Lets start by discussing the Cyber Security talent gap.
The most conservative estimates on this talent gap is around 1,500,000 worker shortage worldwide. Many other estimates are in the range of 1,500,000 for just north america. These levels of job vacancies are extreme. Filling cyber security positions takes at least 6 months.
Cyber security needs people desperately, so how does this happen? We need to create new talent, we need to create paths into the industry to fill these roles. These candidates need to answer these questions for themselves.
How do you learn any new skill?
First, how do you best learn? Some people learn best by reading documentation/books, some like to watch instructional videos, and other people learn by doing. Some like a mixture. Whatever works for you, that’s what you should do.
Second, you set your goal. Where are you going? Why do you want it? Is your goal to become a CISO, penetration tester, security awareness blogger, security researcher, security software developer, and/or the many other roles that are out there? Pick what you want to be; don’t pick more than 1 at a time.
Finally, find or create the blueprint on how to achieve your goal and set yourself expectations. You will not be a penetration tester or CISO on your first day out of school. You cannot run a marathon without taking the first steps. You push yourself to the end and when you get there, you get there. Don’t be discouraged about failing; failing is mandatory to become anything. If you’re not failing, you’re doing something wrong.
I’m in high school, what are my next steps?
First, let’s assume you are best by reading textbooks.
Second, let’s pick security researcher as the goal.
Finally, how do we become a security researcher? Step #1 is a Computer Science degree from a university; this is the ideal path. A comp-sci degree will provide you an understanding of how computers work. This is necessary for a security researcher.
There is your blueprint. Go get that Computer Science degree. While you’re in school, get involved in open source projects; learn how coding works in practice and the common security mistakes, you will start to understand how things go wrong. Don’t stop there. Step #2 is never stop. Keep elevating your skills all the time. Anything you don’t know how it actually works, go learn it and try to break it. That’s what security researchers do.
I’m a systems administrator, what are my next steps?
To start, you can already do security as a systems administrator. Go make sure firewalls are on, make sure you’re patching your devices, and just generally make security better for what you are responsible for now. However, let’s join cyber security.
First, let’s assume you are best by doing or watching instructional videos.
Second, let’s pick penetration tester as the goal.
Finally, how do you become a pentester? Step #1 is Kali Linux.
Install Kali and get yourself Metasploitable3 up and running and teach yourself metasploit via youtube videos. This will make you an entry level security analyst. Those youtube channels that taught you how to use the tools in Kali will be able to pivot you to step #2 and step #3.
Don’t stop there, you keep going and get into the guts of how metasploit works. Learn Ruby, read and understand the exploits and tools in metasploit. Go back on youtube and learn how to find software bugs and then how to make them into an exploit. When you get here, you’re a pentester.