How To Successfully Break Into Cybersecurity: There Are 3 Main Components of This Approach


How to successfully break into Cybersecurity


You are an experienced IT professional (non-cyber) or a beginner who wants to enter the Cybersecurity field. How can you do it? What should you consider? Is there a best approach, or a set of steps, for this process? In this guide I am going to share an approach you can follow to successfully break into cybersecurity.

By: Chintan Gurjar

There are 3 main components of this approach:

1. Understand the scale of the spectrum

2. Create & meet your requirements/needs

3. Plan & execute it

8 Steps of the Approach

1. Keep doing your current job

2. Research various Cybersecurity domains

3. Refer to the IT to Cyber domain mapping

4. Prepare a study plan

5. Enter the field

6. Find a mentor in Cybersecurity

7. Apply for jobs

8. Congrats! Mission Completed.

Keep doing your current job

It is vital to keep earning from your current job until you have successfully entered the Cybersecurity field with a full-time job. Your family might be dependent on you.

Do not take a break from work for a specific study programme, course, certification or master's degree if you are already working in the non-cyber IT field.

Research various Cybersecurity domains

Refer to SANS CISO mind map. https://www.sans.org/posters/ciso-mind-map-and-vulnerability-management-maturity-model/

Understand how many different fields there are within security.

Take each bullet point from that PDF and Google it. Ask yourself the questions below:

1. What is that domain?

2. What kinds of roles do companies offer in that domain?

3. What tools/commercial solutions do people use?

4. What daily routines do people have in that job role?

5. Is it demanding or not?

6. Which reputable organizations provide certifications in that domain?

7. Look at the course syllabus of that cert to understand what it covers.

8. Does that appeal to you?

9. Which roles can you start with in that domain as a beginner, and how far can you progress?

10. What will be the future of that domain?


Refer IT to Cyber domain mapping

Refer to the IT to Cyber domain/role mapping table at the end of this guide.

Understand what your position is: which IT field you are currently working in.

Understand which options/areas you could start your Cybersecurity journey with.

If you are an absolute beginner with no IT experience, you can select any field you are interested in. Otherwise, you may select domains that are closest to your current IT role, or something completely different if you are willing to learn new things from scratch. Either approach works here.

Prepare a study plan

Identify what learning options you have. There are various learning options for any IT or Cyber field, and each has pros and cons, which I have outlined below.

1. Read a book – Time-consuming, but it can give you a very granular, basic-to-advanced understanding of each topic.

2. Study a complete course on YouTube – Depending on the channel creator and their views and opinions, the study approach can vary. The number of topics covered and the depth of the content may also vary. So you will need to do a lot of research before selecting any particular course on YouTube, even though they are free.

3. Go for a certification and read the official certification materials – Some people cannot stay motivated without a goal or challenge. Hence, they go for paid certifications: once they have spent money, they have to study and pass the exam within a limited timeframe. This keeps them motivated and focused on achieving the goal. Some reputed certification authorities are ISC2, eLearnSecurity, SANS/GIAC, Offensive Security, CompTIA, ISACA and Mile2.

4. Study a complete course on Pluralsight/Udemy/Coursera/O'Reilly – These are some popular portals for studying an entire course on any security domain. Trainers on these platforms are generally well experienced, and the portal owners also review course content. Ensure you check the ratings of a course before you select it and start.

5. Freeform but well-structured self-study via Google & YouTube – Many times, you cannot or do not want to spend money on material, since it can be found via Google. So you can follow this approach. Before starting self-study, all you need to do is select a particular field. Find a well-known book on Amazon that has good ratings and is no more than about 6 years old. Find the table of contents of that book. E.g., you found a book on Amazon.com: refer to its table of contents to see everything it is going to teach. Then Google each topic, read, and study. Watch practical/theory explanation videos on YouTube. Prepare your notes.

Prepare a plan that works best for you. Things to consider:

1. Time management for work-life balance

2. Time allocation for your job, social life, and learning security using the options above (prepare a daily and weekly schedule, and set targets)

Go for a certification after your preparation. It is vital to have relevant certifications to get through interviews.

