Guide To Cyber Security Careers: By: Jon Good

The document provides guidance on pursuing a career in cyber security. It discusses certifications from vendors like CompTIA, GIAC, and ISC2. It recommends starting with CompTIA certifications and moving to more advanced certifications later. The document also discusses education options like certification-based degrees from WGU or SANS, technical degrees from universities, and building skills through non-degree programs. It provides an overview of job roles in blue teaming (defense) and red teaming (offense). Finally, it outlines a suggested career roadmap from entry-level to more advanced cyber security roles.


Guide to Cyber Security Careers

By: Jon Good

https://www.jongood.com
Table of Contents
• Introduction
• Certifications
o Vendors
• Education
• Certifications vs Degrees
• Building a Home Lab
o Computer (Desktop vs Laptop, Build vs Prebuilt, Components)
o Virtualization Software
• Soft Skills
• Job Descriptions
o Blue Team (Defensive)
o Red Team (Offensive)
• Career Roadmap
• Final Thoughts

Guide to Cyber Security Careers 2 https://www.jongood.com


Introduction
Hello and welcome to my FREE eBook, Guide to Cyber Security Careers. Navigating any career field, and
in this case Cyber Security, can be very challenging for those who are either brand new to the industry
or those starting to gain experience in the field. The challenge is not necessarily a lack of available
information; it is that there can be implied knowledge, and the advice usually is not easily adjustable
for situations different from the writer's. With this eBook my goal is to provide a foundational way of
objectively looking at the industry and the ways that I approach career progression.

This eBook will cover a variety of topics critical to the Cyber Security field to include:

• Certifications (Microsoft, Cisco, GIAC, CompTIA…)

• Education (college, vocational training, online training…)

• Building a Home Lab

• Soft Skills (communication, project planning…)

• Job Descriptions (Blue Team and Red Team)

• Career Roadmap

• Final Wrap Up

If you have any questions, send me a message on social media found on my website
(https://www.jongood.com/). You should also consider signing up for an All-Access Membership to my
website where you can ask questions in the forums.



Certifications
What is a certification for Cyber Security? Unlike professions such as Engineering, Accounting, and
Medicine…Cyber Security does not have a Professional Certification or Professional License requirement
in order to become employed in the industry. Instead, we have certifications on many different skills,
and each can be beneficial given the right job.

I would highly encourage you to watch my video on entry Cyber Security certifications
(https://www.jongood.com/top-5-entry-level-cyber-security-certifications-and-bonus-advice/) where I
will walk you through the best options to help get you into a Cyber Security job. Additionally, I have
provided below a short summary of the major certification providers, including when you should
consider looking at each.

Remember, the hardest certification is not always the best or most valuable when it comes to getting a
job.

Suggested Resources:

• CompTIA Roadmap: https://www.comptia.org/content/it-careers-path-roadmap/cybersecurity-specialist

• DoD 8140 Mandate: https://www.sans.org/dodd-8140/

Vendors
CompTIA (https://www.comptia.org/):

CompTIA is known as the entry level certification vendor of choice. They provide certifications on a
variety of different skillsets from repair technician (A+), to networking (Network+), to security
(Security+). The certifications from CompTIA are vendor neutral, meaning they focus on the concepts
but not necessarily the technology.

eLearnSecurity (https://www.elearnsecurity.com/):

Primarily focused on penetration testing certifications, eLearnSecurity uses practical exams to make sure
you can walk-the-walk and create a final report to show your findings. eLearnSecurity is less known
when compared to other vendors but there is value to be had here.

GIAC (https://www.giac.org/):

GIAC has certifications covering just about anything you can think of, such as reverse engineering,
incident response, and penetration testing. These certifications are highly sought after, but without the
SANS training, you shouldn’t even look at these. (See SANS)



ISACA (https://www.isaca.org/):

ISACA focuses on global adoption for the audit, governance, risk, and privacy areas of Cyber Security.
The CISA and CISM are two widely known certifications produced by ISACA, but all of these have an
experience requirement more suited to 3+ years into your career.

ISC2 (https://www.isc2.org/):

ISC2 (ISC squared) is best known for their CISSP certification, which is the “gold standard” when it
comes to Information Security & Cyber Security certifications. This vendor is not necessarily as useful for
those trying to break into the field from zero knowledge because most of their certifications require at
least a few years of experience. Don’t get me wrong though, most if not everybody should be aiming for
the CISSP later in their career.

