How to Build a Cybersecurity Career


Original title: How to Build a Cybersecurity Career

Guidelines for building a successful career in the field of information security

by Daniel Miessler, in Information Security

Created / updated: December 17, 2019

I’ve been doing information security (now many people call it cybersecurity) for about 20 years, and I’ve spent most of that time writing about it. As a result, I get a lot of emails asking the following question:

What should I do to get into the field of information security?

So this article is my answer to that question, putting all aspects of it in one place. It will take you from complete novice to your first job, and then to the top of the industry.

I break it down into the following parts.

Let’s start.


Information security is an advanced subject, which means you’d ideally be proficient in some other technical field before entering it. It’s not required, but it’s common and ideal. Information security people usually come from three areas:

  1. System administration
  2. Networking
  3. Development

These are sorted by the most common entry point, not the best. The best is development, then system administration, then networking.

But suppose you don’t have a background in any of these areas; then you need to start from scratch. There are three main ways to do that:

  • University
  • Technical school
  • Certifications

I suggest a four-year degree in computer science, computer information systems, or information technology at a decent university. But while you do that, you also need to do all the other things in this article.


What you learn in college depends on the course content, your interactions with others, and the knowledge you can pick up from many different places. Hanging out with a bunch of smart people and building things is the real benefit of college.

There are many people who went to university for CS or security but never succeeded in this industry. There are many people who never went to university and reached the highest level. University is not everything.

If you can’t go to college, you need another way to study, for example a technical college or certifications. Any of the above is fine as long as you have the curiosity and self-discipline to finish the work you start.

Here is the domain knowledge you need to acquire from university, technical college, or self-study and certifications:

  1. Networking (TCP/IP, switching, routing, protocols, etc.)
  2. System administration (Windows, Linux, Active Directory, hardening, etc.)
  3. Programming (programming concepts, scripting, object-oriented basics)

Databases belong here too, mixed in with system administration and programming.

If you don’t have a good foundation in all three areas, and ideally real strength in one of them, it’s hard to make progress in the early stages of your information security career. The key point is that there should be no major holes in your game, and weakness in any of these areas is a major hole.

I’ll talk more about certifications later, but the reason I mention them here is that you can use certification study books as a learning guide. They’re good at showing you the basics. Here are some examples:

  • A+
  • Security+
  • Linux+
  • Cisco CCNA

There are many great books (search for the best one) that can quickly show you the basics of a topic. They’re a great way to make sure there’s no significant gap in your knowledge.


Programming deserves its own mention. If you don’t develop your programming skills, your information security career will be severely limited.

See here for the differences between programmer types.

You don’t need to be a programmer to get a job. You can even get a good job. You can even be promoted into management. But if you can’t build things, you’ll never reach the elite level of infosec. Websites. Tools. Proofs of concept. And so on.

If you can’t code, you will always rely on those who can.

Learn to code.

Input Sources

For any infosec professional, one of the most important things is a good set of inputs for news, articles, tools, etc.

Traditionally this is done through a prioritized list of news sources, depending on the type of security the individual works in. Some websites focus on network security, application security, OPSEC, OSINT, government security and so on.

However, Twitter is gradually replacing those sites. The main reason is freshness: Twitter is real-time, which gives it an advantage over traditional sources.

Twitter allows you to create (and subscribe to) lists. If your user name is @DanielMiessler, you can append /lists/<list name> and see the tweets of everyone on the list.

My suggestion is to use two main sources:

  1. Twitter
  2. RSS feed

Follow people on Twitter who expose you to new ways of thinking, new ways of learning and new knowledge. Find all their sources and track them in your RSS reader. I recommend Feedly for RSS.

Build your lab

It is essential to have a lab. In fact, that’s one of the first questions I ask in an interview. I ask what kind of lab or network they play with, and if they say they don’t have one, I thank them for their time.

The lab is where you study. The lab is where you run projects. The lab is where you grow.

There are several options for the lab setup.

  1. VMware (or similar) on a laptop or desktop
  2. VMware (or similar) on a laptop or desktop, plus a server
  3. Real servers running VMware (or similar)
  4. Online VPS systems (EC2, Linode, DigitalOcean, Lightsail, etc.)

If you have the money, I recommend a combination of 3 and 4, with 3 first. Here are some things you should do in such a lab:

  • Build an Active Directory forest for your home
  • Run your own DNS from Active Directory
  • Run your own DHCP server from Active Directory
  • Have multiple zones in the network, including a DMZ if services are to be exposed to the outside
  • Upgrade to a real firewall as soon as possible. I recommend Sophos’ firewall (formerly Astaro) because I have used it since it came out, but there are other good iptables and PF options. Doing so will require you to understand routing and NAT, as well as various basics that are really critical to moving up.
  • Stand up a website on Windows/IIS
  • Stand up a website on Linux/PHP
  • Blog on Linux/WordPress
  • Keep a Kali Linux install ready
  • Create an OpenBSD box and use djbdns to run a DNS server
  • Set up a proxy server
  • Build and run your own VPN on a VPS
  • Build and configure an e-mail server that can send e-mail to the Internet using postfix, qmail or sendmail (I recommend postfix)

I used some terms above that you may need to look up. Think of it as an exercise!

These are the most basic. In the past few years, most people who are seriously interested in infosec have worked through lists like this dozens or hundreds of times.

The advantage of the lab is that you now have a place to experiment. You hear something in your news feed, you can jump into your lab, spin up a box, and mess around. For a growing infosec person, this is priceless.

Now that you have this list, you can start focusing on your own projects.

You are your project

This is where book knowledge stops and creativity begins. You should be working on projects all the time.

As a beginner, or even as a senior practitioner, nobody should ask what you are working on and hear you say “nothing”. Unless, of course, you are taking a break in between.

Projects often intersect with programming. The idea is that you come up with a tool or utility that might be useful to people, and then you build it.

When you are learning, don’t worry too much that someone has already done it. Creating is fun and you want to get used to the excitement of taking code from concept to completion.

The key skills you need to develop are identifying problems in the current way of doing things and then 1) proposing solutions and 2) building tools that solve those problems.

Projects show that you can actually apply knowledge rather than just collect it.

Don’t think about how many projects you have. If you do, it’s artificial. Instead, just focus on interesting security problems and let ideas and projects come naturally.

In the world of writing, one of the biggest rules is “show, don’t tell”. Projects are showing, knowledge gathering is telling, and showing is far more convincing.

Practice with Bounties

Now that you have a lab, some solid skills, and you’ve been working on some projects, you may want to try some bug bounties.

The point is to get real experience quickly, which is the first requirement of anyone who wants to hire you. So, in addition to coding experience (from your projects), you can also get testing experience through bounties.

There are two main platforms for bounties: Bugcrowd and HackerOne. There are many more, but these programs are the most mature.

The process is that you register on the website, find a program you are interested in hunting bugs in, and then jump right in. Keep the following points in mind:

  • Read the rules and restrictions associated with each program carefully. You don’t want to get into conflict with the platform or the customer.
  • There are many types of bounty programs. Some pay money, with vetting and more intense competition, while others are more about karma, or points, which is a better practice opportunity for beginners.
  • I highly recommend Jason Haddix’s web bounty content; learning from him is the fastest way to find bugs.

The world is quite nuanced, with many rules and unique rituals that you should learn. So be respectful of that; you will be more efficient and will not step on anyone’s toes.

Whether it’s programming on GitHub or doing bounties, the goal is to gain professional experience before you get a job, or in the field you want. It’s a way of showing, not telling.

Having an active GitHub and some solid bugs in your bounty record is a way to separate you from those who are still pure theorists, and it can easily help you get your first position or find a new position in an area you haven’t established yourself in yet.


Well, now that you’ve completed some projects, it’s time for people to get to know them through your brand platform. Yes, you should have a brand. It can be low-key if you want, and the industry is full of too much conceit, but you really need a platform to spread your work.

If you’re an introvert and/or you think it’s bragging to talk about anything you do, stop. In this industry, that mindset doesn’t help you. To get to the top, you need to learn how to sell yourself and your work.

Introversion and (false?) humility will not do. Do good work, and be willing to talk about it. But from the perspective of sharing and cooperation, not arrogance.


First you need a website. Some people call it a blog. It doesn’t matter. The point is that you need a place to present yourself. You should have an about page, some good contact information, a list of your projects, etc. And if you blog, that’s where it happens.

Understand that your domain name and your website are the center of your identity, so ideally you will have a good domain name that will last. Your own name would be ideal, but many people can’t get it because their names are quite common. There are other options, but be careful. You want this domain name to remain unchanged until you die, or are raptured, or upload to the collective.

I’m talking about choosing something good. This is your brand, and your brand is very important.

You should blog and host all your projects on your own website and syndicate elsewhere.

Avoid writing too much in other places, such as Medium or Blogger. Never write anything on Facebook, except random thoughts or interactions. If you create something interesting on a platform that’s not your domain, make it a complete piece and bring it back to your own website.


The same goes for Twitter. The ideal account is your name, but if you can’t get it, choose a good alternative. Again, it’s permanent personal infrastructure, so don’t set it to @l33th4x0rs97. As you get older, its charm will get smaller and smaller.

Once you have a good setup, a lot of people will pay attention to you. There are many lists in infosec of people to follow. Use one of them to start and adjust from there.

Participate in the conversation. Don’t force it. Don’t overextend when you don’t have the knowledge. But if you have something to add, contribute. You have three followers and they have 10,000; it doesn’t matter. Twitter is a meritocracy. If it isn’t, pretend it is.

A good way to start is to retweet content from other people you like. As you become more capable of adding value yourself, you can start to alternate between retweets and your own original content.

Don’t take it too seriously. Many of the top security people on Twitter spend 90% of their time chatting. Others publish only original content. Be yourself and it will work out. If not, and you think you’ve done everything wrong, don’t worry. Stick with it. You’ll be fine.

Social media

There’s a lot of other social media. The other one you should care about is LinkedIn. Have a profile. Work at it. Keep it up to date. Connect only with people you know or at least have interacted with. Connecting with everyone waters down the connection between you and others.

It’s easy to overdo social media. Resist. Stick to your website and Twitter, plus some LinkedIn. I basically stay off Facebook, but that’s my personal preference.

Remember that everything starts with your website. Create content there and push it out through Twitter, Facebook, LinkedIn and any other channel you use.

About Certifications

I get a lot of questions about infosec certifications. Too many. They come in two forms:

  1. Are infosec certifications really worth it?
  2. Which ones should I get?

Good news: I have the answer.

Yes, certifications have value. So does a college degree. So does experience. Others think so, too.

Things have value when others value them.

Certifications have no inherent value. They are worth as much as people think they are worth. If the employers where you are looking for a job ask for them, they are important. If the place where you’re looking for a job doesn’t care about them at all, they have no value there. It’s that simple.

But for beginners, yes, they are important.

What Kind of Certification

Let’s do it by level:

Beginner certifications

If you are just starting out, I suggest you obtain the following certifications:

  1. A+
  2. Network+
  3. Linux+
  4. Security+

No, I don’t work for CompTIA. But thanks for asking.

To be clear, I’m not saying these certifications carry great value in themselves for most beginners; their value is in the learning.

As I mentioned in the education section, certifications have good learning materials. If you get these four, you will have a fairly good understanding of the basics.

Advanced Certifications

I like to explain infosec certifications like this: you need your CISSP, you should get an audit certification (CISA/CISM), and you should get a technical certification (SANS). So:

  1. CISSP applies to anyone who wants to work in security
  2. CISA/CISM is for all-round security people who want to become managers
  3. SANS is for technical people (GSEC/GPEN/GWAPT)
  4. OSCP is for penetration testers

Once you have four years of information security experience, you should get your CISSP. It is the closest thing our industry has to a standard baseline. In many organizations it’s actually valued above a computer science degree (because many people didn’t learn anything in college).

Next comes the audit space, which is a key part of infosec. Get your CISA or CISM.

Finally, you want one or more technical certifications. I suggest starting with GSEC, which is very comprehensive. From there you can go into GCIA or GPEN or GWAPT according to your preference. But even if you only get GSEC, it’s a great way to round out your food groups.

OSCP and CREST are the most respected certifications for core penetration testers, so if that is your interest, be sure to start thinking about them.

Then there’s CEH. Sometimes people ask about it, so you might as well just have it. But don’t brag about it, especially around experienced security people.

Networking with others

Remember that you can perform many of these steps at the same time.

Well, now we have some education, we have a lab, we are doing some projects, our website and Twitter are up, and we are ready.


Now you need to talk to some people. Again, you can and should be doing this all along, but if you haven’t, it’s definitely time.

Pay attention to who comes to your website. Follow interesting interactions on Twitter. Reach out to those people. Start conversations. Go where they go and talk with them in person. Go to Vegas for Black Hat and DEF CON week. There are a lot of infosec people hanging out there.

Find a mentor

This part could almost be its own article, but I will put it here. Find someone whose style you like and ask them to mentor you. Email them. Call them. But do your research in advance. Be sure to finish this article first.

To get the best response from potential mentors, make it clear in the first interaction that you have already put in the effort.

Make it as easy as possible for them to help you, and you won’t be turned away. One of the things I see in infosec is that people are very willing to help those who are eager to work and are just starting out.

Offer to intern

Offer to intern with someone. Take the initiative to do their dirty work. Write scripts for them. Edit their blog posts. Help them filter data. These things may help, and may directly lead to future interviews or other kinds of introductions.


Conferences are a way to do a few things in the industry:

  1. See what new research is being done
  2. Connect with other infosec friends who live far away from you
  3. Present your own ideas and research results to others

For 1, you really don’t have to attend the conference. Most talks (especially the very good ones) are available right after, so you can watch them off-site.

However, that doesn’t help with 2. Most infosec veterans who have worked in the field for about 10 years go to conferences to visit their friends. The talks are basically a setting for doing so, not the center, especially because they can watch the talks online.

But for novices, attending talks on-site is a valuable way to understand infosec culture. I suggest you consider the following:

If you’re just starting, you should definitely go to DEF CON at least once. At this point it’s basically a parody of itself, but that’s just because it’s become so popular. It’s a victim of its own success.

Before DEF CON every year is Black Hat, which is more corporate (and more costly), but still respectable for newcomers.

Every year, veterans increasingly avoid these and turn to smaller conferences with an old-school feel: higher quality talks, a smaller venue for closer discussion with other attendees, and, well, just fewer people.

These include:

  • DerbyCon
  • ShmooCon
  • ThotCon
  • CactusCon
  • HouSecCon

… and others.

My favorite type of conference is the single-track conference that is more like TED, focusing on ideas rather than just new ways to break things. Of course, we need to break things, but we also need to hear more about the overall concepts and how to actually solve the problem.

For example, I’m crazy about Enigma. In my opinion, the single-track model is the way to go.

In addition to these traditional conferences, you should also sign up with your local OWASP chapter. Start by attending the meetings, put your heart and soul into it, and then offer to help. When you’re ready, ask to give a talk.

You want to do the same for BSides in your region. Basically, BSides is an alternative to the major conference in any particular area. The biggest one is in Las Vegas, alongside Black Hat / DEF CON.

Bottom line:

  1. Start locally, get involved and give your own talk as soon as you’re ready
  2. If you’ve never been to a conference before, you should do DEF CON at least once
  3. Smaller but popular conferences like DerbyCon and ShmooCon are generally considered “better” by most people at this point, but it’s a sliding scale over time based on popularity and exclusivity
  4. Keep in mind that the main benefits of cons are networking and meeting friends in an infosec environment


Another good way to advance your career is to use your skills to help out on a variety of projects.

This is usually done with your programming skills. The key is to find something that fits your interests and work. You don’t want to force this step, or any of them. Do what’s natural.

A good way to start is to simply notice whether there are outstanding bugs or problems with tools you use and like. Contact the creator of the tool and ask if you can help.

GitHub is a good fit for this type of interaction, because pull requests let you fix something that they can bring into the project if they want.

Hey, I love this project. I have a solution to this problem. Can I code up my solution and send you a pull request?

99% of project leaders will jump at this, and will probably mention you in their credits.

  • It’s good practice for you
  • It helps improve the tool
  • You help the project leader
  • You get your name out as an active programmer

Even if you don’t help technically, there are many ways to help a project. You can help organize input, write documentation, publicize the project, etc. Find what you care about and help them do it better.

Don’t chase honor or recognition. Focus on the output and let everything else happen.

Responding to CFPs

Closely related to mastering the conference scene is speaking at those conferences. To do that, you have to be familiar with the call for papers (CFP) game.

If you visit any conference website, you will probably see a link for speakers or the CFP, where you can find out how to submit. You can also subscribe to conference mailing lists and receive notifications as soon as the CFP opens.

Basically, talks, good talks, with good speakers, are the lifeblood of any good event. So every year, a few months before the event, conferences open their CFP, or call for papers, which is how people submit talks for consideration.

It’s called a paper because the whole concept comes from academia. There, a group of doctoral or graduate students submit actual academic papers (such as to the Peruvian Butterfly Mating Seminar) to a specialized conference. These academic papers are very specialized and have many citations, and are unlikely to arouse the interest of anyone outside their narrow field.

Information security borrowed this concept, but the rules are much looser. First, in most cases people don’t submit academic-style papers. They are talks. Presentations. Slides, really.

Here’s what you need to submit:

  1. A great title: There are a lot of talks at a conference, and it’s hard to get people’s attention. So you need a punchy title. Something simple and descriptive. I recently gave a friend the example “From WTF to CTF: how to become an information security force of nature in less than two years”, which might bring some people into the room.
  2. A decent abstract: The abstract (also from academia) is where you give a basic summary of what you are going to talk about. You need to really nail this, because it’s where the review board decides whether to accept you or not. Depending on the conference, this should be 1-5 paragraphs. Cover the basic concept, or in other words, give the kind of description people will certainly want. Be sure to mention whether there are demos or handouts. I love those.
  3. A deeper description: some conferences ask you for a more detailed description of your presentation. What the sections are. What the presentation covers. If you’re submitting to a conference that needs it, you should have it, but in most cases you can get through with a decent descriptive abstract.
  4. Your bio: You always need a bio. You should have one on hand. See the speaker bundle section below. You may want to have two bios available. A really formal, serious one about your own work, with a lot of references. And maybe a more interesting and relaxed one for more technical or hacker conferences.
  5. A headshot: you usually need a photo of yourself to send with the talk. Be sure to have a few, so you can tailor them to the type of talk you give. RSA or some government conferences may call for a different photo than DEF CON or ShmooCon.

The Speaker Bundle

I recommend that you create a speaker bundle that includes all of the following:

  • bio
  • headshot
  • talks (one entry for each)
    • title
    • abstract
    • description

Store these files somewhere so that you can quickly copy and paste them into CFP forms for various conferences as needed. It’s really bad to miss a CFP because you aren’t organized enough to respond fast.

Get these things ready. Conferences are held throughout the year, which means that once you’re in, you’re likely to submit at least a few proposals every quarter.

Find your first job

As I said in this piece, a strange thing has happened to jobs in information security / cybersecurity. Employers think there are no candidates, and people who want to enter the field think there are no jobs. They are both right.

But it turns out there is a very simple explanation for this contradiction.

Entry level jobs don’t exist in cybersecurity.

To be useful to a team, you have to be productive on day one, which requires a combination of the following three things:

  1. A degree in computer science and/or information security.
  2. A good set of certifications showing knowledge comparable to a degree.
  3. Actual, tangible project work that shows what you can really do and what you will be asked to do.

For most of you reading this article, #1 is not your current option (otherwise you would already have a position). So you probably need a combination of 2 and 3.

See the certification section of this article for more on certifications.

In practice, you need a blog, a GitHub account, a Twitter account, and most importantly, you need to find or create projects you care about and write code around them.

Here is an example of one of my projects, which someone could do with minimal programming skills.

You don’t have to be a full-stack developer, but you need to be able to program. You have to be able to create things. Maybe it’s workflow automation. Maybe it’s creating a new tool. Maybe it’s improving an obsolete tool.

Anyway, just go out and create.

Understand the Job

The next thing you need to do is prove that you are actually good at what you might be asked to do. Based on nearly 20 years of industry experience, some of those tasks are listed below.

  • Manage security devices/services: one of the first things you will need to do is manage security devices or cloud services, such as firewalls, IPS, etc. Understand what it does. Know how to configure it (you will have to read the manual and watch the videos). Centralize the logging. Configure reports that show the value of the purchase.
  • Answer security questionnaires: This is something every security team has to do, and it’s usually a dirty job requiring a lot of technical knowledge, experience and, well, creativity. If you can help the team in this area, you have earned a place on the team.
  • Conduct product evaluations: Management often asks the team to implement X type of protection, whether it is endpoint defense, cloud WAF, deception technology, AI SOC augmentation, etc. You need to be able to find the best vendors, set up a rating system, evaluate, and then write a proposal for management based on your research and evaluation results.

See this paper for more details about this key skill.

  • Quick scripting: many times on a team, you need to pull data from somewhere, do something with it, and then turn the results into a narrative. Data constantly needs to be pulled, processed and presented. Mastering this skill will give you a great advantage.
  • Perform security assessments: for various reasons, you will often be asked to evaluate the security of a website, a company you are about to acquire, or anything else. As the expert, you need to be able to make a very quick assessment.

It’s a short list and I’ll keep adding to it as I think of more. But I find it interesting that it shows why there are no junior cybersecurity positions. All of these require a lot of education, training, experience, intelligence, or some combination of those.

If you can show in the interview that you can do these things, you are more likely to be hired.

One thing they all have in common is strong writing ability.
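The "quick scripting" loop above (pull data, process it, turn it into a narrative) in working form, as an added example that is not code from the original article. It parses a constructed sample of firewall log lines in a hypothetical key=value syslog format (not any vendor's real format), counts denied connections per source and port, flags sources that probed several ports, and renders the numbers as report-ready sentences, the kind of "show the value of the purchase" summary the firewall bullet asks for.

```python
"""Quick-scripting example: pull log data, process it, present it as prose.

The log lines below are constructed for this example and follow a
hypothetical firewall syslog format; they are not real device output.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: one morning of events from a hypothetical firewall "fw01".
SAMPLE_LOG = """\
2019-12-17T08:01:12Z fw01 action=DENY src=198.51.100.23 dst=192.0.2.10 dport=22 proto=tcp
2019-12-17T08:01:13Z fw01 action=DENY src=198.51.100.23 dst=192.0.2.10 dport=23 proto=tcp
2019-12-17T08:01:15Z fw01 action=DENY src=198.51.100.23 dst=192.0.2.10 dport=3389 proto=tcp
2019-12-17T08:02:40Z fw01 action=ALLOW src=192.0.2.55 dst=192.0.2.10 dport=443 proto=tcp
2019-12-17T09:15:02Z fw01 action=DENY src=203.0.113.9 dst=192.0.2.10 dport=445 proto=tcp
2019-12-17T09:15:02Z fw01 action=DENY src=203.0.113.9 dst=192.0.2.11 dport=445 proto=tcp
2019-12-17T10:30:00Z fw01 this line is malformed and should be skipped
2019-12-17T11:00:00Z fw01 action=ALLOW src=192.0.2.56 dst=192.0.2.10 dport=443 proto=tcp
2019-12-17T11:00:01Z fw01 action=DENY src=198.51.100.23 dst=192.0.2.11 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Extract: turn raw lines into dicts, skipping anything that doesn't parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # real logs always contain junk; never let it crash the script
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def _ports_by_source(denies):
    """Map each denied source address to the set of destination ports it hit."""
    by_src = {}
    for e in denies:
        by_src.setdefault(e["src"], set()).add(e["dport"])
    return by_src


def summarize(events):
    """Process: the counts that answer the questions management actually asks."""
    denies = [e for e in events if e["action"] == "DENY"]
    return {
        "total": len(events),
        "denied": len(denies),
        "allowed": len(events) - len(denies),
        "top_sources": Counter(e["src"] for e in denies).most_common(3),
        "top_ports": Counter(e["dport"] for e in denies).most_common(3),
        # a source denied on 3+ distinct ports looks like a scan rather than a typo
        "scanners": sorted(
            src for src, ports in _ports_by_source(denies).items() if len(ports) >= 3
        ),
    }


def narrative(summary):
    """Present: the numbers as a few sentences you can paste into a report."""
    pct = 100.0 * summary["denied"] / summary["total"] if summary["total"] else 0.0
    lines = [
        f"The firewall processed {summary['total']} connection events, "
        f"blocking {summary['denied']} ({pct:.0f}%)."
    ]
    if summary["top_sources"]:
        src, n = summary["top_sources"][0]
        lines.append(f"The most active blocked source was {src} with {n} denied attempts.")
    if summary["scanners"]:
        lines.append(
            "Sources probing three or more ports (likely scanning): "
            + ", ".join(summary["scanners"]) + "."
        )
    return " ".join(lines)


def report(text):
    """The whole loop in one call: extract, process, present."""
    return narrative(summarize(parse_log(text)))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```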

Master Professionalism

Well, now we’re getting into the advanced arts. These are the things that take you from the middle of the technical field to the land of masters and leaders.

Professionalism is the packaging you present yourself in. Failing in this area means your content can be world-class and you can still be ignored or overlooked. Here are the basics:

  1. Reliability: Don’t make promises you don’t keep. Don’t miss meetings. Be early, not late. Don’t miss project deadlines. Under-promise, over-deliver.
  2. Wardrobe: buy yourself a decent wardrobe. Put the T-shirt down. Put down the sneakers. Buy some high-quality jeans and black shoes. Buy some decent shirts. Make sure everything fits. Buy a few jackets and wear them with jeans; they’re indices, not multipliers. Finally, have at least one good suit for when you need it.
  3. Be concise and comprehensive: Spoken communication should be clear. Don’t linger on points; make them cleanly so the other person can respond.
  4. Tighten up your writing: learn and implement this.
  5. Learn to present: Public speaking is a beast for many people, but if you can’t do it, your progress will be severely limited. I suggest Toastmasters for those who have major issues in front of people.

These skills magnify everything you do, and there are always people around you who are weak in these areas. Being strong in all of them means you will do well in most situations.

Understand the Business

This is an area where a lot of people (most people?) in technical roles are lacking, and it seriously limits their ability to participate in the conversation.

The basic principle is: for a business, everything comes down to money. Money comes in and money goes out. So all the work you do in risk planning, or vulnerability scanning, or your new zero-day exploit, is far below the focus of the business.

Companies want to quantify risk in order to decide how much money should be spent to mitigate it. You should at least be prepared to consider how much risk exists (in dollars), how much it costs to mitigate it in various ways, and what the remaining risk will be (if any).

It’s very difficult, and you don’t want to do it in a fake, pseudoscientific way. But you need to realize that every security decision is ultimately a business (and therefore financial) decision. Understanding this is a sign of infosec maturity.

Some people accept this at some point and move on, while others simply reject it and spend the rest of their careers struggling against it.

In short, express things with numbers as much as possible, and try to think from the perspective of risk and business impact, rather than specific vulnerabilities and other details.

Having passion

So far we’ve been talking about tangible things. Now let’s talk about another key differentiator, perhaps the most important one, between those who reach the top of this game and those who fade out in the middle.

Curiosity, interest and passion.

90% of success is just showing up, and you’ll need to show up something like 100000 times. Start the virtual machine. Write the proof of concept. Write that blog post. You have to stick with it for a few years.

There are two different ways to get there:

  1. Inhuman self-discipline that makes it possible for you to do this
  2. An innate passion that forces you to do this

Not many people can last very long on the first. It’s hollow. There are people like that, but they often burn out and turn to other things. The best people are compelled.

Most of the people who have worked successfully in infosec for many years are successful because they are driven by an internal core of lava. They couldn’t stop doing security work if they tried.

They stay up late writing tools or blog posts, not because it’s on a schedule, but because they are physically unable to do anything else.

To be clear, people who want to succeed in this information security world should have strong self-discipline. It’s important. It’s worthy of respect. You need a certain amount of it.

But if you really want to thrive without a rigid soul, you should be driven by passion, not discipline.

Become a master


So now you’ve made it. You have a lot of experience, you’re in your 30s, 40s or 50s, and things are going well. What does the top tier look like? What can the best people in the field of information security do that others can’t?

First, they usually have everything we’ve discussed so far. But they have additional dimensions that set them apart. Examples include:

  1. Financial knowledge. The ability to handle budgets, understand venture financing, make purchasing decisions, etc.
  2. Management experience. Managing projects and managing people are two very different things. People at this level are good at both.
  3. Extensive network. People at this level know a very high proportion of the major players in infosec and in business.
  4. Dress. The players sitting at this table have significantly upgraded their wardrobe, manners and etiquette, and enjoy more refined leisure activities such as golf, skiing, rowing and so on.
  5. Higher education. Having a master’s degree is a good idea at this level. It’s not required, but many top jobs do use a college degree as a checkbox.
  6. Media savvy. Trained and able to communicate with the media on a variety of topics.
  7. Technology / business mix. People at this level can walk into the developers’ room and help them, get on the phone with a Fortune 50 customer, report a critical issue to the board of directors, and then be interviewed by the media. Understanding different audiences and their respective needs is the key.
  8. Creative ability. Those who reach this stage come up with new ideas and approaches to solving problems at a regular rhythm. Simply executing on what you’re given is not enough at this level. You have to be creative.

The reverse interview

After seeing and doing a lot in the industry, top security people usually do something else:

They start thinking more about how to change the world than about what the company gives them.

So instead of asking about the 401k, vacation or salary, they are more likely to ask how much support they will get in the organization to do what they think needs to be done. Or they may start to work only where they feel they can have a direct impact on security.

The best candidates are doing the interviewing, not being interviewed.

Basically, after a certain amount of experience and success, a small number of security professionals decide that (almost) nothing a soul-crushing company could offer would make them willing to work there. At that point, they only work where they think it makes sense.

Not everyone reaches this point in their career, and not everyone should. But it’s an important distinction to watch for: are they still trying to get more from the companies they work for, or have they shifted to caring more about their impact on the industry?


I hope these resources help people enter and progress through all levels of the network / information security profession.

It’s a long trip, but it’s worth it.


  1. Be sure to check out Lesley Carhart (@hacks4pancakes). She has an excellent guide to the different career paths you can choose in the field of information security. Highly recommended!
  2. If you have any feedback on how I could improve this, please let me know on Twitter or in the comments below. If you have specific questions about how to navigate the maze, please contact me directly.
  3. Remember, the deeper you go into your career, the less important any education or certification becomes. It all comes down to what you’ve done, and that’s what you should focus on.
  4. Thanks to my friend Jason Haddix for reading this version.
  5. If you want to focus on your influence on the industry, you need a certain degree of confidence and / or influence, which few people have. Otherwise, that person will just feel like a cog that can’t effect change. This is another reason that only experienced and successful people can make this shift: they are the only ones who believe they can make a difference.

About the author

Daniel Miessler is a cybersecurity expert and author of The Real Internet of Things, based in San Francisco, California. He specializes in reconnaissance / intelligence, application and Internet of Things security, and security programming, with 20 years of experience helping companies from early start-ups to global top 100 companies. Daniel currently works for a leading technology company in the Bay Area, leads the OWASP Internet of Things Security Project, and writes about the intersection of security, technology and humans. He also produces the Unsupervised Learning podcast and newsletter.


Defcon: The Defcon geek conference is the world’s top security conference. Founded in 1993, it is known as the “Oscars” of the geek world. It is held in Las Vegas every July with nearly 10000 participants. In addition to geeks, security researchers and enthusiasts from all over the world, attendees include representatives of many large companies around the world, as well as officials from government agencies such as the US Department of Defense, the Federal Bureau of Investigation and the National Security Agency.

Infosec: Infosec is a 100% Thai-owned company and a leading IT security distributor in Thailand. It provides IT security systems for everyone from individual users to small and large enterprises.

This work is licensed under a CC agreement. Reprints must credit the author and link to this article.