
Introduction

As my first blog post, and my retelling of my journey, I find it fitting to introduce myself a bit. My name is Zach Allgood and I’ve been a software engineer for roughly 7 years, focusing mainly on E-Commerce sites running Adobe Commerce (formerly known as Magento 2). As of September 5th, 2023, I am now officially a cybersecurity engineer.

I know many are in my shoes, wanting to break into the cybersecurity field from many different backgrounds, and this post will explain what I did to transition from a software background into the realm of cybersecurity, where IT and networking experience is valued over everything.

If you take a look at most job postings, they require 3+ years of experience in IT, networking, or help desk. Most of them don’t mention software engineering at all aside from the Computer Science Bachelor’s requirement, so how do you transition into the field with software experience? What if you don’t even have any experience in anything technical? I’ll break down exactly what I did, and what you can do, to help get into the field and start hacking (or protecting against it).

If you have any questions about my experience or you just want to talk, feel free to add me on LinkedIn or join the Discord server I’m pretty active in and just start chatting.

Education

The first thing you’ll see when you browse cybersecurity job postings is the education requirements. “Bachelor’s degree in computer science or related field or 2+ years experience” is a common phrase I saw countless times applying to jobs. You’ll also see a large portion of job postings in the space requiring some sort of certifications, but there are far too many to list here.

Bachelor’s Degree

If you don’t have a degree, don’t worry, I didn’t either. There’s an online university I attended for my degree that is fantastic in my personal opinion. This university is Western Governors University. It’s entirely online and includes a large number of certification exams, most of which are required to even graduate. These certifications will be covered later, but for now just know that they are required for you to pass certain classes, which also gives you a leg-up against people that just have their Bachelor’s degree. WGU is also a competency-based, self-paced school, meaning that you only have to write papers or take the exams based on the class, nothing else is required. This allows you to advance faster than your average university without suffering from a lack of knowledge.

Think of it this way, when I joined I did my web dev class first, because I have 7 years of experience and I knew I could pass it without studying. The first day I started WGU, I took my practice exam, passed, took my final exam, and passed again, closing out an entire class in less than 2 hours. This is the power of competency-based, self-paced schooling.

As you go through your term, you may find that you complete all the classes in your term fairly quickly, but you don’t have to wait until your term is over to continue passing classes! You can move your classes from your next term into your current term, given that you’ve already completed the classes in your current term. This allows you to get an entire degree much faster than your average student - I completed mine in just 5 months. Obviously this timeframe depends on your ability to learn new information and how much time you’re able to dedicate to it day-to-day, but keep in mind I was working a full 40 hour work week during the time I was in school as well.

TL;DR: Check out WGU if you want a Bachelor’s in Cybersecurity - it’s well worth it and you get a ton of certifications that will give you a leg-up against the competition.

Certifications

Now we get to possibly one of the most important sections of your resume: the certifications. If you attended WGU like I did, you’ll already have enough certifications to land your first role (although there are a few additions you can make to increase your chances), however if you already have your degree, don’t want to invest the time/money into the degree, or don’t have WGU available in your country, you can still build a great certification portfolio.

I’ve broken down my recommended certifications into 2 categories: Core Certifications and Specialized Certifications. Core Certifications are certifications you should get no matter what niche you plan on going into. These are typically what you’ll see on most cybersecurity job postings as requirements or preferred qualifications. Specialized Certifications are here to improve your chances of landing a more specific role, like SOC Analyst or Penetration Tester (be wary of this one, it’s extremely difficult with no experience). See my Credly for my current certifications!

Core Certifications

  • CompTIA
    • A+
    • Network+
    • Security+

Specialized Certifications

  • SOC Analyst
    • Splunk Core User and/or Power User
    • Blue Team Level 1
  • Cloud Security
    • AWS Solutions Architect Associate
    • AWS Security Specialty
    • Azure has a lot of potential certifications for security specialists - see here for a collection of them
  • Penetration Testing
    • INE eJPT
    • TCM PJPT
    • TCM PNPT
    • OffSec OSCP

Hands-On Training

When you’re applying and interviewing for roles, you need to have hands-on experience with different technologies to showcase. Without hands-on experience, all you know is the theory without any application. By getting hands-on experience, you’re able to showcase that you’re able to apply what you’ve learned in a realistic, practical way. There are some great homelabs you can build, and you should if you can afford it, but not everyone can. So here I’m going to showcase some free or low-cost options for you to get your hands dirty with some great hands-on learning tools.

