Getting Started in Cybersecurity? 7 Steps to a Great Start!

You’re considering a change of career, or perhaps you’re starting out on the job ladder, and you think cybersecurity might be the way to go.?

You have no skills yet, perhaps even no real knowledge to speak of, but you’ve definitely honed in on cybersecurity as the goal.

You just don’t know where to begin. Perhaps you even need some motivation to get over the starting hump.

Sound familiar?

If you’re unsure of where to start in your quest to enter cybersecurity, then join the club. I was where you are not too long ago – I was transitioning from a completely different sector and didn’t have a clue where to begin.

I even wrote an article about it, which you can check out?here.

However, after much trial and error, I eventually landed on some good resources that got me started on my journey to cybersecurity. They also landed me my first job in IT, on the first try, with absolutely no previous experience.

So, I guess, from my experience… it works.

Or has worked.

The way I’m going to arrange this is a tiered list of jobs – so you can keep it straight what you need to do and a sort of priority list.

Let’s jump into it.

Job 1

Research the Industry

It’s no good just saying “I want to be in cybersecurity”, you need to know where you want to land.

Perhaps you’re super into governance, well then you’ll likely want to find out more about infosec.

Maybe you love breaking things for people so they know where the holes are? Maybe look into penetration testing, or application testing. Something red team.

Perhaps you just love beating the bad guys and want to spend as much time as you can hardening your network? Maybe you’d benefit from looking at blue team roles, or perhaps even network engineering.

My point is, there’s loads of different aspects to cybersecurity and each come with their own specialties – find out where you want to land and reverse engineer your path; look where you want to go > check the skills the top of the path requires > work backward until you reach the point you’re at.

Make sure you set a timeline, too! A plan without a deadline is just a wish list.

Congrats, that’s your first action plan.

If you want a more defined path to create goals and targets, my suggestion is always to use SMART targeting. It’s something I used to use a lot when I was personal training, and I’ve always found it a super useful tool. Here’s a good guide to get you started:

Job 2

Find Your Why

People often enter into cybersecurity because it pays well.?

You need to have more motivation than that.

Studying for your qualifications or gaining practical skills takes serious dedication – I have lost count of the amount of hours I’ve spent in the dim hours of the night, staring blankly at a problem on my screen that I have NO idea how to solve, but trying to puzzle it out all the same. Eventually it happens, but if you’re not dedicated to learning then you’re just going to give up.

I’ve turned the computer off several times out of frustration when hitting roadblocks in my problem solving, but I always end up back there once I’ve gathered my thoughts – because I’m dedicated, but also because I’m interested!

I actually really love working through more complex puzzles that take me time to problem solve and consider – those are the ones I feel I learn the most from, and the sense of achievement is great.

My point is, without having a WHY (for example, I’m interested, I enjoy it, I want to change career and, yes, I would like to earn more money) you’re going to struggle to stay the course.

If you don’t like problem solving, are you going to continue trying if you hit a road block?

If you don’t want to learn new skills, are you going to continue trying to understand something you’re struggling to grasp?

If you aren’t interested in the technology, are you going to be motivated to learn new programs?

Find your why!

Job 3?

Set a budget

No matter what you see online or hear people say, it’s damn-near impossible to get into cybersecurity without any fiscal input.

Don’t get me wrong, you can do the vast majority of the learning for free online with wonderful resources found easily online.

But, ultimately, if you want access to the best learning (Udemy or THM/HTB, etc) or get the most relevant qualifications (CompTIA, AWS, Azure, etc) then you’re going to have to fork out for them.

Certs/quals are most likely where your money will go.

Udemy courses can be super cheap, but they don’t give you anything at the end.

Platforms like Tryhackme or Hackthebox are amazing and cheap to sub each month, but the certificates you get don’t have much cache with the HR teams that unfortunately usually do the job profiles and hiring.

Places like Amazon and Microsoft do loads of learning online totally free, but the learning doesn’t give you any proof you know your stuff.

For every proof of learning, of knowledge, the vast VAST VAAAAST majority of companies will want to see certificates.

I don’t agree with it, but that’s the way it is.

So, do your research - what certificates and learning are most relevant to you?

If you want to go into ethical hacking and pentesting then you might look at the CompTIA Security+/Pentest+ and a THM subscription.

If you’re looking to get into network engineering, then the CompTIA Network+ and CCNA might be a goer.

Next, find out how much these cost to do with a training provider and just for the exam stand-alone.

Also, check the failure rates of the exams! This can factor into the costing of your qualification route - i.e if you can get a training provider to offer the Network+ (as an example) with all the videos, learning resources, mock tests etc and free exam resists for, say, ￡800 then that might look nicer than doing it on your own and paying, say, ￡450 for the exam and risk failing and sitting it twice…

That’s just a rough example, those figures aren’t representative of reality I don’t think, but it makes my point.

Consider how much you can afford to spend, then make sure you take the best and most efficient path to where you need to be.

Job 4

Build a workstation

I’m just going to say this once and leave it here - setting up a home lab, even the most basic home lab, will teach you the most per minute of time spent out of virtually anything else when you’re starting out.

If this were a fighting tournament, it would be pound for pound the best value for time input.

When you’re starting out.

In my opinion… and experience.

The reason I say this is, when I first started learning the practical skills for a future in ethical hacking, I was using the pre-made attack boxes on HTB.?

These things are GREAT! They have every tool you need pre-installed and updated, every file or directory you need pre-arranged and sorted, and they just work.

What’s tragic about them, however, is they meant I wasn’t really learning how Linux works.

If you don’t have to install tools, run updates, download directories, navigate through the command line… are you really experiencing Linux properly?

My argument is no, no you’re not.

