How to get started in cybersecurity: Beginner steps you can take now | Cyber Work Live

Join us for the June 2024 edition of Cyber Work Live! This episode is dedicated to answering questions about cybersecurity certifications, training, and careers. Our expert panel, including Confidence Stavely, Akyl Phillips, and Robert McMillen, share invaluable insights for newcomers and career changers in cybersecurity. Topics covered include navigating the certification landscape, overcoming imposter syndrome, transitioning from other careers, and the importance of networking. Tune in for actionable advice and strategies to kickstart your cybersecurity career!

00:00 - Welcome to Cyber Work Live: June 2024 Edition
00:40 - Meet the panel: Confidence Stavely
01:48 - Meet the panel: Akyl Phillips
02:37 - Meet the panel: Robert McMillen
03:31 - Advice for cybersecurity newcomers
03:53 - Common questions from cybersecurity students
05:13 - Guidance for women in cybersecurity
10:11 - Early career mapping in cybersecurity
11:54 - Certifications and entry-level jobs
17:07 - Physical requirements in cybersecurity
18:37 - Learning how you learn: Education paths
22:01 - Cyber girls program: Structure and insights
28:38 - Self-paced learning options
30:05 - Live boot camps overview
31:42 - Immersive boot camps
32:31 - The importance of continuous learning
33:46 - Staying updated in cybersecurity
40:30 - Networking and community building
49:23 - Transitioning to cybersecurity careers
59:19 - Final thoughts and resources

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

Chris Sienko: 

Hello everyone and welcome to the June 2024 edition of Cyber Work Live. This is an ongoing series dedicated to asking and answering questions about cybersecurity certifications, training and careers, with a goal of bringing insights and opportunities to listeners who are choosing their careers in cybersecurity. As always, we welcome everyone on board, but we're specifically answering the questions today of people who are just putting their first steps down on the path of cybersecurity, as well as those who are coming to cyber later in life and maybe from another career entirely. So if that's you, we are glad you're here and we are glad you're making this giant step. I would like to introduce you to our wonderful panel of guests today. So let's begin. Our first guest is a past guest on the Cyber Work podcast and someone you might recognize from YouTube or other places online.

Chris Sienko: 

Confidence Stavely is Africa's most celebrated female cybersecurity leader, the author of API Security for White Hackers, as well as a talent developer and gender inclusion actionist. Confidence excels in translating cybersecurity concepts into digestible insights for diverse audiences. Her YouTube series API Kitchen explains API security using culinary metaphors. In its debut season, the series amassed over a half a million views across social media, as Confidence served up a banquet of API security wisdom. It's really fun. You guys got to check it out. She recently won the Cybersecurity Women of 2023 Award and holds several other recognitions. Beyond her advisory roles on various boards, Confidence leads CyberSafe Foundation, a foremost NGO dedicated to fostering a digitally inclusive and secure landscape in Africa. She is also the founder of Merklefence, an application security as a service consulting company. Welcome, Confidence.

Confidence Stavely: 

Thank you so much. My pleasure to be here.

Chris Sienko: 

My pleasure as well. Our next guest is one of InfoSec's own boot camp instructors, so I know he'll have a lot of great advice for you. Akyl Phillips is a seasoned cybersecurity professional with 15 years of experience in the field. His career began with a distinguished nine-year tenure in the Marine Corps, providing a solid foundation in cybersecurity and information technology. Following his military service, Akyl had the fortune to work with top-tier organizations, including a top three auto manufacturer and the largest background check and media firms globally. He is also the teacher of InfoSec's CEH Pentest Plus Dual Certification Boot Camp, as well as the boot camps for Security Plus, Security Fundamentals and Cyber Threat Hunting. Welcome, Akyl.

Akyl Phillips: 

Thank you, Dan, and thank you for having me, Chris. Thank you.

Chris Sienko: 

Absolutely. Great to have you here. So next I'd like to introduce a returning Cyber Work guest, educator and InfoSec Skills author. Robert McMillen is the past president and founder of Alltech1 LLC, a Portland, Oregon-based network consulting company. Currently, Robert creates cybersecurity video courses for LinkedIn Learning, Infosec, Pluralsight and others with his company, Tech Publishing. He is also an adjunct professor in computer science and computer information systems in the Portland, Oregon area. Some of his higher-profile jobs have been restoring email for the government to prosecute Enron executives, training the network vulnerability assessment team for the US Army and performing wireless security auditing for the state of Washington. The NSA also requested an interview, but he decided he had had enough people looking over his shoulder for now. Welcome, Robert. Thanks very much, Chris, absolutely. So that is our panel: Confidence, Akyl and Robert. Thank you all so much for joining me today.

Chris Sienko: 

So, as we said, we will be taking questions from the audience as they come in throughout the event and we have a lot of our own topics to cover as well, but we really want to keep it focused on the travails of the first timer, the newcomer and the entry leveler. I don't know if that's a word or not, but I am using it. So let us begin. I want to get your advice for people who are just starting in this field, so I'm going to start with Akyl. Akyl, you've been educating students with your InfoSec dual-cert CEH/Pentest Plus boot camps, as well as Sec Plus and Cyber Incident Response and Cyber Fundamentals. So what are some of the common questions that people who take these classes have about figuring out their career path?

Akyl Phillips: 

Yeah. So I think in the very beginning, a lot of the questions are usually based around the anxiety of being in the field. It can be a lot of feeling anxious about the exam, trying to get over imposter syndrome and actually trying to get your butt in the seat in that job, right? And the number one thing that I tell people is to do projects. The benefit of projects is that it's going to increase your confidence. And when you show up in the interview, when you show up with that blog on your resume and it defines all of your projects, we're going to go to that website and we're going to be impressed because, whether you choose to believe it or not, most of your peers, they're not showing up with that level of get after it, right? So it really shows your character and if you do that, it definitely makes a difference.

