How to speed your career in Cybersecurity as a student

Many people are moving into Cybersecurity, get their first degree and certifications, but struggle to get a job or have wrong expectations. This article is written for CS students or for people who want to know more about this career path including some free resources.

This article shows some tips to get hands-on knowledge in Cybersecurity and one path to become a SOC Analyst.

The first steps

You heard about Cybersecurity, but you do not know what “Solarwinds” and “Orion” have in common… think again about your career goal or change your habit. If you attend an interview, you might get one or two questions about such topics. Twitter is a great place to be up to date.

A career in Cybersecurity is a noble thing, because you can use your knowledge to help companies, family members and friends. You are a big helper, but the other side is, you have to learn every single day. Each day brings new threats and fresh problems. A career in Cybersecurity is not a 9 to 5 job, and it is one of the most immersive and challenging jobs what you can do.

You love to fill your brain every single day –> go for it.

The next steps:

Know, Cybersecurity is HUUUGEEE, and it is impossible to do and know all. At the beginning, you have to find your goal. Use excellent sources and do not believe everyone.

- Talk to many people in the field and engage with them. LinkedIn is a great platform to do that, but you can use twitter and other platforms, too. Align your goals with something what companies want and need.

A lot of people looking for a cool penetration testing job, but they do not know about how hard it is to get the first job. Penetration testing is an outstanding job, but you need an unbelievable amount of knowledge to be a valuable pen-tester. OSCP is just entry-level… and exam does not ask you about AD at all, and over 90% of the companies use AD.

- Do not trust ads on the internet. One example: You google for salary and Security+. If you open CompTIAs web page you see $110,321 but if you open infosecinstitute you find $35,000 to $45,000. The first page is sales (buy our certs and get rich) and the second is more realistic. If you start your career in cyber without a very strong background or good connections, you will never start with 100K...

- Most likely you start your career with entry-level certs like Sec+ and Net+, but do not spend too much time on it. These certs are quick bites, you have to move on unless a "40K" job is okay. If you have a background in IT, you can take each of them in a month or less. Buy an excellent book, watch Prof. Messer’s YouTube videos and if you want get the certs. Do not spend thousands of Dollars in training! If you prefer hands-on training in a classroom, check out your local Community College and you spend between $300 and $600 for 40 hours.

Get the knowledge for free

I mentioned it before, a lot of companies want your money and that is it. The good news is, you can get a lot of things for free. You can spend thousands of hours in free materials and labs. Here are some ideas:

- https://freetraining.dfirdiva.com/

- https://noxcyber.co.uk/

- https://www.dhirubhai.net/pulse/free-cybersecurity-resources-blue-side-stefan-waldvogel

- https://www.dhirubhai.net/pulse/penetration-testing-career-other-options-us-stefan-waldvogel

These resources are great, and you can use them as an indicator. Did I ask enough people? Was my information-gathering phase good enough to set up a specific goal? Without a very specific goal, you got lost quickly. You need a very specific goal, do not go into Cyber without one. Later you can change your goal, that is not a problem.

One path (SOC Analyst)

Let us say you talked to people and your career goal for an entry-level job is: SOC Analyst. You gathered information about this job, you watched some YouTube videos (e.g. https://youtu.be/n53S1yO9A_g or https://www.youtube.com/watch?v=7LY-zLpx_48), you have jobs in your city and you know the “real” salary range (payscale, glassdoor). You read some job postings, but you do not know about all the fancy words like SIEM, EDR, FW, AD, IPS, SOAR, WAF, CTI, Application and Email Defense, SandBox, etc…

Time to get your hands dirty! Learn with doing something, because learning the terms to pass an exam is not enough to do your job!

Where can you start? At the beginning, start with the basics and one good starting point is INE’s free Starter Pass (https://checkout.ine.com/starter-pass). This is an online course with real labs, some videos and you can read about 1500 pages. The course is more on the red side, but it does not matter, you need the basics to understand the advanced tools.

After this course, you can sign up for RangeForce free Community Edition (https://www.rangeforce.com/free-cyber-security-training-community-edition). Here you have a collection of 20 modules. You get an idea about blue tools like Splunk, Suricata, YARA and you get the idea about docker / kubernetes.

You are still here and you like it?

It is time to dive in. You can use more free tools, or you can spend a bit of money. Analyze your own learning style and find your best way to learn. You prefer guidance? Maybe spend $150 (student access) and buy all 400 RangeForce modules and you can do SOC1, SOC 2, Threat Hunter, etc… these paths / modules will keep you busy for a couple of months.

You want to try TryHackme? They have a Cyber Defender Path; it is about $10 a month.

You do not want to spend money at all: No problem, install a hypervisor and spin up a lab at home. Grab Kali, Security Onion and some victims… install tools and attack / defend the systems. If you need ideas, YouTube is a great and a free resource.

Whatever you do: write you notes down. Use Cherry Tree, Obsidian, etc to store your knowledge.

→ You do these things at home… do not hide it. Write a blog or post an article on LinkedIn, Twitter and tell people what you did.

What next?

If you did these things and you reached a solid level… you need little help anymore, try to help others. I wrote this article without having a job, but I can help many people. You and I, we are responsible for the next Cyber generation. To many students give up, because they have wrong expectations and did not have enough guidance. At this point, you know a lot about common mistakes, but you are on track.

Certifications?

The blue side does not have a lot of affordable and HR relevant certs. RangeForce (SOC1, SOC2, etc) is new, Blue Team Security (BTL1) is new, too. One relevant HR cert is GCIH, but this cert is not affordable ($7000??), unless you use the Work Study program (https://www.sans.org/work-study).

Additional things

One of the most important things is networking. If you are a student and a job looks far, far away, still add people on LinkedIn. Send 5 or 10 requests a day and spend 15 minutes on it. If you write something, write more than just a sentence, build a relationship. Avoid politics, religion, etc → focus on cyber… You are a professional.

Join relevant discord channels (e.g. Black Hills Information Security, The Cyber Mentor).

Final words

This is one path, but there are thousands. Planning a career in Cyber is not a simple decision, it is hard work. At the end, you want a job. Plan well and start early.