Cybersecurity pros are in high demand, but you don’t necessarily need to drop everything and go back to school to become one. Here's how one system administrator developed his own personal online night school curriculum to gain the expertise for a successful security career.

by Jessica Davis
Date Published July 6, 2021 - Last Updated December 16, 2021

If you are looking to take your IT career in a new direction where there's loads of demand, there are several interesting subspecialities, and the pay continues to increase, a career in cybersecurity is a sound bet.

It's impossible to ignore all the high-profile attacks -- from the SolarWinds supply chain attack impacting multiple government agencies, to the more recent spate of ransomware attacks against gas pipeline company Colonial Pipeline and meat producer JBS. The move to work from home and to accelerate digital transformations has only increased the alert level and the demand for cybersecurity pros.

"In cybersecurity right now there's a significant shortage of candidates," said Ariel Weintrab, chief information security officer at Mass Mutual. Her cybersecurity team is hiring from general IT pros and "recruiting from a wide variety of educational backgrounds," not just technology. Her organization is looking for problem solvers with intellectual creativity.

But if you just show up at the hiring office with your liberal arts degree or your cybersecurity certification, how do you stand out from the crowd of other applicants interested in cybersecurity? And if you are already a seasoned pro in IT, how do you establish your expertise in cybersecurity so that you can make that career change? Do you need to go back to school? Is a bootcamp-type of course right for you? Or can you learn what you need to learn on a shoestring budget via online courses and books?

InformationWeek recently spoke to an enterprising young cybersecurity pro who took the latter path, and he shared some details about his less-than-traditional entry into the field and the lessons that other aspiring cybersecurity pros can learn from his journey.

Logan Flook has just accepted and is starting a new job as a Security Analyst ll, specializing in Threat and Vulnerability Management with SMC Corp. The new position for him is the culmination of several years of work by the Air Force veteran.

Flook served as a system administrator in the Air Force for close to three years, but was discharged after an injury. Cybersecurity had been his career goal from the start of his military career, and during his separation from the Air Force in 2019 he launched a search for a job in that field. The problem was that employers didn't want to hire someone who didn't already have cybersecurity experience and training. Flook parlayed his sysadmin skills, which included some VMware work, into a VMware admin job with Booz Allen Hamilton.

Meanwhile, at home, Flook was coming up with his own self-driven education plan to get the skills for a cybersecurity career. He analyzed all his notes from his unsuccessful cybersecurity job applications to determine which skills employers wanted. He decided to dedicate every evening from 7 pm to 10 pm to an independent study of cybersecurity that included books, online courses, and guidance from other cybersecurity pros he met on cybersecurity-focused Discord servers.

"I was the most annoying person on those servers," he said. "I'd ask people how did you learn what you know? How could a person do that on a low budget? The community was very supportive."

Flook connected with a few individuals who became friends and provided him with ongoing guidance. One of them "has turned into my toughest mentor. He is my compass on cybersecurity. He's the most supportive person I know," Flook said.

He has posted many of his training recommendations on his LinkedIn profile posts. For offensive cybersecurity his top three training recommendations are eLearnSecurity Junior Penetration Tester (eJPT) certification ("very entry level but so good at teaching what you need to know. I failed it the first time I tried."), the book Hacking: The Art of Exploitation, and SANS Network Penetration Testing and Ethical Hacking.

In October 2020, Flook was promoted into his first cybersecurity job -- another position at Booz Allen. After participating in an incident response at Booz Allen (that turned out to be a false alarm), Flook decided to pursue more training in that area, which he found fascinating.

"We spent 9 hours one night doing incident response on what we thought was a breach," he said. "Those 9 hours completely changed what I wanted to do."

For incident response, Flook recommends eLearnSecurity's offerings for the blue side of the house. He also recommends RangeForce's offerings, which incorporate training and exercises. For a book he recommends the Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder.

Flook said he likes to alternate his training from books to courses to labs/hands-on experiences.

"When my mental hard drive is full from labs, I can relax and read a bit. It's helpful to break up the training," he said.

For those who want to start in cybersecurity -- and many people message him on LinkedIn looking for advice about where to start -- he advises to start with what is free. RangeForce has 20 completely free labs, he said, and they are coming out with a knowledge base with free material, too.

"Once you are finished with what is free, move on to what your wallet can handle," he said.

Here's another pro tip from Flook: You can look at the curriculum of expensive online courses, and then look for the same curriculum offered in inexpensive or free courses.

Flook's experience shows that not everyone needs to get a degree in computer science to pursue a career in it. It does take determination, however. There's a quote, whose origin he doesn't remember, but he uses it to guide him though.

"You need to stop asking yourself what you need to do to become successful and start asking yourself how much you can endure to be successful," he said.

This article first appeared in InformationWeek .

Jessica Davis is senior editor for InformationWeek.

Tag(s): supportworld, service quality, service management, security management, training


More from Jessica Davis