Enter the field

Do company research before applying for a job.

I believe the points below are the most common factors one should consider before selecting a company or applying for a role. No company will ever fulfil all of these needs, so you will need to prioritize a minimum of 2 and a maximum of 3 areas to assess in your next company. If those top 2 or 3 needs are met, you can select that company.

1. Location

2. Flexibility

3. Daily routine/Job duties

4. Types of services they offer


5. Type of company (Small, Big, Product based, Consulting based, Research-based, etc.)

6. Type of industry they serve (Banking/Financial, Retail, Gaming, Healthcare, etc.)

7. Boss/Senior management

8. Money

9. Learning opportunities

Create a killer LinkedIn profile (So many guidelines out there on YouTube and Google)

Add more security connections to your LinkedIn.

Volunteer in any cybersecurity conference.

Join a cybersecurity working group (LinkedIn).

Start a blog or YouTube channel.

Guest on a podcast.

Join a cybersecurity meetup or club in your local town.

Find a mentor in Cybersecurity

Finding the right mentor is a challenging task, especially for beginners in the security field. There are DOs and DON'Ts to consider before selecting the right mentor for yourself:

1. Don't be attracted by the number of certifications a mentor has

2. Don't select a mentor just based on their online presence/appearance or how famous they are in the industry

3. Don't select a mentor just based on their total years of experience

4. Don't select a mentor just based on their super technical hacking skills

5. Don't select a mentor just based on the number of achievements they possess

6. Select a mentor who is down to earth and willing to learn from you as well while coaching you

7. Select a mentor who not only solves your technical queries but also gives you a clear vision/direction of what you need to do to become XYZ in the next 2-5 years and beyond.

8. Select a mentor who regularly contributes and gives back to the community

9. Select a mentor with the right attitude, not only the right knowledge

10. Give time to your research: talk to them regularly, and talk to many people regularly, before you select someone as your mentor

11. Most notably, ensure that all or the majority of the points in the above list give a green signal before selecting your mentor, and don't evaluate anyone based on just one or a few DOs or DON'Ts. Remember, no one is perfect in this world.

Apply for jobs

If you are an experienced IT professional, you will need to tweak your resume so that it reads more like a cybersecurity resume than just an IT one.

If you are a beginner, you will need to create a professional resume to apply for a job. There are plenty of cybersecurity resume templates on Google which you can refer to.

If you have no professional experience in IT or Cybersecurity, you can add below things in your resume as a beginner:

1. Volunteering experience for any cybersecurity conference

2. Security certifications

3. Open-source contribution (Any tool created/contributed)

4. Any talk given at a conference

Select any portal to apply for jobs, but do not forget to use LinkedIn for the same. In my view, LinkedIn Jobs is the best compared to other specific job-hunting portals.
You can contact specific cybersecurity recruitment companies who fill positions for big companies.

You can add cybersecurity-specific HR contacts and recruiters on LinkedIn to build relationships and ask them to take an interest in your profile.

Prepare for interviews based on the job description. Whatever roles/responsibilities are mentioned in the JD, you will most likely be asked questions from those areas, plus the things you have mentioned in your resume.

Congratulations! Mission Completed.

It is not over yet. You have just entered the cybersecurity world. There are things you will need to keep doing to survive and grow.

1. Learn more things – Learn those things in your company which you cannot simply learn from Google and YouTube. E.g., one can learn how to hack a website sitting at home, but cannot learn how to design a new secure architecture for an application developed within a DevSecOps project, based on that company's infrastructure. That is real experience.

2. Advancing to management – See what else you would need to learn, apart from technical skills, to advance your career to the management level. Learn more of the soft skills of business and management. Learn how to deal with people, process and technology problems.

3. Know your competition – Competition is everywhere; it is a good way to keep yourself motivated and to learn the things that others in your network are learning.

