Breaking into Cybersecurity

My journey into cybersecurity and what I recommend to others.

By: Nick Werner

To quickly preface this article, I decided to write this because I realized that there is a lack of information surrounding the topic of actually getting your first job in cybersecurity and what things you need to learn to be successful. I find this lack of information to be incredibly disappointing because I couldn’t have gotten to where I am now without the help of others. Hopefully, this article will provide some useful guidance to anyone new to cybersecurity or anyone looking to perhaps pivot into a different area of security.

DISCLAIMER: I still have much to learn and this article is entirely my opinion. Going through everything discussed does not guarantee you a job. Everyone is different and will have their own path. Finally, you DO NOT need a degree or certain certifications to get into cybersecurity. These things will only help your chances but if you don’t have the time or money they are not absolutely necessary. Just keep in mind that entry level cybersecurity jobs are extremely competitive so you can’t do exactly what everyone else is doing and expect to easily land a role.

MY JOURNEY:

Currently, I am working as an Information Security Engineer at Intel doing purple teaming, vulnerability management, threat research, etc. You may think that you need a plethora of experience and certifications to get to a position such as this but in reality you don’t need as much of the fluff that they tell you is necessary or required on the job description.

I started college in 2015 and I had no clue what I wanted to do with my life. I declared a few different majors before switching to Information Systems in the beginning of 2019 (yes it took me 4 years to decide and yes I graduated in 2020 with my Bachelors Degree so I definitely waited until the last second to make up my mind). At the time, I didn’t know anything about information systems, let alone cybersecurity. In the summer of 2019 I was determined to get an internship because I worked at a gym, selling gym memberships and making $10/hour. After hundreds of applications and rejections I got 3 interview requests and 2 job offers. One of them was for a Software Engineering Internship! While I was there, I learned a ton and I was introduced to security by their information security team. From my point of view, their job seemed much more interesting than what I was doing so that became my goal: to “break into cybersecurity”.

After that internship, I hopped onto a Help Desk Internship because I had been told that learning networking and troubleshooting was vitally important for cybersecurity professionals. I actually loved working help desk and I don’t understand why people love to hate on it. If you have the opportunity to work on a help desk, do it. It’s an amazing experience and you’ll learn a ton of things that will help you in your cybersecurity career. While I was there, I was able to obtain CompTIA’s Network+ and Security+ which I think are great beginner level certifications.

After months of applying, in February of 2020 I finally got a job offer for a Cybersecurity internship at a large government contractor! Once I graduated from college 4 months later I was promoted to a full time Cybersecurity Analyst position. My position was in Information Assurance/Risk & Compliance so I looked over security plans, provided guidance to our customers concerning the risk of certain programs, and I was responsible for updating security policies and controls. To be honest, it wasn’t really what I was hoping to be working on when I signed up. But, while I was there I decided to start leveling up my skills so that I could transition into a more technical role.

After about a year of being at the company I signed up for TryHackMe and Hack The Box. I quickly realized that I was going to need to put in a ton of work to get the position that I desired. I struggled with those resources for a couple of months and then I learned about INE’s Penetration Testing Student course and the eJPT (eLearnSecurity Junior Penetration Tester) certification. I went through all of the labs and course material and then I realized that I was still not knowledgeable enough to earn the certification. I then signed up for TCM’s (The Cyber Mentor’s) Practical Ethical Hacking course on his website. This course was fantastic and you need to check it out if you haven’t already. After that course, I blazed through the Black Boxes on the eJPT exam, took the exam and passed it first try. If you want to read more about my experience with the eJPT exam please read my other article about it here:

https://nicholaswerner.medium.com/how-i-earned-the-ejpt-certification-f096ef9ba819

About a week after I passed the eJPT certification exam, I got an interview for an Application Security Engineer position and I went through 3 rounds of interviews before they chose to hire me! From about December 2020 to when I got hired in April 2021, I had been applying for Application Security and Penetration Testing positions almost exclusively. I had countless rejections and embarrassing interviews before landing this position.

The process of leveling up my skills in order to get to this point was pretty grueling and took hundreds of hours. I was working 8 hours a day and studying another 6–8 hours a day for about 3 months straight (seriously no exaggeration!)

I worked as an Application Security Engineer for about 8 months, learned a ton and then got an amazing offer to join Intel in November 2021 that I couldn’t pass up. After you start getting some experience, companies and hiring managers start reaching out to you regularly on LinkedIn if you’re active and your profile is up to date.

WHERE TO LEARN THE BASICS:

People are constantly asking me what courses, certifications, resources that they should go through to break into cybersecurity and learn the basics and this is what I recommend:

CompTIA A+, Network+, and Security+ course on Udemy or Professor Messer’s website: https://www.professormesser.com/

• The only certification of the 3 that I think is necessary to take is Security+ because it shows up on almost every entry level cybersecurity job description and it will help you get past HR and compete with others who have it.
• If you’re a student and you sign up with your student email you can get a pretty big discount on the exam.

