My advice: Start your own cybersecurity company. No one will hire you for any IT position. So you need to create your own. A niche that isn't being addressed is cybersecurity offerings targeted to small nonprofits. You'd make a killing.
Have you considered getting a job in cybersecurity and getting exposed to a few problems that companies face? You mention you don't want to do a services company, but that might be a good way to learn about common unsolved problems they have too.
Aside from the guidance offered in the other comments, look at working at a cybersecurity vendor where there are multiple tracks. At a big vendor there are the traditional IT security roles for network, endpoint, cloud, GRC, IAM, etc.
But there are also roles in sales, marketing, operations, product management, and administration. All have entry points that do not require cybersecurity expertise. But you can work your way from an entry role in any direction.
54% of 3,175 cybersecurity vendors are still hiring this year.
If you get lucky you may work for a high flying success and participate in their IPO. At any rate it can be a lot of fun.
Good money, yes, but I have engineering, game development, general programming, and audio analysis background. I figure, though, since these are all not very profitable, limited and don't bring as much enthusiasm as I once had for them, that cybersecurity is a realistic role with goals I could strive towards with passion. Currently no workplace I have found has allowed me to do so with good pay, job security and consistent work.
If you are in the US, I would consider moving on to a small company or start-up where you can simultaneously have more impact and learn more. Security is not where you work, it's what you know.
I echo this. I was also interested in cybersecurity through CTFs. I also do a bit of bug bounties in my spare time. But I've sort of come to the conclusion that cybersecurity as a career isn't that great in general; most roles are just administrative or compliance types from what I've seen. But then again I have seen opportunities with sort of smaller boutique security firms that mainly focus on exploit research, but for those it feels like they're looking for more specialist knowledge.
Apart from the fact that it's pretty much impossible to find a job in cybersecurity unless you have some wanky certifications.
When I was younger I tried to break into that world and it was pretty much impossible. Companies I contacted to notify them about their security flaws seldom replied (and when they did, it was never to thank me).
On the other hand, I could always find buyers for exploits in alternative markets, or credit card numbers, or rooted servers.
My moral compass prevented me from going too deep into that stuff, but I know people who ended up setting up DDoS-for-cash services, etc. (and they/we were just kids!)
I get it that you're trying to sell courses here, but come on...
Having spent the last few years in a hybrid role ranging from security practitioner, to curriculum designer, and educator, I'd say that cybersecurity has the luxury of being both a challenging and enjoyable career field.
As far as 'good career choice', I can't accurately respond to that without knowing what a good career looks like for you. That being said, if we use # of openings + starting salary as metrics... it does look like a promising career. CSOOnline predicts 3.5 million unfilled jobs in cyber by 2021 (https://www.csoonline.com/article/3200024/security/cybersecu...).
I'd recommend taking a look at https://www.cyberdegrees.org to figure out what roles interest you and the experience / certifications that will help you get there. Additionally, if you are looking for materials to read/learn/practice hands-on activities in security, I'll share the (constantly growing) list I've curated: https://www.exeltek.net/accesscyber.
Feel free to reach out with any specific questions you might have, and best of luck!
Let me give you some advice, from the perspective of someone who runs a successful security firm.
Have you worked as a consultant at one of the larger firms, like Optiv, Bishop Fox or NCC Group? What professional experience do you have? Have you found serious vulnerabilities and published them? Any bug bounties?
Without a network to draw on it is very difficult to start your own practice. You need referrals, introductions and people to vouch for you. Failing that, you need to be "infosec famous" or very close to it (this is why so many people publish for publicity in the security world).
My recommendation is that you join an established firm if you really have the technical skills. If you've already been at a serious firm for two or three years or so then you'll understand the business processes inherent to running a successful consultancy. Without understanding how that works you won't know how to leverage your skills and turn them into a reliable income on your own.
Forget certifications. You don't need any to be successful if you can just demonstrate the ability to find vulnerabilities. The CISSP (as an example) can be helpful for a certain subset of clientele, but it's not useful enough to pour your energy into instead of e.g. getting CVEs on your résumé and establishing a network.
Can you find every single vulnerability outlined in The Web Application Hacker's Handbook? How about the trickier ones that crop up in Black Hat presentations? It's not enough to be able to find CSRF or XSS in a bug bounty, you need to be reliable, consistent and thorough when working as a consultant. This is one of the reasons bug bounty participants are rarely qualified to join consultancies, even if they find vulnerabilities. They often lack the professional maturity to find more than a certain subset of vulnerabilities.
