Top 5 Questions from Mentees
Roland Kissoon MBA, CCSK, CRISC
Cybersecurity Executive | VP Citi : Infrastructure Defense Engineering SASE | Zero Trust | Cloud Security - CNAPP | GRC | Blockchain | Independent Board Director (NED) | Adjunct Lecturer | Open Networker
This year, several of us started a monthly mentorship meeting we now call Thyber Thursdays. The team of mentors spans members from the USA, Canada, the UK, Europe and the Caribbean. We are always seeking new mentors and mentees to join the group, so all are welcome. Note that the views documented below are not those of anyone's employer and are not meant to be a prescription, as every individual's career journey will be unique.
After our January and February meetings, our team answered several questions. I have tried to capture as much as possible in the top five, which are consistently asked either 1-1 when people message us privately or at our monthly meetings. To make the best use of everyone's time, and for the benefit of those who were not able to attend past sessions, they are documented here for reference.
To Self-Train or to Attend Formal Training?
Q1 (From a military veteran trying to transition into cyber): I'm new to cyber security and did my first official training with a SIEM vendor, but did not get value from it despite it costing a lot of money. The trainers seemed to be focused on exam content and not on building practical experience.
A1 (from multiple members of the mentor team): There are a few things to consider when attending training, especially bootcamps. Many bootcamps are geared toward people who already have experience using the solution and are meant to prepare them for exams. Before investing your hard-earned money, be sure to understand the target audience and scope of the training. If in doubt, ask, to ensure your goals are aligned with the curriculum. Many of the experienced people on the call suggested getting some home lab experience first, which is how a lot of us built capability before getting real-world experience or attending training; that way you're not starting from ground zero.
University Degree vs CISSP or Another Cert?
Q2 (from a final-year university student): What is valued more highly by hiring managers: a university degree, the CISSP or another qualification?
A2 (From a Senior Manager at one of the world's largest cybersecurity providers by annual revenue): After HR screens for minimum qualifications and sends you on to the hiring manager interview, the focus isn't on certifications or degrees but on whether you will be a good fit: your hard and soft skills, personal attributes, etc. Often there will be a technical interview with a senior technical person in the organization. Having said that, this particular senior manager had a degree in civil engineering and worked his way up the ladder. While the team did not discourage anyone from pursuing university academia, many were able to navigate their careers without the help of a degree.
(From others on the mentor team): That does not discount the qualification requirement for many roles. For instance, I had a customer who stipulated in a multi-million-dollar RFP that the lead for their project needed at least a Master's degree with 10 years of field experience, so there are times when it is needed. Many would argue for or against qualifications. This answer is expanded in the next question below.
What Certification or Qualification to Pursue to Find a Job?
Q3 (From an accounting professional wanting to switch to cyber): Which qualification is best for someone new to cyber?
A3 (from a senior manager at a United Nations unit): This all depends on which type of cybersecurity role you are interested in pursuing. There are many different domains, ranging from penetration testing, which seems the most popular, to GRC to sales, etc. One way to gauge what is being asked for particular roles is to search job postings to understand what employers want and work backward from there to the requirements for the role you'd like to fill. Of course, your interests may change over time, which is perfectly fine. Many on this forum have served in multiple capacities over the years and pivoted into new roles as the industry changed.
What Are Some of the Different Roles and Domains in Cybersecurity?
Q4 (From someone new to IT): Which types of jobs are best for a newbie to pursue?
A4: There's no one answer to this question that will be the same for everyone, as each person has different strengths and interests and there are multiple domains in cyber security. The ISC2 CISSP [1] courseware defines eight domains:
1) Security and Risk Management
2) Asset Security
3) Security Architecture and Engineering
4) Communication and Network Security
5) Identity and Access Management (IAM)
6) Security Assessment and Testing
7) Security Operations
8) Software Development Security
You can follow any one of those tracks to specialize, or several to become a generalist. One mentor mentioned the concept of T-shaped skills, which the depiction from the Corporate Finance Institute [2] illustrates well in figure 1 below:
Figure 1: T-Shaped Skills (Corporate Finance Institute)
A very good source that maps training to different types of roles is the SANS Institute [3] Cybersecurity Skills Roadmap, outlined in figure 2 below; it is the closest outline I've personally seen that maps training to the different career paths in cyber. Having said that, it does not list every type of cyber role available, but it is a good place to start to understand what is out there.
Figure 2: Cybersecurity skills roadmap (SANS Institute)
Starting from Scratch or Not?
Q5 (From someone working in retail sales): I have no experience; how can I get experience if job postings ask for experience even for entry-level positions?
A5: Firstly, I don't understand why entry-level job postings ask for years of experience, but there are ways to leverage existing experience and pivot into a role that may not be so obvious. For instance, someone who has sales experience, albeit not in cyber, may be able to transition into a sales role in cybersecurity, particularly with cybersecurity vendors and resellers. I myself once moved into a business development role and enjoyed it immensely. Unless you don't care to use that experience, that's a different story; in that case you really are starting from scratch, so some food for thought. The same was discussed for a software developer of 20 years, who may find less friction entering a DevSecOps-related role, and similarly a technician in the manufacturing sector who has knowledge and experience working with many IoT devices may want to consider pursuing IoT security.
Don't Forget the Fundamentals
Leveraging seemingly unrelated experience may reduce the friction of entering the field, but everyone also needs to understand the foundations. Every competent cyber professional I know has solid networking, Linux/UNIX and programming skills, to name a few. Focus on foundational training before making the leap into a specialization, and it will make you much stronger in the long run.
Labs: make sure you continue to hone your skills and capabilities.
Nowadays there are so many online tools and practice labs available that were not around in the past. Be sure to make use of them; it may not be work experience, but it is experience nonetheless, and more importantly you build capability. Back in the day we had to rely on VMs, dual-booting laptops and desktops, and purchasing old equipment to practice on; now there are so many options available that it would take another newsletter to document them. Make use of the opportunities in front of you!
References
1) ISC2 (2023), CISSP: Certified Information Systems Security Professional (isc2.org)
2) Wale, H. (2023), T-Shaped Skills & Their Importance in Hiring, Corporate Finance Institute (corporatefinanceinstitute.com)
3) SANS Institute (2023), Cyber Security Skills Roadmap
Roland Kissoon (1 year ago): Apologies, I omitted a key person/mentor, Oral Mohan.
Technical Product Manager | CSP-PO | Product Strategy (1 year ago): Insightful, Roland Kissoon.