective frameworks. To break something and improve its resiliency afterward, you should understand how it all works. Once you review all the OWASP resources, you’ll know what to do next

Cryptographer/Cryptoanalyst – If you want to become an expert in this field, I recommend attending a university with strong mathematical and cryptography programs. This is a fascinating field that requires prior and substantial mathematical knowledge.

Chief information security officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected There are also many other jobs (around 50 specialities) like SOC analyst, Digital Forensics, Threat Hunter etc…

 

There are many jobs within cybersecurity that require specific technical expertise or qualifications.

 

However, there are as many cybersecurity ‘adjacent’ roles or generalist roles where some knowledge of cybersecurity is needed to perform the role, but cybersecurity technical skills are not required. If, for example, a company requires someone to run cybersecurity training and awareness within your organization, this typically does not need a cybersecurity qualification, but rather the emphasis should be on competencies needed to develop and manage effective and efficient training.

 

Technical skills are not always the most important needed by hirers. That’s why we have analyzed hundred of job offers to assist you to learn ONLY what you need to get the job that MATCHES your profile.

Experience

Experience is a bit of a wild card sometimes, but still quite helpful. There’s something about knowing I can hand off a project to someone who can run with it autonomously that I absolutely LOVE! However, this is usually more indicative of a level 2 or 3. Experience for a level 1 is usually gathered in non-security positions. Help desk is the perfect place to start — Network/Server engineer, Systems Administration, and any type of infrastructure (Linux, Windows, etc) are incredibly helpful as well. For instance, if you understand networking, you can learn to understand the vulnerabilities quickly — but often, the learning curve isn’t security, it’s learning the networking portion! This applies with applications, protocols, bash, Python, and just about anything else. Therefore, any IT experience is really helpful. Definitely put it on your resume (more on that later).

The first step is to start somewhere, learn, practice and make experience. You would start with either TryHackMe.com or by checking out some books in your local library for the Security+ exam. (Note that the Sec+ has other requisite knowledge as well, such as the Network+). Put a plan together, or find a mentor and ask their help putting a plan with some resources together.

You can learn an awful lot from TryHackMe.com,

Soft skills in security

What do the hirers expect from you ?

  • Being rigorous, autonomous and have a sense of responsibility.
  • Your ability to listen and communicate is an asset in the follow-up of exchanges with the various project partners.

Completing your career path at Purple Hackademy in a limited time (full time learning if you can) will help you to become rigouros, as you will respect our deadlines for each module.

Autonomous can be acquired thanks to the exercices where you will practice with us, and get our certification as an achievement.

Education

The need for formal education is strongly debated within the community, with strong arguments on both sides.

Indeed it is always helpful to have formal education. Some companies have said they don’t require it — but that doesn’t mean it’s not a “plus 1” either.

For a level 1 position, a Bachelor’s (or at least an Associate’s) in some sort of Comp Sci discipline. because obtaining a BS tells that you’re capable of staying focused long-term and have at least demonstrated knowledge that meets some sort of minimum criteria of the subject matter.

Is this true in reality every time? Of course not and you be hired people without them.

To be clear, an education rarely factors into the actual hiring decision. But it factors heavily into the interview decision (meaning if you don’t have one, you’re less likely to get an interview. But if you get past the screening stage and land an interview, it’s an even playing field to me).

No offense to the self-taught here, but if a Hirer is staring at 100 resumes, he has to find some sort of filter to reduce it to a manageable level.
Naturally, I will going to look for the most qualified. All other things equal, this is not ideal filtering — but it’s still the best method out there is to to sort out the top 10.

The problem is that nowadays HR are using bots to make pre-screening easier by incorporating analytics to make predictions about candidate fit and quality. So if you don’t know how to build your curriculum, you will never selected during the pre-screening phase !

Event you don’t have a degree, it is still possible to HACK the HR process and being screened, then selected… with an “Hack The HR Bot” strategy, meaning identifing the key skills and acquiring them to pass the pre-screening phase, going through the screening phase and get the interview.

