Cybersecurity pros are in high demand. Here’s how one system administrator developed his own personal online night school curriculum to gain the expertise for a successful security career.
If you are looking to take your IT career in a new direction where there’s loads of demand, there are several interesting subspecialities, and the pay continues to increase, a career in cybersecurity can’t be beat right now.
It’s impossible to ignore all the high-profile attacks — from the SolarWinds supply chain attack impacting multiple government agencies, to the more recent spate of ransomware attacks against gas pipeline company Colonial Pipeline and meat producer JBS, to name a few. The move to work from home and to accelerate digital transformations has only increased the alert level and the demand for cybersecurity pros.
“In cybersecurity right now there’s a significant shortage of candidates,” said Ariel Weintraub, chief information security officer at MassMutual. Her cybersecurity team is hiring from general IT pros and also “recruiting from a wide variety of educational backgrounds,” not just technology. Her organization is looking for problem solvers with intellectual creativity.
But if you just show up at the hiring office with your liberal arts degree or your cybersecurity certification, how do you stand out from the crowd of other applicants interested in cybersecurity? And if you are already a seasoned pro in IT, how do you establish your expertise in cybersecurity so that you can make that career change?
InformationWeek recently spoke to an enterprising young cybersecurity pro who took the latter path, and he shared some details about his less-than-traditional entry into the field and the lessons that other aspiring cybersecurity pros can learn from his journey.
Logan Flook has just accepted a new job as a Security Analyst II specializing in Threat and Vulnerability Management with SMC Corp. The new position is the culmination of several years of work by the Air Force veteran.
Flook served as a system administrator in the Air Force for nearly 3 years but was discharged after an injury. Cybersecurity had been his career goal from the start of his military career, and during his separation from the Air Force in 2019 he launched a search for a job in that field. But employers didn’t want to hire someone who didn’t already have cybersecurity experience and training. Flook parlayed his sysadmin skills, which included some VMware work, into a VMware admin job with Booz Allen Hamilton.
Meanwhile, at home, Flook was coming up with his own self-driven education plan to get the skills for a cybersecurity career. He analyzed all his notes from his unsuccessful cybersecurity job applications to determine which skills employers wanted. He decided to dedicate every evening from 7 pm to 10 pm to an independent study of cybersecurity that included books, online courses, and guidance from other cybersecurity pros he met on cybersecurity-focused Discord servers.
“I was the most annoying person on those servers,” he said. “I’d ask people how did you learn what you know? How could a person do that on a low budget? The community was very supportive.” Flook connected with a few individuals who became friends and provided him with ongoing guidance.
One of them “has turned into my toughest mentor. He is my compass on cybersecurity. He’s the most supportive person I know,” Flook said.
He would spend 3 hours a night on those courses and books, after he and his wife put the kids to bed. He has shared many of his training recommendations in posts on his LinkedIn profile.
For offensive cybersecurity his top three training recommendations are eLearnSecurity Junior Penetration Tester (eJPT) certification (“very entry level but so good at teaching what you need to know. I failed it the first time I tried.”), the book Hacking: The Art of Exploitation, and SANS Network Penetration Testing and Ethical Hacking.
In October 2020, Flook was promoted into his first cybersecurity job — another position at Booz Allen. After participating in an incident response at Booz Allen (that turned out to be a false alarm), Flook decided to pursue more training in that area, which he found fascinating.
“We spent 9 hours one night doing incident response on what we thought was a breach,” he said. “Those 9 hours completely changed what I wanted to do.”
For incident response, Flook recommends eLearnSecurity’s offerings for the blue side of the house. He also recommends RangeForce’s offerings, which incorporate training and exercises. For a book he recommends the Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder.
“You need to stop asking yourself what you need to do to become successful and start asking yourself how much you can endure to be successful,” he said.