How to start your career in cybersecurity
Cybersecurity jobs are in demand more than ever before – great news for anyone thinking of starting their career in this exciting sector.
To put things in perspective, it’s estimated that the cybersecurity workforce worldwide is 65% below what's needed. That’s a gap of 33,000 specialists in the UK alone. Cloud adoption and the workforce going remote during the COVID-19 pandemic have both added to the boom, because when digital environments change and grow in this way, more resources are needed to secure them.
2.Working in cybersecurity: the basics
3.What cybersecurity roles are there?
- Penetration tester (Pentester)
- Red teamer
- Cybersecurity researcher
- Security Operations Center (SOC) analyst
- Incident responder
- Cybersecurity compliance specialist
4. Universal responsibilities and skills
5. Choosing a cybersecurity company with a good culture
6. What qualifications do you need to get a job in cybersecurity?
7. What certifications do you need?
8. Where can you learn more about cybersecurity?
9. Where can you practice your cybersecurity skills hands-on?
1. What’s in this article?
If you’re thinking about a career in cyber but don’t know where to start, this article is for you. Whether it’s choosing the right role, adding more to your CV, or refining your technical skills, by the time you finish reading, you’ll have a better idea of what your next step should be.
2. Working in cybersecurity: the basics
There are many roles to choose from in cybersecurity, most offering huge opportunity for growth and development. Jobs in the industry are constantly evolving, so this isn’t a sector where people tend to get “stuck” heading in a direction they don’t enjoy. Your choice begins with the type of company you want to work for:
Cybersecurity vendor: a third-party provider that develops and sells its cybersecurity services and products to clients (organisations, governments, and individuals).
Managed security services provider (MSSP): a company that provides outsourced security to its clients through managed services.
Other organisation: a company with its own internal IT and/or security function but doesn’t provide these as products or services (banks, retailers, government departments, etc.)
Working for a vendor or MSSP will require you to understand and respond to the needs of one or more clients. Working internally as part of an organisation means getting to know the security of that one business. Whatever the company, the objectives of cybersecurity roles can be broadly categorised as follows:
- Identifying and inspecting new threats
- Finding vulnerabilities
- Building remediation strategies
- Containing attacks and eradicating the live threat
You may not know exactly which of these you’d like to be doing day-to-day without understanding the bigger picture. To help, cybersecurity can be split into two areas: offensive and defensive security.
Offensive cybersecurity tackles threats proactively. It applies the same methods used in real attacks to pre-empt how an attacker might target a company’s applications and infrastructure and render any attempts unsuccessful. In their work, offensive cybersecurity specialists are constantly thinking from the attacker’s perspective: why would an attacker target a business, what precisely would they target, and how? Offensive cybersecurity roles include tasks like:
- Exploring how system vulnerabilities can be used to compromise a network
- Reviewing documentation to understand which policies and procedures could create a weakness
- Researching new vulnerabilities and developing tools that simulate the ways attackers work
- Developing threat intelligence around what attacks are being used by attackers against specific companies and industries
Defensive cybersecurity concentrates on what can be done to prevent an attack and respond to one taking place. Offensive knowledge is fed to the defensive side, so that measures can be built around the most likely, high-risk, high-impact attacks. Defensive specialists can be engaged in tasks like:
- Planning and setting up systems to prevent intrusion
- Monitoring activity for indicators of malicious (attacker-driven) behavior
- Checking that security protocols are being followed
- Fixing vulnerabilities identified through offensive cybersecurity exercises
- Locating live attackers on the network and removing them
Some roles, for example those that deal with detection, may include a mix of offensive and defensive work. Both offensive and defensive cybersecurity are incredibly diverse, so do some digging into each discipline to work out which suits you best. As we already mentioned, the two sides work together, and cybersecurity skills are incredibly transferable. This means that a career path in one direction may switch to the other as your interests and career goals change with time and experience.
3. What cybersecurity roles are there?
Once you’ve decided between offensive or defensive cybersecurity as your overall specialism, you can start taking a targeted look at jobs on the market. Maybe there’s more than one that interests you. If this is the case, find out more by speaking to others already doing that role – you'll come across so many people in the cybersecurity community willing to give you advice. The choice is vast, so we’ve picked just a handful of jobs to cover here.
