I've been reading quite a few books recently. Some, related to security, might interest some readers of this blog, so I decided to create a new Reading Notes category to share some of the notes I take about books (a summary/the main points, and my general impressions).
Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career is a book written by Dr Gerald Auger, Jaclyn Scott, Jonathan Helmus, and Kim Nguyen. It was published in September 2021 and aims to give directions to people wanting to get a job in the cyber-security industry. It is described as follows (quote from the preface):
This book is a complete plan to help you decode the field and understand a direction to head in, the tools and supplies to take on your journey, and how to achieve your destination.
This book is broken down into [...] three logical sections aligned with a career chronology.
Section 1 [...] helps you answer the question, "Is a job in cybersecurity right for me, and if so, which?"
Section 2 [shows you] how to apply your knowledge, skills, and abilities in the field and how to showcase yourself to potential hiring managers
Section 3 [shows you] how to level up your career once you're in the field
If you are slightly curious or ferociously hungry about a career in cybersecurity, then this book is for you.
Book Content Notes
As previously mentioned, the book is split into three parts. We will go through all of them and highlight their content and main points.
Section 1: Getting Started with Cyber-Security
The first chapter of this section introduces various topics related to cyber security, such as the various laws related to security (GDPR, HIPAA, ...), the main security frameworks (NIST, ISO 27000/27001, SOC 2, ...), as well as some concepts like the CIA triad (Confidentiality, Integrity, Availability) and a few types of attacks that exist. The chapter ends by describing the pros and cons of a career in cyber-security. Among other things:
- Flexible hours, great salary, remote work
- Possible to train by yourself (but entry-level positions usually have quite a few prerequisites)
- Things are always moving, so you have to keep up and train yourself
- The career requires serious passion and might cause burnout due to the mentally demanding work
- Criminals don't take vacations
Some extra takeaways from this chapter are that it is good to try and develop one or two specializations to avoid being a "jack of all trades, master of none", and that there are abundant free resources online, so starting with them before paying for expensive certifications and training is better.
The second chapter aims to answer the question "Which career is good for you?" To do so, it lists the different possible domains and explains quite thoughtfully what kind of jobs you can find in them. The main domains each have various areas, as listed below:
- Risk assessment (Offensive Security)
- Governance (Risk Management, Compliance, Governance)
- Threat Intelligence (External and Internal)
- Security Operations (Incident Response)
- Security Architecture (Cloud Security)
- Learning (Education, Training, and Awareness)
Some takeaways are that, to choose how to build your career, you need to find your passions, identify your strengths, and create a list of dream jobs while continuing to explore to discover new options.
Multiple components should be considered when building a career: the skills (soft and technical), your passions and interests, the potential personal growth, the job value, the salary, the potential development opportunities, etc.
Section 2: Your path into the industry
This section is there to help you land a job in the industry. I would roughly split it into two parts: the first one is generally about the different types of sectors and which training and credentials you should consider. The second part is mostly about networking, self-promotion, and job searching.
Cyber-Security Industry and Training
In the same spirit as the end of the last section, the authors list the 16 critical infrastructure sectors (e.g., financial services, healthcare and public health, energy, information technology, ...) defined by the US Cybersecurity and Infrastructure Security Agency (CISA) and discuss what to expect when working in each of them. They do the same for the public and private sectors and also explain the typical organizational structures of security offices. If you are not sure which kind of company you want your next job to be at, this information would be quite helpful in guiding your choice.
One point that people are usually quite unsure about is which degree or certifications are right, which is also addressed in this book. A chapter lists the various industry certifications (CISSP, CompTIA Security+, OSCP, CEH, ...) and gives an idea of what they teach, how much they cost, how well they are recognised, and how difficult they are. On the topic of college degrees, the book mentions that entry-level positions usually pay 10 to 15% more if you have a degree, and many will require at least a master's to begin with.
