You've got your Security+. Now what?

2023-02-26 12:55:17

On /r/comptia and Discord, there are a lot of people hoping to break into cybersecurity. They get their Security+ (because CompTIA's marketing promises a lot of jobs), but... then what?

Here's something I told someone on Discord the other day.

CompTIA will have a big list of options in their marketing fluff, but as I said, I personally don't believe Sec+ preps you for any particular roles.

That doesn't mean it's not valuable! Quite the opposite! Having passed Sec+ means you bring fundamental InfoSec knowledge to any role you'll work in, be that user support, systems administration, network operations, DevOps, IAM, risk management, or whatever.

Career-wise, it makes sense to define short- and long-term goals for yourself. Investigate what different jobs in your local marketplace mean and what the work involved actually is, and check their requirements.

${Deity}, I'm saying the things I hated hearing twenty years ago, but here we are.

Next to those goals, also investigate the options available to you in your local marketplace. Also take stock of your current set of experience and skills. This information will help you figure out what kind of tools are at your disposal to meet your goals.

For example, say that your long-term goal is to have a hardcore technical role in cyber security. Like pen-tester maybe, DevSecOps engineer or cloud security engineer.

From that you would start figuring out which of those roles sound best to you and figure out what you need to learn to get there. This will help you define short-term goals... milestones, if you will.

For example, if you already have some prior IT experience and you've dabbled with programming and Linux, then you could aim for junior DevOps or sysadmin roles for the short term. If you've already done a lot of TryHackMe or HackTheBox, then a junior pentesting role, or junior DevSecOps.

Now, if you have zero IT experience, then you're going to have to take a different route. One option is to start way lower on the IT ladder, like IT support. Another option is to go for a soft-skills based role! Like user awareness training, or risk management.

Here's a very long Reddit thread about why it's hard to break into InfoSec right from the start.

Which reminds me of a solid tip: check your local market for MSSPs: managed security service providers. They are often in a position to train juniors with little IT experience into the job. They need warm bodies to take care of the low-level work influx and can help you build experience and knowledge on the job.

