Joining the cybersecurity field as an outsider without a technical background was a transformative journey for me. What immediately captivated me about the industry was its relentless pace and the exhilarating challenge it constantly presented. Interacting with professionals in the field, I was heartened by their overwhelming support for newcomers who genuinely exhibited the will to learn. However, I quickly found a prevailing sentiment: there's a general expectation for newcomers to be independent self-learners. This could be a daunting expectation, especially considering that many potential beginners in cybersecurity aren't inherently self-learners. While innate curiosity is undoubtedly a valuable trait, it's essential to recognize that many individuals, even those with immense potential, need a structured framework to move their initial steps into this vast domain.
In the last few years, significant progress has been made in filling the talent gap in the industry. However, as of 2023, according to the ISC2 Cybersecurity Workforce Study, there were 440,000 new jobs created in cybersecurity globally (an 8.7% increase year over year), but a staggering 4 million positions remained unfilled (a 12.6% increase year over year). This enormous gap results from the disconnect between employers' needs for experienced professionals and the real-world shortage of such expertise
The solution to this talent crunch lies in focusing on the early stages of potential cybersecurity professionals' careers, particularly young students. As a community, it's imperative that we equip the youth with the tools they need to explore cybersecurity as a viable career option. The key is to offer structured, practical, and accessible learning paths. Below are some steps and examples of how to do so.
The NIST-NICE framework categorizes cybersecurity work into seven high-level categories: Analyze, Collect and Operate, Investigate, Operate and Maintain, Oversee and Govern, Protect and Defend, and Securely Provision. Each category is further divided into specialty areas and work roles, providing a comprehensive roadmap for career progression.
Table 1: NICE Framework Work Role Categories
Category |
Description |
Number of Work Roles |
---|---|---|
Securely Provision (SP) |
Conceptualizes, designs, procures, and/or builds secure IT systems. Responsible for aspects of system and/or network development. |
11 |
Operate and Maintain (OM) |
Provides the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security. |
7 |
Oversee and Govern (OV) |
Provides leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work. |
14 |
Protect and Defend (PR) |
Identifies, analyzes, and mitigates threats to internal IT systems and/or networks. |
4 |
Investigate (IN) |
Investigates cybersecurity events or crimes related to IT systems, networks, and digital evidence. |
3 |
Analyze (AN) |
Performs highly-specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence. |
7 |
Collect and Operate (CO) |
Provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence. |
6 |
This table showcases the broad spectrum of roles within the cybersecurity landscape. By understanding these categories, beginners can better position themselves for a more tailored and informed career trajectory.
For a comprehensive understanding of the NIST-NICE framework and to access a myriad of resources tailored for beginners, one can visit the
The goal is to explore various facets of cybersecurity and determine where passion intersects with proficiency. Since cybersecurity is a dynamic field, there's always room for an individual to pivot, learn, and evolve.
The cybersecurity community is exceptionally supportive of newcomers. Even seasoned professionals are often open to sharing tips and advice and are incredibly accessible to beginners. The secret to meeting these people is to attend live events.
Real-time interactions at in-person events offer spontaneous questions, discussions, and the possibility for deeper understanding. It’s not just about soaking in knowledge; it's also about networking. These venues are prime opportunities for establishing meaningful connections, potentially leading to mentorships, job placements, or even collaborative projects. Furthermore, many such gatherings have live challenges or hands-on workshops where attendees can put theory into practice, often under the guidance of an expert.
Here's why attending in-person events can be so beneficial for a cybersecurity enthusiast:
When it comes to venues, some platforms and organizations stand out:
When planning to attend, here are a few tips:
So, if you're aiming to deepen your cybersecurity knowledge and network, attending such events could be the stepping stones to your next big opportunity.
Capture The Flag (CTF) challenges are competitions where participants solve cybersecurity puzzles ranging from cryptography to web application vulnerabilities. These challenges offer beginners a practical, hands-on experience in solving real-world cybersecurity problems. For example, the DEF CON CTF event annually attracts a global audience and has puzzles suitable for all skill levels.
Engaging in CTF challenges directly correlates with several areas outlined in the NIST-NICE framework:
Analyze (AN): Deciphering cryptographic puzzles in CTFs sharpens skills pertinent to the Analyze category, where one evaluates incoming cybersecurity information.
Protect and Defend (PR): Addressing vulnerabilities during a CTF strengthens a participant's capabilities in identifying, analyzing, and mitigating threats to IT systems, aligning closely with the Protect and Defend category.
Investigate (IN): Some CTFs involve forensic challenges, aligning with the Investigate category, where one examines cybersecurity events or crimes related to IT systems.
Securely Provision (SP): Tackling challenges where participants must secure or harden systems mirrors the Securely Provision category, emphasizing the design and creation of secure IT systems.