Penetration tester (Pentester)
What they do
A penetration tester’s overarching purpose is to help organisations identify and lower the risk posed by the applications and infrastructure that make up their attack surface. They do this using a mix of automated and manual techniques to hunt out and exploit vulnerabilities in the same way an attacker would. This approach puts them under the offensive cybersecurity specialism. A pentester’s work is done in the open. That is, they don’t have to conceal their activities from their team or client (in cybersecurity terms: they can be “noisy”).
Pentesters will follow an agreed process to reach their end goal of finding the misconfigurations and bugs that could be used against a system or systems. This process will include using specific methodologies when hunting for vulnerabilities, writing reports to explain the found ones, communicating their findings with clients, and recommending remediations (ways to fix the problem). They may also QA each other’s penetration testing reports and are likely to do research that keeps them up to date with the latest vulnerabilities being discovered.
Working environment
Penetration testing (pentesting) engagements vary in terms of what gets tested, their approach, and their duration. The duration will be dictated by the volume of systems that need to be tested and the complexity of doing so, both of which will be outlined in the scope. Pentests can be performed both remotely and on-site, based on the client’s needs and the type of test. Usually, they are undertaken during office hours but may sometimes require work in the evenings or weekends.
Red teamer
What they do
Red teamers, like pentesters, are offensive cybersecurity specialists. They plan and conduct security tests driven by specific objectives and based on potential attack scenarios and real threats. Unlike pentesting, red teaming is designed to be delivered covertly, simulating a real attack. While they’re at work, defensive specialists (the blue team) try to detect the red team activity and respond as they would under real conditions.
Red teamers will work to understand the client’s goals, design a suitable test, create custom scripts and payloads, perform other offensive activities, write reports, and discuss the outcome of an engagement with the client.
Working environment
Red teamers have a very similar work environment to pentesters in terms of where and how they work. However, the complexity of assessments can sometimes mean they last longer, leading to more work outside of business hours. Red teamers may work alone or with the support of a team to achieve their objective.
Cybersecurity researcher
What they do
As the name suggests, cybersecurity researchers conduct research into new vulnerabilities that have been made public, hack systems to find new vulnerabilities, build offensive tooling, write about their findings, and share the most interesting ones with the security community. They keep their own company at the forefront of cybersecurity and use that same knowledge to help others secure their businesses.
Working environment
Cybersecurity researchers will typically work during business hours, either in an office or remotely. Because they are expected to deliver new findings and develop tools regularly to keep up with new threats, they may sometimes have to put in extra hours. Speaking at events or conferences may require them to travel as well.
Security Operations Center (SOC) analyst
What they do
A SOC analyst works within the wider SOC team to monitor the company’s digital infrastructure for signs of attack (known as indicators of compromise or IOCs). This includes setting up alerts, managing logs, and proactively responding to malicious behaviours. They may also be involved in developing detection and response strategies and come into contact frequently with incident response teams (see role description below). A SOC analyst’s work demands lots of data analysis and using a range of tools. This is a defensive cybersecurity role and one that would be especially fulfilling for anyone who enjoys digging for anomalies.
Working environment
SOC teams can be based on-site or remotely. There is likely to be a lot of collaboration. However, much of your time will be spent deep in the data. For that reason, it’s best suited for people who don’t mind focusing for long periods.
Incident responder
What they do
Incident responders are responsible for stepping in when an attack occurs. Sometimes they will manage an incident alone and sometimes part of a team. Their work covers the whole of the incident response lifecycle:
- Helping organisations build strategies to respond effectively during an attack
- Detecting a live attacker and tracing back their steps
- Containing an attacker so they can’t cause further damage, then removing them from the network
- Supporting the target organisation to recover, building measures to keep the attacker out, and documenting learnings
Working environment
Some of an incident responder’s work will take place during office hours. But attacks happen 24/7, 365 days a year, so the working day may be much longer when on-call. Incident Response (IR) can be stressful, but it’s highly rewarding to save companies in crisis. A lot of incident response work is managed remotely, but on-site work is still common. IR is one of the most people-facing roles in cybersecurity, so you’ll need a cool head and good communication skills to do well.