TCM’s (The Cyber Mentor’s) Practical Ethical Hacking course on the TCM Security Academy website: https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course

• They also have a ton of other courses for about $30 each that are regularly on sale for even less.

Set up a Kali Linux VM

• If you’ve gone through TCM’s Practical Ethical Hacking course, it has a section on how to set this up step by step.

INE’s Penetration Testing Student course and the eJPT (eLearnSecurity Junior Penetration Tester) certification: https://my.ine.com/CyberSecurity/learning-paths/61f88d91-79ff-4d8f-af68-873883dbbd8c/penetration-testing-student-v2

• This course is free and was just recently updated. If you want to take the exam — it’s not too expensive and it’s a hands on penetration test with multiple choice questions about the pentest. Overall, really fun test and you’ll learn a ton but not super necessary if you can’t afford to take it.

Learn Linux

• OverTheWire is a cool CTF (Capture the Flag) style way to learn Linux: https://overthewire.org/wargames/
• To play OverTheWire you need to have a Kali Linux VM set up. I think that hands on is the best way to learn Linux but if you prefer courses or videos then a simple Google search will probably find something useful.

From here, you can go down a bunch of different paths but this should give you a great start.

AFTER LEARNING THE BASICS:

If you want to go into blue team which is a lot more beginner friendly, here’s some cool resources to check out once you’ve learned the basics.

TryHackMe (has a ton of learning paths including Cyber Defense, Web Fundamentals and much more): https://tryhackme.com/

Cyber RangeForce: https://go.rangeforce.com/community-edition-registration

Security Blue Team (really great platform that also has certifications): https://securityblue.team/why-btl1/

Black Hills Information Security via Antisyphon (hosts live courses all the time and allows you to pay whatever you can): https://www.antisyphontraining.com/

INE courses (kind of expensive but you get their full library of courses for a year which is a pretty good deal — although they really need to update their courses): https://my.ine.com/

Here are some red team resources if you’re more interested in that:

PicoCTF (super beginner friendly CTFs): https://picoctf.org/

OverTheWire (beginner friendly war games/CTF style games: https://overthewire.org/wargames/

TryHackMe (has a ton of learning paths including Offensive Pentesting, Web Fundamentals and much more): https://tryhackme.com/

Hack The Box (a great resource but not very beginner friendly): https://www.hackthebox.com/

PortSwigger Web Security Academy (seriously the most underrated platform ever for learning application security): https://portswigger.net/web-security

Any of TCM’s courses on his website: https://academy.tcm-sec.com/courses

TCM’s Buffer Overflow playlist on YouTube: https://www.youtube.com/watch?v=ncBblM920jw

Offensive Security Proving Grounds: https://www.offensive-security.com/labs/individual/

INE courses (kind of expensive but you get their full library of courses for a year which is a pretty good deal — although they really need to update their courses): https://my.ine.com/

RESUME:

This article wouldn’t be complete without talking about resumes. When applying for cybersecurity positions please be aware that HR is skimming through your resume and looking for key words so make it short and sweet. Only include the most important information and don’t include any fluff. If you are new to cybersecurity and IT you probably shouldn’t have 2 pages of resume. Also, make sure you are adjusting your skills to more closely fit the role in which you are applying for.

If you have any projects that you’ve done that relate to cybersecurity or you’ve done any of the above resources put those up at the top of your resume. Go ahead, put your rank in Hack The Box or TryHackMe, talk about the labs that you’ve done in Portswigger Academy, include your blog, etc. When I was interviewing for the positions that I’ve held, the hiring manager was always most impressed with what I was working on and learning about outside of my 9–5 job.

Also, I’ve chatted with a ton of recruiters and there are no robots that are automatically rejecting your resume. So please don’t worry about “beating the ATS”. The only things that are automatically rejecting your resume are the questions that you fill out before submitting your resume on either LinkedIn or the company website.

Another tip: once you’ve applied for a position, reach out to the hiring manager or recruiter for that role on LinkedIn! Seriously, almost every time I’ve done that I’ve gotten an interview.

INTERVIEW:

Once HR and the hiring manager have seen your beautiful resume and moved you on to the interview phase make sure that you show your passion for the position and for cybersecurity. Hiring managers care about this more than anything, including your level of knowledge. If you are passionate and knowledgeable, you have an extremely high chance of landing the role because if they are interviewing you for the position they already believe you to be qualified.

CONCLUSION:

If you have read this far, thank you so much I really appreciate it and hopefully your career appreciates it as well. I love helping out others and I spent a lot of time creating this article. It’s amazing to hear about others succeeding simply because I took a small amount of time out of my day.

If you enjoyed the article and you found it useful please let me know! And if this guide helps you to obtain that elusive first cybersecurity position, pay it forward and please help others as well. :)