6 minute read
CYBER SECURITY FUNDAMENTALS LEARNING CYBER
By James Bore cyber security fundamentals Learning Cyber
We're now into my fourth year regularly writing for Circuit, and while the cyber security scene has changed there are some obstacles which seem insurmountable. One of those is the often discussed skills gap, the shortage of people in cyber security.
There's a lot of debate over the skills gap and I've mentioned it before.
For now I'm going to set that to one side, and talk about the various ways organisations and individuals try to address it, from self-study, to degrees, to bootcamps.
Self-Study
Probably the most championed and well-known way to break into cyber security is self-study and self development, with something of an old-fashioned and outdated view that the best hackers are self-taught for free and so the best cyber security people must be as well. As one of the most qualified professionals I know of in the security field, Dr. Richard Diston, writes the "worst advice is the stuff you get for free because nobody has any investment in its quality". This is true in any domain, and especially in cyber security a lot of the free advice out there
is put out for ego purposes as much as educational. While there is definitely some good material available being able to filter out the bad stuff requires a degree of experience.
Even with paid self-study material, there's an investment of time and self-discipline required which works for some, and not for others. Equally there's cheap material which is, to be blunt, outright misleading (for that matter there's some expensive material which is actively harmful if implemented). Autodidactism is definitely an option, just one that requires a significant amount of work and can involve more than a few dead ends on the way. If you decide to take this route, it is definitely worth joining some of the many communities out there for cyber security learners as they can help validate, assess, and guide towards the useful materials and filter out bad advice.
I am far from against the selfstudy route, but it carries risks that learners should be aware of and can be both frustrating and ineffective. Very much a case of buyer beware.
Certifications
Another route, also often touted Certifications can definitely help. A lot of the time entry level roles are poorly specified by potential employers with a raft of required certificates, and having a few of the right ones can help get past the human resources filter
as the one true path in, is to take various industry certifications either through a self-study route again (just with expensive course books, or less expensive unofficial course books), online courses studying over the long term, or short bootcamps promising certification at the end.
Certifications can definitely help. A lot of the time entry level roles are poorly specified by potential employers with a raft of required certificates, and having a few of the right ones can help get past the human resources filter to speak with an actual human being who can evaluate knowledge and understanding effectively. Many (though far from all) certifications also have reasonably good, wellresearched source materials which effectively teach vital areas of cyber security for new entrants. Sadly very few of those certification courses assess that knowledge in a way that makes the certification useful. The vast majority rely on multiple choice automated quizzes, and seem to believe packing them full of a family edition Trivial Pursuit game’s worth of occasionally-tricky questions is the way to assess learning.
The few that don’t are easily recognisable as they tend to take a more hands-on approach to assessment, offering a variety of laboratory tests and simulated environments to demonstrate learned skills. These work well for the better-defined, more technical roles within cyber security such as penetration testing (trying to exploit systems to gain unauthorised entry or cause harm, with permission from the owner of the system) and SOC analysis
(monitoring, reacting to, and trying to prevent the same harm). SOC analysis work is not as well defined, since the roles can encompass anything from straightforward monitoring through to aspects such as forensics and vulnerability management, but a good course will take you through these, and a good lab assessment will have you carrying them out.
The problem is that very few of these practically-assessed exams are well recognised so far. The OSCP is the most well-known for penetration testing, though others have started to pick up similar approaches. For SOC analysis a relative newcomer which is gaining ground fast is BTL1. OSCP is now often found on penetration testing roles, while BTL1 has more awareness work to do before it becomes commonplace. Of course when you do see a job description with these certifications, it’s a good sign that the hiring manager
understands what they are looking for in a qualification.
Bootcamps
There are various bootcamp programmes out there, and for full disclosure I teach part time for one called CAPSLOCK. As with anything else quality varies, so I would always say to try and speak to previous students of the course and get their opinions. Many of them are, sadly, focused on teaching a handful of certifications and promising ridiculous salaries which never materialise. Fortunately others, and the number is growing, are more interested in helping to resolve the skills shortage.
Bootcamps get a mixed bag of opinions in the industry, many people are very attached to the self-taught route and accuse these courses of profiteering and exploitation (and indeed, some do exactly this), without any evaluation of the individual courses. Others will take a dislike to even the best course because it does not include the certification they fell is most important (which is frankly often a sign of a narrow view of the field).
The good bootcamp courses will include placement support and
advice to get learners not only through the course, but into an appropriate role, which brings me to the last piece of this article.
Breaking into cyber security Over the years I have helped a number of people to enter the cyber security field, and the thing that I have found most in common among the ones who succeed is that they did not get their roles through simply applying to jobs online. A few have found good recruiters that they have built up relationships with over time, but most have relied on networking and making themselves known to people who are likely to be looking for recruits.
If you are interested in entering a cyber security role, my strongest piece of advice (beyond learning whatever aspect or aspects interest you) is to put yourself out there. That’s not a case of simply sending your CV to as many places as possible, but includes speaking at rookie (or non-rookie if you are comfortable with public speaking) conferences, networking, using LinkedIn, joining communities, and so on.
I will not pretend that I believe entering cyber security should require these things, but there is so much misunderstanding in the sector, and so few of us out there (DCMS estimated 46 000 cyber security professionals in the UK in total, 30 000 of them work for large vendors and include sales staff while the rest work for organisations directly) that it’s the system we have until we manage to change the way the recruitment works.
James Bore is an independent cybersecurity consultant, speaker, and author with over a decade of experience in the domain. He has worked to secure national mobile networks, financial institutions, start-ups, and one of the largest attractions’ companies in the world, among others. If you would like to get in touch for help with any of the above, please reach out at james@bores.com