Cybersecurity compliance specialist
What they do
These specialists are essential for helping organisations keep their businesses in line with regulatory requirements, such as PCI, GDPR, Cyber Essentials governance, etc. This aspect of cybersecurity is especially crucial in industries like financial services and critical national infrastructure (CNI), where regulation is strict because security that falls below standards carries economic risk. The workload will include implementing compliance projects via policies, procedures, and other controls. Report writing will be frequent, as will meetings with people across the business, potentially up to CEO level. As well as keeping up to date with the latest compliance demands, you’ll have to keep your knowledge of IT solutions and systems current as well. Working environment As with the other roles here, compliance work may be conducted on-site or remotely. For the most part, it will occur during regular business hours.
4. Universal responsibilities and skills (the stuff that everyone does)
Whatever specialisms and roles appeal to you, there are essential requirements that all cybersecurity professionals either have before they get hired or develop fast after starting.
Problem-solving skills and thinking outside the box
Successful cybersecurity specialists can think like an attacker with ease. That means looking at systems as puzzles to solve and lines of code as structures to break. You won’t always have the answers to a technical problem or the essential tools at your disposal, which means finding new, novel ways to find solutions to reach your objectives.
Attention to detail
Cybersecurity is a highly technical field and you may be dealing with large volumes of data every day. It’s seeing the tiny patterns and discrepancies in that data that will help you reach your goal. When you’re dealing with critical systems and sensitive materials, care must also be taken not to damage, lose, or compromise their secrecy.
Enthusiasm
This fast-paced sector often demands hard work, focus, and passion. If you don’t have enthusiasm for the projects you’re working on, things will get missed, mistakes will be made, and your peers will quickly overtake you. It’s necessary to consider what skills you have and those you’d like to develop, so you put your best foot forward. However, finding a workplace that encourages you to speak up when you’re struggling and need a boost is important too.
Good communication skills
Communication is critical, whether it’s your team and fellow employees or your clients. Whether in person, on a messaging platform, or on a call, that means conveying technical details clearly, without missing key information. It also means adapting your communication based on your audience. The CEO of your company or a client’s CISO isn’t going to have the same knowledge as your pentesting colleague, so you will be challenged to find ways to convey your thinking to a non-technical audience. Your employer should help you if you show you’re passionate about learning.
Report writing
Like investigators, scientists, and military personnel, cybersecurity professionals must spend time reporting their findings. Good report writing skills are crucial to helping clients, managers, and peers understand the findings of an assessment or incident. Reports should be clear, accurate, and informative, leading to the successful remediation of issues.
5. Choosing a cybersecurity company with a good culture
When we say, “good culture”, what do we mean? The truth is that we spend most of our lives at work, so the happier you are there, the happier you will generally be. The culture of a company – the shared values of its employees, how people communicate and behave, how people spend their time together – will directly impact your job satisfaction. Looking for an employer whose approach makes you feel excited, connected, and worthwhile, and which gives you opportunities to grow is just as important as the job title and pay. Some green flags you can look for when scouting out a company’s culture are:
Regular social activities: these can range from internal networking events and skills-sharing sessions to good old-fashioned time spent together, just for fun.
Internal training: an employer that takes your wellbeing seriously will invest time and money into your learning through external and internal training.
Development pathways: if you’re passionate about getting from A to B in your career, pathways provide a useful structure for doing so, with the help of more experienced peers.
