How to Learn Cybersecurity for (Almost) Free
A Focused Plan and Resources for Learning Basic Cybersecurity Pathways
It might not cost much money, but it will cost time and energy. This is critical to understand. Now let’s jump in.
Learning and developing a cybersecurity career in 2024 is a very complex task. I would compare it to the medical field, but without the established career path (undergrad → med school → residency). I am not insinuating that these fields have the same level of difficulty, so drop the pitchforks, everyone. The industries are similar because when someone says they are a “doctor,” often they do not include what they specialize in. When you say you work in “cybersecurity,” you often don’t include your specialty, as most people are already confused after you say cyber, and will just assume you’re a hacker.
Sure, most doctors probably have a similar baseline knowledge, but at some point, they chose to focus on a specialty. In cybersecurity, there’s a decent amount of baseline IT knowledge, such as networking, operating systems, web, and programming, that most expert cybersecurity practitioners will have obtained. In the medical world, you can be an Anesthesiologist, Audiologist, Cardiologist, Surgeon, Neurophysiologist, Clinical Neurologist, Dermatologist, Endocrinologist, or fall under a whole list of other specialties. Well, in cybersecurity, you can be a SOC analyst, security engineer, vulnerability researcher, risk analyst, CISO, or one of many, many other positions. There are also new roles and titles popping up every year. For example, some popular titles in 2024 that didn’t really exist 5 years ago include Detection Engineer, AI security specialist, and Adversary Emulation Engineer. You can see a quick mind map I made below for a list of possible job titles. If you want a really in-depth look, go check out the NICE framework. In my opinion, however, the site is a little confusing to comprehend.

One big difference between the cybersecurity and medical professions is that unlike in medicine, cybersecurity titles can vary greatly for the same role. This is dependent on the size of the organization/team, sector, and sometimes just some random roll of the dice. People could hold the same title but have very different roles and responsibilities across different organizations (for example, “cybersecurity analyst” could mean almost anything). When deciphering what a role really does, it is much more important to look at the job tasks/responsibilities than the position title. The below image is a quick breakdown of the domains/topics that make up what is often simply labeled as “cybersecurity.”
Obviously, that mind map looks like a scrambled mess to anyone who doesn’t work in cybersecurity. I mean there are only 11 domains and over 100 topics, and that graphic has not been updated since 2021! We can probably all agree that’s a bit excessive, and one of the main reasons why it is so daunting for beginners to learn cybersecurity. “Where do I even start?” is a very common and difficult question to answer.
But fear not, if you really want to become a skilled cybersecurity expert, there are actually skills that are more important to have than possessing technical knowledge of all the items seen in the image above. The desire for learning, the ability to analyze and communicate well, and the skill of “googling” will take you so much further than just how much you know. Unfortunately, I cannot teach those traits, especially if we don’t have a close work relationship. But what I can do is provide you with resources and direction when it comes to learning the “cybersecurity” discipline.
A while ago I made a LinkedIn post about how to go about learning cybersecurity fundamentals. It was honestly just a list of the general items and topics that you should know to be a well-rounded cybersecurity practitioner. For some reason, it gained some popularity, so I thought it might be beneficial to actually develop a plan for people to follow when learning cybersecurity. And of course, as any resourceful person can appreciate, what better way to learn than for free on the Internet.
I cannot emphasize this next point enough: this blog will not help you get a job. The purpose of this blog is to help you learn cybersecurity. Getting a job is a whole different story. But in the spirit of being helpful, here are a few great resources that may assist you in landing that first cybersecurity job.
Roppers Academy: The Ropper's Guide to Breaking Into Security
Stefan Waldvogel: The Cybersecurity career and job hunting guide
Lesley Carhart: Starting an InfoSec Career – The Megamix – Chapters 1-3
Daniel Miessler: How To Build a Cybersecurity Career
TCM Security: Soft Skills for the Job Market
Everyone’s journey is unique, and there is no clear path toward a guaranteed job in cybersecurity. But there are a few tips I can share that may make the process a bit easier. I’ll share them, but it’s Michelle Pupoh who wrote them, and I couldn’t have said it better myself. Here are her thoughts:
“You need a clear strategy.
And the determination to stick to it.
