Breaking Into Cybersecurity

By: Nick Werner

To quickly preface this article, I decided to write this because I realized that there is a lack of information surrounding the topic of “breaking into cybersecurity”. I find this lack of information to be incredibly disappointing because I honestly couldn’t have gotten into the position that I am in now without the guidance of others. Hopefully this article will provide some useful guidance to anyone new to cybersecurity or anyone looking to perhaps pivot into a different area of security.

DISCLAIMER: I still have much to learn and this article is entirely my opinion. Going through everything discussed does not guarantee you a job. Everyone is different and will have their own path. Finally, you DO NOT need a degree or certain certifications to get into cybersecurity. These things help your chances but if you don’t have the time or money they are not absolutely necessary.

MY JOURNEY:

Currently, I am working as an Application Security Engineer at a Fortune 100 company. You may think that you need a plethora of experience and certifications to get to a position such as this but in reality you don’t need any of the fluff that they tell you is necessary or required on the job description.

I started college in 2015 and I had no clue what I wanted to do with my life. I declared a few different majors before switching to Information Systems in the beginning of 2019 (yes it took me 4 years to decide and yes I graduated in 2020 with my Bachelors Degree so I definitely waited until the last second to make up my mind). At the time I didn’t know anything about information systems, let alone cybersecurity. In the summer of 2019 I was determined to get an internship because I worked at a gym, selling gym memberships and making $10/hour. After hundreds of applications and rejections I got 3 interview requests and 2 job offers. One of them was for a Software Engineering Internship! While I was there, I learned a ton and I was introduced to security by their information security team. From my point of view, their job seemed much more interesting than what I was doing so that became my goal: to break into cybersecurity.

After that internship, I hopped onto a Help Desk Internship because I had been told that learning networking and troubleshooting was vitally important for cybersecurity professionals. I actually loved working help desk and I don’t understand why people love to hate on it. If you have the opportunity to work on a help desk, do it. It’s an amazing experience and you’ll learn a ton of things that will help you in your cybersecurity career. While I was there, I was able to obtain CompTIA’s Network+ and Security+ which I think are great beginner level certifications.

After months of applying, in February of 2020 I finally got a job offer for a Cybersecurity Internship at a large government contractor! Once I graduated from college 4 months later I was promoted to a full time Cybersecurity Analyst position. My position was in Information Assurance/Risk & Compliance so I looked over security plans, provided guidance to our customers concerning the risk of certain programs, and I was responsible for updating security policies and controls. To be honest, it wasn’t really what I was hoping to be working on when I signed up. But, while I was there I decided to start leveling up my skills so that I could transition into a more technical role.

After about a year of being at the company I signed up for TryHackMe and Hack The Box. I quickly realized that I was going to need to put in a ton of work to get the position that I desired. I struggled with those resources for a couple of months and then I learned about INE’s Penetration Testing Student course and the eJPT (eLearnSecurity Junior Penetration Tester) certification. I went through all of the labs and course material and then I realized that I was still was not knowledgeable enough to earn the certification. I then signed up for TCM’s (The Cyber Mentor’s) Practical Ethical Hacking course on Udemy. This course was fantastic and you need to check it out if you haven’t already. After that course, I blazed through the Black Boxes on the eJPT exam, took the exam and passed it first try. If you want to read more about my experience with the eJPT exam please read my other article about it here:

https://nicholaswerner.medium.com/how-i-earned-the-ejpt-certification-f096ef9ba819

About a week after I passed the eJPT certification exam, I got an interview for an Application Security Engineer position and I went through 3 rounds of interviews before they chose to hire me! From about December 2020 to when I got hired in April 2021, I had been applying for Application Security and Penetration Testing positions almost exclusively. I had countless rejections and embarrassing interviews before landing this position.

USEFUL COURSES/CERTIFICATIONS:

People are constantly asking me what courses and certifications that they should take to break into cybersecurity and this is what I tell them:

CompTIA A+ course on Udemy or Professor Messer (taking this certification exam is up to you)

CompTIA Network+ course on Udemy or Professor Messer (taking this certification exam is up to you)

CompTIA Security+ course on Udemy with practice tests (I highly recommend taking this certification exam because it shows up on almost every entry level cybersecurity job description and it will help you get past HR)

TCM’s (The Cyber Mentor’s) Practical Ethical Hacking course on the TCM Security Academy website. (You can also find it on Udemy but it is no longer being updated there)

INE’s Penetration Testing Student course and the eJPT (eLearnSecurity Junior Penetration Tester) certification

From here, you can go down a bunch of different paths that don’t have to be Penetration Testing but this should give you a great start.

Here are some red team resources that I recommend:

PicoCTF (super beginner friendly CTFs)

OverTheWire (beginner friendly war games/CTF style games)

TryHackMe (has a ton of learning paths including Offensive Pentesting, Web Fundamentals and much more)

Hack The Box (a great resource but not very beginner friendly)

PortSwigger Academy (seriously the most underrated platform ever)

TCM’s Windows and Linux Privilege Escalation courses on the TCM Security Academy website. (Also available on Udemy but not being updated there)

TCM’s Buffer Overflow playlist on YouTube

Offensive Security Proving Grounds

INE courses (kind of expensive but you get their full library of courses for a year which is amazing)

Here are some blue team resources that I recommend (blue team is a lot more entry level so I usually recommend this to people starting out):

TryHackMe (has a ton of learning paths including Cyber Defense, Web Fundamentals and much more)

Cyber RangeForce

Security Blue Team (really great platform that also has certifications I believe)

Black Hills Information Security (hosts live courses all the time and allows you to pay whatever you can)

INE courses (kind of expensive but you get their full library of courses for a year which is amazing)

RESUME

This article wouldn’t be complete without talking about resumes. When applying for cybersecurity positions please be aware that HR is skimming through your resume and looking for key words so make it short and sweet. Only include the most important information and don’t include any fluff. If you are new to cybersecurity and IT you probably shouldn’t have 2 pages of resume. Also, make sure you are adjusting your skills to more closely fit the role in which you are applying for. Here is an example resume that you can copy:

INTERVIEW:

Once HR and the hiring manager have seen your beautiful resume and moved you on to the interview phase make sure that you show your passion for the position and for cybersecurity. Hiring managers care about this more than anything, including your level of knowledge. If you are passionate and knowledgeable, you have an extremely high chance of landing the role because if they are interviewing you for the position they already believe you to be qualified.

CONCLUSION

If you have read this far, thank you so much I really appreciate it and hopefully your career appreciates it as well. I love helping out others and I spent a lot of time creating this article. It’s amazing to hear about others succeeding simply because I took a small amount of time out of my day.

If you enjoyed the article and you found it useful please let me know! And if this guide helps you to obtain that elusive first cybersecurity position, pay it forward and please help others as well. :)