When I say "do CI/CD first" I do mean "make a commit and watch it go brrrr". You could build a pipeline yourself if DevOps engineering sounds fun, but my experience with it professionally is "do whatever the DO guys say to make sure your changes reach prod". I dabble in my spare time out of curiosity and because I like punishment, lol.

I took a nonstandard path into infosec - I never actually went to school for it because it just wasn't taught where I went at the time. I learned by reading a lot and testing what I read against my own (and sometimes not my own) machines, and my previous employment gave me a solid foundation since all of my professional skills were transferable. I was a dev for 2 years and a security-focused business system analyst for 6 years before getting my first job in infosec, and I'm 100% sure I passed my CISSP solely on dumb luck because I just "picked what made sense to me." I never took Sec+, Net+, OSCP, etc... certification because by the time I found out those certs existed I was already a CISSP and working to shore up my blue team weaknesses (blue team = "don't hack me bro", red team = "IT'S PWNIN' TIME". There's also purple team where you do both, I see this being the future of the craft much like how development and operations have pretty much merged).

I definitely recommend reading up about cybersecurity topics - maybe even take a Udemy or Coursera course or two on the fundamentals. Even if you get an entry level role I have no doubt you'd be able to ramp up quickly. You DO need to understand networking concepts, so that might be new, but it's seriously not THAT in-depth and you can skirt by initially with the basics (know how networks work, and be able to both capture a packet and read a PCAP file) and pick up more as you grow into the field.

You'll need to pick up soft skills to help you frame technical concepts into terms laypeople can understand for your reports, which can be a challenge at first, but you get the hang of it after doing it a while. As long as you're on a decent team any weaknesses you have can be covered by an ally - DO NOT BE AFRAID TO ASK FOR HELP WHEN YOU DON'T KNOW SOMETHING!

I do need to be transparent - my skills are more on the security management side (I could talk for HOURS about security risk) and most of the roles I've seen advertised (including the one I just left) are for security operations center staff. Hopefully another security professional here more skilled than I can chime in to keep me humble and honest!

If you're interested, (ISC)2 has a "Certified in Cybersecurity" certification intended for people new to the industry. I'd take a look at the exam material for that and see if it interests you. You may be tempted to jump for CISSP, CISM, a GIAC cert, etc... Save those for later in your career when you KNOW you're ready (also I dunno about CISM but CISSP requires at least 5 verified years of professional security work and the endorsement of another CISSP. I don't think the GIAC certs are as strict but they're WAY more expensive). They're NOT easy, and there's a real risk you'll end up like me if you successfully take the shortcut, a CISSP that excels at the really hard stuff but has no interest in/sucks at the grunt work.

If you can get a mentor for cybersecurity that would be a huge plus - not just for helping you find a job in the industry but it REALLY helps fight off the inevitable imposter syndrome (I have met exactly ONE security professional in my entire career that didn't deal with imposter syndrome at some point in their career. That one guy has a higher IQ than my car has horsepower). Hope this helps!