Offensive Security (https://www.offensive-security.com/):

Offensive Security is known for their penetration testing certifications. There is an extensive lab
environment, where you can break into simulated systems and hone your ethical hacking skills. The
courses and exams are challenging but if you really want to be a penetration tester, you need to get at
least the OSCP to have some real credibility.

SANS (https://www.sans.org/):

SANS offers the highest quality training available for Cyber Security. Typically, the best value comes from
going to a physical conference to not only learn but also to network with highly motivated professionals
and experts in the field. The course material is developed to prepare you for the GIAC certification exam,
but don’t kid yourself…these courses are quite expensive. I wouldn’t look at these until you have at least
a few years of experience, or if your employer is willing to foot the bill.



Education
Within the last ten years, the number of college and university Cyber Security programs offered has
increased dramatically. Prior to that you typically had the option of getting a Computer Science degree
or going straight for certifications. The National Security Agency (NSA) came up with a program several
years ago called the National Centers of Academic Excellence
(https://www.nsa.gov/resources/students-educators/centers-academic-excellence/) to develop curriculum
for Cyber Defense and Cyber Operations. I would highly encourage you to research these schools and be
careful if you decide to go with somebody else.

With degrees, you are basically going to find three different categories of programs: certification-based,
technical, and non-technical.

Certification-Based:

The major players in this type of degree are Western Governors University (https://www.wgu.edu/) and
SANS (https://www.sans.edu/academics/degrees/msise). The general idea is that all your coursework is
based around certifications. When it comes down to it, the major benefit for this type of program is cost
savings. With WGU, they have a large student population so you can benefit from all those students
going through the program. With SANS on the other hand, you can have some additional networking
opportunities and frankly you get the best certifications possible. Keep in mind though that the SANS
program is significantly more expensive. The final point with this program type is that all these
certifications can be achieved without going through these programs.

Technical:

The technical programs that exist are generally from more traditional universities and colleges. From the
variety that I have seen, the programs are typically linked to the Computer Science or Engineering
schools and have some sort of programming requirement. If you are looking into a master’s degree
program, this can be challenging if you do not have a technical undergraduate degree because you are
likely to need additional classes to qualify.

Non-Technical:

“Non-technical” programs honestly could range in a variety of topics that could also include technical
components. Expect to learn about policy and there is a good chance you will be geared for a more
managerial or governance risk and compliance role. These programs can link to Business, Engineering,
Computer Science, Computer Information Systems, or really any other school.



Certifications vs Degrees
This really depends a lot on you. Obvious factors include ability to focus, cost, time commitment and
many others. People have been successful going either way. Ultimately, if you go for a degree then you
MUST get certifications because it’s a natural part of our industry. If you go for certifications, you don’t
necessarily need a degree. If you already have a degree (in anything), you might only need to get
certifications. In a perfect world you would have a Cyber Security degree and certifications, but the most
important thing is that you keep learning and pushing forward.

Building a Home Lab


In Cyber Security, some of the tools that we use can be extremely dangerous to a company’s network if
we do not know what we are doing. Some types of testing we might do are even illegal to perform
without written permission from somebody in authority. For those reasons, a home lab is an essential
component of improving your Cyber Security skills.

Computer
When it comes to computers, there are so many different options that will work.

Desktop vs Laptop
The first decision you will need to make is based on form factor and mobility. If you decide you want a
laptop either for class or to be mobile in general, then you will have to buy from a vendor (Apple, Microsoft,
Dell, etc.). Both choices have their pros and cons, for example desktop components can be upgraded
very easily.

Build vs Prebuilt
The second decision you will have to make is if you want to build your own computer (you assemble the
parts) or buy a prebuilt computer (Apple, Microsoft, Dell, etc.). This really depends on how much time
you have on your hands and your experience level. Building a computer takes research and making sure
all the parts are compatible, which frankly for a beginner or new person to technology jobs can cause
frustration and potentially not be worth it. On the other hand, if you build a computer correctly then
you can get a lot more bang for your buck. A website extremely helpful in picking parts is PCPartPicker
(https://pcpartpicker.com/).

Components
CPU Processor

I would highly recommend you go with at least a Quad-Core processor. You do not necessarily need the
latest and greatest but if you want to run several virtual machines at once (and you probably will), then
anything less will cause performance issues for you.



RAM

These days 16GB of RAM is common among all computers. Similar to the recommendation for processor,
more RAM is always better. Each virtual machine you run will most likely perform best if it has 4-8GB
of RAM, especially if it is a Windows virtual machine, as they tend to be resource hogs. If you get a
laptop, 16GB is probably going to be the most common option; however, with desktops you could
get 32GB or 64GB easily.

