The deeper I dive into cybersecurity, the more I realize I do not know. I started out thinking there were a few roles in the field and that I could align with one and make my move. But as I dug deeper, I realized just how vast the field is – there are so many areas to choose from. And each area has many sub-disciplines with many roles within. It’s HUGE! Which has made it overwhelming.
So this present two challenges to my next move. Challenge #1) finding my place Challenge #2) gaining enough credibility to have someone take a chance on me for my first role
Challenge #1 is more time-consuming that anything else. I am the Queen of Research. Anyone who knows me, knows that I never make a decision without thoroughly investigating all options, weighing the pros & cons (probably creating a spreadsheet), and deciding based upon the logic. I excel at this. However, it’s a major time suck. I fall down rabbit holes looking at different roles. I read tweets and blog posts from people about their roles in cybersecurity. Then I watch YouTube videos. I check out articles online. Groups and organizations like Women in CyberSecurity (WiCys) and Women’s Cyberjutsu, even Women Who Code and GirlGeekX. I’ve connected with people on LinkedIn, and even reached out to people at my work who are in the InfoSec teams to ask about their roles and advice on entry. It’s both exhilarating and exhausting. I’m an introvert, so the people contact is draining. But I’m learning so much and have a much clearer idea of where I want to be. The most freeing part of this research has been the realization that once you get past the velvet rope, you can move into a different area. Within the field, people move all the time. They get into a role and realize which parts of their job they love and which ones they don’t like. With that knowledge, they move into another role. It’s understood within the industry that people move around, so it’s accepted. This means that even if I choose a role and realize it’s not what I really want, I’m not trapped. That has taken a weight off because I now know the entry role will not define my career.
So on to Challenge #2. How in the heck do I get in? Returning to college for a new degree is not feasible. And I really don’t want to do that. I’m “seasoned” (read: lots of years of experience) in other roles, and everyone I have spoken to in the field says I have loads of transferrable skills. That’s great – nobody has to teach me about data analytics or project management. I don’t have to be shown how to work as part of an interdisciplinary team. I already have great communication skills. I have experience writing reports and creating presentations for upper management. I’ve proven I can work independently and meet target deadlines. There’s so many skills I have that someone straight out of college won’t. I’ve also spent the last couple of years learning programming languages, operating systems and networking. What I need is proof that I understand the basics of cybersecurity and someone willing to take a chance on me. In an effort to make that happen, I have been pursuing certifications.
In September, I saw that ISC2 had just released a new entry-level certificate aimed to help get more people into InfoSec called the Certified in Cybersecurity program. They were offering it free to qualified students for the initial launch, so I signed up. I studied the coursework (self paced) and completed the program. I then sat the certification test and passed!
I was very excited, but that was a bit short lived. The cert is so new, that hardly anyone had heard of it. So it wasn’t exactly setting my resume on fire. Okay, what can I do? I then heard about a Cyber Security Bootcamp for Women being offered by the ICTTF (International Cyber Threat Task Force) – an organization that offers training to companies. Again, it was free so I applied. I was accepted and started that training in October. It lasted about a month. The training consisted of modules from their existing training programs, combined to give a high-level overview. Most of their training is aimed at CISOs and risk-management type roles, so the bulk of the training was regarding frameworks like NIST and creating security policies for organizations. It was helpful, but not quite what I had been hoping for. I completed the training and passed the test, receiving a certificate of completion.
Around this time, one of the contacts I made at work suggested that I attend the BSides conference local to us. In addition to some great talks, they also had a Career Village where you could sign up to have a resume review. I did that, and had a fabulous conversation with one of the volunteers. She said my resume was great, and if she had a role she’d hire me today! That made me feel so good. She said with my past skills and enthusiasm, I would be an excellent candidate. She encouraged me to start applying for jobs now, rather than waiting until I took more training. She also mentioned that SANS training would be the best, but since it was so expensive I should try to get hired somewhere and have my employer pay for it. I took her advice and applied for a role with my current employer. However, I was immediately rejected as they have a policy that you must be in your current role for 1 year before applying for a new role.
Shortly after that, I saw a tweet where someone was talking about free training through SANS. Really??? It must be fate. It was for the Women’s Immersion Program. It’s a 6-month program where you get to take 3 SANS courses in preparation for the GIAC certifications. All free!! I saw this about 2 days before the deadline to apply. I was hesitant – it was a 6-month commitment. It would be demanding, meaning my nights and weekends would be devoted to this program. There were also requirements to meet that I didn’t think I could. I drug my heels for a day before showing the webpage to my husband. He was so enthusiastic. He said I had to apply! If I didn’t get it, no harm, but if I did it would change my life. So with his encouragement I went ahead and submitted my application. A day later I received the link to complete an online assessment. It was much harder than I thought it would be, a lot of questions about networking protocols, operating systems, IP addresses, and hacking tools. After that, I needed to complete the other requirements – college transcripts (really? from 20 years ago?) and letters of recommendation. That was the hardest – how do I get a recommendation? I’m not in the field. I decided to ask my manager at work and another co-worker. I had been at the company for about 9 months, so I felt weird asking, but I didn’t have anyone else to ask. Thankfully both said yes and completed the forms. Then I waited. And waited. And waited. They had not given an exact date that they would announce the results, but with the program due to start in mid-December I had expected to be notified by Thanksgiving. Nope. My husband kept telling me to email them and ask, but I kept waiting. Finally, the first week of December I decided to email. Obviously I had not been accepted, but I was annoyed they hadn’t told me. So I emailed and asked. A day later, I received an email telling me I had been accepted! Did my email jog something? Was it a coincidence? I’ll never know, but at least I was in!
The SANS program consists of 2 classes with correlating GIAC certification attempts that are set by the program, and one elective. SEC401 (Security Essentials) sets you up for the GIAC GSEC certification. SEC504 (Hacker Tools, Techniques & Incident Handling) sets you up for the GIAC GCIH (Certified Incident Handler) certification. The last course is your choice of elective (they give you 7 classes to choose from) with the correlating GIAC cert. Classes started the week before Christmas. The SEC401 course itself covers A LOT of material. It is definitely an inch deep and a mile wide. It touches everything from cybersecurity frameworks to penetration testing to Windows and Linux OS. At times it was completely overwhelming, but I made it. I took my GSEC certification exam on February 14th. I passed, and am now GSEC certified!
I am now mid-way through the SEC504 class. It is a very different class. It is mainly geared towards hacking, combined with risk mitigation and remediation techniques. It uses a ton of tools and commands, so I’m intrigued how the exam will look. It’s interesting, but it definitely has proven to me that I am not at all interested in penetration testing. I see myself more as a blue-teamer, defending and protecting.
Which leads me to my recap of where I am on Challenge #1. I still don’t have a definitive answer. I am really intrigued by threat intel and threat hunting. It aligns well to my researcher personality. I’m also interested in learning more about cloud security. There’s so much scope there, and that sounds like it would be constant learning. So, no answer yet. I’m still researching, still connecting with people to learn more about different roles. I have another month before this class is finished and I need to decide on the final elective. Stay tuned, and I’ll let you know where I go from here!