The path to becoming a cybersecurity expert


In this entry, I want to cover what your path to becoming a cybersecurity expert will look like.
This article is tailored for those who are trying to enter the Information Technology security industry, have identified this field, and are passionate about building a career in it.
We’ll focus here on systems and networking, not application development.
If you want to be a software developer in the Cloud, you might consider starting with Python programming. Python is in high demand for Cloud implementations, as so much of Cloud automation is created with it.
If your interest is more in cloud security, check out our article The path to becoming a cloud security expert.
If you are looking to pursue a path as an application security specialist, you should start by learning programming, then follow the path laid out below.
Experience vs learning
Before I begin discussing the path, I do want to emphasize that nothing beats experience when it comes to becoming an expert.
Of course, the dilemma is: how do you get experience when you have no experience?
Although it is said that experience is the best teacher, you only learn by making mistakes. Mistakes can be very costly, like “accidentally deleting your entire production environment and the company goes out of business” costly.
This is why certification can help ease an employer’s mind when it comes to hiring you.
If you’re certified, this means you have a baseline of knowledge.
How do you get certified? You need knowledge.
How do you get the knowledge? You have two choices: Self-study or training.
You know that good old saying “there’s good, fast and cheap but you can only have two”? This perfectly describes your education options.
Self-study is of course the cheapest option and can be good, depending on the material you’re using.
Look for the certification exam blueprint that lays out what subjects you need to know and get a copy of a good book such as a McGraw-Hill All-In-One exam guide from Amazon.
Trying to learn with nothing more than free resources is not a good idea.
Ever hear the expression “ask 10 people and get 11 different answers”? That’s the internet. You’re going to get really frustrated and you’ll have a bunch of gaps in your knowledge base. Honestly, you’ll probably just give up and that’s not good.
Training is the fastest and can be the best, but not the cheapest solution.
A quality cybersecurity training course will teach you in a week what would take months to learn on your own.
Of course, the better the training, the more expensive it will naturally be.
A good trainer will be able to share actual experiences in the subject matter and you will learn from their mistakes and successes.
I would stay away from “bootleg” training because they’re so hit or miss.
Whichever way you choose to pursue your certification, having a strategy to get there is required.
Let’s get into the certification path you should pursue to become a cybersecurity expert.
Here’s the funny thing: I’m going to begin with general computing, then traditional cybersecurity.
Don’t worry, we’ll get to Cloud security.
A+ certification by CompTIA
Starting things off, I’ll begin with the A+ certification from CompTIA.
This is the absolute base level certification.
This certification essentially deals with computing hardware and basics of things like virtualization. Everyone has to start somewhere and if you’re brand new to computers, this is a good starting point.
Personally, I’m not sold on much of the material being directly relevant to security, and especially to Cloud security, where the hardware is always the responsibility of the Cloud provider.
However, there are elements that are foundational that can be used for future growth, or to get an entry-level technician position in a company.
There are 2 exams you need to pass. Each of these tests costs around $250 USD.
Network+ certification
Once the A+ certification is done (or skipped, your call), you’ll need the Network+ certification from CompTIA. To work on the systems and infrastructure security side, you will need a solid understanding of networking.
Again, the Network+ is a fairly basic certification, but it is absolutely critical foundational material.
Simply put, if you don’t know this material, your base of knowledge will have gaps a truck can drive through.
You MUST know TCP/IP, network ports, OSI layers, how DNS works, and the like.
Now the nice thing is, if you found yourself an entry-level position with the A+ certification, you might just be able to get your employer to pay for your Network+ certification.
There is one Network+ exam, called the CompTIA Network+ N10-007 exam. This exam costs about $350 USD.
Security+ certification
Now we start with actual security learning in the Security+ course, again from CompTIA. The Security+ will address a wide range of security basics that you MUST know to progress in the security world.
After this certification is obtained, I would say you stand a very good chance at finding employment in the security field. You’re not going to jump in as a senior engineer, but you will absolutely have the credentials to gain employment as a security analyst in any company of any size.
There is one Security+ exam labeled the CompTIA Security+ SY0-601 exam.
There is a 501 exam, but as the 601 replaces it and the 501 will eventually be retired, I’d go with the 601. The SY0-601 exam costs $370 USD.
Cybersecurity certification triad investment
I’m calling these 3 CompTIA certifications the base cybersecurity certification triad. I would say that all in, you’re looking at 3 books at $50 each (assuming self-study), about $1200 in exam costs and about a year of time, assuming of course that you’re starting from scratch.
All of the exam outlines for the CompTIA exams are listed on the CompTIA website.
After the CompTIA triad
The Systems Security Certified Practitioner (SSCP) from (ISC)² is a progression from the Security+ certification and begins to expand your career from hands-on tactical security to the business side. This is where you begin to cover key business aspects such as risk management and having a broader view of security across a wide range of disciplines.
I would say the SSCP certification will get you to the intermediate level in a large company.
Additionally, it starts gearing you towards the ultimate security certification goal: the Certified Information Systems Security Professional (CISSP) certification. However, the CISSP requires you to have 5 years of experience, so I won’t deal with this one here.
What kind of investment are we looking at here? The SSCP exam is $250.
Again, a good book on the subject will cost around $50. Time investment should be around 2 months if self-studying, or a few weeks if taking the official training.
As mentioned, if you want specifics related to a career in cloud security, read our article The path to becoming a cloud security expert.
Make no mistake though, you can’t be a Cloud security expert without being a cybersecurity expert first. Cloud is simply a progression where everything you learned during your cybersecurity journey applies.