Yuri Diogenes

Senior Program Manager at Microsoft Cybersecurity Engineering, Cloud and Artificial Intelligence Division

The cybersecurity journey—where do I start?

If, in the past, the struggle to get into the information security (because it wasn't really called cybersecurity) field was due to lack of information, today, we have exactly the opposite: a tsunami of information. In the past, you just couldn't really find anything; it was almost like a dark market, and now it is fully mainstream. I believe that today's situation is much better from a self-learning perspective, as today you can easily create a lab environment to simulate attacks on your own machine, or in a cloud-based environment. Books are widely available, free online materials are usually of good quality, and there are far more targeted security certifications. So, if everything seems so good, why is it still so hard to start working in this field? I could give many reasons, but I will start with the two main ones: the level of competition and the (infamous) previous experience in the job. Let's see what can be done to overcome those.

An information security career has many ramifications, from a very specialized pentester to a security analyst who needs to know a variety of topics about security. This means that the first step that you should take is to perform a self-assessment and decide where you want to go in your career. What do you like to do and how can you advance in that particular field? This is an important point because, often, a professional decides what they will do based solely on the market's demand. Blindly following this rationale can be dangerous, because you might end up working in a field that you don't like, and that will have a negative impact on how you grow in your position. As a result, you will not evolve and, sooner or later, you will start looking for another job. Regardless of what pays more, you must be passionate about what you are going to embrace in your next career move. Some security professionals are already in this situation, having to work in an area of this field where they don't feel passionate; the rationale is the same: find your next career move by doing this self-assessment and discover what motivates you. Nowadays, everyone talks about hacking, ethical hacking, cybersecurity, and other terms. Don't let the buzz distract you; understand deeply what you want to do and pursue the right path for your next move.

Once you decide which path you will take, evaluate what you already have to offer. In general, there are three core components that you must assess regarding the field that you are going to work in:

This self-assessment is very important to allow you to understand your strengths and weaknesses. The goal is to ensure that, once you detect your weaknesses, you start working on a plan to fill those gaps. If the result of this self-assessment shows that you need a specific certification in order to be more competitive, then you already know what to do: study and obtain the certification.

A survey performed by SANS in 2014 shows that experience is a key factor for a better salary in the information security field. The same survey also reveals that certification is a critical component for career success in the information security arena. What should we conclude from this? Having both is the best scenario for a security professional. While experience is, for the most part, directly related to the jobs that you had in that field, you can also obtain experience by attending training conferences and helping your community. Initiatives such as Security BSides are available in many locations around the world. You could propose a presentation for one of their meetings or you could volunteer to work at their meetings. By engaging yourself in communities like this, you will gain knowledge and you will also expand your network.

I've been teaching the bachelor of science in cybersecurity and the master of science in cybersecurity at EC-Council University since 2015, and every year I have a good mix of students who are already in the market and ones who are brand new. What they have in common is that they are all pursuing a university-level degree in the field. I'm truly a believer in studying to build your foundational knowledge about something, and getting credentials to validate your skills; credentials will be the most useful in this market. Keep in mind that credentials via certification or degrees do not give any guarantees that you will rapidly get a promotion (if you are already in the field) or a job in the field. What you need to understand and focus on is that there are things you have control over (pursuing a better education in the field) and things that you don't have control over (getting a job, for example). By doing your homework, you increase the likelihood of a positive outcome, so make sure you do your homework!

Now that you understand the general considerations regarding which path you should take, how to choose it, and the generalist/specialist dilemma, it is important to build your security foundation. If you are new to this area and you want to know what you should learn about security, the best advice is to obtain a vendor-neutral certification, such as CompTIA Security+. The current exam (SY0-501) is very broad, because it covers subjects such as BYOD, SCADA, Incident Response, and other topics that are relevant for anyone who wants to either start working in security or boost their security career by obtaining a vendor-neutral certification.

One of the advantages of starting with a broad certification in the security field is that you can decide which area you want to focus on if you want to specialize in something; for example, after obtaining this certification, you might conclude that you want to invest more time and effort into becoming a computer forensics analyst. If that's your choice, you could start with GIAC Certified Forensic Analyst (GCFA) or EC-Council's C|HFI (Computer-Hacking Forensics Investigator). The reasons that will lead you to choose one certification over another can vary; it could be job requirements, financial restrictions, and so on. It is important to research and to verify which certification will add more value, not only to your resume, but also to your own knowledge. What you learn throughout the preparation phase is vital, because if you are going to spend hours and hours studying for an exam, you had better like the subject and be very passionate about what you are about to embrace.

If IT is already a very dynamic field, information security is even more challenging, because it changes on a daily basis and one change can cause collateral damage in different areas. Be aware that these challenges can be overwhelming but they are also full of opportunities to highlight the quality of your work. As with anything you do in life, progressing in this field becomes easier if you are passionate, self-driven, and have discipline to pursue your vision of what you want for your career. Make sure that you participate and network with other professionals, because this will help you to identify areas that you can explore further and will offer real-world scenarios that you might not be exposed to if you are working on your own.

Last but not least, follow this simple advice and stay hungry for knowledge:

"The more I learn, the more I realize how much I don't know."
- Albert Einstein

Who is Yuri Diogenes?

Yuri Diogenes is a senior program manager at Microsoft C+ AI Security CxE Team, working with Azure Security Center and Azure Sentinel. He is also a professor at EC-Council University for its master's degree and bachelor of science programs in cybersecurity.

Prior to working in this team at Microsoft, he worked as a senior content developer for Azure Security Center. He started in the content team in 2011, initially working as a technical writer for the Windows Security Team. Prior to joining this organization at Microsoft, he was a senior support escalation engineer at the CSS Security Forefront Team.

He has a master of science degree in cybersecurity intelligence and forensics from UTICA College, an MBA from FGF Brazil, and a post-graduate from UGF Brazil. Some of the IT industry certifications that he currently holds are CISSP, E|CND, E|CEH, E|CSA, E|CHFI, CompTIA Security+, CompTIA Cloud Essentials Certified, CompTIA Network+, CyberSec First Responder, CompTIA Mobility+, CompTIA CySa+, CASP, MCSE, MCTS, and MCT. He is also a senior member of the ISSA, Fort Worth Chapter, and a writer for the ISSA Journal.