Chris Sienko: 

Fantastic. You've teed up an entire section that we're going to talk about later, so I'm very excited to hear that already. Now, Confidence, you've guided several cohorts of the Cyber Girls program and helped them kickstart their cybersecurity knowledge quickly, as well as helping them to move into meaningful jobs that can help them and their community. So what are some of the common first step questions that the women in these cohorts ask of you and that you try to answer for them?

Confidence Stavely: 

I think one of the first questions is just what Akyl spoke to already. There is such a wide field and there's so much information, so we are having a situation where there's information overload for the average person who is looking to come into cyber. There's also so much buzz about a particular, very small section of InfoSec, which is ethical hacking. Right, everyone just comes in and wants to do ethical hacking and they don't realize, just like you've said, Chris, that there's a whole lot more. In fact, I would say, you know, if that's not really going to be your thing, there are many more other rewarding, many easier routes going through many more in-demand parts of information security. So because there's that shiny guy and the movies haven't helped either, right, there's a guy always at the basement, you know, tapping away at his computer and he's so fancy and everyone wants to be that person. So what I generally always say first and foremost is get to learn the fundamentals. A lot of people just want to skip about four rungs and just go up the ladder rather than making sure you get the basics right. So I want them to definitely get the basics right. How do packets travel across the network? What's the mechanics behind that happening? Do you understand or know how to use more than the operating system you're currently using, which in most cases, sometimes it's just an end user's Windows operating system? There are other operating systems, for example, that you need to be able to have an idea of or know how to use. Well, you need to get a couple of other things you need to know, for example, on the side, a bit about the cloud.

Confidence Stavely: 

So all of those basics and then exploring also the different sections or different parts or different fields within InfoSec. And how would you explore? Very easily, what you do is read a lot of blogs or watch, go on YouTube and check a day in the life. So just search a day in the life. You'll find a lot of videos that are talking about different professionals talking about different fields within InfoSec and what their days are like and what they do on a day-to-day basis. You also have to see if that aligns with your innate skills and your interests, because this is such a challenging field to be in that if it's not something you genuinely enjoy doing like, enjoy enough to forget you've not eaten or had breakfast, that sort of enjoys what I need right yeah, you need to find that part.

Confidence Stavely: 

Yeah, that aligns with both your passions and what you typically enjoy. And then you know you're in for a long haul, because the journey is a journey. It's not a sprint, it's a marathon. You're going to go on, so you need to ensure that you're maximizing your strengths, you're maximizing your transferable skills. If you're coming from another area, of another career and this is your second one You're doing all of that combination and when you make that choice, you can then also relate it, because this is another mistake.

Confidence Stavely: 

I see quite a lot. A lot of people are stuck upon that path they've chosen and they are not rounded enough to just find an area to get into. So what I mean by that is, in certain parts of the world there are some parts within InfoSec that's harder to get entry-level roles. So, for example, if you're getting an incident response role, you can easily find a SOC entry-level role, but that's not as easy as T4, say, if you're a pen tester or if you are doing cloud security right. So making sure that you're flexible a bit but also, you know, knowledgeable enough to deliver value to an employer, is that right balance you want to strike and then, of course, begin to apply for those roles, because you never know. Applying for those roles, after stacking on those skills, like I mentioned and don't be afraid of the certifications. Just stack up those skills and build your confidence, like Akyl's mentioned, and that's what I tell people: you would get that first role.

Chris Sienko: 

Yeah, I think that's exactly right. You know there will be an upcoming episode that I interviewed David Lee, who's known as the Identity Jedi, and I don't think a lot of people know identity access management is even a thing if they're just starting to come into it, but there are so many related cyber roles that you know that he's incredibly passionate about IAM and you know you could be the next person who's incredibly excited about, you know, governance, risk compliance or threat modeling, or, you know, incident response or any number of different tangents. So I think that it is absolutely essential to keep an eye on the entire topography. So let's go to Robert next.

Chris Sienko: 

Now, Robert, you have a pretty extensive background in higher education teaching and as a course material creator, so you've had a lot of interesting experiences in the cyber field before that as well. But in our episode of our Cyber Work Hacks podcast, we talked about us providing listeners with some tips for starting career mapping early on in their studies, even before they're ready to enter the workforce. Can you sort of summarize for us about this? I don't think it's actually on the site yet, so tell us a little bit about early career mapping.

Robert McMillen: 

Well, you know, this is one of the great things about education, especially if you're going to college. I'm looking at one of the questions here from Greg. It says how much coding do you need for an entry level? And the answer to that is you may need none, you may need some or you may need a lot, and that's one of the great things about getting your degree in cybersecurity.

Robert McMillen: 

This is a fairly new degree. It hasn't been out much more than about seven or eight years, I believe, for most colleges, and some haven't even quite gotten to it yet. But what it does is it exposes you to a whole bunch of different types of classes, and the classes will get you excited about the area of cybersecurity where you want to work. You could be on the inside where you're protecting your network from hackers. You could be on the outside being a white hat hacker trying to find out what vulnerabilities there are. There's lots of different positions that you could be in in order to be in cybersecurity, and it's based on which one that you're excited about and the one you go to.

Robert McMillen: 

It's going to make a difference on the types of skills, the types of certifications and things like that. However, there is a baseline, and that baseline is gonna be things like the CompTIA A+, Security+, Network+. Those types of certifications, especially since we're talking about cybersecurity, Security+ is important. Now you could be lucky enough to pick a college that will also teach to the certification as well, which you know could be very useful. You get credit and you get the certification at the same time. Or you obtain the certification, say, for one of Akyl's classes, and then you go in and you get credit for it at the college, which is great. So what I say is you know, if you're really new to this, go in with an open mind. Don't go in saying I want to specifically just do this, because once you get exposed to the different types of cybersecurity and the different job positions that are out there, you might find that your position has changed and you definitely want to have that open mind to help you decide what skills are going to lead you to success.

