One of the most common questions I get when I talk to those evaluating their future careers in the cyber security industry is “How do I get experience when I have never worked in a cyber security role before?” It is a question that can frustrate those looking at job descriptions that show an array of technical and toolset requirements to land an entry-level role. What if there was a way to gain experience other than by having a job? Luckily, cyber security offers many creative ways to gain coveted technical knowledge and experience to showcase to a future employer.
When I go to the bookstore and I walk down the Information Technology book section, I am always awed at the number of certifications you can study for. While some certifications include a prerequisite to have a certain number of years in an industry, a secret is that others do not have that same requirement. There are some certifications that will allow you to gain foundational technical knowledge to have more “hands to keyboard” confidence while sitting in front of a computer, while others are geared toward growing your cyber security knowledge. I have known smart people who successfully entered the cyber security industry by studying for and taking certifications. The dedication and effort it requires to learn about key concepts and how they apply to real-world cyber situations, and being able to attest to that knowledge on your resume, is a critical first step to showing the world you are ready for a career in cyber security. You will still continue to find me in the bookstore looking at new technologies and concepts to learn about!
Certification | Description |
Comprehensive Core IT knowledge + Practical Hands-on Skills | |
Core IT and Networking Skill Test | |
Core Security Skill Test | |
Linux Command Line Administration/Shell Scripting/Linux Security Exam | |
Security Operations Center tactical exam | |
Associate of ISC² (International Information System Security Certification Consortium) | Take any ISC² certification such as the CISSP and gain the experience after the exam for full certification |
Hands on penetration testing exam | |
Google Career Certificate - IT Automation with Python Certificate | Automation through Python |
Many certifications allow you to gain key knowledge to start gaining hands-on expertise in functional areas. However, many people worry that without access to the enterprise-level technologies seen on job descriptions, they will not be able to apply for the job. Luckily, open source software can come to your rescue when you do not have access to expensive tooling. Open source software is software with source code that can be inspected/modified publicly. This allows you to freely download the software. Being able to stand up the software, troubleshoot any issues you run into with it, and learn the data outputs of the tool will allow you to gain key experience that is hard to get without access to a larger enterprise toolset. In some circumstances, the open source software is very similar to an enterprise equivalent, making your experience in the open source tool even more valuable when you are ready for an interview. Even more important, being able to have an open conversation about your open source toolsets and the “sweat” that went into standing them up and utilizing them makes for a very strong conversation during an interview! The list of open source tools aligned to cyber security is large, and I picked a few to look into that you may find beneficial to build your career.
Functional Area | Tool |
Vulnerability Scanner | |
Network Security Monitoring | |
Intrusion Detection System | |
Incident Response | |
Identity and Access Management | |
SIEM (Security Information & Event Manager) | |
DLP (Data Loss Prevention) | |
When I was starting my career, setting up a lab environment took a lot of time and effort. I researched refurbished computers to add into my computer lab to stand up new software. I put all of the wiring and components of the computer together to network my computers together. Setting up lab environments is a fun way of truly getting that “hands to keyboard” experience for setting up hardware. As cloud computing has grown into the ecosystem of many enterprise environments, it is becoming more important to understand cloud from the ground up. More importantly, companies are looking at cyber security professionals to help secure these new environments. What if you do not have any experience in working in cloud environments? Luckily, the large cloud providers want you to learn all about their cloud offerings so you can help protect organizations migrating to this new frontier. Even more exciting is you can set up lab environments in the cloud now, just like many of us used to do at home, to gain key experience in some of the most talked about cloud environments we are being asked to secure. If you do not want to set up a full lab in a cloud, no problem! Just setting up a free account and exploring is another great step in familiarizing yourself too. Whenever I meet with a new cyber security candidate for any role, I always try to assess their cloud experience so I know they are ready for the latest security challenges an enterprise may face.
