It is not easy for new graduates, especially those without any IT work experience, to get their first job in cybersecurity because more than any other area of IT, cybersecurity, even for entry-level positions, requires an extremely high level of knowledge mastery on the part of the candidate. A graduate familiar with the basics of networking can easily get a position as a junior network engineer, but to succeed in the field of cybersecurity requires not only the proprietary basics of cybersecurity, but also a basic understanding of virtually all the facilities and technologies in the ICT environment – after all, a person who is not able to understand the way these ICT facilities and technologies work is not able to protect them at all. We here focus on sharing some of my personal insights and providing some advice to beginners and enthusiasts who are thinking of pursuing a career in cybersecurity to help them stand a chance of getting their first job in the industry. Cybersecurity analysts are often the starting point for cybersecurity career advancement, so let’s talk about the needs around this position.

1. Obtain basic knowledge and skills

Knowledge and skills is always the cornerstone of getting a technical job, and whether it’s through a university degree or professional training, entering the cybersecurity industry involves proving to an employer that you are sufficiently knowledgeable to do what the organisation needs for the role. Here I’ve summarised some of the essential knowledge and skills to satisfy a cyber security analyst.

a. ICT Basic Knowledge

As mentioned earlier, cyber security is fundamentally about securing an organisation’s ICT assets against breaches, so understanding and familiarity with the IT infrastructure is a prerequisite to accomplishing this, which includes operating systems, networks, AD domains, Cloud (AWS/Azure), virtualisation, etc. Understanding how they work makes it easier to understand the attacks and protections against these technologies, and to spot “anomalies” in their routine work so that suspicious behaviour can be detected and responded with appropriate measures. It is worth to know that since most of the time security analysts use logs to understand what is happening in their environments, it is obviously important to understand and analyse their logs in addition to understanding how these technologies work, especially security-related logs (e.g., Windows Security logs and Sysmon logs). Additionally, as there are times in the workplace when it is necessary to write scripts to complete automation in order to increase efficiency and reduce the pain that repetitive tasks bring to analysts, being able to write scripting programs in simple languages such as bash, Python, and PowerShell is also indispensable.

b. Security Controls Knowledge

Security controls refer broadly to all the protective measures that organisations take to protect ICT assets, whether technical (e.g. firewalls, group policies, DLP, EDR, etc.) or non-technical (e.g. processes, security auditing), physical (e.g. perimeter fencing, CCTV) or non-physical, they are all included. Understanding how security controls work, the types of threats they can defend against, how they are deployed and maintained, and having experience on configuring policies/rules and reviewing logs are all important.

c. Knowledge of Task Procedure and Tools

Analysts are generally required to perform specific tasks in the Security Operations Center (SOC), so it is also necessary to understand the basic objectives of these tasks, the workflow, the way they work with other roles or teams, and the tools and technical approaches used. I’ll write a separate article about the different functions and tasks in the SOC, while the technical tools are basically inseparable from the basic ICT tools and the various types of security controls.

d. Knowledge of Attacks and Adversaries

If you want to defend against a real threat adversary, it is not enough to know the theories only, but to have a basic understanding of the TTPs (tactics, techniques, procedures) that they actually use, in order to know how to formulate a strategy to prevent them before an incident occurs, and how to handle and respond to a security incident after an incident occurs. Threat profiles, threat modelling, and basic hacking techniques are also necessary for security analysts.

e. Soft Skills

As security analysts often need to work collaboratively with others within the cyber security department (e.g., people in other functions) as well as externally (e.g., users, IT departments, management), teamwork and communication skills (written and verbal) are very important in addition to technical knowledge and skills, especially when working with people from different professional backgrounds, where communication tends to be more prone to. Therefore, choosing the right way of expression and technique is an indispensable skill in this industry.

