Creating a career roadmap for the cybersecurity beginner

Okay, today's Cyber Work Hack is for security novices people who are just getting started in learning cybersecurity and looking for their career path.

Professor Robert McMillan is an InfoSec Skills Path author and he gives you some fantastic advice for making the decisions at the very beginning to help you steer your career to all the places you want to go To get your cybersecurity career started. Make sure you check out today's episode of Cyber Work Hacks started. Make sure you check out today's episode of Cyber Work Hacks. Hello and welcome to a new episode of Cyber Work Hacks. The purpose of this spinoff of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear and actionable solution or a new insight on how to utilize InfoSec products and training to achieve your work and career goals. My guest today is Professor Robert McMillan.

Now, robert's been the instructor and creator of our skills modules for a long time and he was a guest on an early episode of CyberWorks, and I'm really glad to have him back for a series of CyberWorks hacks aimed squarely at the questions asked by cybersecurity novices, and we hear from you all a lot. We hear what you're asking and we're hoping to answer some of it. So today's hack, specifically, is about creating a career roadmap for yourself before you even step foot out on your first interview. So welcome back to the show, robert. It's always great to talk to you.

Thanks, Chris. It's good to be back. I really enjoyed our last get together and I hopefully can help out some people that are new to the industry.

Absolutely so. Yeah, robert. So let's start at the beginning and explain what a career roadmap is and also, I guess, what it isn't Like. What should you be trying to understand or clarify for yourself before you know by creating a career roadmap for a career in cybersecurity? And you know also the what it's not?

Like it's not going to solve certain problems, I imagine. But yeah, yeah, you're right about that. You know career roadmaps are interesting If you go to, say, microsoft to look at what their their certification roadmap is. You know AWS has the same thing, but there's really no roadmap out there just for cybersecurity students, and so I'm hopefully going to clear up a little bit of that for you, because I do see education from multiple different angles. I started out as an employee, I went on to become a consultant and then a business owner and now an educator, and so I kind of see it. You know all these, these, uh, the, the, the big picture, you know, basically, and so one of the things you could do is you could bundle certification together. If we step away just from the whole degree plan and things like that, temporarily, let's look at bundling certifications. Um, so you know a lot of people that want to go into sysadmin work will bundle the A+, the Net+ and the Security Plus from CompTIA, and that's a good. You know three certifications to start with.

One of the things is, if you're going to be a sysadmin, which is typically not a security role, it doesn't mean you don't do security. You're still going to be doing a lot of security. It's just it may not be your focus Now. In a smaller company, you are the main security person, as well as the sysadmin as well. You might also be doing voiceover, ip and webcams and things like that. But in a larger organization you're going to have a cybersecurity team, which, what I have found is really interesting. They are not even allowed to talk to the sysadmin team because there could be a conflict there, there could be some collusion there. So you know, larger companies don't even allow them to talk. So let's talk about certification bundling. Besides, just for a sysadmin, what I suggest for those of you who are just getting started start with the Security Plus.

Now, security Plus does have some requirements from CompTIA, but they're not really enforced. I mean they say, oh, you've got to be a security professional for a couple of years and things like that. They're not really enforced. It's not going to stop you from taking the Security Plus. Then the Azure SC100 is a good one from Microsoft. Microsoft has moved away from on-premises types of certifications much to my pain, because I have a lot of them, sure, yeah and has moved to, you know, mostly cloud. I mean there are a couple of hybrid ones out there the 800, the 801. But the SC100 is a great intro. Cybersecurity certification and then the last one I suggest is the OSCP, the Offensive Security Pro, very good certification. All these are available at the InfoSec Institute, as you know videos and you know labs and quizzes and you know a great way to get started.

Yeah.

Go ahead, I'm sorry. No, I'm sorry, I was just kidding. Then you can take the certifications from there.

Yeah, yeah, absolutely Well, yeah, I think that's an important distinction to make and that'll sort of come into our next question. But, like you said, if you're going to work for a small company, you're going to have to be a jack of all trades and master of none, and if you're going to come work for a large company, you're going to need to specialize a bit more and sort of drill down on what your specialty is going to be and what's going to set you apart from people on your team, I imagine.

Exactly. Oh, you know there's a magazine, there's some magazine out there, but I really like the Certification Magazine. I don't know if you've seen this one before, but it's put out by Testout. It's at certmagcom and they every month they have a lot of great articles about what employers are looking for for various different types of IT jobs and, of course, security is a big one among them.

Yeah, wow, what a, what a cool, what a cool resource I've, I've. That's literally a first time I'm hearing of it, so I'm glad you mentioned that.

Yeah yeah, certmag C-E-R-T-Magcom. Check it out, love it.

So, robert, whether you're a high school student who's studying, getting ready to go off to college, or you know someone who's opting to skip college and pursue your skills on your own to enter the workforce faster, you know, I think we can agree it can be a bit overwhelming to look up at your imaginary career ladder and imagine what path you're going to take to climb it, and so I wonder if you have any advice for making career roadmapping into kind of a manageable and useful process for yourself, rather than the, you know, the big, scary, open ended question what do I want to be when I grow up?