Chris Sienko: 

That's an excellent, excellent point and it definitely is in the spirit of some of the things that people are currently asking in the comments. So, for instance, Sheridan wrote: I recently finished my bachelor's degree in cybersecurity and, working on CompTIA Security Plus, I was wondering what kind of entry-level jobs he should be applying for. We'll talk about job stuff in just a little bit later, but I guess you know he asked which I think is relevant right now: should he be worried about getting the certification first? Without it, he says, I feel I wouldn't be a serious candidate, though I have some IT experience. Do you have any thoughts on that? I'll pass this to anyone who wants to sort of answer that thought.

Akyl Phillips: 

Okay, I've got you. Sheridan, really lean in and listen to what I'm about to tell you. My friend got a job at Microsoft, right, and immediately he started trying to help other people get hired at Microsoft. He started talking to hiring managers and what they found out was that majority of the people who apply for jobs at Microsoft, they don't qualify. So what we determined from that conversation was let them tell you no. Never tell yourself no. Right, you might not feel like you're a serious candidate, but that's their decision to make, not you. Right. And that's one of the things that I think creates a whole lot of imposter syndrome for people. Let the other side tell you no, right? You might not see how you have some skills that are transferable, you might be a personality fit and that may be difficult to find as well. So always let the other side tell you no, always let the employer tell you no.

Chris Sienko: 

Yeah, awesome advice. Yeah, it doesn't cost anything. I want to move on from here a little bit. So, as you can see from the TikTok usernames that are asking these questions, InfoSec is indeed on TikTok. Go, follow us. We're at InfoSec Institute on certain videos, and so I posted a couple of them below.

Chris Sienko: 

Someone asked rather surprised some people get Security Plus certs before Network Plus. People are asking if 701 or 601 is more difficult. You know which certification path become an auditor? Can you work in cybersecurity without certification? So you know people are thinking.

Chris Sienko: 

You know people have gone, taken the time to ask us questions and think about these things, like whether or not you know whether the order you study certs in is important, how you chain certs and experiences together for certain high-level roles, as well as tips for running the job market. And so I just want to say to everyone who's asking these questions I'm glad you're thinking big about these things, because you know we're looking at the road ahead of us, but also the work to be done further down the road. So, as I say, as listeners send in questions to be answered, we'll break the, you know, break in the action now and again to make sure that these things are prioritized. So, for instance, James Ratzliff asked: I'm targeting incident response. Is there a cert stack that's recommended? And I know, Akyl, you do some IR work there. Do you have any thoughts on that?

Akyl Phillips: 

Yeah, sure. So in terms of incident response, typically incident response is a pathway that opens up right after SOC analyst, right, and when you're a SOC analyst you can go into incident response or threat hunting. Those paths are really open from there. So anything that would be good for you to understand the SOC analyst side of the house is usually pretty good in the incident response space. So I would say Security Plus is a really good cert. The CySA+ would also be really good and if you're really trying to go into the higher levels, look into the GCIH, which is the GIAC Certified Incident Handler. That one is usually pretty well touted for incident response.

Chris Sienko: 

Thanks, okay, good, oh, here's a question I definitely want to ask. This is a different sort of question from Nadim's son. Nadim asks can you work cyber with only one hand, physically for typing and such, maybe just your thoughts? Anyone have any thoughts on the sort of physical requirements of working in cybersecurity?

Robert McMillen: 

Yeah, I'm not aware of any issues with just working. You know, with one hand, I think that you know, when you look at the job postings online, you're going to see whether or not you need to be lifting certain you know amount of weight. You know, sometimes they'll say, hey, you must be able to lift 50 pounds. You know things like that. In those particular cases you may need to, you know, ask HR if this is something that we can get around or if this is, you know, something that we have to do. But I don't think a lot of cybersecurity you know positions require. You know that. You know an issue. You know any kind of an issue with that type of accessibility problem.

Chris Sienko: 

Yeah, yeah, that sounds about right and I think it does come down to you know if you're able to, you know, engage in your regular sort of typing and processes. Currently, I don't know that cybersecurity is necessarily going to be that much more you know. It's more knowledge-based than it is. You know speed or what have you. So that seems I think you can go forward with great excitement here. So I want to talk a little bit before we answer some more questions about learning, how that you learn.

Chris Sienko: 

So I'm not being facetious when I say that there's a lot of learning that goes into being a cybersecurity professional. Your brain is, I think all our panelists can say your brain is going to be spilling over with protocols, tools, languages, compliance, regulations, any number of things. So you know there's going to be late nights on top of late nights as you learn this stuff. So you know, to learn it all. I want you know. I want you to know that you need to understand how you learn what works best for you and again, like career mapping up front, you're going to be on better footing if you explore all your options before you choose one. So, Robert, I want to start with you. So there are a number of different ways that we can learn, so tell our listeners about the higher education part of the educational equation by committing several years to an academic course of study, say computer science and cybersecurity. What are the ways that a computer science degree might affect your career objectives and possibilities? Are there certain types of opportunities it'll open up?

Robert McMillen: 

Yeah, that's a great question. You know, when I'm done, I would love to hear Confidence's answer as well, because I'll bet she has some great insights into the way she teaches the girls in her area. So people ask me all the time should I go to a brick-and-mortar school? Should I go to a completely all-online school? How should I be taking my classes? And here's been my experience.

Robert McMillen: 

If you have zero experience in cybersecurity, very little technology experience, this is something that excites you and you want to get into, but you're very entry level. Don't go to an all online school. It's really designed for people with experience. You'll see postings all the time. Hey, I finished my four-year degree in six months. You know, that kind of thing.

Robert McMillen: 

That's because they've had 10 years experience working in their field, and if you have zero years experience, the percentage of people who actually get their degree is under 50%. So you really need to go to the school that fits you and so, with very little experience, go to community college, go to your local university, wherever you can get accepted into to get started, and I think that you'll find that, especially the on-campus classes, because all schools are online, right, but the ones that are brick and mortar have on-campus classes. You'll find that you'll learn so much more. You'll learn more from the instructor or the professor, you'll learn from your fellow students and then you can use that information, especially all that networking with those fellow students, to go out and get positions, because you're more likely going to work for someone you know than someone you don't.