AWS Lab Setup:
Get hands-on practice in a live AWS environment with AWS services and real-world cloud scenarios. (aws.amazon.com/training/self-paced-labs/)
Azure Account Setup
Free access to popular products plus a $200 credit
At the end of your first 30 days or after you spend your $200 credit (whichever comes first), you’ll only pay for what you use beyond the free monthly amounts of services. To keep getting free services after 30 days, move to pay-as-you-go pricing. (azure.microsoft.com/en-us/free/free-account-faq)
Google Cloud Account Setup
20+ free products and $300 credit (cloud.google.com/free/)
After working hard to understand the best certification for you, trying your hand at open source security and understanding the beginning concepts of cloud computing, you may be wondering how to solidify this into experience without a job. When I was looking to work full time in the cyber security field, I wanted to showcase on my resume under a “job” how the skills that I learned about from the methods above would help out an organization as well. While there are creative ways of gaining resume worthy job expertise, I’d like to share with you one way that worked for me. I was aligned to a non-profit organization in the city I was living in. Their cause was something I cared about deeply and I volunteered with them for a few years. One day I was talking to some of the workers in the organization and the topic of IT came up. The non-profit was having issues trying to find someone to help them out with their IT problems. I heard this and I thought that if they are having issues getting IT help, security must be an afterthought. I asked the head of the organization if I could help them not only with some of their IT concerns, but also help build up their security posture as well. I asked for nothing in return. For the next few years, I helped them both with their technology and implementing key security principles in their organization. It never felt like a job for me. I loved being able to help out a non-profit that I was already volunteering for, but now I was volunteering in a different capacity. Importantly, as I helped stand up their security program, it helped validate to me that I loved the security work I was doing and I was even more excited to join the cyber security field in a larger capacity. My ask of you is to think about an organization you may have always thought about helping out because you care about the cause. 
Start volunteering to help them out, and maybe one day you can help them out in a greater capacity through building up your security expertise. Expect nothing in return and be ready to have a great time in the process too!
Looking into the cyber security field from the outside in can seem daunting sometimes. There is terminology that is specific to the industry, certifications that seem miles away from your level, and tools that are prohibitively expensive and will prevent you from getting key experience. The cyber security industry wants you to join our ranks and we want you to be successful and confident in your future cyber security role. Many of these resources are at your fingertips and are free for you to explore while developing your cyber security expertise. Utilizing free resources from SANS at SANS.org/free will also give you access to thousands of content-rich resources developed by industry experts and provided to the information security community. Learning about current research, information, and tools on the latest technologies and attacks will help support your security awareness and growth.
ADDITIONAL SANS RESOURCES
Scholarships & Community Programs
Cybersecurity Skills Roadmap pdf download
SANS Foundations training
GFACT certification
New to Cyber Summit | recordings
Trust Me, I’m Certified | GIAC Podcast
STI Bachelor’s Degree Online Information Session Webinar
Digital Forensics and Incident Response
BUILDING A HOME LAB RESOURCES
Building Your Own Kick-Ass Home Lab, Jeff McJunkin webcast
Becoming an All-around Defender: Building an Enterprise Grade Home Lab, blog
Building an Enterprise Grade Home Lab, webcast, Ismael Valenzuela & Justin Henderson
Extending Your Home Lab to Include Cloud, webcast, Ismael Valenzuela & Justin Henderson
Building Your Own Super-Duper Home Lab, webcast, Jeff McJunkin & Jason Blanchard
OSINT RESOURCES
“I always suggest those interested in OSINT join an OSINT community like the SearchLight Discord as there newcomers can interact with LOTS of OSINT-focused people sharing tips, techniques, and jobs. Have them say hi to “WebBreacher” once they join the community!” - Micah Hoffman (author of SANS’ OSINT course)
HR + CYBERSECURITY SERIES
1. Listen to the corresponding webcast here.
2. Read the rest of the Blog series here:
- Skilling the Gap: Creative Ways to Recruit Top Cyber Talent
- Knowing Your Applicants: How to Stay Current to Best Assess Your Cyber Applicants
- Slow the Revolving Door of Talent: Creative Ways to Keep Your Cybersecurity Talent in Your Organization
- Transition to Cyber Security From a Non-Cyber Role: Creative Ways to Impress to Land Your Dream Cyber Role
ABOUT THE AUTHOR
Kevin Garvey is the US IT Security Manager for an international bank responsible for overseeing incident response, vulnerability management, cyber threat intelligence, as well as the security operations center (SOC). Previously, he worked at New York Power Authority, JP Morgan and WarnerMedia (formerly Time Warner). Kevin has always had a passion to hunt down the adversary and has loved tackling the risk and threat challenges his responsibilities have thrown at him. Kevin teaches SANS MGT512: Security Leadership Essentials for Managers. Learn more about Kevin here.