I’ve been getting a lot of questions from folks about how to get started in cybersecurity if they have a non-technical background, to include if it is even possible. First, absolutely yes, it is possible. I know many fantastic cybersecurity professionals who in prior lives were English teachers, real estate agents, psychology majors or marketing professionals with little to no technical training. I myself am a History major who rode Main Battle Tanks for a living. In many cases having a non-technical background can actually be an advantage. A growing challenge we are facing in cybersecurity is we have a growing number of highly technical people, but often they don’t have the soft skills needed to interact with people outside their world, such as the ability to communicate to business leaders about the impact their work is having or working with or partnering with other departments throughout their organization.
So, if you don’t need a background in Computer Engineering to be successful in cybersecurity, what do you need? A continuing passion to learn and understand how technology works. Too many people think cybersecurity is all about hacking into or breaking things. Nope. Cybersecurity is all about learning how things work. Once you have a deep understanding of how technology works, the hacking (and defending) easily follows. So, from a technical perspective, your goal is to understand how things work and interact with each other. What is so exciting about this goal is you can learn how many technologies work at home. For example, you can take classes online, build your own lab, or interact with others through the Internet. Ultimately the key is not a technical background, but your willingness and desire to learn how technology works and to never stop playing.
Now, before you jump right in, there are some things to consider. In many ways cybersecurity is similar to the healthcare field, there are so many different paths you can specialize in, from mobile device forensics and incident response to penetration testing, endpoint security or secure code development. Don’t worry at first about what path you want to take, give yourself time to play with and understand all the different technologies. Over time, your interests will guide your path (interject Yoda like voice here). To get started, I recommend you first get an overview of the basics.
- Systems: Learn the basics of administrating a system, including both Linux and Windows. In addition, learn how to administer Linux using the Command Line Interface (CLI) as opposed to the Graphical User Interface (GUI). In addition, learn how to create basic scripts for Linux. Learning how to administer a Linux system from the command line, to include scripting, is an extremely powerful skill that will help you no matter what path you take.
- Applications: Learn how to configure, run and maintain applications, such as a web or DNS server.
- Networking: Learn how a network works, to include capturing and analyzing network traffic. This can be great fun as your home network is most likely already a complex environment with all sorts of devices connected to it.
One of the best ways to learn all of the above is setup your own lab at home. This is quite easy as you can create multiple virtual operating systems on the same physical computer at home, or setup up a lab online through Amazon's AWS. Once you get these systems up and running on your network, start interacting with them and learn everything you can. Have a browser on one computer connect to a webserver you setup on another computer. Capture the network traffic from your house’s thermostat and decode what information you are actually sending to the Internet. The possibilities are endless. However, don't start hacking into and breaking things until you understand the fundamentals of how these technologies work.
The other key element to starting your career is to meet and work with others in cybersecurity. The best way to jump start this is attend a cybersecurity conference (often called ‘con’) near you. Just about every major city has several events a year. One of the best series of cons is Bsides which most likely has an event near you. In addition, many cities have monthly community meet-ups. The hardest part is finding that first event or meet-up. Once you attend one, your network and opportunities will quickly expand. The other option is to join online communities, however I highly recommend you attend an actual event and meet people face-to-face first, its the fastest way to spin-up your connections. Finally if you are a women or US veteran, SANS has an Immersion Academy that can quickly accelerate your training in the cybersecurity field, be sure check out the SANS Immersion Academy site.
Ultimately do not let your education or background determine your success in cybersecurity. Anyone with any background can be successful. No matter what your background is, you bring something unique and special to this field which we desperately need. The key is the passion and desire to learn how technology works and interacts with other technologies, and to never lose that desire to learn. Once you start to develop your technical skills and you begin to develop a network of people, trust me the opportunities will come.