Robert McMillen: 

So let's say, you go get a four-year degree. It's completely online. You've networked with no one. You know how hard it is to get a job in cybersecurity when you know no one. It's like handing the keys to the kingdom to someone you don't know and that just doesn't happen. You need to go to a place where you can network and you can get to know people, and that will make your career take off, along with that degree and certifications.

Chris Sienko: 

Yeah, completely agree, and we're going to talk networking later on in the presentation as well. So Robert asked about Confidence, so let's talk to Confidence next. You work closely with the Cyber Girls program in Africa, in which young women are educated and upskilled with an eye for placing them in cybersecurity roles to improve their economic opportunities. Can you tell me about these Cyber Girls cohorts, how long they last, the structure of learning, the areas of study and just kind of how it all works?

Confidence Stavely: 

I've heard from a lot of alumni that it's the most intensive eight months of their lives.

Akyl Phillips: 

So I'm taking that, Akyl.

Confidence Stavely: 

What Akyl said about alumni after alumni, the same thing with Robert. It's just something that they get to experience. It's a very wide field. There's so much to learn. You can't learn enough. You can't stop learning.

Confidence Stavely: 

So imagine wanting to come in here. We just need to be able to get you equipped enough to get your foot through the door, because every other day you'll be learning anyway. And I just want to share this before I go further, answering my question, that if you don't enjoy learning, if you don't like learning, cybersecurity or information security is not a space for you, sadly, but if you love to learn, you will love it here.

Confidence Stavely: 

Honestly, your learning never stops as it goes to the structure. So what we do is we mix a lot of the hard skills and then a sprinkle of the human skills, because I don't want to call them soft skills, right. We start off with some frequency training. So, basically, what everyone needs to know you need to. For example, I described earlier, you need to understand identity and access management, like. Those are things that you need to get like an intro of some sort. You need to understand network security. You need to be able to know the principles and pillars of cybersecurity and know how that pans out in the industry. So those fundamentals. They get to learn that for three months and it's every weekday for three months literally. So you're committing four hours every weekday. So it's quite an intensive training program. And then after that point we again expose them to different parts of InfoSec and we have about eight parts that it can pick from. We expose them to these different parts of InfoSec and then they see professionals we work there. They're able to ask questions and then they choose what part they want. And when they pick what part they want, we are able to narrow down the kind of training materials we give to them.

Confidence Stavely: 

Like I mentioned, there's so much to learn, right. You would even find that when you, for example, you pick up a path such as cloud security, right, you could finish learning with us cloud security and then upskill yourself to get, say, soc skills and then walk in a SOC. So you find that you need to be, like we have all said, flexible and get that base right. It's like baking right that cross that base for your pizza needs to be done very well.

Confidence Stavely: 

So those basics we get them in, they get to peak and then we narrow it down, but then there's also a strong emphasis on hands-on training. So there's a lot of labs and there's also a lot of projects. Projects so you have projects that you get to do as an individual and projects you get to do as a group. Now for the group projects, what we're really aiming for is ensuring that you're able to open up yourself to collaborate with other people, because cyber is a team sport. There is no almost no part of cybersecurity, even when it's a one-person team, that you get to do it alone. You definitely will need to collaborate with other stakeholders.

Confidence Stavely: 

So, we get to do that bit and then you come out of the program having attempted a couple of certs. You've also had a couple of projects that you would have on your resume. We encourage you to put them on your LinkedIn, have a Medium post about it. So all of that is sitting in your resume. You also we also really encourage for set of tracks to have like a home lab set up, because I've just seen a question around that and I just wanted to add that in. We encourage you to have a home lab set up and then you're also playing with all of that and you're documenting them across your LinkedIn and, of course, documenting them on any other blogs. You have all of that reflecting in your CV. So that's what I would say in a nutshell.

Confidence Stavely: 

The program is, um is a combination and a stack of skills that we have looked at um job description, job descriptions and also touch base with the industry as to what's required.

Confidence Stavely: 

But just before I close that, because that's been a very long response I've given there, if you don't remember anything I've said to you remember this one strategy when you think about any path within cyber that you're interested in, go and look for about five job placements, job openings, you know, and then crack that down into, or break that down into bits and bobs of like skill sets.

Confidence Stavely: 

Now what you need is between 60 to 70, I would even say 50 to 60 percent of those requirements, right, and then you begin to apply for those roles. If you're not sure about how to stack on, that is where the way I would work it out, if I was going back and redoing my career, I would start from the goal and then walk backwards. That way you'll be sure you have the skills. That way you'll also be in touch with what employers currently want, and then you will not just be a cert stack person, you will actually be skilled, and I think that's what we lack as an industry. There's a lot of certs, you know, and a lot of people do not have the actual skills, and that's what we lack. We don't have a people shortage, we have a skills shortage. So don't forget that bit. Remember that when you're looking out for opportunities and you're getting ready for them, don't forget that you should be building the skills, and while building the skills, your confidence would also increase.

Chris Sienko: 

Yeah, oh, absolutely, and I'm glad you said 50 to 60 percent, because I think too many people wait until they have 90 or 100, you know, 99 percent of the skills in the job listing before they even think about applying for it. And if you're already in that point where you know a lot of this stuff, you know very well that you can learn the extra stuff that you need to do, you know, on the fly very quickly on a weekend. What have you, like you said, this is constant learning here and you should definitely be jumping after. Again, they can say let them say no, don't say no for yourself here. So Catherine has mentioned obviously clustering certain types of skills and sort of chaining these skills together, whether or not they're cert-based or not. So you know if you're already burning with cybersecurity knowledge and enthusiasm and reading for fun. Anyway, you're doing self-paced education yourself. But there are even more focused methods you can add to your schedule, as we can see here. An on-demand training library like the InfoSec Skills Platform is a comprehensive collection of training resources, including pre-recorded videos, practice exams, labs and exercises covering various topics and certifications. This approach sort of provides you with customized learning resources tailored to your specific needs and you can learn more about that, you know, in the links that we've provided or by going to infosecinstitute.com/free.