Internal Storage

For internal storage (hard drive), you want to try at all costs to get a solid-state drive for the
performance and reliability that they provide. I would recommend at least 500GB but 1TB provides
more room for storing virtual machines, files, and anything else you want to store.

Operating System

If you choose Windows, I highly recommend getting the professional version for additional features not
found in the other versions. Other than Windows, you have the option of Mac OS or any version of
Linux. I typically do not recommend using Linux as your main operating system, especially for beginners,
because most tasks are going to require a good amount of tinkering (leave that to virtual machines and
avoid the frustration).

Other Components

Everything else is personal preference, such as graphics cards, screen size, etc. and will not have much of
an impact on the Cyber Security aspects.

Virtualization Software
Today, we no longer need racks and racks of equipment in our home lab to perform experiments.
Virtualization allows us to create networks and perform testing in a controlled environment that we own
and destroy without fear of legal jeopardy. When it comes to Virtualization software, there are three
main players that you can decide from:

VirtualBox (https://www.virtualbox.org/)

VirtualBox is developed by Oracle and is a very well-known and free virtualization software.

Hyper-V (https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/)

Hyper-V is the virtualization software from Microsoft. If you are using Windows 10 Professional, you can
enable the software using Microsoft’s instructions to deploy virtual machines.

VMware Workstation Player

VMware is the third virtualization software choice. All the virtualization software options generally
function the same; however, if you are getting prebuilt virtual machines from somebody then they will
typically have fewer issues with VMware. I personally prefer the Professional version because you get a
lot more features and customizability.

Soft Skills
When it comes to soft skills for Cyber Security careers, or even for technology jobs in general, there are
many different areas you want to improve. This list is not going to cover all the soft skills required but
this list is extremely important for you to develop.

Problem Solving

When it comes to technology related jobs, one of our primary purposes is to solve problems. In Cyber
Security specifically, you will start to realize that many ideal security solutions can cause significant
roadblocks for the business if implemented to the extreme. If people come to you with a request that
has security issues, it’s important that you analyze the situation and if it’s legitimate for the business we
need to try to find the path to “YES.”

Creativity

Along with problem solving, sometimes we need to get creative with solutions and think outside of the
box. Perhaps another software solution does the same thing but is more secure, or maybe there is a way
to automate things securely? Don’t be afraid to experiment and think outside of the box because after
all, that is what attackers are doing.

Teamwork

Face it, you are going to be working on teams in Cyber Security. Whether that means your department
team or a team with other areas of the business, you must be capable of working together.

Communication

With teamwork comes the need to be able to communicate effectively both verbally and in writing. Cyber
Security deals with a lot of documentation so being able to clearly put words on paper will help in
reports, procedure documentation, and frequent email communication. Cyber Security also must
interact with auditors and employees of all levels, therefore speaking ability is extremely important. I’m
not saying you must be as captivating as Steve Jobs, but you should be able to explain things verbally.
One last point that is frequently lost in communication is that you need to cater your communication to
the audience. If you are speaking to executives, don’t start telling them about the methods within your
code because you will lose them quickly.

Flexibility

Priorities are always changing because technology and the business are always evolving. Although it can
be easy to get caught up in a routine of doing things a certain way, you should understand that the only
thing guaranteed is change. The business, technology, compliance requirements and legal requirements
are some of the things that can drive change and you need to be flexible.



Job Descriptions
This list is not going to encompass all the potential jobs that exist, but these are the most likely roles
that you could find yourself performing when you first get into Cyber Security. I also want to make the
point that many companies will use these titles interchangeably (possibly even incorrectly), so you must
read the job description and ask questions to determine the real responsibilities.

Blue Team (Defensive)


Risk & Compliance Analyst

This role is heavily focused on making sure the company is compliant. Of the roles listed in this section,
the Risk & Compliance Analyst role will have the most amount of documentation requirements.
Depending on the industry, the documentation requirements will vary but expect highly regulated
environments to have plenty of documentation. Also, this role is typically not as hands-on with
technology and relies on subject matter experts and process audits.

Security Analyst

As a Security Analyst you should expect to deal heavily with log analysis of various tools. This could
include SIEM (Security Information and Event Management) tools and vulnerability management tools
to name a few. You will find that a lot of Security Analysts work in Security Operation Centers (SOC) and
depending on the industry/company you would find yourself working on shifts.