By immersing oneself in CTFs, beginners not only gain valuable hands-on experience but also better understand the different roles and areas they might be interested in as per the NICE framework. It provides a tangible, engaging way to explore and deepen specific cybersecurity competencies.
In a bug bounty campaign, companies incentivize ethical hackers to find and report vulnerabilities in their systems. This practice is becoming increasingly prevalent among leading technology companies, realizing the value of the global pool of independent security researchers. For instance, tech giants like Google, Facebook, Apple, Microsoft, and Twitter have all rolled out their own bug bounty programs, encouraging ethical hackers to identify and responsibly disclose potential security flaws in their platforms. By offering these campaigns, these organizations not only enhance the security of their systems but also foster a symbiotic relationship with the cybersecurity community. For example:
Platforms like Bugcrowd, Hackerone, and Intigrity have also streamlined the process, acting as intermediaries connecting ethical hackers with organizations, including those that might not have independent programs like Google or Apple. Once a vulnerability is identified and reported through these platforms or directly to the companies with established programs, it undergoes a verification process. If validated, the researcher could receive a financial reward, recognition, or both.
For beginners, there are web browser-based labs. These labs allow users to practice in a controlled environment directly within their browsers. While convenient and easy to access, these platforms might not fully replicate the complexities and intricacies of real-world systems. They are good introductory tools, but as users progress in their cybersecurity journey, they might find them less challenging.
On the other hand, there are virtualized environments that require VPN access. These platforms offer environments that are almost identical to actual company infrastructures. The virtualized scenarios are meticulously crafted to emulate real-world networks, servers, and workstations. As users connect via VPN, they feel as if they are truly inside an operational network, providing a level of authenticity that web browser-based labs might lack. This type of environment allows for a deeper exploration of tools, tactics, and procedures, effectively training the participant to tackle genuine cybersecurity threats. The rigorous training in these environments ensures that participants are job-ready and fully prepared to address the multifaceted challenges they might face in their cybersecurity careers.
By experiencing both types of training, candidates can appreciate the gradient of complexity in cybersecurity challenges and better hone their skills to be effective professionals.
Here is a list of free or affordable practical cybersecurity training resources for beginners:
The resources mentioned above represent just a snapshot of the many tools and platforms that have gained attention and appreciation within the cybersecurity community. The realm of cybersecurity training is vast, and the list of valuable resources extends far beyond what's provided here. Additionally, there are numerous open-source projects and other content available online that can be instrumental in enhancing one's learning journey.
Specialized forums and websites, which I will detail in the next paragraph, can be invaluable in discovering reviews or feedback from other community members. This feedback provides insights into the quality of new resources that are constantly being released.
In the vast realm of cybersecurity, guidance from someone experienced can make all the difference. Platforms like LinkedIn can be particularly beneficial, not just for networking, but also for identifying potential mentors. By carefully reviewing profiles, joining relevant groups, and actively participating in discussions, you can showcase your eagerness and catch the attention of experienced professionals willing to guide newcomers.
Discord, a platform initially created for gamers, has burgeoned into a hub for various professional communities.
Specialized forums and websites further amplify the opportunity:
Reddit’s Cybersecurity Communities: Platforms like
Wilders Security Forums: Dive deep into discussions about online privacy, security, and data protection on
MalwareTips and Antionline Forums: Websites like
Bleeping Computer and Spiceworks Community: Forums such as
Hacklido: A unique platform,
By actively engaging in these forums and communities, not only can one expand their knowledge but also build meaningful connections. As you participate and contribute, the chances of meeting potential mentors who recognize your passion and dedication increase significantly. Remember, mentorship in cybersecurity is not just about learning the ropes; it's about guidance, feedback, and understanding the nuances of the rapidly evolving world of digital protection.
As you embark on your cybersecurity journey, it's essential to familiarize yourself with the plethora of free tools available. These tools, widely recognized and utilized by professionals in the field, can significantly augment your learning experience:
Wireshark:
OWASP ZAP (Zed Attack Proxy):
Metasploit Community Edition:
Snort:
OpenVAS (Open Vulnerability Assessment System):
Kali Linux:
Harnessing the capabilities of these tools not only gives beginners a practical understanding of various cybersecurity domains but also provides a hands-on approach to combating potential threats. Remember to explore the associated documentation and tutorials for each tool, as they often hold a wealth of knowledge and best practices.
While there are self-learners who manage to connect the dots on their own, a vast number of budding talents are not yet part of the cybersecurity ecosystem, mainly because they lack initial guidance. By providing targeted and practical guidance, we can help pave the way for a new generation of cybersecurity professionals ready to take on the challenges and opportunities that this rapidly evolving field has to offer.
Structured learning can be achieved in various ways, and this guide aims to offer an alternative perspective, coming from a non-traditional cybersecurity professional who had the unique opportunity to learn from genuine hackers.