Where do I go from here?
Some prefer to stay technical; others want that feeling of advancement in their careers, up to the old mahogany row, or the C-Suite as it’s known today. How to get there seems to be the bigger question and challenge. In one of my other blogs, “The daunting question”, I referenced the easiest way to get to the C-Suite, and that was through creating your own business. While that is the easiest for some, others don’t want that burden of starting a new company or don’t have the inclination or admiration to start a business.
So what’s your roadmap? That all depends on your desire and end goal. Cyberseek.org recently published an excellent piece on cybersecurity roadmaps for people who don’t know where to go or what they could specialize in when they first start their IT career. Just like every other career field, even cybersecurity has a “Feeder” piece to it. Not too many people can walk straight out of nowhere and into a security position without some feeder position or background in security.
Below is Cyberseek’s “Cybersecurity Career Pathway” for your convenience. My personal pathway was very similar and is still moving in the direction that I think it should.
While salaries vary from location to location, any decent cybersecurity engineer/architect/consultant can easily obtain a six-figure wage, given they can show considerable knowledge in security and are able to back up an employer’s decision through experience and certifications.
I strongly recommend anyone trying to get into the security field start with some computer programming skills, as this becomes a necessity later in your mid-career and helps out tremendously when needing to break down or take apart programs and review scripts. Additionally, it helps when conducting IRs, pentests, and audits, for you can review and understand the functionality behind the application in some form or fashion.
I get asked all the time where I started, and I know it’s not feasible for all, as a time machine would be needed, but I tinkered with everything when I was a kid. An Atari 2800 called to me when I was only five years old, but that soon ended when I poured juice boxes on not one but two Atari systems, making it pretty much impossible for my parents to obtain another one. From there I went through a dry spell of sorts, as computers were on the rise and rather expensive, and reviewing the pictures in the JCPenney catalog was the best option I was offered. After what seemed to be a century I obtained an old 286 computer from my dad that he bought from the school as they were getting rid of them. (Pentium I and IIs were on the rise.) Shortly after, we obtained a 386 and a 486. The 486 became my computer for about 2-3 years, or until the first Pentium 4 came out. However, the older 386/486 machines were my most significant stepping stone into computers outside of the Atari, as they required me to run MS BASIC and the first few renditions of Windows 3.0 – 3.x.
While I initially started from the Atari and the older 286/386/486 systems and gained much valuable knowledge, fully understanding computers and networks didn’t come till I acquired that Pentium 4 and was finally able to see how computers and networks operated and talked to one another. It also led me to creating my first few malicious pieces of malware and obtaining the old RAT tool SUB7. Yes, script kiddie is my background, but everyone starts somewhere; from there I just built my knowledge year after year. Initially, joining the Marine Corps gave me another dry spell of almost 2 years, but that shortly changed and led me back into computers and quickly into managing servers/networks abroad. From there I was self-teaching, learning every piece I could, which eventually led to superiors asking me why I was in the Infantry field and telling me that my talent was being wasted. The rest is history.
So for anyone trying to get into cybersecurity: start with the basics or at least some sort of programming, take things apart, figure out how they work, tinker with electronics, and self-teach. From there, when you have a good understanding of how systems communicate with one another, get some formal education, or mix the two, but get some security certifications to show you have some knowledge of cybersecurity. Experience is vital and can never be replaced.