Your first few clients will be the most difficult. Here is a rough outline of what you can do to get a pipeline of work:
1. Join a reputable security consultancy and develop your skills. Polish them from "I can find vulnerabilities" to "I can model a large software project for design flaws, implementation vulnerabilities and operational vulnerabilities, then thoroughly find everything" (within reason, given a finite testing timeline). Your track record for finding vulnerabilities must go from "more often than not" to "virtually always" for each application put in front of you.
2. Do independent security research. Subscribe to security alerts from large vendors. When a CVE is issued, check it out, try to reproduce the issue and learn from it. Start finding vulnerabilities just like it in widely used software frameworks and libraries. Build up a track record and a personal brand of security formidability.
3. If you have done #1 or #2 already, or once you have, then leave and start your own practice. You won't be allowed to solicit your past employer's clients, but you can leverage your network. Talk to past colleagues and coworkers and put yourself out there. Try to subcontract out to various security firms (it's an open secret that most firms will do this if they have a surplus of work).
4. Aggressively pursue referrals for every single client you work with. Master the business side of running a consultancy. Consultants at large firms don't earn as much as successful independent consultants or founders because their margin is spread thinner. Conversely, your own practice will not have salespeople or account managers. It will be you and you alone.
You must be able to communicate exceptionally well, maintain deadlines on your own, support a plethora of payment methods from clients (checks in mail, third parties, ACH transfers), survive under uncertain payment timelines (large clients love to languish accounts payable forever) and manage all your clients and sales pipelines on your own.
Your technical ability must be exceptional, yet it will only be half of your ability to make a good income. I built what I have now by following my own advice here and reading all of patio11 and tptacek's comments on consulting.
Hi guys, I've been thinking a lot recently about starting my own security/network security business, but I don't know where I should start. Any advice?
Like all things, different niches attract different people. There's a market for cyber security and if you're well-versed and highly qualified, you could certainly make as much, if not more, than a software developer. Of course, we could get into the cynicism of how corporations view cyber security professionals (i.e. as someone to blame when something goes wrong, despite not listening to their cyber security employees because it would hurt their quarterly earnings), but that's tangential.
I didn't -- I actually hit my first cybersecurity company straight out of a math degree. It was a firmware security thing, so I spent a lot of time outside of work learning about Linux, device drivers, etc. and programming. That's to say -- diving in is surely possible. I'm now at my second cybersec company in a totally different part of the field.
Unless you’re going the vulnerability/malware research, reverse engineering, or something equally specialized route, don’t paint yourself into a corner and limit your options with over-specific signaling.
And realize that the above are tough roles to get paid for. There aren’t many of them, and you have to have intense technical skills across many domains to be effective. All things considered, you are unlikely to be able to make as much money as a developer (with just a little business savvy) putting in the same amount of effort.
Don’t get me wrong, I’m still an old hacker at heart and infosec has a lot of amazing aspects of it. It is one of the last holdouts of the old community-driven cultures around computing, but know what you’re getting into with open eyes. Recruiters and businesses have been working hard to commoditize it for years, and will continue to. In addition it’s been a “hot” job track for a while now, similar to “devops” a few years ago, so you’ll find a lot of folks in it without a particular interest or understanding beyond the surface level resume fodder.
Both Cybersecurity and Data Science are niche fields. You cannot go wrong by choosing either.
Regarding Cybersecurity, most companies are realizing the importance of incorporating security during the early phase of the product cycle. Hiring is on an uptrend with regards to security jobs. Having a certification similar to CISSP or CEH will help. Security has many domains; based on your experience you have to specialize in either network, web, systems, IAM, operations, etc. Having experience in one of the languages like Python will definitely help. Good luck with your search.
The best part about running a cybersecurity company: lots of easy, free marketing. It's a really good time to be in the industry. It is unfortunate that people are trusting companies to protect their information and it ends up being really hard to do properly. Every able-bodied security engineer really should get in the game since there's money to be made as well as good to be done.
If it matters, I'm not necessarily looking for an InfoSec job. I'm mostly filling a hole in the rest of my knowledge, but now I realize I could have filled that hole on my own a lot better. I probably wouldn't pass a job up, as my carpentry business hasn't had a customer in months, but that's beside the point.
Cybersecurity is so Wild West right now. Change your LinkedIn. Do some public speaking. Read some blogs and you'll get your foot in the door. Where you go from there is about how well you sell yourself.
Maybe look into translating your skills into an application security discipline. There seems to be a shortage of people with talent and you'd be miles ahead of those who have just a cert or degree with no foundational experience.