Why You Don't Need a Background in Cyber to be in Cyber
Credit: https://creazilla.com/nodes/1999197-security-computer-clipart

We've all heard it and seen it in this industry - stop me if you've heard this one:

  • You need to work help desk and work your way up
  • You need to have a CISSP certification to work as a SOC analyst
  • You need to have a Bachelor's degree in Computer Science to be eligible for this position
  • You must have 7+ years of experience doing cyber security
  • Unrealistic and "unicorn" job requirements

And it goes on and on and on...

Like many others who voice their opinions on LinkedIn and Discord and Twitter (or, X?) and many other places, we believe that's just a bullshit way of thinking. Let's talk about it.

Starting at the Bottom

Even I, who get frustrated when people say that you need to start at help desk, understand the reasons why this is being said. Cyber security is not an entry level field, and certain filler and feeder positions (like help desk) only help a person get that desired hands-on experience that is necessary. As an aspiring penetration tester, I will tell you that Active Directory was a bit complex and challenging to pick up, but is absolutely a requirement for being able to perform legitimate penetration tests. I didn't learn it from a help desk position though - I took some courses, spun up a home lab, and I got that experience without a company paying me to do it.

You know what, it's not just penetration testing either - SOC analysts, system administrators, security engineers, GRC analysts, developers - is working in help desk really going to be beneficial for some of those roles? Let's be honest with ourselves here and think about what responsibilities the traditional help desk roles have. Password resets, creating/disabling user accounts, utilizing a ticketing system, performing hardware changes, some basic network troubleshooting, and I'm sure some other responsibilities depending on the organization. Tell me how performing password resets requires years of help desk experience and is going to validate I have the skills to be a SOC analyst, or a developer. Give me some insight as to why I need to work on a help desk to learn networking rather than setting up my own labs, using Cisco's Packet Tracer, and being the network administrator over my own LAN, including IoT and segmentation.

Are all of these skills helpful as you advance your career further? For the most part, yes they are, and I encourage those who are young or have no advanced training to pursue a role like help desk to gain that exposure. But a help desk role will not teach you all of the necessary things you'll need to know for a cyber security role.

Management Level Certifications

The CISSP certification is the "gold standard" in the cyber security/information security world. I'm not going to get too deep into the weeds of that argument as I am not a CISSP, so I'll reserve my public judgement. But I am curious though why a management level certification is being put on job descriptions that are...well, not management level? I'm too stressed out to really pull the numbers and do the research, but I'll take a gamble and say that at least 60% of cyber security job descriptions (excluding management or higher roles) have the CISSP listed as a desired or required certification.

So you're telling me that in order to get an "entry level role in cyber security", which by some is considered a mid-level IT role, is going to ask me to spend a few hundred dollars on a management level certification, which by the way also requires 5 years of experience in information security already, and only then will I have the required knowledge for that position? Look back at the first section where I talked about responsibilities in a help desk role. Please tell me how and why I should be worried about software development security (domain 8) or security architecture and engineering (domain 3) to be a SOC analyst? Here's also another thing to note, which will be discussed later - how is this a practical demonstration of knowledge and skill? This is a multiple choice exam and has no lab component or anything like that. Once again I ask why the CISSP is listed on so many job descriptions? Look, knowledge is never a bad thing, and I encourage those who meet the requirements and want to advance to a management level position to go and get the CISSP certification. That would be a very expected and common path to getting into a management role. But come on, we don't need that for non-management level positions, and especially if you aren't going to offer management level salaries.

Computer Science Degrees

Hey ChatGPT, give me 3 sentences that describe what a Bachelor's in Computer Science will teach:

A Bachelor's in Computer Science will provide you with a strong foundation in programming languages, algorithms, and data structures, enabling you to develop software solutions and applications. Additionally, you'll gain expertise in computer architecture, networking, and operating systems, preparing you to design and optimize computing systems. The degree also emphasizes problem-solving and critical thinking skills, empowering you to tackle complex technological challenges and innovate within the rapidly evolving field of computer science. - ChatGPT

Awesome right? Where in there is the word "security" mentioned?