The last chapter of this subpart aims to help readers address the chicken-and-egg problem one might find oneself in when looking for a security position without previous experience: a lot of companies want you to have some experience to hire you (a special mention for companies asking for a CISSP for junior positions), but nobody will hire you if you have no experience. The authors make the following suggestions (which are a bit redundant with the next chapters):
- Install something like WebGoat (a deliberately vulnerable web application) to get some penetration testing practice
- Try to go to conferences, capture the flag events, ... to get contacts in the industry, but also to be up to date with the latest trends
- If you have the opportunity, volunteering to help at conferences is a good way to connect with various like-minded people
- Try to widen your professional network: most of the open positions never get posted online, and if you know someone you might go through fewer interviews compared to the normal process
- If you have experience in somewhat related jobs (e.g., software engineer, help desk, ...), try to leverage this experience
- You could make a blog to help you showcase your skills and ability to communicate while gaining knowledge
- If you are already employed, you could try to connect with people in charge of security at your company and try to give them a hand within your means when possible
- If you are a student, an internship is a great way to get experience, as it would usually be way easier to get one than a job
Networking and Job Search
If you've read this far, you now have a better idea of what the industry looks like and how to get the credentials and skills to land a job. This subpart helps with that last part.
The first chapter of this subpart aims to give you tools to brand yourself. To achieve this, you will need a purpose (goal) and consistency. The authors suggest some ways to define what your goal is (e.g., asking yourself what you want to do, how you would want to be perceived if you had the choice, what prevents you from doing that, and how to address it, ...). Knowing your purpose will help to define your brand. Some extra points that the authors make are:
- Spend some time writing quality posts for social media
- Post consistently on social media
- Know the characteristics of the social media you are using (e.g., Twitter doesn't have the same vibe as LinkedIn)
- You can share some articles if you don't feel confident sharing your unique thoughts. If doing so, adding a quick summary or an engagement question is good
In general, the authors give a lot of advice related to using social networking, without it being specifically related to information security.
This subpart finishes with how to apply to positions, make a good CV, land interviews and do well in them. Again, most of the authors' points are not related specifically to infosec. Some elements that we can note:
- Determine the root cause of your career pivot to make the appropriate decisions
- Use job search services such as LinkedIn, Glassdoor, Indeed, ... to find interesting positions, but also to gather intelligence about the market (which kinds of jobs are widely available, what the pay is like, ...)
- Search for people with a similar path as you, and try to see how they got into Infosec, and what their career path looks like
- Resources such as resumeworded.com and skillsyncer.com can be used to check whether your resume has the right keywords to be attractive
Section 3: Now You're in; Time to Level up!
This section mostly gives bits of advice to help you go further in your career once you managed to get into the industry.
The authors encourage readers to speak at conferences and give some advice on how to apply, which conferences might be good, and how to find topics to talk about. They also emphasise that burnout is a risk in the industry, offer ways to try to avoid it, and list the indicators of a toxic work environment (e.g., gossip, blame games, toxic leadership, high turnover).
To conclude the book, some of the last advice it offers is:
- Understand and set SMART (Specific, Measurable, Attainable, Relevant, Time-based) objectives
- Be accountable and put in the work
- Try to find a mentor, and nurture this relationship
- Engage with people online through various means such as LinkedIn, Discord servers, Twitter, ...
- Remember the following when building a social network:
  - Find common ground when reaching out to new people without a soft introduction (e.g., you are working in the same field)
  - It's about them, not you: don't approach it as a parasitic relationship
  - Create depth, not width: dedicate time and consistency to your network. It is not about daily posts or Snapchats, but about writing personalized emails, texts, ... Consistency is key
  - Be smart when networking: creating a network takes time. A good approach is to find a way to multi-task when calling someone (e.g., when commuting)
  - Follow up after the first meeting with someone
My Opinion on the Book
I think that the authors make a lot of good and helpful points in the different chapters. Some things I was a bit reserved about are:
- You might want to ask yourself if all the pieces of advice are good for you. For example, at some point, it is suggested to tag people in the comments of your LinkedIn posts to get some engagement. It would personally annoy me to be tagged without a good reason, but to each his own
- In some parts, I felt like giving a link to online documentation would be better. Specifically, the part on how to install and use WebGoat (also, I would personally rather recommend something like Hack The Box)
- It might be due to the book having multiple authors, but there are multiple places where they make the same points, and sometimes the transitions are a bit confusing
That being said, I would totally recommend reading the book if you are in one of the following situations, as there is a lot of good and actionable advice and knowledge you might benefit from:
- You are a student, or just started your career (if you are studying security, the parts where the CIA concepts and such are defined might be something you want to ignore)
- You are a mid-career professional without security experience wanting to get into the security industry. In this case, the first half of the book would be helpful to get you familiar with security and how to get experience. The second half may be a bit less so, except for the self-branding part