6. What qualifications do you need to get a job in cybersecurity?
Professional qualifications can be useful when searching for your first cybersecurity job, but they are by no means essential. As anyone in the industry will tell you, it’s the way you think, not what you know today, that will make you successful. While some new starters come straight from a computer science degree, others come from corporate IT, and others the military or government. Some may have no higher education or work experience, instead demonstrating their skills and passion through personal development projects and research. Some of the areas your knowledge must cover include:
- Windows and Linux operating systems (Mac is helpful too and could potentially become your niche, but it’s less essential)
- The basics of computer networks, software, hardware, and the cloud
- Technologies, such as firewalls and anti-virus software
- The basics of cybersecurity, such as password protection
- Intermediate coding skills in languages such as Java, JavaScript, Python, SQL, PowerShell, C, and C++
7. What certifications do you need?
If you’re looking at sitting any certifications before entering the industry, the following are highly respected but not essential:
CREST: CREST offers numerous exams for offensive security professionals. Look at the CREST Practitioner Security Analyst exam. With each exam, the difficulty increases, so expect to build up your experience before sitting more of them.
Offensive Security: Offensive Security offers well-known certification called Offensive Security Certified Professional (OSCP). The exam for Offensive Security is more expensive than the entry-level exam from CREST, but it comes with lab access and learning material for revision. Offensive Security also offers other courses that you may want to investigate.
Tigerscheme:if you don’t want to go down the CREST route, then you can look at Tigerscheme. Two levels of qualification are available: Qualified (CHECK Team member equivalent) and Senior (CHECK Team Leader equivalent).
CompTIA Security+: This test is designed to build fundamental and helpful knowledge for any cybersecurity role and can provide “a springboard to intermediate-level cybersecurity jobs”.
Microsoft certifications:Microsoft offers exams across everything from MS 365, Endpoint Manager, Azure, and more.
8. Where can you learn more about cybersecurity?
Learning is an integral part of cybersecurity, even when you are years into your career – learning never stops. There’s an endless supply of places to go for information and inspiration for those starting their cybersecurity career. Here are some picked by our pentesting team:
Pentester Academy: an extensive collection of courses on multiple aspects of offensive security.
Port Swigger Learning Paths:multiple learning paths for web application hacking, broken down by topic.
Cybrary: providing free and paid-for courses on several different topics within cybersecurity, with courses ranging from beginner to advanced.
The Cyber Mentor:well-known for creating excellent content to help people get into cybersecurity and improve their skills.
Udemy: many courses across different topics within cybersecurity (and more). The courses aren’t free, but you might be able to get something in one of the sales that take place regularly.
Eli the Computer Guy: Eli provides many introductory videos for those looking to seek a fundamental understanding of many avenues of IT, of which cybersecurity is one.
Danoct1:videos that detail the step-by-step of various public exploits. Though many apply to old operating systems, they could still ignite a cybersecurity interest that viewers were unaware they had.
9. Where can you practice your cybersecurity skills hands-on?
If you prefer to learn through practice, like many people interested in cybersecurity, here are some practical labs and challenges. These won’t only help you understand some of the fundamentals, but they may help guide you towards the type of role or company that suits your interests best.
Try Hack Me: a free online platform for learning cybersecurity using hands-on exercises and labs, all through your browser.
Hack the Box: a resource that enables you to practice hacking different machines. These range from easy to complex, and you can use the free version or pay for a VIP membership. (You’ll have to hack your way in before you even get to that point, of course.)
Offensive Security:a lab environment with free or paid access. Like Hack the Box, it allows you to play in a safe environment and practice your skills.
OWASP Web Goat: a vulnerable web application designed to help you practice web application hacking through different challenges.
Damn Vulnerable Web App:another vulnerable web valuable application for practicing your hacks.
Port Swigger Labs: informative labs with practical challenges to help you learn web application hacking.
Pentester Lab: like the above, with free and pro versions available.
Graceful Security Vuln VM: a vulnerable virtual machine (VM) designed to help you practice web application hacking.
Vuln Hub:more vulnerable VMs to practice with.
10. Where can you read more about cybersecurity?
If you’re looking for some helpful blogs for your cybersecurity reading list, here’s a mix to appeal to all kinds of interests:
https://markitzeroday.com/ (run by one of our pentesting team leads)
https://blueteamalpha.com/blog/
11. Want to find out more?
We’re always looking for bright and passionate people to join the Claranet, including those looking for their first cybersecurity job.
Check our latest vacancies here.