So, I would suggest starting there - get you some Linux!

Now, Linux comes in various versions, known as ‘distros’ and you have to be sure to get the right distro for you and your goals!

My personal suggestion would be to get Kali Linux, as this is the most common and most optimised distro for ethical hacking and pentesting.

You can also try Parrot, that’s becoming more and more common (and is the one you might well get advertised to you when you do HTB, unless they changed it since I did the introduction stuff), but I’d suggest Kali.

But, the question then becomes, how the chuff do you get this all set up?

To my mind, you’ve got 3 options that are fairly straightforward for starting out:

1. Create a USB stick to boot from
2. Create a dual boot with multiple hard drives
3. Create a Virtual Machine (VM)?

Let’s review these.

USB boot stick?

This is fairly simple, and pretty low cost. In fact - Do you have a sizeable USB stick just knocking about, doing nothing? If you do, this is free.

Essentially, you’re mounting an image of the distro you’ve chosen onto the stick to operate like a removable USB. The pros of this are that it’s cheap, it’s highly transportable, and it’s easy to do. The cons, however, are that it means you’re booting to your distro, so you are only using Linux as the OS and nothing else; persistence can be a bit spotty (you have to make sure you set this up right first time); and if your Linux has an issue, it’s not so easy to just rebuild or go back to a snapshot - you probably end up having to wipe that thing and start over.

Dual-Boot HD

This is kind of like the USB boot stick on steroids. Persistence is easier to get working reliably, the storage is most likely waaaaayyy bigger… but it’s not as portable. You’re still booting purely into one OS, however, so Linux will be your primary OS every time you do your hax. If you’re not used to it, maybe you’re more comfortable browsing or storing things on Windows for example, this could feel awkward/clunky.

Virtual Machine (VM)

This, to my money, is the best choice of the three.

VMs solve lots of the issues the other two struggle with - persistence is easy, backups are easy, fixing issues is easy (just rollback to your last snapshot if all else fails), you can have both Linux and your normal computer operating simultaneously, etc etc - plus, you’re isolating your hax platform from your own system! Admittedly, it’s not the most portable thing, but I believe you can export your snapshots to a USB and take them with you (though I’ve not tried this).

It’s also completely free! You can download Oracle here and work from there for absolutely nothing!?

You also have the added bonus of the VM being logically separate from your main computer OS, so if some malicious actor were, for some reason, to get into your system, they can’t get anywhere that matters.

This is the root (hacking pun) I would strongly suggest you go down.

Job 5

Pick Your Platform

Now you have a little lab set up, you can start learning your leet skillz.

There are lots of ways you can do this, but my strong recommendation is you go down a guided route.

If possible (and it is) go down a guided route that has labs and practical learning too.

My top picks for this would be either TryHackMe or HackTheBox.

If you’re not sure which to pick, check out my article where I broke down the two.

There are also lots of ‘satellite’ platforms that deserve a shout out too!

TCM Security

Blue Team Security thing

Let’s Defend

You can do labs that aren’t guided if you like, there’s plenty on OverTheWire and VulnHub, as examples, but not having a guide when you’re still learning the tools is proper hard work.

Trust me, it’s what I did when I started (read that article I linked above)! It was… not the optimal way to do it.

Once you’ve got the basic tools, you can stretch yourself on these platforms, but before then stick with some guidance. If you go down the THM route, they do rooms that have no guidance, like a proper CTF, so it’s an option there too.

Speaking of CTFs, these are cool ways of learning new skills and tools! I’ve learned about steganography, hiding meta data, developers tools in browsers and all sorts doing them. I’d suggest CTFlearn as a go-to as, again, it’s guided! It also has a really great community of people active in the forums.

So, to sum up - my strong recommendation is Tryhackme, but Hackthebox is a close second. Pick one and, if your budget allows, pay for the premium sub.

Job 6

Pick Your Top Tools

It may seem a bit early, but it wouldn’t hurt to work out which tools you need to learn for your planned career path.

I’m not saying anything mad like “blue team don’t need to know red team tools and vice versa”, I subscribe to the idea of having knowledge an inch deep and a mile wide, but there are tools that are more prevalent in certain roles than others. There are also just tools that are more commonly used than others, no matter the field!

Just by way of example, you’ll probably use nmap quite a lot early on whenever you’re doing enumeration, but tcpdump might not come up that much. Still learn tcpdump! Just don’t commit as much time upfront as you do to the more common tools (nmap, CLI tools, hydra, John, ssh, etc).

Another example, a SOC Analyst or forensic investigator might use wireshark a fair bit to capture traffic, but a Pentester might only use this occasionally when seeing what is happening when they interact with a specific network segment.?

These are just general examples that I’m sure many people would be able to find issue with, I’m just trying to make a point - some stuff needs more investment than others early on, and it would behove you to work out which to focus on so you don’t waste time.

Once you’ve got your list, practice! And don’t just muck about - again, make sure you’re doing guided learning!?

They say “practice makes perfect”, but one thing I learned in my many years as a sports coach is that saying is nonsense. Only perfect practice makes perfect.?

Job 7

Get After It

So, you know where you want to go, you’ve picked your route, you’ve got your lab, you’ve got your platform, you know the tools you want to work on - the only thing left is to work, work, work.

As I consistently tell my son when he’s learning something (particularly swimming) - get after it, son! You can do it!

Practice, practice, practice.

Work, work, work.

Just make sure you enjoy the process, because you’re about to venture into one of the coolest and most exciting skillsets out there!

Hopefully this little guide has helped somewhat!

If you’re new to all this and want some help or guidance, please reach out to me here or on LinkedIn and I will happily give my opinion and advice.

Get after it!