
Getting Started In Security: Post Certification

A common step when you're trying to get started in a career in cybersecurity is getting a basic certification. What comes after?


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning everybody. How are you doing today? In this episode of Mornings with Mark, I want to talk to you about sort of your second step or your half step into getting started with cybersecurity. And the reason being is that quite a few people have reached out to me in the last few days talking about, hey, I got a security certification or I'm about to write my first security certification.

What should I do next? How do I get that next thing going? Well, a reality check first. And I don't mean this to be a Debbie Downer, but this is important to understand: a cyber security certification, something like a CompTIA Security+ or a GC from SANS, some basic entry-level certification, is not going to be enough to get you rolling in a good cyber security job.

It's a part of the process. Absolutely. It's an external validation that you have a certain level of knowledge and understanding of the security domain and that's absolutely important, but on its own, that's not going to be enough to get things going. So the reason for that is a couple, this is multiple fold because a security certification is good as a part of a puzzle, but it's not the whole thing because mainly that's just testing, especially the entry level certs are simply testing your multiple choice answers to certain basic security questions.

OK. So it's not enough to say, is this person going to be a good analyst? Do they have the principles behind it? Can they learn quick enough? It doesn't answer the core questions for me that make a real good cybersecurity professional. So here's a suggestion and this is a little harder for people, but it's absolutely critical for cybersecurity and it shows multiple things at the same time, which is great.

You want to double up on the activities as far as proof points that you can handle a job in cybersecurity. So one of the biggest things that I've talked about multiple times on the show is sort of that thought process, that mental model. Can you take a security problem or take a general IT problem and bring it down into its parts and have a good perspective around the cyber security or privacy issues around it?

So one of the things that I think would be a good start, and again, this is just my opinion, my suggestion, is writing up an analysis of a particular vulnerability or security issue, whether that's a breach, whether that's something very public in a privacy failure or a vulnerability, writing up your thought process behind why it's important, how it works.

Um, generally how it fits into a larger context and putting that out there, um, on something like or if you have a personal blog or Peerlyst, anything that will get it seen or that you can point to publicly. Now, the reason why I think this is a really good idea.

Um, is that, A, it shows you've got the ability to communicate through written word, which is critical in cybersecurity. It also shows your thought process behind tackling a security problem. So if you take the latest remote code execution vulnerability in something like Apache Struts and analyze why this is a problem. Call out some of the challenges around mitigation, around deploying the patches in the development process against the potential impact, given the wide deployment of something like Apache Struts, that will show your thought process.

If you do a couple of those, then you'll have a nice little body of work. And these are just for you, for your own edification and have a nice little body of work to point to not just for potential employers but also for others in the community to help you out, to help you learn, you need to learn by doing in cybersecurity that's very, very critical.

And if you don't have a role in cybersecurity, need to basically cherry pick these projects to figure out what you want to do or to start to get examples of you working through this stuff so that you can do it and learn, it's not going to be perfect, but you need to show that you've got that ability to break that problem down.

That's absolutely critical. And for me, if I'm hiring somebody, that's far more telling than saying, oh, I've just got these four certs. Well, it's saying like, hey, I've got a certification, I can play that game. I've got all this other IT experience or this experience and something else that's relevant like risk management, you know, so, hey, I was a security guard, so I'm understanding risk or I was a financial controller for a company or, you know, whatever the case may be related to a cybersecurity principle.

But also saying, hey, I've also got these analyses that I've posted online to get feedback from the community. Also just as practice to show my ability to tackle a security problem and then to relate the perspective and the solution to other stakeholders within the organization. And because I'm just trying to get started in cybersecurity, I thought it would be useful to have this public so that not only could I get feedback and learn from the community, but also I could show people that, hey, I can do this, I can tackle these problems and I can explain why they're important and why we need to take action.

I think that's probably going to push you forward more than getting another certification, especially if you're knocking on doors and finding, um, not so great of a response. So again, we talked about that in another episode where you should get out there and network as much as possible. Go to free meetups, go to, um, OWASP, go to, um, (ISC)² meetups, go to BSides, go to anything out there.

There's tons of great free security stuff in pretty much every major city and a lot of the smaller cities as well. Um So it's, it's never one thing that's going to get you started in cybersecurity. But I think if you tackle this on multiple fronts, it can help and really get something like an analysis out there.

Um, it does not have to be 50 pages. Um, you know, something that's in like the 15 to 2500 word range would be comprehensive enough to show people that you can do this. So if you can pound out a couple of these in a reasonable time, it shows people that, hey, I can actually put pen to paper, I can put the rubber to the road.

I can do this. Um, far more than just saying, hey, I've got the check box of being, um, XYZ Certified. So what do you think? Let me know, hit me up online at marknca.