2. Know Incident Investigation Methodology

Monitoring and investigating threats in ICT environments is one of the most important daily tasks of a security analyst. When an alert is encountered, it plays a decisive role-having to have a clear idea of how to start the investigation, what logs and information to check, where and how to get the basic information needed for the investigation, and how to make quick, accurate, and efficient judgements based on what is known. Understanding threat attack methods and principles, understanding the steps of the Cyber Kill Chain, familiarity with the ATT&CK framework and common TTPs, familiarity with ICT environments and network security control tools, and familiarity with the ISO27001 framework and the organisation’s security policy are all helpful in incident investigation.

3. Find Out What You’re Good At

Although the basic tasks of a cybersecurity analyst are the same, the areas of strengths and future career paths are different for each individual due to their different educational backgrounds, experiences, and personal interests. For example, analysts with more cloud experience have a deeper understanding of the underlying workings of the cloud, and are better equipped to respond to events in the cloud environment, as well as to assist in the design and development of more sensible security control policies, processes, incident response playbooks, and other cloud security stuff. Finding an area of expertise based on your background and preferences will not only give you extra advantages and compitetiveness when looking for a job, but will also help you in your subsequent career development.

4. Get Certificates and Practical Opportunities

In the first section, we listed some of the essential knowledge and skills of a cybersecurity analyst, and obviously it’s very difficult for any organisation, whether it’s a university or an independent training organisation, to provide all the required knowledge skills a beginner needs (if someone claims to be able to teach you all you need for your job in one go, run away! The guy must be a fraud). Therefore, it is important to have a clear idea of the scope of your knowledge and skills, and you can build on that to fill in the gaps in other ways. I would recommend two ways: industry certificates and practice opportunities.

Let’s start with certificates. I personally like to study knowledge through certifications, even if I don’t intend to take them, I will use their course structure and materials for learning, because these certificates tend to be more structured, the content arrangement is more reasonable, and they will be updated with the development of technology and knowledge of their learning materials. For the learner, it is a convenient and efficient way to learn. For beginners who have an IT knowledge background and want to accumulate knowledge through certificates, I have two suggestions. Firstly, try to give up the traditional exam-oriented learning method if you have enough time, but build up a solid understanding of the knowledge content (I highly recommend using mind maps and skimming notes to help you learn and remember). Secondly, I personally recommend the 1+2+1 model to take certifications, i.e., one core vendor-neutral certificate, two vendor-specified certificates, and one security-specific domain certificate. Core certificates can be selected according to your own knowledge level: Security+ (primary) or CySA+ (intermediate) or other certificates of the same type. For vendor-specified certificates, I recommend you to choose certifications provided by vendors with high market share (such as Cisco, Microsoft, Splunk, Amazon, etc.) At the same time, when choose this type of certification, you should consider in the field that you want to focus on, such as network, cloud, etc.. Special field certificates are those focus on certain types of tasks and provide you additional advantages and future directions to be shown when delivering analyst positions, such as penetration testing, security incident response, and digital forensics.

Let’s move on to practical opportunities. Hands-on opportunities cover a wide range of topics, including internships, cybersecurity projects, CTF competitions, and so on. Sites like tryhackme and hackthebox beginner-friendly, and are a great way to get started and improve your skills in online labs. You don’t need to build your ICT environment from beginning but use what they provide to you directly. Meanwhile, building your own home lab is another way that is the more challenging and complex. Thanks to the large number of open source systems, programs, and tools available, it’s not too hard for a learner who has an IT background. You can deploy systems in your own lab and try to exploit security holes in them to do what you like without any limits (almost!). Last, there’s nothing more effective for getting a job than getting internship experience, as it gives you the opportunity to deal with what actually happens in a real corporate environment, and it’s also a great way to network.

5. Networking

Have to say, taking part in social events is not easy for people as introvertive as me. But from my personal experience, if you know someone in the industry, the success rate of job searching is much higher, so it is very necessary to establish networking with people in the industry. Joining industry associations/organisations (AISA is the first one we recommend in Australia), participating in industry events, establishing good relationships with professors, or keeping stable connection with other security practitioners are all good ways. Not only can they bring you more jobs and internships opportunities, but they can also share their knowledge and skills, help you understand current industry trends, or answer your questions, and you can learn things from them that you never learn from universities.