4. Know the market – Understand how the Cybersecurity market is shifting; know the new vendors coming into the market and the products they launch to tackle large enterprise problems. Understand what problems are being discussed in the community through conference panel discussions, YouTube podcasts, or other sources. Understand what the market looked like when you started your career, how rapidly it is changing, and where it is going. From this you can determine your future roles and opportunities and set goals accordingly.

5. Do not get demotivated – Cybersecurity is a very competitive field. You will meet many people who know more than you. Don't get demotivated by that. If they know 2 things and you know 1, and they share 1 extra thing with you, now you both know 2 things. So always keep a positive attitude of learning from them, and don't be demotivated by where you are in your learning.

6. Make StackOverflow & Google your besties – It is not important what you don't know; it is crucial how quickly you can learn. Google and StackOverflow are the best sources for your doubts (tech or non-tech). Keep them at your fingertips. It is ok to ask stupid questions, so keep asking around.

7. Community appearance – You should attend/present at well-known conferences. Start with your local town conferences/meetups. Present on a few topics. Gain confidence in public speaking. Then advance to national-level conferences and then international ones. Meet more people and build relationships.

8. Bad practices in Cybersecurity – Nothing is perfect in this world. Even Cybersecurity has its bad practices, loopholes and cheats. Whatever decision you take, small or big, do all your sanity checks and don't get trapped by any of these.
IT to Cyber domain/role mapping (It is not a 100% mapping of all IT roles to all Cyber roles, just a heads-up)

IT roles: Network Engineer, Network Administrator, Network Architect
Cybersecurity areas to start with:
- Network security
- Firewall, IDS, IPS, proxy
- Filtering
- VPN
- DDoS protection
- CIS benchmarks for networking devices
- Infrastructure VAPT
- Security log management and analysis

IT roles: DevOps, Web Developer, Software Developer, Development Manager, Project Development Manager (Agile/Scrum Master), Project Manager, Database Administrator, Database Engineer, Quality Tester, QA Engineer
Cybersecurity areas to start with:
- Threat modeling
- DevSecOps
- Design review
- Secure coding
- Static analysis
- Bug bounty
- VAPT
- Application security testing (Web, Android, iOS, thick/thin client app testing)
- SAST
- DAST
- WAF
- RASP
- CIS benchmarks for anything in application security

IT roles: Windows Administrator, Server Administrator, Linux Administrator, System Administrator, Windows/Linux Engineer, IT Analyst, IT Helpdesk Analyst, Helpdesk Technician, Technical Support Engineer/Specialist, Programmer
Cybersecurity areas to start with:
- Endpoint security
- Anti-virus/anti-malware
- EDR solutions
- HIDS/HIPS
- Application whitelisting
- Patch and image management
- Vulnerability and patch management
- Infrastructure VAPT
- Secure configurations
- CIS benchmarks for OS

IT roles: Auditor, Reviewer, Compliance Manager, Financial Auditor/Reviewer, Legal and Regulatory, and any Senior Leadership role within IT
Cybersecurity areas to start with:
- Compliance (PCI DSS, SOX, HIPAA, NIST, FedRAMP)
- Privacy and GDPR
- ISO, SOC 1, SOC 2 audit and review
- Lawsuit risk
- Risk management
- Security strategies
- Identity and access management
- Business impact analysis
- Vulnerability management
- Risk assessment
- Security awareness
- Vendor risk management
- DR/BCP
- Policies, procedures, frameworks

IT roles: Cloud Architect, Cloud Consultant, Cloud Service Developer, Cloud Administrator, Cloud System Engineer
Cybersecurity areas to start with:
- Cloud infrastructure security
- Cloud penetration testing
- Cloud security architecture
- Cloud security monitoring and detection
- Cloud automation in DevSecOps
- Containers & Kubernetes security

IT roles: Incident Manager, Incident Handler, Investigation Specialist/Officer, Crisis Management
Cybersecurity areas to start with:
- Incident response
- Breach investigation
- Forensic analysis
- Breach communication
- Crisis management
