mnold
ISC2 Team

Advice for cybersecurity newbies

What is the most useful advice you have for future cybersecurity professionals?

11 Replies
vistauxx
Newcomer I

Tactical76 is very correct.   HOWEVER, security is often a make or break issue for companies, and breaches and successful attacks are reputationally devastating.

Security is more and more becoming THE issue.   You will make mistakes.   This is not about fair and balanced advice.   Represent the risks accurately, and do not "go quietly into the night" unless and until you are sure that management has UNDERSTOOD the risks and accepted them.  Terms have different meanings to different people.   As an expert witness it has often been required to bring a judge or jury up to speed on terms that I use.   But until they understand what I am offering, they cannot make an informed decision.

Anne
Newcomer I

Advice: stay positive with yourself and your business. It’s hard to do in our industry, but if you use the “sky is falling” card sparingly, it’ll yield great results.

Advice: Learn to let the “no’s” slide off your back, but fight for what you really need. Many of your wants will be dismissed and you will feel like that is injustice. Focus on the needs of good business and making incredible arguments that are focused on the business to get needs fulfilled.

Advice: Network. You can’t keep up on everything. Get a personal network or one through an industry organization and keep up with them. Having others in our industry you can bounce ideas off of and share insights is invaluable.

Advice: your skills are perishable, keep learning.

Advice: unplug when needed. Cybersecurity can eat your life; have something where you can forget about the crazy that is this profession.
John
Newcomer III

I get this question a lot.

Infosec is not a very good first stop for those new to technology.  I always recommend IT/IS students to spend a couple years doing something else (appdev, sysops, networking, etc.) before circling back around to security.  All practitioners have their strengths and without a good industry baseline, those strengths are hard to forge.  That said, starting your career as, let's say, a Web developer and always incorporating OWASP Top 10 into your testing will make you a better developer and a huge asset to any team you join.  There's a good chance after a year or two, they'll actually send you off for training to be their appsec person.

Be a part of the community.  I worked in infosec for over a decade before taking part in community events.  I went to small one-day conferences and such, but never the local meetups or week-long cons.  My knowledge and local network for advice and reference improved drastically since becoming a part of the local scene.  That led me to attend a few cons, where I got to meet people who are at the leading edge of security practitioners.

Say hi.  A lot of us in cyber-security are kind of introverted.  We get into our little circles of friends and end up staying there.  We're pretty friendly, though.  When you attend a social event, make it a point to meet 3-4 new people.  Let them know you're new to the event and there's a good chance someone will take you around to meet people.  Add the people you meet to your Twitter feed.  You'll probably learn more there than anywhere else.

And when you do get into infosec, keep in mind that most people dislike us.  You can change that perception.  People see us as an obstacle to innovation, deadlines, and profit.  A good infosec team is a resource to the different departments to improve their stability and long-term profitability.  Sometimes we have to be the bad guys, but that's just so the real bad guys don't pwn us and our customers.

---
You only say it's impossible because nobody's done it and lived.
erasparsa
Newcomer I

Not sure where to start as this is a huge area to cover and may differ if you are working in an organization (end user) or a consulting company;

If you are working in a company and need to

A) Convince your boss:

  • Make a gap analysis and note and prioritize the risks.
  • If boss does not care, shock and awe; create a real case from all CIA point of view, that you can showcase, usb attacks, mitm, lateral movement etc. Mind you that there are people in some industries that may think that data breach (confidentiality) is not a biggie, but for them not being able to access the data and use the ERP is (availability, integrity), thus when prioritizing risks make sure you see from all angles.
  • Educate them constantly to the point of nagging :D.

B) To team mates, staffs and everyone else:

  • Create awareness and educate them, if, they are not aware yet.
  • Share videos, stories, best practices, guidelines and such.

C) And as for oneself:

  • Learn psychology, and how to communicate properly, you will be meeting and need to convince lots of people of the risks related to information security.
  • Never stop learning, you can only improve yourself and everything else if you know what is better than what is already implemented / known by others. 
  • Be humble, you are both everything and nothing at the same time, no one likes an a-hole.
  • Learn to code, it trains yourself on how to be orderly.
  • And might want to focus on one area of interest, IT security is a big world, and every industry vertical is kinda unique.

bamisanu
Viewer II

I am glad I can get someone local that can help me to really navigate this field. I have attempted the CAP certification exams twice now with scores of 599 and 661 respectively. I understand that I can re-test again until 90 days. I still have 78 days to go. Do you or anyone you know have a clue on how best I can prepare for the exams? Apart from the time, it is getting very expensive for me to do the exams now and I can not afford to fail again. Can you guys please help?
CISOScott
Community Champion

1) Get experience by building your own lab. Insecure.org has lots of free tools.

2) Do not become the Department of No. The biggest knock on the INFOSEC community is that we are the people that will always tell you no. We need to learn that the customer has a need and they do not know the best way to secure it. It is our job to help them find a solution that reduces the risk to a level acceptable to the executives.

3) Look for things that are not being done. I got into INFOSEC because I was changing tapes on our backup server 14 years ago and noticed that it had an anti-virus console on it. I asked my boss who was monitoring it daily and she said "No one." I asked if I could do that and she said yes. I kept looking for duties I could add to my resume. This allowed me to gain experience in many of the domains.

4) Security podcasts. Use your downtime to listen to them. I used to have an hour and a half commute. Security podcasts kept me company and informed the whole time. I used "dead" time as training time. Some of my favorites are:

Paul's Security Weekly

The Social-Engineer Podcast

SANS Internet Storm Center

JPBTech
Viewer II

A few things to keep in mind:

  1. Always look for ways to disrupt the cyber kill chain at every step.
  2. Keep your personal cyber arsenal up to date.
  3. Become a lifelong learner in every aspect of your professional life.
  4. Give back to the "cyber" community.

Dakotad
Newcomer I

Don't expect 6 figures after getting your CISSP.  If you are one of the lucky ones to land a six figure salary after getting one certification, good for you, you won the lottery.

I have mentored several folks and all but one of them lacked the delusion of making a hefty salary.  A career in Cyber Security will definitely command an excellent salary for years to come and if you focus your efforts on cloud services and or white hat practices, we are going to need more folks like you.

Just be patient and stay the course, the salary will find you if you love what you do.

CISOScott
Community Champion

The most important advice is this:

FIND WHAT YOU LOVE TO DO.

If cyber security is not your passion and you got into it because you thought the money would be good, you are setting yourself up for a miserable experience. Find what you really love to do. The money will find you.