Last Updated: March, 2024
At one point at uni I put together a presentation titled 'How to Get a Job in Cybersecurity' for my university's cybersecurity club. I have since received a few requests for the slides, and hence I decided I might as well just put it on my website.
In terms of getting a job at the end, you have two options:
- Fall into the grad program of one of the large contracting companies (Accenture, CyberCX, KPMG, etc). Work will be relatively slow, and momentum can take a while.
- Float your skills and resume around some Melbourne-based businesses and consultancies to see if they'd be interested in hiring an extra pair of hands in cybersecurity. If you're a robust problem solver, it should be relatively easy to convince them to bring you in, if they have the space. If you have the agency, you'd also generally have much more flexibility and manoeuvrability than if you did a grad program.
IMO, option number 2 is better. The opportunities available to small-to-medium-sized businesses give cybersecurity a wide variety of potential involvement in interesting projects, much more so than you might get in a grad program. However, you need to have a large professional network, but as uni students your network is still only small. LinkedIn is now a requirement, add/follow people who are high-value, and curate your 'work' version of yourself on there. This will be your professional network, which will eventually blossom into a small group of somewhat well-connected individuals who can help with things like finding new positions, or with information about what's going on in the industry, etc. Then, continue to take part in local/industry/club events and add people on LinkedIn, the earlier the better. That is how you maximise your chances of success in finding a good job.
In terms of specific jobs, there's generally four:
- SOC Analyst: Operates within a Security Operations Centre, monitoring and analysing an organisation's security posture on an ongoing basis, and responding to security incidents.
- Security Engineer: Focuses on building and maintaining the IT security solutions of an organisation, including firewalls, anti-virus systems, and intrusion detection systems.
- Application Security: Specialises in ensuring software applications are protected against cyber threats by identifying and mitigating security vulnerabilities in the development phase.
- GRC Specialist: Governance, Risk Management, and Compliance Specialist, focusing on ensuring an organisation meets its regulatory requirements and manages its risk posture effectively.
All of them have roles equivalent to that of a junior/grad available - particularly if you naturally take to the whole "systems thinking, refactored problem solving with computers" thing, and also show a particular interest in one in particular. That said, SOC Analyst followed by Security Engineer are the more general ones, and as such, generally easier to find junior-position roles for.
The following are skills you need to know, ordered by how fundamental I think each one is, hence, you could argue it's a list in descending order of importance. That said, the lower items on the list generally build upon the upper items on the list, so in order of hierarchy, this list would instead be in ascending order:
- Networking (LinkedIn, clubs, professional contacts, grow your network)
- Networking (Internet Protocol, TCP/IP, traffic flow, Wireshark, nmap)
- Hardware/Firmware/Software (BIOS/UEFI, drivers, motherboard components, operating systems)
- Programming and Version Control ([Python, C/C++/C#, Java, PowerShell/Bash, SQL, HTML+CSS] pick three, plus Git/GitHub/Bitbucket/Subversion)
- Linux (RHEL, Debian)
- Administration (System, Network, Database, IAM)
- Cybersecurity (Cryptography, TLS, PKI, vulnerability and risk management, incident response)
- AI
- Virtualisation/Containerisation (Hypervisors, Docker, VMs, Kubernetes, etc)
- Cloud Technologies (AWS, Azure, P/SaaS apps like Microsoft E3/E5)
- Automation (Python, deployment and testing pipelines, DevOps, SecDevOps, IaC, immutable infrastructure, Jenkins, serverless code)
1. Networking (LinkedIn, clubs, professional contacts, grow your network)
This one can be overlooked easily, but is extremely important, hence topping the list – while at university, you need to be building your professional network when you can (assuming, of course, that this is the career path you want). This can somewhat vary in difficulty, but is well worth the effort, as these people might know people who know people that are looking to employ someone like you. Knowing the right people was the linchpin for how I got my first professional job in the cyber industry.
