How to get started in cybersecurity

I’ve been in cybersecurity for 25+ years, and the most popular question I get is my recommendation for how people can get started.

Here are six things that have impacted my career and helped me grow as a security person and a human being.

1. Get a solid understanding of systems and networks. Systems and networks are the foundation for everything we do in security. If you want to be better at security, you must have a foundation in TCP/IP. Both on the theoretical side and on the application side. The easiest way to get this experience is to become a systems administrator. The lessons I learned as a sysadmin allow me to speak about things in security, such as DNS, that I would only be talking about theory if I hadn’t ever wrestled with. Since I’ve had my hands on a DNS server and configured zones, I truly understand the security challenges of DNS.
2. If you don’t have Virtual Box installed on your laptop, do it now. Virtual machines are your friend. You can configure different machines (Windows, Linux, etc.) with virtualization and connect them. You can practice with the best security distributions (Kali, Web Security Dojo, etc.) without getting arrested! Learn to use Virtual Box (open source, by the way) and build VMs to test things and learn how they work. Have a system administrator mindset.
3. Read like crazy. In the security business, things are always changing. Whether new technologies (zero trust is the hot thing now) or new techniques, this industry is not stagnant. To get ahead in any industry, you must continue to grow and learn. Become an avid reader, and learn from the books you read. Even though college is over, take notes about the things that catch you in the book, and act upon them. Do not think you must limit yourself to non-fiction. Sprinkle fiction in as well to expand your mind.
4. Learn to code in a minimum of one language. Code is the foundation of everything in security. Learn at least one object-oriented programming language proficiently. You’ll be amazed at how you can apply the knowledge of a single language to any other language.
5. Take advantage of the training resources available on the Internet. There are many free security courses and training opportunities from Universities (Stanford and MIT), YouTube, where all the local conferences are archived, and Codecademy. Take advantage of the content that is out there and learn from it. Pick a specific topic and focus on it for a month. If you know nothing about Javascript, then learn it. You do not need the proficiency of someone who builds web applications daily, but knowledge can be applied when the situation arises.
6. Network, and not in a cheesy walk around and hand out business cards way. Make friends in the security industry. Do this on Twitter or Mastadon. Do not use Twitter as a news feed. Respond to security people and get into conversations. The worst thing that happens is that they ignore you. Go to conferences, and don’t just stand in the back of the room like you are at a middle school dance. Introduce yourself to people, talk before the sessions start, and make yourself a part of the community. You’ll benefit greatly from the relationships you establish with real security people.