An Effective Strategy to Launch Your Cybersecurity Career

By Micah Babinski

2/7/2024

In this article, I’ll describe my path into cybersecurity: specifically, the exciting discipline of detection engineering. Along the way I will share some lessons learned, describe the strategy I used, and offer encouragement for folks from any background to pursue a career in cybersecurity. Although I am still less than three years into my cybersecurity career, I feel I’ve covered a lot of ground and have gained some experience that might be helpful to others. So, if you are considering a career in cybersecurity (either as a first or second career) or have just broken in and are looking for a cool place to specialize, read on!

In high school, I had a math teacher who shared with his students that he was a serial career changer, sort of like a serial monogamist but for professions. He told us that he enjoyed teaching us AP Statistics (he may have even meant it), but he planned to move on eventually. He would pursue a career, attain a high level of proficiency, and then explore something new. I found this odd at the time, but filed it away anyway as one way to conduct your professional life, albeit an unconventional one.

Fast-forward to 2019, and I could see where he was coming from. I had spent the first nine years of my professional working life as a Geographic Information Systems (GIS) specialist - someone who works with computer mapping software to make and share maps, manage geographic data, design mapping applications, and generally make geographic knowledge accessible using computers. I grew up around maps (my dad was and is a hard-core geographer and GIS guru) and enjoyed the GIS courses I took in college. I loved working in the GIS field, and still have many friends in that industry.

By the early-mid 2010s, as news of the Yahoo! data breach and the 2014 Sony Pictures Hack seeped into my consciousness, I developed a fascination with cybersecurity. I didn’t understand it all. But I gradually became aware of a seemingly alternate parallel reality where elite attackers routinely go head-to-head with cyber defense teams on a battlefield where critical infrastructure, our precious digital identities, and the success (or failure) of billion-dollar companies hang in the balance. In 2020, I was working as a GIS contractor for the US Bureau of Land Management (BLM) Oregon State Office in Portland, OR, where I live. I had been there for four and a half years - the longest I’d stayed at any job. It was a challenging place to work (look up the Malheur Wildlife Refuge Occupation and the history of Portland and the US in 2020 to see why) and I was a little burned out. So, I signed up for a cybersecurity boot camp put on by Trilogy Education Services via the University of Oregon.

I’ll pause now to say that I know boot camps are controversial. I was fortunate to have the money, time, and family support not only to attend, but to make the most of the experience. The structured curriculum, high-quality teaching assistants (who both worked as cybersecurity engineers), and guided pathway through the many sub-disciplines of cybersecurity gave me a foundational understanding from which to plan my pivot to becoming a cybersecurity professional. Fortunately, I realized quickly that the boot camp alone was not going to be enough to land a job. I had to get certifications. Mid-way through our unit on networking, I purchased the Network+ study guide and started reading it cover-to-cover, outlining it as I went. I sat for and passed Network+ partway through the boot camp. Same with our unit on Azure - the Azure Fundamentals AZ-900 exam is a really good cert to get your feet wet with the world of cloud computing. The cert does not expire, and if you participate in a training through Microsoft Ignite you can get your hands on the certification exam for free.

At the end of July 2020, while still in boot camp, I was laid off. The BLM failed to renew the contract in time, so I found myself unemployed just a few months into the pandemic. This turned out to be a blessing in disguise: I could care for my young son, finish my boot camp labs, study for certification exams, and apply for cybersecurity jobs without having to worry about a government boss or commuting to the office. In October 2020, the boot camp ended. After a couple of phone screens that went nowhere, and two technical interviews for SOC analyst jobs that did not result in an offer, I realized that this was going to be harder than I thought. I realized two things:

  1. Unemployment assistance does not last forever. I needed to find a job in GIS, prolonging my “old career” while persevering in my career pivot.
  2. I needed to create a comprehensive and multi-faceted job search strategy to allow me to break into cybersecurity.

For realization number one, I ended up getting a GIS job with a company coordinating disaster cleanup for the catastrophic 2020 Oregon Wildfires. This was an exciting and often very fun job, but I knew it wouldn’t last forever, and it didn’t sway me from my ultimate goal of becoming a cybersecurity professional.

By late 2020 I had a job search strategy with several pillars (I don’t include a good resume in this strategy because that should be obvious). For the first pillar, I continued to pursue certifications that would set me apart, including Splunk Core Certified User, Azure Administrator Associate, Azure Security Engineer Associate, and CompTIA CySA+. I generally buy whatever the top-rated study guide is, read it cover to cover, outlining each chapter (my Google Drive contents from this period are full of these outlines), take whatever practice exams are freely available, and do extra research on the areas where I fall short.

For the second pillar, I demonstrated a commitment to the cybersecurity community by volunteering at the BSidesPDX conference, where I assisted conference speakers and helped moderate Q+A sessions over Discord (we were still in the thick of the pandemic at this time). I still participate in BSides, and even gave a talk at the conference last year. It’s been a great experience that has continued to deepen my enjoyment of the incredible range of topics and personalities which make up the industry. BSides groups exist in every major city and are volunteer-run. If ISACA, WiCyS, ISSA, or some other group is more your speed, go for it! They will be grateful to have you involved.

My third pillar was networking, and I don’t mean with switches or routers. I reached out to people on LinkedIn, through family members, and friends of friends. You’ll be amazed at how generous people are with their time when you come prepared with gratitude, positivity, and thoughtful questions in hand. The people I spoke to included a cyber recruiter, a CISA regional Cyber Advisor, a security engineer at a local community college, a Coast Guardsman cybersecurity developer, and many others. This networking made me realize that hiring managers do want to hear from entry-level or early-career candidates who are driven yet humble, motivated to earn their seat in the cybersecurity industry through hard work, curiosity, and a commitment to team success.

The fourth and final pillar was hands-on experience. This is a must! I took the advice of someone on the interview panel for a job I did not get, who recommended malware-traffic-analysis.net as a good resource to learn the skills to be an effective SOC analyst. This website offers tutorials and network analysis challenges that showed me what real malware infection traffic looks like in a victim environment, and improved my data analysis and threat hunting skills greatly. I also invested considerable time at cyberdefenders.org, which I believe to be one of the best and most-overlooked blue team learning resources around. Boss of the SOC v1 in particular was eye-opening, and taught me a lot about how to put the labs and theories from my boot camp into practice. This also gave me a taste of what SOC investigation work is like, which helped confirm for me that this was actually a career I wanted to work in.

By formulating and adhering to the pillars of my strategy, I gained a feeling deep down that I was giving 100% to my dream of becoming a cybersecurity professional. With your strategy in place, this internal feeling of positive perseverance will shine through in your job search - I believe recruiters and hiring managers take notice. After adopting this strategy and gaining this internal sense of commitment, in February 2021 I received an offer from one of the companies I had interviewed with previously but that had turned me down at the time. It almost didn’t feel real - I was going to be a SOC analyst! Ask anyone who has struggled to break into cybersecurity and finally achieved this goal after months or years of effort: it is an amazing and surreal experience.

My experience since getting a foot in the door has been delightful, thrilling, and humbling all at once. After hopping a few times, I am now in a detection engineer position with a great company where I hope to stay for the long haul. By far the greatest challenge was getting to that first SOC Analyst offer. If you are trying to break into cybersecurity, you are vying for a lucrative and high-stakes career, so it makes sense that the competition is intense. But rest assured that you are needed, and that there is a place for you in this industry.

I hope my story helps someone land their first job in cybersecurity, or take their young cyber career to the next level. Please feel free to reach out to me on LinkedIn or X to let me know how it’s going or if you need help crafting your own strategy. I look forward to celebrating your success!