Here’s your focus:
• Know Your Target
• Create Your Roadmap
• Stay the Course
• Quality Over Quantity
• Tune Out the Noise
• Measure Your Progress
First, get crystal clear on the specific role you're aiming for. Research the key competencies required for that position. This is your north star. ← Why I shared the list of possible roles in this blog, so you can understand the options
Now, map out the exact skills, knowledge, and certifications you need for that role. This is your personal roadmap to success. ← Why I wrote this blog
Here's the crucial part: once you have your roadmap, stick to it religiously. Don't get distracted by every shiny new training or free lab that pops up. Ask yourself: "Does this directly support my goal?" If not, let it go. ← Shiny new cert/course syndrome is real, don’t commit to too much. It’s better to learn one thing really well, than kind of learn a lot of things
Focus on high-quality, relevant training and hands-on experience that aligns with your target role. It's not about doing everything; it's about doing the right things. ← Why I share training resources below
The cybersecurity field is vast and constantly evolving. There's always something new to learn, but that doesn't mean you need to learn it all right now. Trust your strategy and tune out the noise. ← Take another look at that mind map
Regularly check your progress against your roadmap. This will help you stay motivated and on track. ← It’s useful to write down goals and check them every so often
Remember, success in cybersecurity isn't about knowing everything; it's about being really good at what your chosen role requires. By staying focused and following your strategy, you're setting yourself up for success.
When you complete your roadmap, you'll be well-prepared and confident in your abilities. You'll have the exact skills and knowledge that employers are looking for in that role.
So, keep your eyes on the prize. Trust the process and before you know it, you'll be launching your cybersecurity career with confidence and expertise. Stay focused, stay determined, and success will follow.”
If you follow that advice from Michelle, you will be in a better position than 95% of job seekers. Before I get to the learning paths, I need to throw a reality bomb in. You must know that it’s really hard to get an entry-level job in cybersecurity in 2024. You were lied to about the cybersecurity job shortage. Most of the jobs that are listed are for senior roles, and some others are only posted to make it look like the company is doing well, without any intention to hire. For any legitimate entry role openings, there is extreme competition (1000+ applicants a posting is normal). To make matters worse, the pay is not great for new people. I started at 50k, and according to the below data, that is average, meaning that a good amount of roles make even less. And lastly, you’ll probably feel like quitting at some point. You really will need to enjoy this field to maintain the motivation to push on.
In hopes of not being all doom and gloom, here are my tips to help early-career cybersecurity professionals.
Learn, learn, learn
Your #1 focus should be to continue learning. This field does not reward the stagnant. Learn on the job, learn outside the job, and be willing to do new things to get different experiences. Your first job should not be your dream job; it should be used to learn as much as possible.
Set goals
Without goals, you’ll just float and never get anywhere except by chance. You need to make goals and plans to create the future you want.
Network - LinkedIn, Conferences, Remote Options
Knowing people is the second most important trait to have, besides experience, when looking for a job in cybersecurity. Go find people; the internet has made this much easier. Also, never overlook local events, organizations, and meetups such as BSides, ISSA, and virtual presentations.
Show passion - Projects, CTFs, Labs, NCL, TryHackMe, Hack the Box
Employers love people who are excited about the work. Displaying passion can be a deciding factor in an interview. Also, a great way to accomplish #1.
Utilize resources, student discounts, and anything free first (lots of stuff listed in this blog)
You can read a previous blog post where I explain how I got all my certs and Master's degree for less than the cost of a typical semester of college. Never pay before exhausting all free options.
Be patient and work hard
It took me 5 months after I graduated undergrad to get a job. You may need to be willing to do a job that you don’t necessarily enjoy just to get in the door. It’s so much easier to move roles/companies once you have 2-3 years of experience.
If you want to “future-proof” yourself, learn scripting, quick data/info collection (OSINT, google wizardry - you will always need to learn new things fast), fundamental system admin skills (these will always be useful), critical analysis (think for yourself, don’t repeat what the internet says), and flexibility (your ability to adjust to whatever circumstances or environment you’re working in). These skills seem to always provide value, no matter your role.
Learning Plan
So here is a plan for learning cybersecurity. I have broken down the material into a few pathways. No matter which path you choose, you need to start with the IT Basics and then Cybersecurity Fundamentals. After that, you are free to choose the section (Security Operations, GRC, Security Arch & Engineering) that interests you the most. The PEAL section from the mind map is sort of a catch-all for certifications, degrees, user awareness, legal, product sales, and more. I have some knowledge of that realm but have never worked in it. That pathway is pretty bare because it is not necessarily easy to explain how to learn those items, as the skills could be so different based on the role. Each pathway will include a description, common job titles, standard knowledge or skills needed, my favorite places/sites to learn these items for very low costs, and relevant certifications.