And finally, stop fucking around and make a LinkedIn account. I know, I get it, LinkedIn is weird, wacky, inflatable hand-wavy strange. 99% of interactions are each the most inauthentic thing I’ve seen that week, but the secret is that everyone knows. Everyone is in on it, that we’re putting on our suits and we’re dressing up and saying our lines, and performing our Business™ and doing lots of Business™ and really, just, the Business™ is very Business™. All the world's a stage, and LinkedIn is certainly some peoples’ worlds, but it is a world in which it is currently necessary for you to have a presence in if you want to actually be taken seriously. So I say, do it and have some fun.
2. Networking (Internet Protocol, TCP/IP, traffic flow, Wireshark, nmap)
Knowing roughly exactly how everything and everyone talks to everything and everyone is such a fundamentally required skill, and the systems of thought in networking overlap quite substantially with the systems of thought in cybersecurity. Understanding how information moves, networking, not only brings about networking understanding itself, but also a way in which to see contexts or problems that might transit networking as a field. It’s like having a new column in the quality checklist your brain does automatically whenever assessing a system.
The OSI model is an extremely intricate, complicated, and technically detailed framework with which it’s fair to say all global communications use, everywhere. The best way to learn the theory would be to take pure networking classes at university, generally as part of a Bachelor of Computer Science (or something in the sciences). This would generally be similar to CCNA 1-4. You might be provided with Cisco’s Packet Tracer, but if you get the opportunity to work on real hardware routers and switches, jump at the opportunity. Once you get a grasp of what’s going on, look at nmap and wireshark, and see where they take you. Understanding networking, and having it included contextually when you’re problem-solving has huge benefits.
3. Hardware/Firmware/Software (BIOS/UEFI, drivers, motherboard components, operating systems)
This one is computer basics – you work with computers, you need to know how they work, and how to care for them, including how to take them apart and put them back together. If you're the sort of person I have in mind while writing all this, you're heading rather quickly into a life where a computer (phone/desktop/smartwatch/worklaptop/etc) might as well just be an extension of your own body, at least in the majority of the important things you do. This is all to do with encouraging a kind of ‘systems-thinking’ that must be fostered. Essentially, you need to be able to do things such as these:
- replace and/or match RAM correctly (timings, channel, Infinity Fabric, etc)
- clear CMOS
- perform a manual BIOS update
- monitor CPU hotspots and assess cooling efficacy
- choose between, and set up, either RAID 0 or 1 (or something cooler)
- securely manually update a driver
- install and configure an arbitrary operating system (Windows or Linux/Unix)
- correctly assess the parts for, then build and/or upgrade a computer, to arbitrary spec
- assess for, and then perform an over/underclock on CPU/GPU
- replace CPU/GPU thermal paste/pads
This list is by no means comprehensive, but these are examples of the sorts of things you should have the knowledge to do correctly, or ability to quickly (less than 60 seconds) retrieve the knowledge to do correctly.
4. Programming and Version Control ([Python, C/C++/C#, Java, PowerShell/Bash, SQL, HTML+CSS] pick three, plus Git/GitHub/Bitbucket/Subversion)
Programming is fundamental. A personal rule of thumb (of mine) is to ask someone to pick (at least) three of the following: Python, C/C++/C#, Java, PowerShell/Bash, SQL, HTML+CSS. The languages on that list can be swapped out, but (I hope) the sentiment comes across that these are ways of conceptualising the understanding of how computers function - knowing multiple gives you new (overlay-able) ways of understanding and directing computer systems.
Version control is not optional; it's essential. Git, alongside platforms like GitHub, Bitbucket, or Subversion, is crucial for code management, collaboration, and maintaining a history of your project's evolution. Understanding how to use Git goes beyond basic commands; it's about managing your project's development efficiently, handling versions correctly, creating automated tasks and workflows, and collaborating effectively.
Master these tools to make your work more manageable, your projects more collaborative, and your skills more marketable. Software development is the heart of the tech industry, and version control is one of the most important structures that supports it.
