by unixhero 714 days ago
Unless you have broken software and hardware since the 1990s or 1980s, and then gotten a degree in management or engineering, my path is hard to replicate.

But I certainly can offer some advice:

1. Be hardcore and really interested in security. Read everything. Deep diving into networks, software, vulnerability, risk management.

2. Get a CISSP certification, then maybe an ISO 27001 cert and then also something juicy from SANS (I have none of these).

3. Get an AWS or a public cloud of your choice certification.

Also

* CIA triad

* MITRE ATT&CK framework

* CIS controls

* NIST framework

* ISA 62443

* Zero trust framework from NIST

Get work experience, projects, situations, grow and evolve


If you're interested in someone else's take on this: don't get a CISSP, and ISO 27001 is generally something a company gets, not a person.
True, it would be more toward security leadership in things like CISO roles or equivalent.

Yet if one takes them, they will certainly help.

Again, just in case you're interested in a second take on this, no.
Why no? CISSP is often requested on job postings for cybersecurity.
They're disproportionately requirements for the worst, lowest-status jobs in cybersecurity, and many of the best known and "highest placed" practitioners in the industry (not just in vuln research and xdev but also in management) don't have one.
What does "xdev" mean, please?
I am interested in your version of my answer. I don't think picking at elements from my list and just saying "no" is fruitful.
I disagree, and am deliberately not trying to start a protracted debate here. I'm just offering a data point, nothing more.
Well, it seems we have arrived at an impasse.