Chris Sienko: 

If you're seeking a more structured approach, though, with professional guidance for certification preparation without the intensity of a live boot camp, we also have self-paced boot camps. They provide structured learning without forcing you to commit to a preset schedule that might not fit with your current work or life requirements. Everyone's life is different and if you don't have that seven days that you can just completely shut down and do nothing, but then you might be able to do something like self-paced, where you can train at night or on the weekends or during working hours, if that's an option for you, or after working hours, if it's not, so you know. So we've got a lot of options here. You've looked at, we've looked at the multi-year process of studying for a bachelor's or master's in computer science. We've knuckled down with cert study guides and self-administered practice tests.

Chris Sienko: 

So now we're going to talk a little bit about live boot camps. So I want to jump back to Akyl. Now you teach CES, ch, PenTest Plus, dual Sec Plus, Cyber Fundamentals. Talk about how your own live boot camp is structured, like what are the number of days of these, what's the structure of the learning, and like the way that people learn in your classes.

Akyl Phillips: 

So the shortest boot camp that I teach is three days, and that would be the Cybersecurity Foundations and the Cyber Threat Hunting Boot Camp, and all of the other ones are five days long.

Akyl Phillips: 

So keep in mind, though, the language that we're using is indicative of how much pressure is going to be presented in that class. Right, we call it a boot camp, and that means that it is going to be, you know, a trial by fire, drinking from the water hose experience. However, at the same time, I believe that my job is to make sure that I answer all the questions. So I do think that it's a great way to learn, but it's, as we said, if you have a little bit more experience, it's a little bit better for you, and if you don't have the experience, I still recommend going, but don't expect to understand everything in the moment. Right? Understand, you're going to have to go back, you're going to have to rewatch videos, you're going to have to go look at other material in order for it to make sense, but it is a great way to go ahead and upskill in a very short amount of time.

Chris Sienko: 

Yeah, yeah, absolutely. Thank you for giving us a little context on that. So Infosec also recently launched its first immersive boot camp programs, which this is still fairly new, but I encourage you to seriously consider it if you're looking for an option for kickstarting your career. So an immersive boot camp combines all these different things. It combines live and self-paced instruction, but the major difference is the length. The live certification boot camp is less than a week, whereas an immersive boot camp often lasts six months or more. So, for example, Infosec's Cybersecurity Foundations immersive boot camp covers 500 plus hours of training over 26 weeks. So it's got a bit of a different goal than a traditional boot camp. So, although certification is often included, the goal is about sort of transforming your skill sets in a more profound way. You'll have time to sit with the materials, get personalized guidance from an instructor and build hands-on experience. So again, this is all stuff you can learn more about at infosecinstitute.com/free.

Chris Sienko: 

But no matter which way you choose to pursue your cybersecurity career and education, one thing is absolutely positively certain: you're going to learn a lot, and a lot of what you learn is going to be conveyed through the written word.

Chris Sienko: 

So we've sort of been talking about this, but a secret for cybersecurity success is you're going to have to always be learning, and to always be learning, you're going to have to always be reading.

Chris Sienko: 

I'm a firm believer in knowing all the facets of your job role, both the fun and the challenging, and I just want to be clear that if you're looking to get into just about any facet of cybersecurity, you're going to need to be prepared to do a lot of reading every day, not just in school, but after school, after you get your first job.

Chris Sienko: 

This is not something where you can learn your basic tools and requirements once and then do that job for 20 years, you know, or even five years, or two years or two weeks. You're going to need to be looking for new or better ways to solve problems. You're going to need to find out what others in your industry are asking about or solving for themselves, and you're going to need to keep a constant eye on what new cyber attack techniques are being tested, tried and deployed. So I know that we have three very learning-intensive and perpetual learning enthusiasts and experts here. So I want to start, Akyl. Where do you go to keep up with new tech and features and trends in cybersecurity? Do you have certain information sources or readings that you go to on a daily or weekly basis?

Akyl Phillips: 

Definitely so. I have about 23 RSS feeds that I keep up with. There's, you know, threat-free feeds, just so I could throw one out there, Schneier on Security, which is Bruce Schneier's blog, and also social media. Right, social media has been a great place to keep updated with cybersecurity and I didn't think that that would be the case, but I think that our industry has done a really good job at adapting to social media. So there's a ton of YouTube channels, Instagram channels and Twitter channels, or X now, that focus on micro learning and keeping you up to date. So definitely get out there and start looking for those. It will change the way that you look at learning.

Chris Sienko: 

Yeah, great, great, great answer. Confidence, how much do you read and research per week and what aspects of the industry are you monitoring and keeping at the forefront of?

Confidence Stavely: 

I'll definitely say I love conferences, so a few of them that I identify. One of them is RSA, for example, but it's not just attending the conference itself. I'm definitely looking at RSA 365. So looking at the videos on demand at different points. But I also have some micro habits which I like to share with the girls that we train. So I read at least one article every day. So there is always one article I'm reading and so I would start my day or end my day with an article. So typically I would have minimum one article read, but on many days I read more than one article. So that's something I would definitely say.

Confidence Stavely: 

Pick a couple of blogs that you really maybe love what the blog about or maybe the interests that you have to cover that. So I generally have one general purpose blog, something like a news blog, like BleepingComputer, and then I have another one that is in my core area of interest and a couple of them like that. So I do that mix and then I also read reports. That is a major part. If you're just getting to, you're going into the industry. So you want to look at, say, Verizon data breach reports. You want to look at Mandiant reports if you're interested in, I mean, not just if you're interested in cloud security, but everyone should be interested in, right? Because it cuts across how we're even delivering the services we are delivering or solving the problems we're solving. So you definitely want to look at all of those annual or biannual reports and binge on them. They give you a very good idea of what's happening in industry, what to plan for.

