
Ask HN: What is the best way into a cybersecurity career in 2019? - horstgrand
As a mechatronics/research engineer with great interest in pentesting and cybersecurity I'd like to make a career change. Where do I start? - CompTIA or CISSP certs, or is a university degree the only way?
======
valiant-comma
None of those are necessary, though it depends on what your desired path is.

Here’s one approach:

1) Find several local security meet-ups and get involved. Volunteer, talk,
make friends. Network early and often, ask questions and learn.

2) Using the contacts and exposure developed above, find either an internship
or contract role doing whatever security-related work you can find. You will
(most likely) need to pay your dues, meaning it might be pretty basic security
work to start with, but you’re looking for experience and further opportunity
to grow your skills.

3) On the pentesting side, you’ll want to learn the target systems well (e.g.,
use them in practice), learn the common types of vulnerabilities and how to
exploit them, and immerse yourself in opportunities to use your nascent skills
(online challenges, capture-the-flag events, etc.). Read vulnerability reports
published by other researchers, watch relevant videos, experiment on your own
setups, and so forth.

4) As you feel more comfortable with your assessment skills, you might
consider entering bug bounty programs.

Again, this is just one approach, there are many options depending on what
works for you. Best of luck!

Edit: Line breaks.

~~~
badrabbit
What you said sounds good but I have never heard of anyone that got into
infosec this way.

~~~
valiant-comma
They exist; I’ve hired a few myself who’ve chosen this path. But it’s just one
of many approaches to get into security as a career, and there are many.

Along these lines, I highly recommend Rachel Tobac’s talk “The Path to Infosec
is Not Always Linear”[1].

[1]
[https://www.youtube.com/watch?v=rWAeDVo8mXc](https://www.youtube.com/watch?v=rWAeDVo8mXc)

~~~
relaunched
My team has hired at least one that way and it's how we encourage others to
develop skills.

------
bashwizard
Don't waste your time and money on CompTIA certs or CISSP. They're basically
worthless when it comes to pentesting.

Pentesting is learned by doing. Get your hands dirty and start learning basic
methodologies by using Hack The Box, Virtual Hacking Lab or Vulnhub VM's. When
you feel that you're getting a bit comfortable rooting boxes, sign up for the
PWK and go for the OSCP. This is your ticket into pentesting if you're like me
with no work experience whatsoever in IT.

I came from +10 years in finance and landed my first job as a junior pentester
two months after I passed the OSCP.

~~~
relaunched
OSCP is a hands-on test that requires you to break into a system and write up
your findings. It's all done in a controlled environment and time-boxed. It
shows you have real abilities in a hands-on setting. It's also one of two
certs that are respected. The other is SANS.

------
jkamdjou
I always point folks looking to get into cyber/infosec to this great post by
Daniel Miessler: [https://danielmiessler.com/blog/build-successful-infosec-career/](https://danielmiessler.com/blog/build-successful-infosec-career/)

------
jor-el
In my personal experience, getting started with a cybersecurity career is tricky.
Many companies want cybersecurity professionals, but most of them are not
willing to train one. It creates the dreaded situation - companies don't hire
you because you don't have experience, but you need a job to get experience.

A good way to get started is to take up any opportunity you get (and of
course, one of your interest), so you get a foot in the door. Other comments have
talked about internships and certifications; I would like to highlight the OSCP
certification. It is a hands-on certification, and it will give you a good feel
for the whole pentesting process. It is a fairly respected certification in
the industry and getting one will surely help you in getting a good starting
job.