Alright, I'm not going to nitpick here - but I hope you know what I'm getting at. You want to develop software, Computer Science will help teach you the fundamentals and advanced concepts in that realm. You want to be a managing director for a Fortune 500 company, well a Business degree will help teach you the business management side of things. You want to work as a medical professional, you'll probably pursue a degree in Healthcare. The point is you pursue an education based on your desired field of work. I got my degree in Cyber Security and Information Assurance because I wanted to pursue specifically cyber security, not Information Technology, not Computer Science, and definitely not History.

The point though is that a degree isn't, and shouldn't be, required to get into a cyber security position, or even any IT position at all! Everything you need to know, and I mean everything, can be self-taught, learned online or through training courses, and verified knowledge and understanding can come from certifications. I have my CompTIA Network+, and I'm definitely not experienced enough to work with BGP and complex ISP networks - but you can verify that I know at least the fundamentals of networking and how computers talk to each other. This has all been stated before but I'll state it again so there's no confusion - certifications are just one piece of the puzzle of validating knowledge. That's all that job descriptions are right, is validating you have the required knowledge for the position? I would think that those relevant certifications meet that required knowledge. I would think those relevant degrees meet that required knowledge. I would think those previous jobs give you some form of knowledge relevant for the position. No, I don't mean working specifically in cyber security, I mean any of those previous jobs. Which brings me to...

Been in This Position Before

I like to keep picking on the SOC analyst roles because that's like the "help desk of cyber security" right? If that's the case, I ask again - why are we asking for all of this advanced level knowledge or education or certification for the "help desk of cyber security"? You have to have been a SOC analyst for a year before you can apply to be a SOC analyst.

Wait, what? Yeah, that's the catch-22 that we all experience, and I'm sure it's not just in the cyber security field. Well you want knowledge and experience, but you won't allow us to get that knowledge and experience without already having that knowledge and experience. Look in the mirror, say that three times fast, and say "that makes sense" without laughing.

There would be way too many resources to list, but let's start with what you can do to make sure you get that knowledge and experience without having a previous SOC analyst job:

  • Build a honeypot in the cloud and analyze and document incoming attacks
  • Perform vulnerability scanning and recommend remediations on vulnerable machines
  • Perform email analysis on emails in your junk folder
  • Analyze potential malware to see if it is malicious, and if so what it's doing
  • Parse through firewall logs to identify web-based attacks, port scans, or other malicious traffic

These are just a few ideas of how you can get that hands-on experience of doing some of the responsibilities of a SOC analyst. There are platforms like LetsDefend that have a SIEM for you to investigate alerts and document findings while going through a playbook. Employers, you want people with these hands-on skills and not those who have zero experience - we know. So when we get this hands-on experience in our own labs and on our own free time because you want someone to "hit the ground running", we're demonstrating to you that we have done this stuff before and have a foundation to grow and learn.

Also here's another thing that really grinds my gears - every company is different and is going to operate with different tools, different procedures, and have a different organizational structure and software. Just because somebody has experience with Splunk and Jira, does not mean they aren't able to work with the ELK tools and Zendesk. Give people a chance to apply their previous knowledge to your particular environment.

The Mythical Unicorn

It would be great if every company was able to hire the perfect candidate every time who didn't need any training or guidelines, and who just knew what to do at every step. Hey, wake up, welcome back to Earth. Sorry employers, but you need to have a training program in place to get your new hires up to speed. Whether that means teaching them how to use your software tools, where to find your knowledge base, and giving a plan of action within the first few weeks/months, you're going to need to do some training. If you want qualified candidates, that's understandable - but this is currently 2023, and qualified candidates means qualified pay. As a jobseeker, I wouldn't be applying to positions where I meet all of the requirements, I'd have no room to grow and expand my skills doing new things, plus you couldn't afford me if I was the subject matter expert in that role.