Confidence Stavely: 

And there's something very profound about this particular habit when I hear some of the girls that we train come back and speak about it. So when you go to interviews because this knowledge is not knowledge you gain one day right, it's been accumulating You'll be asked certain questions about certain scenarios and you remember articles where you read about remediation. It will just come to you and you'll be able to discuss them as though you've done them before. So really make a habit. I call it one cyber thing a day. If you have that one cyber thing a day habit, you would not realize where you're pulling knowledge from when you need it. It will just come to you.

Chris Sienko: 

Awesome, awesome recommendation.

Chris Sienko: 

I will absolutely double or echo what Confidence says, that I think there's a lot more to be said about the importance of doing a little bit every day rather than a lot, maybe one day or two days a week.

Chris Sienko: 

I know it can be very hard to keep up with your studies or the things that you want from life, and so sometimes a day or two will slip by, and then you decide on the weekend all right, I'm going to really hunker down and you sit, you know, with your Sec Plus book for six hours until you're, you know, drooling on the pages and half asleep.

Chris Sienko: 

But you know, and there's certainly a lot for that, you know, to be said for that as well, but there is a lot, lot, lot to be said for sitting down with that book every single day, 15 minutes first time you wake up in the morning, 15 minutes after you're done for the day. Just keep it in your head and, as Confidence said, if you're constantly thinking about this and seeing what's in the industry, this stuff is just going to start to soak in and it's going to start answering questions you have in other places. I think that's awesome advice. Thank you, Confidence. So, Robert, I'm going to jump to you. Do you have any tips for making this amount of reading and constant learning part of your regular routine?

Robert McMillen: 

Well, I'll tell you, I've fallen asleep in a lot of books as well.

Robert McMillen: 

Yeah, you really have to make that habit and it takes, you know, roughly seven to 14 days to make a habit. You know the beginning of my day is always jumping right to the news, the general news first and then going right into technology and hacker news and things like that. I also like to look at government sites, because government sites like NIST, the NSA, CISA at CISA.gov, they all have daily updates and reports on new vulnerabilities that are found. Super helpful. That, you know, that you can, you, you can really see what's about to hit. Big time in the news is usually going to hit these government sites to let you know what vulnerabilities are there, and then the vendor sites are going to all come out with how you can fix that or keep that from happening.

Robert McMillen: 

I like to think of our knowledge as a brick wall. We all have a brick wall of knowledge. The problem is that we don't always have all of our bricks in our brick wall and I think that frustrates a lot of new learners because they end up saying, well, I understand this, but I don't understand that, and that you really need to be patient as a new learner, somebody new to cybersecurity or any other technology, because these bricks will fill in over time the second time you read that book, the third time you watch that video, you know that's when things are going to click into place for you. So read what you can, do what you can, even if it feels a little bit like you know it's a hodgepodge of different pieces of information. You will be surprised over the next year or two how those pieces will all fit together for you.

Chris Sienko: 

Yeah, awesome, yeah, absolutely true. I think. Great advice from all three of you. I really appreciate the detail.

Chris Sienko: 

So I'm going to jump to some of the questions that we're getting. We're about to move into another territory, so I want to kind of get through some of the questions that people are asking around study and certs and so forth. So I want to start with Oluwatobiloba. Apologies if I got your name not quite right there. I hope that was close.

Chris Sienko: 

They say I just transitioned into cybersecurity last year and talked about some of the different certs they're in, but said I think need to write security plus after these exams, also in final year of university studying mathematics, and would love to do his master's in cybersecurity. I'm wondering if any of you have any thoughts on whether this person says they want to know whether to do their master's in school or start applying for jobs. So you know, maybe I'll throw this to Robert first, because I think there's that question of higher education, and then there's higher, higher education. And who is a master's in cybersecurity for? And what is you know if the other one kind of opened doors, I almost think a master's kind of closes some doors in certain ways, right, I mean, you're sort of locking yourself into a different type of career. Can you talk about that at all?

Robert McMillen: 

Yeah, master's are generally going to be for one of two things: you're either going into management or you're going into very deep, you know, types of technology, and I'd like to reach back to something Confidence said earlier, and that is that go to Indeed.com, go to LinkedIn, go to some of these different job sites and find out what they're looking for. After you have got an idea of the type of job that you want to get, and you know there's dozens of different overlapping job titles, you know, that are out there. There's no single government agency that says, you know, this job title equals these, you know, types of things that you're going to need to know.

Robert McMillen: 

No, it's all done by industry and industry is very disjointed in this area. So you need to go to these job sites and you need to say, OK, I want to be a cybersecurity analyst. You know you type that in, you put in the area that's where you want to work, remote, on site, a certain area, and then you find out what certifications, what education and what experience you're going to need. And those are the three of the four things you need: certification, education, experience.

Robert McMillen: 

The fourth one is enthusiasm. If you are not enthusiastic, if you're not passionate about that area that you want to go into, then none of the other stuff matters, right? So if you're passionate about, you know, a certain area cybersecurity then and you really want to get that education at the master's level fantastic, you're going to be great at this. But if you're doing it just because you think you need it for a job, you're not going to be great at it. You've got to have that enthusiasm to decide how far along you want to take your education and look at those job sites that tell you what you're going to need.

Chris Sienko: 

Perfect transition to oh, go ahead. I'm sorry, can I just add to what Robert said.

Confidence Stavely: 

It was just too profound to let go of. I needed to drop that more, and I will just share a personal experience. So I had a recruiter, you know, reach out to me and say They've been trying to hire women that are knowledgeable, and this is not a gender thing, but yeah, just let me land. So they're trying to get more women into their team, but of course they're not hiring because they're women. They want women who are skilled right. And so they start interviewing people and the people who came through certain boot camps and then they had all of the training and then they were interviewing them but just none of them clicked and it just occurred to the person interviewing that they did not demonstrate passion.