Yeah, isn't it crazy and a little bit ridiculous to go? I mean, you were 17 once, right, and? And I was 17 once. And I just find it ridiculous that you, you, you go up to a 17 year old and you say it's time now to decide what you're going to do for the rest of your life.

Yeah, yeah, yeah, yeah. You and your non-developed prefrontal cortex, yeah exactly.

I'm sure this is going to go great. So here's, here's my advice on that. Certifications are not everything. A degree is a great idea, now can you? Can you get started without a degree? A degree is a great idea, now can you? Can you get started without a degree? Yes, you can. But let's, let's take the mind of a 17 year old right now who, by the way, knows everything you know being in their minds. They believe they know everything, but you really don't. So here's what I suggest is that you start out. If you don't have the money, start out at a community college. There are loans available for that. If you do have the money and the ability to get into a four-year college or university also a great way to go.

When you pick your degree that you're going to go for, what I suggest is you go for a fairly generic IT degree, if that's where you're heading, and start out with the real basic classes the math, the English. You're going to remember it better anyway because you just finished high school, right, you don't want to finish with math, because that's four years later or two years later. You want to start out with some of these non-IT classes, as many as you can take ahead of time. Let yourself start understanding the world a little better around you. Start networking with people and getting their opinions on things. Get professors opinions on things, and then go ahead and start focusing on exactly what you want to do. Knowing what you want to do at 17, it's, it's just almost impossible. So after that, then you can say, ok, I really like cybersecurity. I've been this for in for a couple of years. I really like cybersecurity. I really like cybersecurity. I've been in this for a couple of years. I really like cybersecurity. I'm going to finish my degree in cybersecurity or, or you know, sysadmin work or programmer DevOps, whatever it is that you want to do.

So can you just start out with certifications right out the door? You can, but you're going to find that your, your options are limited. You're going to get kind of pigeonholed into a specific area and if you don't like that area, you might be in too deep to get out of it. At that point you might start getting bills. You know things like that, and you're like, oh, I can't afford to quit my job now. So, yes, you can absolutely get certifications to start with.

Another interesting thing is getting certifications or taking classes that also offer certifications. There's, for instance, a lot of CCNA certification classes, uh, that also offer certifications. There's, for instance, a lot of CCNA uh certification classes, a plus certification classes, you know, and other things like that. Not a lot of cybersecurity ones yet. I have seen some CISSP ones, but that's a little bit tough to start out with. That's that's sort of like the PhD of security. I don't know if you want to start out with that ISC squared one quite yet, but, um, if you can find some, uh, some classes that also teach to the certificate or certification, then then it's two for one.

Yeah, no, totally Now to that end. I guess I'm thinking here in terms of you know people who are just starting to sort of feel that out and they're like, oh, you know, they take a few science classes, oh, this is interesting, and then they start realizing there's certain things I really like, like capturing the flag or you know, I like securing a network or I like actually just watching my computer processes running to see how information is transported, but like, do you have any advice for taking the things you're interested specifically and sort of moving them into kind of a path of learning and action and sort of career mapping?

Yeah, yeah, you know, this is kind of how I started out. So at the office where I was working they had a Windows server that was being retired. Now this goes back a few years. This is NT4. This wasn't even pre-Windows 2000. Yeah Well, windows 2000 had been out, but they were just retiring the NT4. And so I said, can I have this, is this okay? And they said sure. So I took it home and this thing was a beast. It probably weighed 100 pounds back then. It was a big old HP, no Compaq, it was a Compaq server. And so I got this thing running and I set up my first DHCP server. I connected a computer to it and it got an IP address automatically. My wife thought I was nuts, but I practically jumped up and down I was so excited.

When you have that kind of excitement, you know you're in the right place, you're headed towards the right kind of career, and those are the kinds of things that you know can get you started. There's a lot of great, great places. I know that in the Portland area in Portland Oregon, where I am, they have a free geek place and I'm sure other cities have similar things where you can go and you can work there for equipment. So, like they teach you how to repair computers, they teach you how to do all different kinds of things on computers and then you go to work for them as a volunteer and then you get equipment for your compensation. You take that home, you start playing with it, you know and get really excited about all the things you can do. I love that kind of stuff. So the other thing you can do join computer clubs, either in high school or college, whichever you're in. And if you clubs either in high school or college, whichever you're in, and if you're not in high school or college, vendor groups are a great idea.

Vendor groups will get you into places where the vendors you know they're like. You know there's firewall vendors, you know palo alto and cisco and all these different places. They have vendor groups in all the major cities. If you're fortunate enough to to be them, they will provide you with. You know some, a lot of times, some free demo equipment, some free software, things like that, and you can take that home and you can start your own projects as well. So you know lots of, lots of really good. You know early on with. You know one of the firewall companies. You know that's not a lot of people are using anymore. But and it was it was so great I got to talk to other people having the same problems that I was having, you know, in getting started in a career and you know those. Those folks really helped me out.