TryHackMe

TryHackMe is a fantastic site for beginners. They have learning paths for beginners, blue team/SOC paths, red team/penetration testing paths, and independent modules you can complete for specific technologies or methodologies. As an example, I used their Pentest+ path when I was studying for the certification and it was fantastic in giving me hands-on learning in addition to my video courses and textbook studies.

HackTheBox Academy

HackTheBox Academy is also an amazing resource for hands-on learning, specifically for penetration testing. I wouldn’t recommend this to complete beginners, but if you have the basics of networking and security concepts down, this is a fantastic resource to practice your hacking skills. The downside to HackTheBox Academy is that if you don’t have an edu email address, it can get quite expensive. I highly recommend this for students with a school email, however if you’re paying for each lesson individually it can get quite costly.

The benefit to HackTheBox Academy is that HackTheBox is also well known for their main application, which allows you to hack into individual boxes to find flags. This is a common practice in hacking training, which is known as Capture The Flag (CTF) games.

LetsDefend

So far we’ve only really discussed resources that are focused on penetration testing and hacking; however, LetsDefend is a great resource for blue teamers. It has lessons specific to different career paths; however, personally I’ve only tried the SOC Analyst path. That being said, the content of this learning path so far has been great and I’d highly recommend it for anyone looking to get into defensive security.

Splunk/BOTS

Although Splunk is not completely free, you can do a lot in the free trial. Try setting up a Splunk instance in a VM and connecting Splunk SOAR to it. From there you can create alerts and playbooks to run whenever alerts are fired. In addition to this, you should also check out Boss of the SOC (BOTS), which is a hands-on, completely free learning tool that allows you to use Splunk the way a typical SOC Analyst would. They spin up a Splunk instance for you and ask questions regarding the data in said instance. It’s up to you to find the answers they’re looking for. I highly recommend it for anyone trying to become a SOC Analyst, Security Analyst, Security Engineer, or anyone that may need to use Splunk as part of their regular responsibilities.

AWS/Azure

Both AWS and Azure have free usage allowed, which means so long as you stick to the free resources and stay under the usage limit, you can spin up and play with many different services completely free of charge. Their training is pretty good, although you may search places like Google, YouTube, Udemy, or LinkedIn Learning for better guides if you’re looking to do something specific.

Building Your Resume

Now that you have your credentials and hands-on training, it’s time to start building your resume. If you don’t have much experience, that’s fine, we can focus on what you do have. Your resume should be structured in a way that showcases your security focused experience first. If you don’t have professional experience that would apply to security, put your hands-on training first, followed by certifications, then education, then professional experience. If your professional experience relates to cybersecurity in any way, follow the prior order but move professional experience to the top.

When building your resume you want to focus on listing out qualities from your experience that could apply to the world of cybersecurity or an office setting as a whole. This may be difficult at first but once you get the hang of it, it becomes much easier. As an example, let’s say you’re a software engineer like myself. Finding things to relate to cybersecurity can be quite easy. I use Python for automation, I understand application level networking, I understand port numbers, I use Elasticsearch, JavaScript, and MySQL on a daily basis. These are easy connections to make.

However, what if you’re coming from a career that isn’t even technical? Let’s say you’re coming from an electrician background. How often are you diagnosing complex issues? Do you often have to explain electrical issues so that a non-electrician can understand? How often do you learn new things, like wiring a new device or dealing with uncommon appliances? These are all things you can list on your resume to show that your skills are not specific to your role. Strategic and systemic troubleshooting skills are a necessity in cybersecurity. Explaining technical issues to non-technical people is a daily occurrence. Learning new tools and technologies is common, if not expected, in the field. Think about what you do on a foundational level, less specific to your current background, and more broad, thinking about how it can be used outside your field.

Networking

Networking is a huge part of finding a role early on. Join local meetups, add people on LinkedIn that are in the field, join Facebook groups and LinkedIn groups, follow tons of people on Twitter, and start posting about your journey on everything. Eventually people will see what you’re doing and they’ll know you’re dedicated to your path.

You can also join public Discords, such as TryHardSecurity (yes I’m plugging the server I’m in again, I just love the people there), or even servers dedicated to specific things you’re learning. For example, I’m also in the TCM Security server, the HackTheBox server, and a local DefCon server.

All of these allow you to have conversations with people regularly, form friendships, and get close to other people in the industry, so that when you’re looking for a job you’ll have people that want to help, not just random people you find on LinkedIn.

Applying for Jobs

Finally, the giant elephant in the room. Applying for jobs is not fun, let’s just admit it. Especially in today’s market, where half the jobs are remote and everyone wants them, and the other half are local or hybrid. What do you apply to? Is it worth it to apply exclusively to remote positions? Should you focus on local positions because there’s less competition? Why not apply to both? Where should you apply? What should you do after applying? These are all questions that stirred in my mind when I first started looking at job postings and it left me in a state of analysis paralysis, unable to complete job applications because I didn’t know what I should be applying for. So here’s my advice.