Confidence Stavely: 

And I cannot tell you enough how much passion, which I'm calling passion and Robert is calling enthusiasm, really just drives you. You really come off hungry for knowledge, and the thing about being hungry for knowledge is you're constantly, you know, eating every form of knowledge. You know I'm saying metaphorically here you're constantly trying to take in knowledge, you want to learn more. The eagerness is in your voice, is in everything, and it you, you recover it. I mean, I, rick, is in the good term. Right, you will definitely come up very passionate, and the truth is, when you're getting your first role, you're most likely going to be hired for your potential, because you do not have experience yet. So if you're not passionate, you cannot exactly show potential, because potential will be not just in your voice but in the things you've done before. That point, like Akyl was speaking about and like Robert was speaking about. So please, in honor of what we've said, remember that you need to be passionate to be here.

Chris Sienko: 

Absolutely. Perfect, perfect transition into our next section here. I want to make sure that we help people to get noticed by the right people and make sure that their passions are properly recognized. So when Cyber Work guests and leaders of the industry say they hire for passion and credentials, what they leave unsaid is that you need to see that passion screaming out of your resume or CV, just like Confidence says. You need to practically reek with it. And even at the beginner level, there are things you can do to stand out. So I'm going to open this up to the panel. So there are things that you, there are ways you don't need to have your past experience, job experience to get your first job. So let's start with Confidence, and then Akyl and then Robert. Can you suggest a manageable cybersecurity project that you could do at home and put on your resume to show potential employers that you've gone beyond theory and can actually do the thing?

Confidence Stavely: 

Okay. So I would say it depends on what sort of roles you're looking for, right, but for just about everyone who would go into a role that is technical, you need to minimally have a home lab that you've set up and you sort of would test out, you sort of would use some of the tools, maybe three editions of the tools that you would most likely be using in your workplace, and have them installed and begin to use. So, for example, if you are going into web application security, you need to have Burp Suite, for example, set up on your computer. You need to be able to use an intentionally vulnerable web application and show that you've been able to, you know, get, you know, find those vulnerabilities and be able to maybe document how you did that and what remediations or what things should have been put in place to make that application safer. Now, after doing that, of course, the documentation part is what makes it able to sit on your CV. You can't put that home lab on your CV, right.

Confidence Stavely: 

So you would then put down the steps on Medium or you would use, say, LinkedIn articles and then you do a post. Now, as a person, I lean more towards LinkedIn now, because LinkedIn will do two key things for you. The article sits there and you can just pull out the link and put on your resume, right? But aside from putting that on your resume as well, when you post it out on LinkedIn, LinkedIn is one of the social media websites where cybersecurity leaders and cybersecurity professionals, generally speaking, are really spending time. So, between X and LinkedIn, I would say more LinkedIn these days after what happened recently, right, with the takeover. But I would say when you put it on LinkedIn, you have a bit more eyeballs that a random person, a random recruiter, can find you and then basically reach out to you.

Confidence Stavely: 

I've had people who have had recruiters reach out to them because they were documenting their learning, and please don't think that it all has to be perfect. Like we've said, even on your role, even when you're 10 years in, there are still things you will just randomly Google. That's the truth, right? So don't wait until you're perfect. What you need to do is have the boldness to learn in public, if I was putting it that way, to grow in public. And then, once you have these sort of projects and you have them documented on your LinkedIn, which again will differ per the parts in cyber or the kind of roles you're preparing for, then of course, you then begin to connect with other people as well, within your local environment, within your country, within your city, and then, before you talk about internationally.

Chris Sienko: 

Yeah, great advice, all. Now we're getting close to the end of the hour here, so I'm going to jump ahead a little bit, but I know we have some people in the audience because a few of them have reached out to me before that they're entering cybersecurity as maybe a second or even a third act in their career, which is something I love to see.

Chris Sienko: 

Cyber professionals frequently come from other careers, even non-tech focused ones, like engineers, lawyers, healthcare administrators, teachers, psychologists, business administrators, AV professionals, auditors of all kinds, you name it. Your skills and talents are desired and are absolutely vital to the cybersecurity industry, and I'll say that as many times as you need to hear it. Please come join us. So I want to ask each of you, do you have any tips or suggestions for how to translate a previous career's skills and accomplishments into clear signs to hiring managers that you understand the assignment, you can do the job and maybe you just need some quick tech upskilling? Let's start with Robert on this and then go Akyl and then Confidence as well. Do you have any experience working with people who are coming to cybersecurity later on in their career?

Robert McMillen: 

Oh, absolutely. I've trained people as like their second act, their third act. Sometimes they're getting money from the government to be retrained because, you know, maybe they used to make wagon wheels and nobody makes those anymore, right? So the government helps us out by doing that kind of thing. But let's say, for instance, you're already in IT but you want to transition to cybersecurity, and the reason I'm mentioning that is because I'm seeing several questions in the Q&A where people are asking that exact thing.

Robert McMillen: 

So let's take, for an example, finding networking abnormalities, like high traffic counts. That can lead to the discovery of malware or denial of service attacks. That's something a sysadmin would be looking at, a network admin would be looking at, but can translate into cybersecurity. Those are stories that you can tell the hiring manager: hey, this is how I discovered malware, this is how I discovered an attack. Properly securing Active Directory can lead to hacker prevention from privilege escalation, something else that you can share. You know how you secured Active Directory as a sysadmin, but now you would like to take that further in the cybersecurity field. Unusual firewall and server logs, those can lead to discovery of hacking attempts. All these can assist in migrating from other parts of IT into cybersecurity, as long as you can document them and tell your story on how it is that that would translate into that field.

Chris Sienko: 

Akyl, any thoughts on that? Confidence, I see you raised your hand. Do you have any thoughts for later-period cyber people?