That's cool. I've never heard that before either, so we have all kinds of stuff together.

You had mentioned before that you almost quoted one of my lines in here talking about getting your first job. But you know so you know speaking for listeners who are maybe ramping up their training now they're getting some experience. They might have even landed a first job. You have any advice for helping them stay focused on their career roadmap and pushing themselves into new learning and new opportunities to keep growing? Like you said, it's really going to be easy. You get your first job, you start to have to pay bills, work starts piling up your day-to-day seems like it takes a while, your entire day, to get all your work done. And then you're coming home and you're like I don't want to like study tonight. Like what? How do you sort of? How do you sort of keep yourself going so that you don't just sort of like drift into that same spot forever?

Well, you know that's. This is a tough one for young people, um it's. It gets a little bit easier as you get older because you know you kind of settle down and your brain isn't quite as wired, you know, for the next quick thing. But especially with people with disabilities like ADHD, that's especially tough for those folks and I realize there's medications that can help and not everybody, you know, wants to do that because it makes them feel strange and stuff. So being a disciplined person is not easy. It's not necessarily natural. You know, for us it takes a certain amount of security. When I was earning my degrees I had a business. I had a wife and three kids and a lot of bills. So one of the things that I and there's there's a lot of different. You know ways you can do this, but let me just give you one way that I think works out great. A lot of us play video games. Do you play video games, chris?

In the arcade, in the retro arcade, now and again. I don't have a system at home. Oh, you love the retro arcade. I love that too. Yeah, yeah.

I got this place for 20 bucks. You go there and you play as long as you want.

Same here. Yeah, galloping Ghost out in Bulling. Yeah, yeah, in Brookfield, oh that's so cool, yeah, yeah.

So what I but work reward system. The work reward system basically goes like this is that you know you have your favorite video game in front of you, right, you may be PlayStation or Xbox, or you know PC gaming, that kind of thing and what I do is I say, okay, I'm going to read X amount of pages of my book or I'm going to do my lab, I'm going to take this quiz and I'm going to reward myself, you know, by being able to play 30 minutes of video games or whatever it is that excites me. What do you know what I like to do? And then you go on to the next thing, and so, over the course of you know two or three hours, you might find that you get all of the rewards that you need and, at the same time, you get a lot of the work done as well. It's like I said I understand it's not easy and it does take, you know, some maturity, but this is this is a way that worked for me and maybe it'll work for you as well.

Yeah, no, if we're talking reward systems, yeah, for for mine the equivalent is get 20 minutes of reading done and you can listen to a, an LP or a, you know an album or you know or whatever. So yeah, but yeah and yeah. I think the thing that I've noticed too is when you, when you get on a good roll, you're like, well, I freed 45 minutes and I get 20 minutes reward and 45 minutes, and then at a certain point, like you start skipping the rewards, at a certain point you get so locked in that you're like, oh, let's just keep going.

Yeah, which is good, that's exactly where you want to get to. You know you get into flow, so so yeah.

So yeah. So one last question here, robert, if people want to, you know if listeners are logging into InfoSec Skills today, like, what are some of the skills paths when you sign up and then you can start watching videos and taking labs on various different subjects. Now here's what I suggest is do what excites you. You're going to hate a career that pays you a lot of money. That isn't interesting Because, as we mentioned before, it feels a little bit like you're in prison where you just you can't. You can't get back out of it.

However, I have created some learning paths and I started out with the Windows Server 2019 and Windows 10. I have since upgraded for Windows 11 and Windows Server 2022. And it's all about securing those operating systems. Securing those operating systems not necessarily for homes, you know it's not going to be the home version of Windows 10 or 11. Not necessarily for homes. It's not going to be the home version of Windows 10 or 11. It's going to be the professional, the enterprise versions. How to secure them using group policy, with Active Directory, with all the built-in utilities, as well as many third-party utilities, determine whether or not you've been compromised, your servers have been compromised. All those different things are very, you know, very important to you know most offices and businesses and I think that people will get a lot out of them.

That's great. Well, Professor Robert McMillan, thank you for helping our loyal listeners on their path to their preferred type of security career.

So glad to be here, Chris. Look forward to the next one.

All right, and thank you all for watching this episode. If you enjoyed this video and felt that it helped you, please do share it out with your colleagues and on any forums that you're on and on your social media accounts. The more people that know about us, the more of this that we can do. And, of course, please like this video and subscribe to our podcast. You can just type in CyberWorks InfoSec into YouTube and you will find all of our past episodes just like magic there. So there's plenty more to come for learners of all levels, including more with Professor Robert Millen. So if you have any topics that you want us to cover, just drop them in the comments below. We're reading them all. Until then, we will see you next time and happy learning. Hey, if you're worried about choosing the right cybersecurity career, click here to see the 12 most in-demand cybersecurity roles. I asked experts working in the field how to get hired and how to do the work of these security roles so you can choose your study with confidence. I'll see you there.