5. Linux (RHEL, Debian)
Unix runs everything. All* servers, cloud infrastructure, embedded systems, S/P/I/DBaaS, networking, telecoms, everything-everything. Start with the basics of RHEL (Red Hat Enterprise Linux) and Debian, including their derivatives like CentOS (including understanding what Rocky Linux and AlmaLinux are) and Ubuntu, respectively. These platforms will introduce you to the Unix-like environment where much of the internet and modern IT infrastructure operates.
Understand the file system hierarchy, bash/shell scripting, package management, and system administration. These are the tools and concepts that make Linux powerful. It’s not just about running commands; it’s about understanding how and why they work, and how to leverage them to manage systems effectively. For instance, being able to automate tasks with shell scripts or quickly string together a powerful command can significantly streamline your workflow and system management tasks.
If you think you're ready to delve further into Linux, get to know CoreOS + Ignition/Butane.
6. Administration (System, Network, Database, IAM)
Systems, networking, databases, Identity and Access Management (IAM), etc - being able to get shit done in the modern IT landscape seems to be a major differentiating factor. You could have the most amazing SQL DB schema, but ultimately it needs to run somewhere and somehow.
7. Cybersecurity (Cryptographic Algorithms/Vulnerability Management/Risk, etc)
Having 'cybersecurity' as number seven on a list of things ostensibly needed for a cybersecurity gig might seem a bit weird, but cyber is one of many IT jobs, and everything above really is basically essential for working in IT (imo). I digress.
Keeping cybersecurity in the back of your mind, having a grasp of the concepts, how to communicate with and understand within the field to be able to get the information you need, will ultimately unlock the door to staying ahead of the curve - being at all ahead of the curve seems to be the best possible strategy, especially with AI levelling the playing field, and quantum computing looming to possibly entirely destroy the playing field.
Encryption, TLS, PKI, certificates, key management, risk management, vulnerability management, incident management, crisis management, etc. Write a cybersecurity incident response plan, have a look at NIST's version. Think about what elements/factors you'd use to prioritise potentially thousands of machines (internet-facing?, CVSS?, is it a workstation/server/domain controller?, other vulns on same machine?, exploit known-working/exploit kit available?, etc, etc).
8. AI
I could say a lot here, instead I'll keep it brief. Products such as OpenAI Codex, Claude Code, and other open-source alternatives/ecosystems are allowing impossible feats of engineering to become commonplace, if you know how to leverage these tools. Streamline/optimise your personal productivity, abilities, insight, and creativity.
9. Virtualisation/Containerisation (Hypervisors, Docker, VMs, Kubernetes, etc)
If it doesn't currently already run on kubernetes, it's running in containers, and if it doesn't currently already run in containers, it's running in a VM. If you want to even begin to understand Cloud, you'll need to understand this.
10. Cloud Technologies (AWS, Azure, P/SaaS apps like Microsoft E3/E5)
Similarly to point 6, administration, engineering within a company's cloud environment seems to be where things are heading. Also, cloud-based antimalware such as Crowdstrike Falcon (lol), Carbon Black, Microsoft Defender, etc, are slowly upgrading from should-have to must-have. Try building in AWS or Azure using some of their free credits, start by investigating serverless code like AWS Lambda or Azure Functions.
11. Automation (Python, deployment and testing pipelines/devops/secdevops, I/CaC, Immutable Infra, Jenkins, serverless code, etc)
Mastering automation will significantly, and in most cases exponentially boost efficiency, drastically reduce errors, and accelerate deployment cycles. The expertise in automation allows you to not only save considerable time but also to innovate and implement solutions that are both scalable and reliable. With a solid foundation in the areas covered previously, excelling in automation will turn your skills into highly valuable assets, making you indispensable in the modern tech ecosystem.
There are two things that you should try to aim to do well. The first is an extremely easy life hack to make free money in three easy steps:
- automate your current work
- take on new (preferably higher-level) work
- return to step 1
The second is the ability to understand and explain tasks on as wide a range (from low to high level) as possible. Fast scalable thinking like that lends itself towards higher quality work.