This is one of the questions that those of us who work in information security have probably asked ourselves at some point, and those in other areas of knowledge may ask themselves when they find this field attractive for professional development.
For some, starting out in information security may have been an almost seamless process, usually starting from a technology area. However, for others, starting out in this profession may not be as easy, considering that this field, like any other, has many lines of action and depth of study.
It also requires a desire to learn the concepts specific to the area you want to go deeper into, and to identify your own skills, based on prior knowledge, studies, and experience, that will help you through this process without dying in the attempt.
So, returning to the question and how we begin, we recommend considering the following aspects.
1. At the macro level, which line of specialization can you pursue?
What do we mean by macro levels? In security, we can consider three high-level lines of specialization: Defense, Attack, and Management.
Defense covers the lines of specialization and activities aimed at proactively protecting organizations and their assets. Think of the roles of police, vigilante, detective, defender, or hero who face attackers.
Attack covers the lines of specialization and activities aimed at finding vulnerabilities and breaches in organizations and their assets and testing the effectiveness of implemented controls. It analyzes security from an offensive perspective by emulating or simulating techniques, tactics, and procedures used by real attackers. If we think of roles, we consider the marauder, thief, bandit, and anti-hero; but all of these in a positive sense, given that the activities are carried out with an ethical approach.
Management, for its part, covers the lines of specialization and activities that, based on compliance analysis, security risks, and the generation of policies and procedural frameworks, allow organizations to establish the security rules of the game. Again, if we talk about roles in this case, we can consider a judge or a legislator.
There are considerations regarding other intermediate lines, such as Security Architecture, and here we hear about the purple team, but in some ways this level of specialization is a blend between defense and attack.
Can I train in all three lines of specialization?
Someone may consider working in all three lines, and it’s entirely feasible. However, our recommendation, if you’re just starting out, is to focus on one and become proficient at it, because covering so many topics with high levels of quality and knowledge requires considerable dedication and effort.
But importantly, it’s necessary to have basic knowledge and an understanding of what is done in each of these lines, since they interact with each other, and security in organizations requires all three to complement and balance each other.
If, after being very good at one area, you find it’s possible and want to delve deeper into another, go ahead. There’s nothing better than pursuing a well-rounded approach, but specializing in a specific area will create a professional differential.
2. I've already decided on the macro level. Now what's next?
Okay, if you have decided on Defense, Attack, or Management, now go down a level and decide which activities to focus on. For each of the three areas, it’s possible to reach greater levels of depth. Therefore, the recommendation is to analyze your particular interests and also consider your current skills. This is to avoid choosing a specialty that you like but for which the skill level you have or can develop isn’t sufficient, so that the learning process becomes a headache.
Alyssa Miller, a hacker, researcher, and security advocate, shared some thoughts on landing a first job in security in a talk called “From Barista to Cyber Security Pro,” held at the Career Hacking Village at Defcon on August 28, 2020. She analyzed the challenges candidates face and discussed job descriptions, certifications, degrees, and challenges related to the job search.
While this presentation is just over two years old, several of Alyssa’s points are still relevant if you’re looking to get started in security. Here’s the full video of the talk, and we recommend checking it out if you’re just starting out.
Source: Career Hacking Village YouTube
Part of what is shared in this talk is the security domain research conducted by Henry Jiang, CISO of Diligent Corporation, which was last updated in March 2021 and goes hand in hand with our breakdown of lines of specialization. Although we do not agree with all the strands as they are presented there, we like how it shows that security has different paths, that these are related to the macro levels, and that working in each one implies developing different skills and capabilities.

Source: Cybersecurity Domain Map article ver 3.0
So, if you know you want to pursue a particular security path, the next step is to think about what you like about that path, what you want to learn, whether you already have some experience with a particular activity or specialty, and whether, based on what you know, you want to continue down that path.
While we’re hesitant to offer an exhaustive list for each of these paths, here are some references.
Lines of study or activities that can be considered in Defense:
Security incident response and management (and responding to an incident in a traditional corporate network, in the cloud, or in an industrial control system is not the same thing)
Security in the software development cycle
Security architecture from the perspective of secure implementations
Secure network design
Technical vulnerability management
Threat modeling
Threat intelligence
Threat hunting (and yes, threats are seen as a common denominator in the last three, but they are not the same)
Implementation of assurance guides (hardening or security posture)
Monitoring, correlation of security events, and automation (here, consider aspects of regular expression management and scripting)
Cloud security
Malware analysis
Defense-oriented reverse engineering
Security platform management
Digital forensics (and forensics in mobile, cloud, blockchain, operating systems, or networks is not the same thing, so pay attention to this)
Security associated with emerging technologies (IoT, AI, VR, AR, ML, autonomous systems, blockchain, etc.)
Lines of study or activities that can be considered in Attack:
Technical vulnerability analysis and remediation mechanisms
Ethical hacking and pentesting (and pentesting on mobile devices, cloud computing, applications, web, APIs, etc. is not the same)
Security testing in software development
Malware design (be careful, use it ethically for pentesting)
Social engineering
Attack-oriented reverse engineering
Biohacking
Lines of study or activities that can be considered in Management:
Risk analysis and management
Governance, risk, and compliance (here, industry-specific regulations should be considered based on requirements and country)
Definition and management of security policies, guidelines, and procedures
Privacy management
Business continuity
Disaster recovery
Crisis management and communication
Technical and management audit (aspects of the 3 lines of defense can be considered here)
Implementation of security management frameworks
Security metrics (KPIs, KRIs, KCIs)
Security awareness
Security training
Project management applied to security
Security strategy (zero trust, risk-based security, etc.)
