A collection of thoughts on security and CTF
While there are fewer resources on breaking into security than there are on breaking into the tech field, the fundamental problem remains the same: If a new student is pointed at a list of resources and told they should be able to teach themselves, no benefit has been provided to anyone.
There are arguments in defense of finding the answers yourself, and that is why Roppers does everything we can to not hold your hand the entire time. However, we point at exactly where your next step in the journey should go and give you the best resources possible. If you want to skip this rant and get directly to my list of things worth doing, click here.
Because reading things makes us feel good and we learn things, if you are going to read anything on starting a career in information security, my recommendation is you read this series of essays by Lesley Carhart. (But don’t read it yet; wait until you finish this article. Please.)
For a fun fact about Roppers Academy, it originally started as a Google Doc named “what jobs can you do” and the first link was the one above. The next step from that Google Doc was deconstructing what Lesley (and all 500 other people who have written one of these articles) recommends. 6 years later, I’ve deconstructed it into a repeatable, self-guided, and most importantly free pathway.
If you want to read a second article, here is one from Daniel Miessler.
Now, reading those feels good, but listen to me: take everything that they say to heart, and don’t look for any more articles on starting an infosec career. When one pops up in your browser, ignore it. When someone posts a list of resources, ignore it. As much fun as they are to read and bookmark, they won’t improve your ability.
What will improve your ability is to follow this path I am about to lay out for you.
For links and more information, check out the Roppers list of things worth doing.
Now you might be thinking… “what about CTFs? Isn’t that this guy’s whole bit?” Well, I’ll be honest here: CTFs won’t get you hired, and you definitely don’t need to do them to be good at security. Sure, the average person who spends their free time on a computer doing CTFs will be more technical than someone who doesn’t spend their weekends in a dark room, just as a function of time put in. CTFs and their contrived problems are far from the most efficient way to learn, but for me and many other CTFers, it’s the most fun way to do it. So no, officially, I do not recommend playing CTFs to get hired. Do it to challenge yourself, do it to make friends, do it because you want to learn, but don’t do it because you think it will help you get a job. Enjoy your weekends, please, you deserve them.
I know this was a bit of a rant, but this is what you need to do. If you do these things, you will be more than qualified for any entry-level job, and you will crush any interview you get.
It’s a lot of work, but you know what to do, you can do it, and I’m here to help.
If you have thoughts, questions, comments, whatever, hit me at d.m.devey@gmail.com or on Slack.
Stay stoked, Dennis