Security Administrator

It is possible that a Security Administrator role could have analyst or engineer duties as well, however
typically administrators will administer various applications and make sure they function correctly. You
could configure vulnerability management tools to configure scans or configure some type of reporting
and alerting capabilities.

Security Engineer

A Security Engineer is typically the person who will configure new systems and possibly develop the
architecture. This position requires the ability to determine requirements and understand how all the
components work together.

Red Team (Offensive)


Penetration Tester

Penetration Testers (Pen testers, Ethical Hackers, Red Teamers, etc.) are the people who test the security
of a company. Depending on the engagement rules, this role typically is imitating an attacker to
determine vulnerabilities that exist. Typically, these roles work for consulting companies, but their work
can be exciting.



Career Roadmap
Essentially there are three types of people trying to break into Cyber Security careers:

• Currently in College for IT or Cyber Security Degree

• Not interested in College or Changing Careers

• Currently working in IT but not Cyber

Regardless of which type that you associate with, the advice below will still be consistent. One possible
scenario that might come up is your college degree plan requires certifications earlier than listed below,
in which case you should adjust accordingly. Another example is if you already have a certain level of
knowledge, then you could expedite the program.

All the time periods given below are the estimated time it will take you to complete that section. For
example, the first section will take approximately 6 months in total to complete both the Network+ and
Security+ certifications.

~6 months

This year is all about building up a solid foundation of knowledge and skills. These certification exams
can be expensive so starting out you want to pace yourself, especially as you become comfortable with
studying for the exams. My advice is to start out with conceptual certifications because as you start
mixing in technology, things can get exponentially more complex and confusing without a foundation.

• Objectives:
o Learn concepts and begin reading news about the industry
o Do not be afraid to download virtual machines and just break things…be curious
• Potential Certifications:
1. CompTIA: Network+
2. CompTIA: Security+

9-12 months

This step is a continuation of the first step where we are trying to build a more solid foundation.
Networking is the backbone of Information Technology and Security so having strong knowledge is
important. Linux is in this step because many security tools and server operations tend to be in the Linux
or Unix environments so it’s a must.

• Objectives:
o Continue to build your knowledge base
o Consider learning scripting in Bash and a programming language like Python
• Potential Certifications:
1. Cisco CCNA
2. CompTIA: Linux+



12 months

With everybody trying to move to the cloud, now is the time to start looking at cloud certifications to
make sure you stay relevant. If you are currently employed and looking to go into Cyber Security in your
company, you should go for the vendor that the company uses. Otherwise the vendor doesn’t matter
too much, but ideally you want a really strong foundation in the technology.

• Objectives:
o Aggressively learn about the cloud and how to secure it
o Continue to improve your scripting and programming skills
• Potential Certifications (pick one vendor and do all):
1. Amazon AWS Cloud Practitioner
2. Amazon AWS Solutions Architect Associate
3. Amazon AWS Security Specialty

OR

1. Microsoft Certified: Azure Fundamentals
2. Microsoft Certified: Azure Administrator Associate
3. Microsoft Certified: Azure Security Engineer Associate

Unlimited+ Months

The reason we have focused so much on foundational knowledge such as Networking and Cloud is
because the greatest number of jobs will always be on the defensive side. Getting your first job in
Security will probably be one of the most challenging and frustrating things about the industry, however
once you get that first job things become easier to navigate.

At this point you have a solid amount of knowledge on the core technologies that are going to be used
in any company and a fantastic resume if you haven’t already landed a job.

Now you should begin to research other subjects in Cyber Security to not only expand your knowledge,
but also to see if something interests you enough to specialize. Those who can specialize and become
experts in a certain area can make A LOT of money, but they can also have a lot of choice about where
they work.

Objectives: Explore and find a specialization

Potential Certifications: TBD based on specialization, but at minimum aim for ISC2 CISSP (at around 4
years of experience)



Final Thoughts
Cyber Security is an exciting field to work in and it has way more jobs than there are professionals to fill
them. With new regulations and compliance requirements being enforced every year, you can expect
the demand to only be increasing. Don’t kid yourself, you will need to work to improve your skills if you
want to get the six-figure salaries, but there are a lot of them out there for you to achieve.

I want to truly thank you for taking the time to read through this eBook and consider the advice I have
provided. The goal of this eBook is to help give you a foundation for breaking into Cyber Security instead
of giving you exact suggestions that are likely to change every year.

Feel free to reach out to me as we all continue this journey through the Cyber Security industry and help
companies strive for truly secure networks!

Sincerely,

Jon Good