IT law
Security architecture from the perspective of secure implementations
Management and auditing associated with emerging technologies (IoT, AI, VR, AR, ML, autonomous systems, blockchain, etc.)
3. I decided to go deeper, but I don't know where to start.
Let’s imagine you’ve decided to learn about threat hunting, but along the way, you discover that you’re unclear about what a threat is, what an attack vector refers to, or you encounter a scenario where analysis is necessary in cloud environments.
Similarly, you want to work in mobile pentesting, but you identify significant gaps in operating systems, applications, or how APIs work.
Or you want to be a technical auditor and don’t know how to review a network topology, you’re unfamiliar with authentication and authorization principles, or you simply don’t know what a control should consider for its proper design and effectiveness.
In situations like these, it’s important to have a foundation in technological and analytical knowledge and to develop some soft skills that allow you to pursue any of these specializations properly, as they provide solid structures that will facilitate the learning and work process.
Below, we share some foundations you should consider to get started.
Technology Foundations
Networking (network topologies, protocols, TCP/IP, network infrastructure devices, etc.)
Operating Systems (Windows, Linux, macOS, Android, iOS)
Computer Architecture
Databases (relational, non-relational, database engines, query creation)
Repository and Storage Schemas
Scripting (Python, PowerShell, Go, Bash)
Software Development (programming languages, development methodologies, data structures, etc.)
Virtualization
Cloud (Microservices, APIs, containers, security as code, infrastructure as code, multicloud, etc.)
Blockchain
Mobile Phone Technologies (5G, mobile-oriented malware, etc.)
Concepts of Emerging Technologies (IoT, AI, VR, AR, ML, Autonomous Systems, etc.)
Security Foundations
Basic Risk Analysis (concepts of threats, vulnerabilities, risks, impact, probability, control design)
Access control, user and identity management
Biometrics overview
Malware overview and attack types
Asset management and information classification
Cryptography
Bases for developing metrics
Physical and perimeter security
Regulation and legislation surrounding security and technology (remember that this depends on each country)
Cloud security frameworks
Soft skills foundations
Improving writing and reading skills, including a second language such as English
Preparing technical and executive reports and briefs
Communication and public presentations
Again, the foundations mentioned above are not intended to be exhaustive; you may identify others that are not listed here, so add them to your to-do list.
4. What learning options are there for all of the above?
For career development in security, you can choose from different methods and mechanisms, such as self-study, formal studies, in-person or online courses, training, study groups, certifications, YouTube tutorials, participation in CTFs, conferences, coaching processes, mentoring, among others.
If you choose self-study, the recommendation is to look for introductory or beginner courses that ease the process, but verify that their coverage of the technological and security foundations is not obsolete, given the constant changes.
Some ideas for basic, intermediate, and advanced courses can be found on platforms such as Cybrary, edX, Coursera, Udemy, FutureLearn, or Platzi. There are paid options with different costs and free options. You can also find options offered by technology providers, services, and universities through these platforms or through their own websites.
It’s all about taking the time to conduct your research based on what you want to learn and filtering it so that the information you gather is appropriate. Let’s remember that the problem today isn’t the lack of information, because we find it by the thousands; the current challenge is knowing how to filter the ideal information that truly provides us with knowledge.
When searching for information, an additional recommendation is to include resources in both Spanish and English. It’s even possible that you may find more resources, or that they are more up-to-date, in the second language than in the first. Therefore, it’s also important to give them a chance as part of the search and not be held back by weakness in a second language. Study resources are precisely where you can find opportunities to learn and strengthen everyday and technical English, which is a great advantage and even a necessity in the professional world.
And regarding the common question: choosing between formal or informal studies or certifications.
This depends on each individual’s interests, the sector in which they want to work, and even the culture of the country they are in. There are places where knowledge that can be demonstrated through technical tests or interviews is more valued than the presentation of specialization diplomas, master’s degrees, or certifications.
Likewise, there are places where professional qualifications or certifications are part of the profiles, which become the first selection criteria when reviewing a resume, regardless of actual knowledge.
There are recent topics for which formal studies or certifications fall short, while informal studies offer a way in (including, importantly, self-study by searching for material online and even reading articles and research).
So, based on the required foundations, the desired lines of study, the sector in which you’re looking to expand your knowledge base, and your geographic location, the recommendation is to create a training and development plan that will allow you to approach the level of knowledge you want to achieve. You’ll surely find new things along the way that will cause new avenues to appear on your map; and that’s the beauty of security, which is a vast field. So, if it happens, take it as a new opportunity to reinforce what you’re learning or perhaps to veer toward other lines of study that you discover you’re more passionate about.
But be careful! Don’t lose your bearings either. Remember that the main recommendation is to specialize in a particular field and avoid becoming a sea of knowledge with minimal depth.
In many places, certifications are highly valued, even above formal studies. That’s why we’re sharing this list of security certifications geared toward different specialties and based on beginner, intermediate, or expert levels, which Andrés Velázquez (@cibercrimen) shared on Twitter a while ago.
And even with these ideas, I don’t know how to organize my study plan in this regard.
You’re new to security, just getting started, and want some guidance on how to advance your preparation and study plans. Contact us, and we’ll help you validate a roadmap or initial career plan that will allow you to better focus your efforts in finding learning resources.