Just apply.

I know, I know, it seems simple enough right? But when I say “just apply” I mean apply to whatever sounds interesting to you. I’ve yet to see a single job description that didn’t require experience in the field, yet I know plenty of people that have gotten jobs without any experience whatsoever. Don’t let the requirements or preferences scare you, apply anyway. It doesn’t matter if it’s remote or local, although local positions do seem to have a higher success rate amongst people I’ve talked to. It doesn’t matter what the salary posting is, this can always be negotiated. It doesn’t matter what the requirements are, these are more of a wishlist than a requirement. Just apply.

If you find a position that you’re extremely interested in, look at the hiring manager if it’s listed and follow up with them on LinkedIn after you’ve applied. If you know someone that works at a company that you want to apply to, have them give you a referral (before you submit an application). Follow up however you can and get the conversation started your way. It may not always work, but it does work.

Interviewing

After sending out your applications, eventually you’ll be able to land an interview. If you’ve never had an interview in tech, don’t worry, they follow a pretty typical process. The first interview is with HR, a recruiter, or a hiring manager. In this interview they typically just go over your background and discuss things you’ve listed on your resume or job application that seem relevant to the job. This one’s pretty straightforward: be friendly, be honest, talk about what you’ve done so far, and what you plan on doing in the future. Typically, so long as you’re friendly and have a basic understanding of what’s needed for the role, you move on to the second round of interviews.

This is typically a technical interview. Here you’re going more in-depth about what you do and don’t know. You will receive questions that are more technical and in-depth, but don’t worry, typically for entry level roles these are fairly simple. You’ll get questions about the OSI model, port numbers, basic networking principles, basic security principles like the CIA triad, things you should’ve learned in your certification training. If you’re going for a more advanced role, like a penetration tester, expect to get some more advanced questions.

After passing the second round of interviews, you’ll move on to round three (shocker). This is where the process may differ from company to company. I’ve had third round interviews be skill assessments, both on call with an interviewer and take-home assessments, and I’ve had them be another technical interview with a different interviewer. For example, an application security role may require a technical interview with the security team lead and a technical interview with the application dev lead. However, since we’ve already covered the technical interview, let’s assume the third round is a skill assessment.

Skill assessments can be nerve-wracking. You may not pass first try just because you don’t know what to expect. It’s difficult to give advice on this portion as it differs so much role-to-role and company-to-company. Generally I’d say look at the job posting’s listed job responsibilities and try to get hands-on practice on some of the most important aspects of it. For example, if you’re applying to a SOC Analyst role, look into getting hands-on experience in a SIEM and try your hand at incident response.

After the skill assessment is typically when you either get a job offer or get rejected. If you get rejected, don’t fret. You got plenty of interviewing experience that you can learn from to improve your skills and do better next time. If you got a job offer, congrats! We can now move on to the last section.

Keep Going

Congratulations, you’ve now got a job in cybersecurity! However, this isn’t the end. Cybersecurity is a field that requires constant improvement and consistent learning. You have to stay updated on new technologies, new exploits, and new processes. The field is constantly evolving and if you don’t keep up you run the risk of falling by the wayside, using outdated information that doesn’t apply to modern environments. Just because a patch version is safe today doesn’t mean it’s going to be safe tomorrow. Keep yourself busy with upskilling and news feeds to make sure you’re up-to-date on your necessary information and improving your skills to boost your career.

Conclusion

All in all, getting into cybersecurity is no light endeavor. Judging by just the size of this blog post you can see that there are a ton of steps to take, a ton of information to learn, and you’ll never be done learning. However, this is actually one of my favorite aspects of cybersecurity. I love learning new things and this field has a ton of information that is constantly evolving, which means no matter how hard you try you’ll never know everything. To me, that’s a treasure trove that keeps giving. If you’re in the process of transitioning to cybersecurity, keep going! I know you can do it and once you do, it’ll feel fantastic that all your hard work finally paid off.

If you’re looking into cybersecurity and wondering if it’s right for you, consider all the aspects of cybersecurity. I believe there’s a niche for anyone. Some of them I didn’t even touch in this article, like cybersecurity sales or project management. However, it is definitely a field that requires consistent learning and staying up-to-speed so to speak, and if that isn’t something you’d enjoy maybe it’s not right for you.

Finally, if you enjoy problem-solving and learning new things, I’d suggest trying out TryHackMe at the very least to test the waters. Who knows, maybe you’ll find a new passion like I did!