That’s why Purple Hackademy is the right place for you, because you will learn any of those skills:

  • Starting a github, blog and creating valuable, shareable content
  • Have submitted exploits on Public exploit repository websites
  • Creating social media content about security
  • Writing at least ONE white paper or ebook
  • Podcasting
  • Running webinars
  • Joining relevant forums, groups and subreddits
  • Influencer Security marketing
  • Have built Scripts & tools

Mandatory Rules to Follow before Applying

If you don’t have any of these three, don’t start applying yet. Instead, review the “Starting from Scratch” section and spend your energy wisely by preparing for your first certification and building the foundational knowledge. Keep in mind that it often takes a year or two to get ready for the first entry level role, depending on one’s time and motivations.

It’s better to apply for 10 jobs correctly than 100 jobs incorrectly. Or you will just lose your motivation & energy.

Finding Opportunities

The best time to find a job is before you’re actually looking for one.

Networking/building relationships is the best method to finding a good job by a WIDE margin. A few hours ago, a friend of mine texted me that a very good company had about a dozen openings, and they’re paying referral fees to existing employees to help fill them. The more people you know and talk to, the more likely you are to come cross these sorts of scenarios.

The best way to BEGIN marketing yourself and networking, if you haven’t already, is FIND A MENTOR! Mentors can help you set appropriate expectations, put you on the right path to success, and help you understand what to do to position yourself for success. They can also help you eliminate your blind spots and prepare for interviews, as soon as you can show them your motivation with “actions”. And not onlye “Please help me, I want to do my career…” Show them how they are special for you and how you could help them too !

If you don’t have a mentor, or can’t find one, LinkedIn is a great place to start. Local groups (like SecKC) are also fantastic places to meet, and there’s almost always some sort of mentoring branch present there. Find someone who is where you want to be in 5 years, and ask them how they earned that position — people love to talk about their successes.

Next to networking, LinkedIn has a ton of openings. LinkedIn is beneficial because they are both social media AND job board. Indeed, Dice and others are also good places to search. When looking however, it is better to take your time and spend a good amount of time researching the organization and crafting your resume specific to that opening. Creating a “streamlined” resume for ALL applications and re-using that same resume is one of the worst strategies. Sure, it saves you time — but you will be hard pressed to find a recruiting manager who wants a “streamlined” resume.

Building Your Resume/Application Process

Resumes should be as unique as the individuals. It’s important to never lie or be dishonest, but always represent yourself in the best possible light. It is incredibly important throughout your entire career to learn to market yourself, and if you don’t know how, the resume is the best place to start.

Here are a few rules that are almost universally accepted:

  • Resumes should be on average 1 page per every 10 years or so (you can do 2 pages if you’re close, at around 7 years)
  • Be creative in formatting, but be sure it is still clear (don’t go too far with distracting formatting or visuals)
  • Tailor every resume you submit
  • Be specific in your former duties
  • Use bullet points, not complete sentences
  • Understand how keywords work on resumes, and be strategic (read: not obnoxious) about using them.
  • If you meet 1/3rd or more of the applications criteria, apply anyway
  • (This is security-specific): Do NOT put your address on your resume. Email, LinkedIn URL, blog, hobbies. 

 

Another important note is that when you are searching, be specific as to what you want. There are a LOT of “Security Engineer” roles and they vary pretty wildly. Think of it more like spear-phishing or whaling than spamming. (If you don’t understand the analogy, spear-phishing/whaling takes more time and is very targeted towards a few specific individuals. Spamming just blasts everyone). Each application should be a slightly different resume, based on the job descriptions and requirements.

When you write your experience into your resume, make sure you find the security-related concepts and highlight them. Did you reset passwords in a help desk role? Cool, you have IAM experience. Resumes are all about positioning.

Finally, understand that applying and interviewing is a 2 way street. Never get emotionally invested into a job you haven’t even been offered yet. The cybersecurity job market is still hot enough that you should be screening them, too. It’s better to apply for 10 jobs correctly than 100 jobs incorrectly. Think quality over quantity.

