Have you been researching how to get into cyber security and are confused by all the options? Or are you wondering why some people are heavily in favor of one option over the other?
Well, there are many routes into cyber security and various reasons you should take one over the other. In this post, I will do my best to explain your options to allow you to better choose the best path for your life circumstances.
College is the classic recommendation for living the “American Dream” (for those of you in the U.S.); go to school, get a job, get married and get a house. This is also the expectation placed upon us by most of our families.
But is it necessary? Yes and no. School is one of those things required at big companies whose executives are stuck in the past. They just won’t look at you without that piece of paper that says you have a degree. Fortunately, those aren’t the only places hiring cyber security professionals these days.
I have worked with many people who just have a couple certifications and are really good. Actually, a good chunk of those people were college dropouts. They were passionate about infosec and didn’t want to waste time in college when they could be getting real-life experience.
This means many other companies are out there looking to hire people who just know their stuff.
Will finding a job be more difficult without a degree? Possibly. But you can still get a job. You need to focus on making your resume shine in other areas and killing the interviews.
Keep in mind the people I mentioned were insanely passionate about cyber security. They spent most of their spare time hacking and learning. If that’s not you, not going to school may be a little tougher route for you.
This is one of those contested items in the industry. Some people vehemently hate certifications, but one thing is certain: you will have trouble finding a job without one.
Almost every role you will apply to will list a requirement for one of several certifications: CompTIA Security+, CompTIA CySA+, CEH, GSEC, etc.
This is one of the must-haves. I am a strong supporter of the Security+ and CySA+ because they are specifically listed more than any other certification in entry-level job listings.
Whether you go to school or not, you need to pick one, study for it, and pass the exam.
IT experience is often listed in job requirements and is usually recommended as a starting place for many beginners. This typically includes positions at a help desk, internship, or repair shop.
The upside of getting IT experience is that you qualify for more cyber security jobs than those without it. This means you are more competitive as a candidate.
While you are working, you are also learning some things that may benefit you in the cyber security field.
I say “may” because not all IT positions are the same. I worked at a help desk for a hospital, and the issues were always the same: printers, accounts locked, software installs, etc. But other roles may allow you to learn more system or network administrator skills.
The downside of this experience is that you are not spending time in the field you want to be in. For every year you sit at a help desk, that is one year you are not in cyber security. This is a trade-off you must consider.
Another downside is that you may need to spend time studying for another certification like the CompTIA A+. Unfortunately, the cert doesn’t carry much weight in the world of cyber security. You will be spending time studying for something that will minimally impact your end goal.
Yes, getting a job without IT experience will be more difficult. But there are trade-offs that need consideration. Are you willing to sacrifice time working in a role that isn’t directly related to where you want to be? Are you willing to spend time and money on a certification you will only use during that role?
If you can get an IT support role without a certification, even better. Often this experience can come from an internship at school.
In pretty much every interview, you will be asked about how you learn independently or if you have a lab. Basically, the interviewer wants to know if you are invested enough in your career to learn on your own time. Most people rely solely on school, work, and certifications for knowledge.
If you don’t invest your spare time to study, it tells the interviewer you will be tough to train.
Brutal, I know. Infosec just has so much information that you need to know. Your job, certifications, and school can’t teach you all the knowledge you need to know. Instead, you must spend time exploring topics and filling in your knowledge gaps.
There is a big difference between reading about something and doing it. Think about it. How good of a doctor would you be without ever touching a patient?
In fact, most interviewers can tell when someone has merely read about it. The depth of your answer always shows how in tune you are with the topic.
This is the reason I share a ton of free and low-cost resources on The Cyber Union. It will set you apart from other candidates, and labs are imperative to your growth as a cyber security practitioner. I consider this a must-have.
Without gaining hands-on experience in a lab, even with a degree and certifications, expect interviews to be difficult.
Now we will get into the most common paths that I have seen people use to get into cyber security. Most of the time, when I hear about people breaking into the infosec field, it is by way of the SOC. So when I say Cyber Security, that is what I am referring to. There are other paths, such as engineering and compliance, but those are out of my wheelhouse.
Bachelor's Degree -> Internship -> Certification -> Cyber Security
This is probably the most efficient route if going to college is on your radar.
The efficiency comes in because you can knock out internships and your certification before graduating. The hard part, of course, will be finding internships.
Make sure to check with the department at your school that deals with work-study, internship, and job placement. They usually have relationships with businesses for placing students. Anything in IT will be a great opportunity for you to learn. If you can snag a cyber security internship, even better.
But don’t stop there. Look on job boards for internship opportunities as well.
As far as the certification, some colleges are including these as part of the curriculum, but others may not. If you are in the latter category, make sure to take a summer to study and knock out the exam. That way, once you graduate, you can focus on job hunting.
Anything else you do as part of your college journey related to IT will be beneficial, such as clubs or CTF teams. Take advantage of any opportunity to study your craft.
Certification -> Cyber Security
This path is probably the most difficult to get a job with but is also the fastest. The keys here are getting a certification, doing tons of self-study, networking, and job hunting.
Not much to say about the certification. Get one I recommend on this site, such as the Sec+, and then focus on shoring up your skills.
Self-study is pretty straightforward as well. I laid out an excellent plan for you with the Junior SOC Analyst Roadmap.
The most challenging part of your journey will be finding jobs you qualify for and then crushing the interviews you get.
You need to constantly look at job listings and apply as fast as possible to find a job. I learned recently that the junior-level roles don’t stay open long. When you find one, apply quickly!
To aid in finding jobs, use alerts on your favorite sites. The alerts will send you an email when something new comes up. Reference the Junior SOC Analyst Roadmap for search terms.
Networking also helps in your local area. This is especially important if you aren’t looking to move. Your job opportunities will be more limited; therefore, networking will play a more significant role.
Find tech meetups and professional organizations to attend. Here in Charleston, we only have a handful like ISC2. But your area may be different. The bigger the city, the more networking events you will have.
Finally, crushing the interview. This all comes down to studying hard and remembering the things you learn. Follow the Junior SOC Analyst Roadmap and get some lab time in.
Remember, you will be competing against people with college and experience on this route, so you really need to shine in these interviews.
If you get an interview and you kill it, you will get a job over a college grad with a mediocre interview any day. Believe it or not, some of the worst interviews I have seen were with Master's degree holders. They had no experience and hadn’t spent time learning real-world stuff.
Study hard and you will get that offer.
Help Desk -> Certification -> Cyber Security
Another common scenario is where people start at the help desk with no degree and work their way into cyber security. Since we already spoke about the upsides and downsides of the help desk route, I will focus on other things.
This route is much like the previous one. Even though you are more likely to land an interview than people without experience, that doesn’t mean the interview will be any easier. You need to get your hustle on and study hard outside of work.
They will be testing you on cyber security knowledge, not help desk info. Study the resources I have provided in the Junior SOC Analyst Roadmap, and you will be fine.
Any chance you have on the job to work with incidents, make sure to volunteer. You can use that real-world knowledge to set yourself apart from other candidates.
Most other paths, such as transitioning careers, are variations of those mentioned already. If you are in an unrelated career, then you choose one of these. If you are moving from an IT career, your path will look more like the Help Desk route.
If you think of any that I completely missed, please let me know in a comment below.
Hopefully these paths gave you an idea of the options you have to get into cyber security. If you work harder than everyone else, you will get a job. The key is to study, study, and study some more.