Also, keep honing your skills on various aspects of security. On the job, you
might not be dealing with all security topics all the time, but they show up
and it helps to know about them. For example, you might be evaluating a C
codebase with some applied cryptography. You may have all your focus on
improper memory handling, but knowledge about applied cryptography can be
helpful to contribute better.

~~~
badrabbit
I agree mostly, except OSCP is hard; there are easier certs for those that are
not pursuing a pentester path.

------
alltakendamned
In essence, here's a full overview of what will be enabling a career path as a
technical contributor with a focus on pentesting / red teaming for you:

1. Get OSCP

2. Find CVEs (proper ones, not XSS in $random_github)

3. Publish good, detailed articles

4. Do talks at major industry conferences

Play some CTFs in between for learning and meeting people in the community.

Good luck !

------
czbond
Many years in security - engineering through leadership. The comments here are
quite solid. I'd add that CISSP requires documented security experience + a
CISSP sponsor to sign off. I started from a C.S. background, but you can start
in many routes: if you have CS background, find a small security services
company and apply. You might also do a 1 pivot move, where you use your
mech/research background and combine it with security to become a specialist
in that area (IoT related may be easiest pivot). Also, check out cybrary.it
for significant free learning resources. Too exhausted to add more - but other
commenters have great ideas.

------
luckylittle
It's a bit of a chicken-and-egg problem: you will not easily get a security job,
because you don't have experience, and you don't have experience, because you
don't work in security. The same goes for e.g. CISSP - they require work
experience, but lots of jobs require CISSP. Go figure.

Having a solid profile - either on GitHub or a blog - and an entry-level
certification could be a good start. Participation in events like CFG or other
hackathons would also help open some doors.

I don't work in security myself, but based on what I've seen, having
operational experience will also gain you more respect.

Good luck my friend.

------
airbreather
Seems to be a sudden rush of openings in industrial cyber security - e.g.
PLC/DCS and other control systems gear.

You need to have a particular background as well as the IT skills though,
there are subtle but significant differences in attitude and implementation in
the way things are done, esp where functional safety is involved.

------
badrabbit
No degree and doing well in infosec here.

First, there are a lot of people that know security related subjects well but
have never worked in infosec. Those people in my experience give bad advice.

Second, what they keep saying about high demand in infosec is true. But like
another commenter said, there's the typical catch-22.

My advice:

I have known people from a non-IT background do well, but you still need to get
your foot in the door by doing internships or some other work. Another
approach would be socializing at local meetups or cons (which I know little
about).

Infosec is very broad. It would benefit you greatly to have done some other IT
work prior to infosec. I've met a lot of people who can't code, don't have
certs, don't keep up with current security news, can't even name a single
malware family to save their lives, and they do well in infosec. The thing is
you can do compliance, architecture, incident response, vulnerability
management, penetration testing, security engineering and my favorite: a generic
infosec analyst.

A lot depends on the size, maturity and architecture of the infosec team. I
have been at a company with dedicated teams for red teaming, IR, SOC, security
engineering, etc., with a total of >50 infosec staff. And I have been in a team
where the whole infosec team is 3-5 people. The smaller the team, the more they
need prior infosec experience and the broader your skillset needs to be. On
larger teams, they try to diversify skillsets, so if you bring something
valuable to the team they don't care all that much about your certs and
experience so long as they can be sure they don't have to train you in extremely
basic things. In a big team you are siloed, which means you can either be
complacent or grow deeper into the area of infosec you picked.

Aim for very large companies first. But before that, be good enough at
everything. Code something and have an OK GitHub, get certs to show you're
serious, know enough networking, sysadmin (especially Windows), etc., and keep up
with the latest security news and chatter (Twitter!). All that is to help you get
an interview. You gotta be flexible with work conditions for entry-level work.

Exploit/vulnerability research, bug hunting, pentesting and malware analysis get
a lot of press. Before I got into infosec I didn't know about the wide range
of jobs in infosec. People even tried to convince me I needed to be great at
mathematics, crypto, reverse engineering or whatever.

A lot of people give advice with a survivor-bias mentality. In reality, if you
have passion and specific areas of interest within infosec, it's only a matter
of finding an entry point that will help you get there.

If vuln management (boring) interests you, for example, offensive security certs
and solid IT experience will help. If incident response interests
you, finding a SOC job, which will require basic IT/security certs and breadth
(you need to understand the context behind a wide range of security events), is
natural. SOC or other entry jobs can also benefit you as a starting point for
security engineering or red teaming.

For certs, a lot of people would tell you OSCP (and it is great), but in
practice Security+, CySA+ and SANS GIAC entry-level certs go very far and teach
you a lot of things that are out of scope for OSCP.

For entering infosec, your provable ability to understand formal infosec
methodologies and how various IT processes, network protocols and applications
function is what you need to showcase in addition to "passion".

All that said, study MITRE's ATT&CK framework [1] and use it to develop your
vocabulary and see what real-life techniques and tactics are seen. Regardless
of which area of infosec you pick, having an accurate understanding of
realistic threats is foundational.

I have also heard of LinkedIn social networking helping a few colleagues. YMMV.

I hope that helped; happy to answer questions.

[1] [https://attack.mitre.org/](https://attack.mitre.org/)