IT Basics
Description:
Not all people hold this opinion, but I do not believe you can learn cybersecurity properly without learning certain IT topics first. Just like you need to understand how Algebra works to learn Calculus, you need to know IT processes to learn cybersecurity. Practically, how could you tell someone how to secure something that you do not understand yourself? It’s not always required, but it will help you not look like a moron if you do manage to get a job and skip over IT knowledge.
Common Job Titles:
IT Helpdesk, IT manager, IT Administrator, Cloud Engineer, Network Administrator, System Administrator
Standard Knowledge, Terms, and Skills:
Networking (TCP/IP, DNS, Ports, Switches), Operating Systems (Windows and Linux), User Directory, CLI, Basic Programming, Web, Cloud (AWS, Azure, GCP), Troubleshooting, Googling, Docker & Virtual Machines
Best Free Places to Learn:
Roppers - Computing Fundamentals
Roppers - Practical Networking
Level Effect - IT Fundamentals
TCM Security - Practical Help Desk
TryHackMe (some courses require membership): Pre Security Pathway
Relevant Certifications:
CompTIA - A+, Network+ | SANS - GFACT | Cisco - CCNA | Microsoft - AZ-900 | AWS - CCP
Cybersecurity Fundamentals
Description:
Now that certain IT knowledge is obtained, let’s jump into securing those assets. Before we can specialize, we need to have a baseline knowledge of cybersecurity terms, topics, and strategies.
Common Job Titles:
N/A to this one, too many options to list everything. Look at the pathways.
Standard Knowledge, Terms, and Skills:
Tools, Firewall/NGFW/Security Appliance, OWASP Top 10, Identity and Access Management (IAM), IDS/IPS, MITRE ATT&CK, Antivirus (AV), Data Loss Prevention (DLP), Zero Trust, Access Control, Least Privilege, Vulnerability Scanning, Malware
Best Free Places to Learn:
Level Effect - Cybersecurity Fundamentals
Roppers - Security Fundamentals
Roppers - Technical Security Fundamentals
Google - Cybersecurity Certificate
Fortinet - Certified Fundamentals Cybersecurity
Relevant Certifications:
CompTIA - Security+ | ISC2 - Certified in Cybersecurity (CC) | Google - Cybersecurity Certificate | SANS - GSEC | Fortinet - Certified Fundamentals Cybersecurity | Microsoft - SC-900 | OffSec - SEC-100
* ISC2 CC (it’s a free exam, but comes with a $50 annual maintenance fee (AMF) to be a part of ISC2)
Security Operations
Description:
These are the roles most people think of when the term “cyber” comes up, the defenders and attackers. These roles are very hands-on and can be super specialized or more general. 90+% of cybersecurity jobs are defensive, so if you need a job, it is very advantageous to plan to start on the defense/blue team side of things.
Common Job Titles:
SOC (Security Operations Center) Analyst, Incident Response Analyst, SOC Manager, Information Security Analyst, Cybersecurity Analyst, Threat Hunter, Cyber Threat Intelligence Analyst, Digital Forensics Analyst, Penetration Tester, Reverse Engineer, Vulnerability Management, OSINT analyst, vulnerability researcher, Detection and Response Analyst
Standard Knowledge, Terms, and Skills:
SIEM/Logs, EDR, Vulnerability Management, Malware, DFIR, IOCs, TTPs, APTs, CVEs, Threat Hunting, Threat Intelligence, Threat-Informed Defense
Best Free Places to Learn:
Security Blue Team: Jr Analyst Courses
TryHackMe (some courses require membership): SOC Level 1 Pathway, SOC Level 2 Pathway, Red Teaming Pathway
HTB Academy (requires subscription): SOC Analyst Path
Relevant Certifications:
CompTIA - CySA+ | Security Blue Team - Level 1 (BTL1) | TCM Security - PNPT, eJPT | HTB - CDSA, CPTS | SANS - GPEN, GCIH, GSOC, GCFA | OffSec - OSCP, SOC-200
GRC (Governance, Risk Management, Compliance)
Description:
This discipline is driven by regulations and law. It includes audits, controls, frameworks, policies, and spreadsheets. Often decision-makers fall into this realm. GRC utilizes a business-first approach that is geared towards ensuring the success of the company by managing risk to its operational abilities, brand, and customers.
