I am always amused to tell new friends about my job because no one knows what a security consultant is. Some confused security with securities (as in the stock market, which Hong Kong famous for), some only know about IT. On one occasion, my friend asked why I studied at university and became a security guard.
For me, I am more like a security guard than an IT guy. As I always say to my colleagues, to keep a different mindset than IT staff. The main differences are: Security will not improve efficiency or productivity, but Confidentiality, Integrity, and Availability (CIA).
My colleagues always said I know something new as I am different. Yes, I agree. But it doesn’t mean that I am a freak or genius to do a better job. I obtained my Master of Computer Forensics.
Yet, I was only a Science undergraduate working at nightshift to save money for the tuition when I started my career. By telling you my story, I hope more people will be interested in pursuing InfoSec careers even they do not have experience.
The Proof of Your Interest
Most people would tell you to find your passion for being successful in your career. I think it is what makes success in all parts of life. To find a job in cybersecurity, you need to show your interest in this field.
Studying a tertiary education in InfoSec is one of the methods. Writing about security also works (but it may need more to start writing). The purpose of the proof is to let people, especially employers, know that you like InfoSec.
Taking the CISSP examination was my way to show my enthusiasm. The CISSP exam uses Computerized Adaptive Testing (CAT) for all English exams now. It was a six-hour straight examination on pencil and paper when I took the exam. My exam started at 0900 to 1500. I only left my chair once for the toilet.
Passing the exams do not necessarily demonstrate that you are an expert in the field. However, it can tell companies you studied in the area and spent hours of effort on the subject related to the job.
Most people who took the exam with me are working in the field. But why not take the exam to learn about the area first then gain experience along with the career? Studying for InfoSec exams can help you gain the necessities in this job.
There are different levels of exams for different kinds of positions, such as what I mentioned. For example :
- CEH: Certified Ethical Hacker.CISM: Certified Information Security Manager.
- CompTIA Security+CISSP: Certified Information Systems Security Professional.
- CISA: Certified Information Security Auditor.
Look into organizations such as (ISC)², CompTIA, and ISACA. You can find more about certifications by taking a look at the job advertisements.
The InfoSec Language
I also took the Security+ examination weeks after CISSP as the syllabus is similar. All these efforts were what I wanted to tell my potential employers how much I like this job.
Studying for the exams was not easy, especially for a rookie. It will be easier if you like the contents. But the best thing about passing these exams is about learning a common language with other real professionals.
Speaking a common language does not necessarily need field experience. Like you do not need to live in Japan to know Japanese. It is a crucial advantage if you can understand questions in a job interview with security professionals.
You show the interviewer that you know the subject but do not have experience. Moreover, you indicate your interest in the field and also the know-how of the basic concepts. By that point, you are ready to learn more and find your more specific area of interest.
You can learn the language in different ways. Taking an exam is one way. Or like learning a real language, reading more on that subject would unquestionably help. I read different kinds of magazines in InfoSec and online media, like BlackHat, Hacknoon, and Darkreading.
Is experience a must?
I once saw a LinkedIn post about getting into a cybersecurity career. The passion of this instructor admired me as I also taught, although not full-time. He pointed out to work in this field may require a full spectrum of IT knowledge.
Screen capture of the LinkedIn post
With such a steep learning curve, you could only see people nearly retired in the security department. But what do we see in the Security team? We have people of different age groups and both genders.
All industries have junior positions. I do agree that experience matters. But what kind of job that experience do not matter? We all should, from time to time, recall our memory of how we start our careers.
You need to know the basics. The key is the width of knowledge, not the depth. To suit yourself in a job, you need to know what kind of work would fit into your domain but not the others.
If you glance at the exam outline of CISSP, you can find the “width” of the things we need to learn later in the job. It is recommended to know the meaning of the eight domains to get started.
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
Study for the exam can surely learn about the meanings. But you can also learn them from books or google search (maybe a lot of searches). As I said, technical knowledge can be learned by anyone. But we only have 24 hours a day, so pick the subject wisely to focus on once you are in the field.
For me, I would suggest learning about the definitions of different areas of security. For example, in Identity and Access Management, you will come across the descriptions of the following:
- Access Control
- Biometric
- IAAA (Identification, Authentication, Authorization, and Accountability)
Do not worry. No one can be an expert in all domains. The focus at the beginning is the “What”, not how or why. As this industry is so dynamic, we need to update our knowledge continually; otherwise, we are no better than junior associates.
Just like driving a car do not need to understand every part inside the engine. To find a job in Cybersecurity, you do not need experience in all IT aspects. Instead, you can learn all technical knowledge from training and your day-to-day operational tasks.
An Insecure Child
Since I was young, there are things that I am not comfortable with and always prepare for the worst. To be more specific, I was an insecure child, even paranoid. However, my living area was safe.
I would not walk strange back home if someone were with me when leaving the elevator (In security, this is called piggybacking). I would not open the door if someone could not prove his/ her identity. (This is authentication in the old fashion.)
Later I found out it was very relevant to what I need in my job. I thanked my mum for that. But she and I do not know it will go that far. Think differently makes a considerable difference from the beginning and along with my career.
In a security professional’s daily life, our primary goal is not to make sure everything is running as expected but to make sure the unexpected or unknown are minimized or mitigated. When everything is considered and handled, IT should be happy and business as usual — Nothing happens.
Being a great security professional is not just about how excellent your technical skills. It would be best if you were particular about the choices or suggestions based on the different contextual information you had.
To know more about what is a Security Mindset entails, please refer to my previous article.
Extra: Shortcut for a CISSP
As I did not have any working experience in the field, passing the CISSP exam does not immediately certify the profession. I was only called “The Associate of (ISC)².” According to the requirements of CISSP:
A candidate who doesn’t have the required experience to become a CISSP may become an Associate of (ISC)² by successfully passing the CISSP examination. The Associate of (ISC)² will then have six years to earn the five years required experience.
But I got certified with only four years of experience. If you prepare for the examinations like me, to study the rules before examining the contents, you will find the following waivers:
- Based on educational qualifications, the candidate can get a waiver of a maximum of one year of work experience as a full-time direct security professional.
- A one-year professional experience waiver is also applicable if the candidate possesses an additional (ISC)² credential from the approved list.
I planned my study of the Master Degree and Security+ examination. These two fit in the waivers and help me to get my CISSP two years earlier.
Final Words
Once in a while, I come across different kinds of candidates in the job interview. I look into people who are dedicated to the field. Most often, it is the one who does not have an IT degree. Why?
People who overcome their difficulties and show me their passion is the one who truly wants the job. I preferably teach them than an experienced IT guy who does not think like an insecure child.
If you are interested in an InfoSec career, I dare you not to afraid if you do not have any experience. Instead, be prepared, like any other job, to let people know you are open to the challenge. As a Chinese saying goes, “You need to show your back to the public if you want people to give you a push.”
Below are the areas you can begin with:
- Get the proof of your interest in the field (overcome a challenge like further training, exam, or a lot of reading)
- Learn the InfoSec’s common language (focus on the what and the overall concepts)
- Tune yourself into a security mindset (it is the most important)
Thank you for reading—happy reading and getting into Cybersecurity (if you are inspired).