Confidence Stavely: 

Yeah, I just wanted to add to what Robert has said. If you are coming from a non-technical background but maybe a regulated industry, that's also something you can tell your story in such a way that it connects it, because what you have shown is you can follow processes and procedure.

Akyl Phillips: 

So it depends again on what part of infrastructure you're coming to.

Confidence Stavely: 

Those are very, very clear, transferable skills you can link in. Another key in a career that I've helped so many people cross over from is people with legal backgrounds, so lawyers, for example. Very easy connect would be compliance right right out the box. They sort of like understand this is how things are done, they know how to document, they know how to write policies. So if you would definitely find that for almost every field I could possibly think about even for stay-at-home moms right, there is something you have already in terms of what you've always done that can be applicable in this industry. What you then would then focus on would be the hard skills that then shows an employer that you can do the work, and then the human skills that we've spoken about in terms of connecting what you previously had in here. But as long as you can solve problems, there will definitely be an entry point for you here.

Chris Sienko: 

Yeah, Akyl, anything to add to this?

Akyl Phillips: 

The last thing that I would add. I think both Robert and Confidence did a great job summarizing that one for you guys, so I don't want to touch on it too much, but if you are transferring into the industry, take a look at the cybersecurity framework. And the reason I say take a look at the cybersecurity framework is there are directors and hiring managers spending all day looking at the tasks that are described in the cybersecurity framework, like asset management, and if you're coming over from a warehouse job or a retail job, you can provide some insights into asset management and that's how you know that you have a transferable skill, right. So I would recommend looking at what the directors and the hiring managers are looking at and what are the requirements that they have, because when they hire you, that's the thing, that's the problem that they want you to solve for them.

Chris Sienko: 

Yeah, yeah, no, absolutely. I think that's a superb way of thinking about all of this. So, OK, we're getting real close to the end here. Can we talk a little bit about networking? Because I think there's, you know, some stigma around the idea of it's not what you know, it's who you know, and all this job sort of being hired behind the scenes. But I forget who said it, maybe Confidence said it or Akyl said it, but hiring someone new without experience is always going to be a little bit fraught. You just have a piece of paper to go on and so if you are able to network with the people that you want to network with and you know what your desired outcome is going to be, and all that, what are your thoughts? And we can round around this however we want, but what are your thoughts on newcomers getting into networking? What is your best tip for that?

Robert McMillen: 

Well, knowing someone will get you will help you get a job, but knowing how to do your job will help you keep your job Right. Yes, absolutely. But networking includes getting to know other students in school, getting to know your professors. It also includes going to vendor meetings. If you live near a larger population, you go to a vendor meeting for Cisco, for Microsoft, for Palo Alto, for whatever it is. If you're not going to college and you don't know anybody, those are great places to network. And then, of course, you can find places online, such as Reddit. It's a good place to go to network with other people in your area of interest.

Chris Sienko: 

Excellent. Confidence, Akyl, anything to add?

Confidence Stavely: 

Really quickly. I would say find community, so any kind of community that's related to who you are and what you do. Find that community, locally and internationally, and connect. There's also another very major mistake. I see a lot of, um, alien trends making. You're always drawn to connecting to people ahead of you in the industry and you sort of like play down your peers. There is magic sitting there. Someone I know just got a job. Um, she, she, she didn't. She was interviewed with that person. That person was hired and now they need another hand. Well, she built a relationship with that person and so the person that was already doing the job well just brought her on board.

Confidence Stavely: 

So if you don't have those peers who get to hear things that are not posted on social media because a lot of the cybersecurity roles are never advertised on social media, right? So if you don't get to hear those things, there is no way to be able to apply for them. So definitely community I would say volunteer, make friends with peers that are just like you trying to find roles. They would see something, hear something, and you'll make them available to you. And also, don't forget to be your own signpost.

Confidence Stavely: 

So, for example, if you're doing something very technical, begin to put together like a gif for yourself that shows what you've done over time. Begin to put together your LinkedIn, making sure that you're showcasing what you're learning over there. And I would say, not just use a push effect, but also a pull effect. So when you're putting out those things you're capable of and showing yourself as knowledgeable and growing and very eager to learn more, you begin to attract more people to yourself as well. So I would say, a combination of those things. Don't forget the people who are on the same level as you in terms of where you are in your career.

Chris Sienko: 

Excellent. Akyl, I'll give you the last word here. Any networking thoughts?

Akyl Phillips: 

I completely agree with Confidence in terms of look to your peers. One of the things that I did for the people that go through my classes that I think has had the best effect is creating a Discord and when they need to study, they study together. But the thing about your peers is, if you guys are trying to break into the industry and you find that you're alongside other people, they're going to have success, right, and you're going to have success, and success happens at different rates. Now, if my friend has success and they remember, hey, you know what, I remember studying on this Discord with him. I remember that I needed this. That's where the opportunities come from. They see how diligent you were in the early days and you stuck with it. So I 100% agree with, you know, utilize your peers. And also, let's go ahead and say this: networking can be a double-edged sword, right, and here's why I say it can be a double-edged sword.

Akyl Phillips: 

Oftentimes people put too much pressure on networking. Right, it's now you're worried a little bit too much about whether or not people like you. Remember, it's not about that, right? It's not about people liking you. It's about having a unified goal, right? So remind yourself what the unified goal is. If everybody's trying to break into the industry and create a safer version of the Internet, don't get distracted by all the other stuff. That's all I would say about it.

Chris Sienko: 

Perfect, all right. Well, we are about to wrap up here. I'll just say thank you to everyone at home or at the office or wherever you're listening or watching to today's episode of Cyber Work Live. Go to infosecinstitute.com/free to check out all of our free resources for Cyber Work listeners. We also offer a download of our free cybersecurity talent development e-book, which has in-depth training plans for the 12 most common roles, including SOC analyst, cloud security engineer, information risk analyst, privacy manager, secure coder and pen tester. Thank you once again to our wonderful panelists. You went above and beyond.