Contrary to what you might think, many people actually enjoy learning things that interest them. Whether that be learning new skills on the job or interacting with new technologies, avoiding the "unicorn" candidates with specific and specialized job requirements will lead to a higher retention rate of employees and more satisfaction for the new employee, as they'll find fulfillment in progressively learning in that role.

Admittedly, this does change depending on the actual position. A highly advanced and specialized role should have specialized requirements. However on the contrary, many other previous roles could have taught some of those specialized skills. Tell me that a red team operator wouldn't benefit from having a previous physical security specialist on their team. Tell me that a digital forensic analyst wouldn't benefit from having a previous law enforcement investigator on their team. In my case, tell me that my law enforcement experience and managing incident responses on a daily basis doesn't benefit a cyber security incident response team. Transferrable skills and knowledge come from everywhere, and widening your hiring requirements will allow those with these transferrable skills to shine.

The Bottom Line...A Little Selfish

Look, I didn't create this article just to talk about things that everybody else does. Many of us in this industry and in related industries understand the struggle with getting into or advancing in the cyber security field. I want to talk about my background and specifically my opinion on why I'm upset with everything mentioned here so far.

My "true" IT journey started with the role I'm in now as a Systems Engineer. I don't deal with Active Directory or control most networking functions. Instead, I'd consider my position a bit of project management and a bit of software support. Although I deal with adjacent technologies, my role is focused on the company's software products. Unfortunately for me, I'm not able to fully utilize my knowledge and skills to my full potential, as I'm not working with the technologies I've learned about and interacted with my entire life. Speaking of entire life, I grew up with Microsoft and their products. I've been the youngest in my family and have always been a computer gamer, so much of my passion stems from that aspect. But this also means that I've been the one managing network issues in my house, building the computers, doing the troubleshooting, and making sure that my LimeWire downloads were safe (if you know, you know). I worked physical security, loss prevention, and as a police dispatcher. The physical security and loss prevention jobs had me validating physical security controls, performing auditing of credit card transactions, and performing limited fraud investigations. As a dispatcher, my job was all about incident response - we received an alert, we performed information gathering, we managed and directed personnel to respond, we contained the incident, we documented the steps and actions taken, and we made sure information was accurate.

I have some certifications that are more advanced than others, and although most of them won't prepare me to "hit the ground running" as a pentester or SOC analyst, there is enough verified knowledge for me to be able to actually put that knowledge to use. I'm not getting my CISSP because I don't want to get into management, and I shouldn't feel like I have to in order to make a transition to a security role. I do have a Bachelor's in Cyber Security and Information Assurance, and that coupled with my certifications and labs should meet the requirements for job postings - but it feels like it's not enough.

What I hope that you take away from this article is that there are thousands of other people just like me who have those qualifications, related experience, education, certifications, background, and passion to move into a cyber security role. It's time that we start acknowledging that fact and start hiring people who are in it for the passion, and not for the bad reasons.

People often ask why I stopped pursuing law enforcement and instead chose to pursue cyber security - the truth is I've always wanted to help people feel safe and secure knowing I was around. Only now, I get to do that with my passion for technology.

Michaela H.

Student at Columbus State University

1 year

This article was so insightful, especially when you discussed different ways people could get cyber experience besides certifications. Great read overall!

Eugen O.

Cybersecurity | Internal audit | Risk management | I use risk management techniques to help companies raise resilience

1 year

The things that were "put on the table" couldn't be better written and articulated. I wish there will be more articles of this content and such quality on Lkdn. Thank you Ryan for this post!

Michael Thornton, JR

Jr. Penetration Tester | Cybersecurity Professional | Ethical Hacker | Top 2% TryHackMe

1 year

Loved this and thank you!