The Interview

The interview is, obviously, the best place to really seal the deal, so avoid all traps.

Most interviewing advice is common sense, but there are still occasional pitfalls that need to be mentioned.

First, be prepared. OSINT the company (meaning research them, understand what they do, etc). Bring with you some sort of writing portfolio and a pen, even if you don’t plan on using it. While you’re talking, write things down that stand out to you. Taking notes makes you seem more enthusiastic, interested, and organized.

 

I’ll start my advice here with the obvious:

  • Dress professionally. This should be a minimum shirt and tie (or the female equivalent of blouse and slacks or a dress). If you are able to beg, steal or borrow a blazer or suit coat, do so. Appearances matter!
  • Listen carefully to the interview questions, and ask clarifying questions
  • Smile a lot. People want to hire people they enjoy being around.
  • Think before you speak — be sure to actually answer the question being asked
  • Don’t ramble
  • Don’t be on time — plan on arriving in the parking lot 20 minutes early and walk in 10 minutes early. If the interview is remote, log in 5 minutes early.
  • If it’s an in-person interview, bring enough copies of your resume (printed on card stock) for everyone to have one, PLUS 2 extras. If you want to do even better, put them in a portfolio. This is guaranteed to leave a lasting, positive impact — even if they never read your paper copy
  • Be honest in your responses. Not every job will be for you. Don’t make a square peg fit into a round hole
  • If there are more than 3 interviews for an Engineer 1, withdraw from the candidacy (except for clearance level jobs). You don’t want that level of bureaucracy. Even 3 interviews is really too many for a level 1.

 

Finally, always ask questions at the end. It’s better to prepare them in advance. Many people are too nervous to do this — but it actually shows the interviewer you’ve done your homework and you care. More importantly, it tells the interviewer that you’re careful about where you want to be, and have put more thought into this decision than “I’ll just go with whoever makes an offer.” This universally commands a little more respect.

The Hiring Decision

To understand how hiring managers hire, understand that there are really 3 core attributes that most leaders hire for. The exact percentages of how each hiring manager weighs those attributes certainly differ, but they are all important.

  1. Hard/Technical Skills. These are often determined by the triad mentioned above, but in most interviews, I need to see the proof that your resume is accurate. I like to start with basic technical questions (what are some common services, and what are their associated port numbers) and gradually become more difficult until I ask questions that they are not able to answer. This is for me to find out exactly where they are technically so I can understand how much (or how little) they need to learn to be a contributing member of the team.
  2. Soft/People Skills (Emotional Intelligence). Are you easy to get along with? Are you able to communicate with others who disagree with you without being abrasive? Can you demonstrate some level of empathy towards others, and accept the possibility that you need to listen to problem solve instead of explain? These are incredibly important questions even though they have nothing to do with malware or incident response. You can teach someone how DHCP works — you can’t teach them to not be a jerk to their co-workers.
  3. Coachability/Learnability/Initiative. This one really is sort of personality-based, and is difficult to put into words. Some people are great workers bees, but are not interested in tackling new skills. Some people are zealous, ready to take on whatever training you can throw at them and learn new stuff to bring back to the team. If you take things personally, are defensive, difficult to coach, or unwilling to admit error, this job probably isn’t for you. This is not the same as soft skills — those are actual skills, this is more “outlook” or “personality” if you will.

I personally play the long game, so I place the greatest emphasis on #2 and #3. I’ve worked with many managers who prefer #1. There’s no right or wrong answer — but ideally, a GREAT candidate should be well-rounded in all 3. A lot of this will depend on the individual position as well. If I am hiring a contractor for a 6 month contract, I’m going to place a greater emphasis on #1.

The Hiring Process

The hiring decision might take some time. Believe me, I’d fix it tomorrow if I could, but it just doesn’t work that way. Know that the hiring manager WANTS to make an offer to someone just as badly as you might want to receive it. Please know that there are often roadblocks that a hiring manager faces to making an offer that they are not able to explain. It’s not ideal, but sometimes just works out that way and it can’t be helped.