Common Job Titles:
CISO, ISSM, ISSO, GRC Analyst, Risk Analyst, Security Manager, Privacy Manager, Data Protection Officer/Analyst, Policy Writer, Security Control Assessor (SCA), Security Auditor, External Risk Management
Standard Knowledge, Terms, and Skills:
Frameworks (PCI-DSS, GDPR, RMF - NIST 800-53, CMMC - NIST 800-171, NIST CSF, FISMA, ISO 27001/27002, CIS Top 20, SOC2, HIPAA), Security Controls, Security Assessments, Policy/Documentation, PII, Risk Assessment, Audits, Laws/Regulations, Disaster Recovery, Standards, Business Continuity
Best Free Places to Learn:
Level Effect - Compliance Fundamentals
TryHackMe: Governance & Regulation Room
TCM Security ($29.99 / month): Definitive GRC Analyst Master Class
Relevant Certifications:
ISACA - CRISC, *CISM, *CISA | ISC2 - CGRC, *CISSP | *PMP | ITIL foundations
*These are advanced certifications requiring at least 5 years of experience
Security Architecture & Engineering
Description:
Engineers are builders. These are the people who implement controls, build defenses, harden networks, create tools and workflows for others to use (security operations), and write the code. They design and create secure systems, apps, and really anything that runs on code. These are usually advanced roles, and unless you major in CS with a concentration in Security from a major research university such as Ga. Tech, Va. Tech, Carnegie Mellon, etc., you won’t start your cyber career as a security engineer.
Common Job Titles:
Security Engineer, Security Architect, Application Security Engineer, ISSE, DevSecOps Engineer, Cloud Security Engineer, Cloud Infrastructure Engineer, Product Security, Detection Engineer, SIEM Engineer
Standard Knowledge, Terms, and Skills:
Security Orchestration and Automation (SOAR), Scripting, Automation, System Hardening, Static/Dynamic Code Analysis, Database, Application Security, System Design, APIs, Encryption, Container Security, Web App Development, CI/CD, SDLC, Cloud Infrastructure, Zero Trust, Defense in depth
Best places to learn:
TryHackMe (some courses require membership): Security Engineer Pathway
Microsoft Learn: Security Engineer Training
Relevant Certifications:
ISC2 - SSCP | CompTIA - CASP+ (soon SecurityX) | Cloud Security Alliance - CCSK | Microsoft - AZ-500, SC-100 | AWS - CSS, SAA | Splunk - Certified Cybersecurity Defense Engineer, SOAR Certified Automation Developer, Enterprise Certified Architect
PEAL Cybersecurity Education
Description: The cybersecurity education domain is honestly a pretty lucrative space to be in. I mean there are over 15 organizations that provide certifications, and every major product vendor also has their own certifications. Add in security awareness and training vendors, and the space just continues to grow. The rise of content creators and influencers in cybersecurity has also begun; however, many seasoned professionals are wary of these individuals, as some have not been in actual cybersecurity roles for long, or seem to be more of a walking advertisement.
Standard Knowledge, Terms, and Skills:
Certifications, Conferences, Product Sales, Labs, CTFs, Security Awareness Training, Courses, Degrees, Workforce Development, Recruiting, Boot Camps (ew)
Recommended places to learn:
The Internet
From other people (on the Internet)
Relevant Certifications:
N/A for this category of roles
Closing Thoughts
After being asked many times what to do/learn to be ready to start a cybersecurity career, I finally decided to write up something. Hopefully, this information has proven beneficial and will be useful to anyone hoping to understand the job opportunities in cybersecurity. There are a lot of thoughts on the Internet about cybersecurity learning, some good, some bad. I encourage you to spend some time looking into what others say, and only take advice from those that are relatively advanced in their cyber career. DO avoid those who do not have a cybersecurity job but spend time “teaching others how to get a job.” Your first cybersecurity job will be the hardest one to get, but I believe the field is exciting and can be incredibly rewarding. There is stress, lack of praise, constant worry, and a whole host of other negatives, but when you enjoy the work it is all worth it.





That's great content and well researched!
Love this!