For instance:

You apply on Monday.

Wednesday, a recruiter emails you to set up a phone screen Friday, and afterwards sets up an interview for the following week (remember, a recruiter is fielding 10 different positions with 5+candidates each, so it takes a few days to review applications. Reasonable, right?) You interview the next Wednesday with the hiring manager, and knock it out of the park. The hiring manager may have already made their decision to hire you but they can’t just yet. If you’re lucky, you’re the last of the 3–5 candidates that were interviewed in that first round, and they can make an offer next week (extremely unlikely after 1 interview. Even if I know who I’m going to hire — and I usually do — leadership and HR rarely allow this to happen). More likely, the pool of candidates shrinks from 5 down to 3, and there’s a second round of interviews during week 3.

Many organizations require a minimum of a second interview with another manager — perhaps the manager’s Director or Assistant Director. This is slow but understandable, as I have seen some really bad hires and they’re bloody difficult to move out once they’re hired. This adds an additional layer of scrutiny to make sure the right candidates are hired. Your follow up interview is the Friday of week 3. After all, the Director’s schedule is pretty busy, and that’s the only time he has.

At this point, you’re in the end of week 3. You likely have 2 other competitors, who also have to interview. Candidate B can only do Tuesdays due to child care (IF you want an employer who cares about these things, you do have to acknowledge this is a reasonable accommodation) and the following Tuesday (week 4) the Director is gone for an on-site walk through of the Data Center, so that pushes it out to week 5. The hiring manager still wants to hire you, but can’t tell you that as it might be perceived as discriminatory. So you have to wait for Candidate B and C’s schedules to align with the Director. After 5 weeks, the hiring manager and recruiter have made a decision to hire you. The package is put together at the end of week 5, and goes out to the VP of HR for signature. VP needs a day or two to review it, so finally, by Wednesday of week 6, they sign it and the formal offer goes out.

While this is a little long (6 weeks is truly ridiculous) it’s really not that uncommon. For what it’s worth, most hiring managers hate it just as much as the candidate. Chances are, they need someone NOW!

 

Certifications

This will vary widely, depending on the position. Again, we’re assuming SOC Analyst 1 or something similar.

CompTIA’s Security+ is virtually a requirement. If you don’t have at least this amount of knowledge, you will likely struggle to get any sort of traction. I won’t hire anyone who doesn’t at least have this certification or its equivalent in education/experience… and they must be able to demonstrate equal knowledge orally in an interview. The Security+ is a good certification considering it requires a lot of other pre-requisite knowledge as well, but that still leaves a LOT of room to learn before being a competent, functional analyst. The Sec+ is often enough to get your foot in the door.

CySA+ is a better target for Analyst 1. Someone who has the CySA+ has proven that they are one step beyond the Sec+ material, and understands concepts that are more important to Incident Response and basic defensive principles than the Security+ alone. Having the Security+ and CySA+ would position most people well for an entry-level role.

CCNA, PenTest+, CASP+ and any SANs training are also good, but they’re really overkill for a level 1. CCNA and PenTest+ are not directly relatable (although more knowledge is always better) and CASP+ is closer to 2/3 level roles. CISSP is also a more level 2/3 role, but the CISSP is not technical and is geared more towards leadership. If you have questions about other certifications, drop a comment and I’ll update this with my thoughts on that cert!

Don’t bother with the CEH (unless it’s part of a degree curriculum). That’s a blog post of its own, but the security community as a whole does not really take the CEH seriously anymore. They are ridiculously expensive with a very low return on value. The PenTest or eJPT is the same material, (the eJPT is much better IMHO) and much cheaper.

Conclusion

Breaking into an entry-level cybersecurity position can seem daunting, but the key is to understand that nothing worth doing is done overnight. It takes months to build the knowledge, and it will likely take months to get your foot in the door from your first application. Be prepared, be targeted in your search, and you’ll find a good opening that will work fork you

Open chat
Hello 👋.
Tell me, how can I help you?