"Computer security, cybersecurity, or information technology security is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide."

Does this definition of Cybersecurity feel fun or scary to you? Or Both?

Cybersecurity can be both fun and scary but also a rewarding experience.

Where do I begin as someone who wants to pursue a cybersecurity career?

The answer is simple. We'll start at the top and work our way down with Cybersecurity Plans and Policies. Plans and Policies are the foundation and should be implemented for every business that has a connection to the internet.

What are Cybersecurity Plans and Policies?

A cybersecurity plan specifies the security procedures, and controls required to protect an organization against threats and risk. A cybersecurity plan can also outline the specific steps to take to respond to a breach.
 
Here are a few Cybersecurity Plans for you to research.
• Crisis Management Plan
• Disaster & Recovery Plan
• Incident Response Plan
• Information Security Plan
• System Security Plan
 
Here are a few Cybersecurity Policies for you to research.
• 3rd Party Policy • Acceptable Use Policy • Access Control Policy • Account Management Policy • Anti-Virus Policy • BYOD Policy • Clean Desk Policy • Data Retention (Backups) Policy • Data Security Policy • E-Commerce Policy • Email Policy • Encryption Policy • Equipment Disposal Policy • Firewall Policy • Guest Access Policy • Identification and Authentication Policy • Incident & Response Policy • Internet Usage Policy • Logs Policy • Maintenance Policy • Mobile Device Security Policy • Network Access Policy • Outsourcing Policy • Passwords Policy • Patch Management Policy • Personal Security Policy • Physical Security Policy • Remote Access Policy • Retention Policy • Router / Switch Security Policy • Security Awareness and Training Policy • Vulnerability Assessment Policy • Wireless Communication Policy

Spend some time reading and understand the purpose of the plans and policies before moving onto training.

Now that you have a good understanding of Plans and Policies, we move onto security training.
Infosec Institute has an excellent Skills learning platform. They have 2 options, a 7-day free account where you have access to the entire content but then are slimmed down to 15 learning paths that are free.
The second option is $299 for the year, which is an excellent price if you are serious about Cybersecurity knowledge.

Can you help me on where to start?

Yes, take advantage of the free 7-day trial and target the paid content first.
Before you sign up, what are your passions?
 
Do you enjoy Engineering? Managing? Coding? Forensics? Analytics? Architecture? Privacy? Penetration Testing?
 
Here are some learning paths to target and the total time of the path. These paths contain videos, assessments, quizzes and downloadable content.
 
Cloud Engineering
• Paid: Certificate of Cloud Security Knowledge (CCSK) - 4 hours, 29 minutes
• Paid: AWS Certified Security Specialist - 5 hours, 26 minutes
• Paid: Azure Security Engineer Associate - 8 hours, 30 minutes
 
Security Engineering
• Paid: Security Engineering - 12 hours, 48 minutes
• Paid: ISC(2) Certified Information Systems Security Professional (CISSP) - 18 hours, 42 minutes
 
Management
• Paid: Cybersecurity Administration - 9 hours, 18 minutes
• Paid: Cybersecurity Management - 11 hours, 53 minutes
• Paid: ISACA Certified Information Security Manager (CISM) - 18 hours, 24 minutes
 
Coding
• Paid: Secure SDLC - 9 hours, 33 minutes
• Paid: Writing Secure Code in Node.js - 8 hours, 4 minutes
• Paid: Writing Secure Code in C++ - 14 hours, 20 minutes
• Paid: HTML5 Security - 7 hours, 9 minutes
 
Forensics
• Paid: Windows OS Forensics - 16 hours, 19 minutes
• Paid: Windows Registry Forensics - 10 hours, 51 minutes
• Paid: Computer Forensics - 15 hours, 15 minutes
• Paid: Network Forensics - 9 hours, 45 minutes
 
Analytics
• Paid: (ISC)2 Certified in Governance, Risk and Compliance (CGRC) - 7 hours, 26 minutes
• Paid: Vulnerability Assessment - 8 hours, 31 minutes
• Paid: Threat Modeling - 5 hours, 10 minutes
• Paid: Cyber Threat Hunting - 10 hours, 52 minutes
 
Architecture
• Paid: SIEM Architecture and Process - 8 hours, 26 minutes
• Paid: Cloud Security Architecture - 24 hours, 43 minutes
 
Privacy
• Paid: IAPP CIPP/US - 15 hours, 32 minutes
• Paid: IAPP CIPM - 7 hours, 34 minutes
• Paid: IAPP CIPT - 7 hours, 49 minutes
 
Penetration Testing
• Paid: Cloud Pentesting - 8 hours, 25 minutes
• Paid: Python for Pentesters - 14 hours, 5 minutes
• Paid: CompTIA Pentest+ - 9 hours, 14 minutes
 
Misc
• Paid: ITIL 4 Foundation - 6 hours, 39 minutes
• Paid: ISO 27001 Audits - 6 hours, 16 minutes
• Paid: NIST 800-171 - 5 hours, 5 minutes
• Paid: NIST 800-53 Assessments and Audits - 6 hours, 33 minutes
 
FREE
• CompTIA Linux+ - 22 hours, 48 minutes
• Cybersecurity Leadership and Management - 8 hours, 48 minutes
• DevSecOps - 8 hours, 10 minutes
• Enterprise Security Risk Management - 14 hours, 5 minutes
• Identity and Access Management - 7 hours, 30 minutes
• Incident Response - 18 hours, 39 minutes
• JavaScript Security - 10 hours, 33 minutes
• NIST Cybersecurity Framework - 5 hours, 42 minutes
• Python for Cybersecurity - 14 hours, 29 minutes
• Security Architecture - 7 hours, 31 minutes
 

Create your free Infosec Skills account now!

Cybersecurity risk management is the process of identifying an organization's digital assets, reviewing existing security measures, and implementing solutions to either continue what works or to mitigate security risks that may pose threats to a business.

What are some popular frameworks to research?

• COBIT is a framework created by ISACA for information technology (IT) management and IT governance.
• ISO 27001 - Establishing set criteria for evaluating information security risk. Identifying risks for all of the information assets within scope of the ISMS. Assigning owners for each risk. Creating a repeatable, consistent risk assessment process.
• ITIL 4 Foundation - While not necessarily a risk framework but is there risk management steps involved in the overall framework.
• OCTAVE defines a risk-based strategic assessment and planning technique for security.
• NIST provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle.

Awareness training is a level to which an individual knows certain policies, situation, documents or any other important information. Policy of systematical increasing of awareness is an important element of any engagement strategy.

What should our awareness training include?

• Malware
• Mobile Security
• Password Security
• Phishing
• Physical Security
• Ransomware
• Remote Working
• Removable Media
• Safe Web Browsing
• Social Engineering

Popular Awareness Training Platforms
Infosec IQ - Employees are not a security problem. They are part of the solution. Try Infosec IQ and learn how to stay compliant, reduce your phish rate and inspire your employees to adopt security practices to keep your organization safe.
KnowBe4 - KnowBe4 is the world's largest integrated platform for security awareness training combined with simulated phishing attacks. Join our more than 50,000 customers to manage the continuing problem of social engineering.

Cybersecurity asset management is an organization's capability to conduct and maintain an accurate inventory of all cyber-enabled technologies, including hardware and software. Cybersecurity asset management is about understanding all of your assets to strengthen your company's cyber risk posture.

What should we know and have in place for asset management?

• Device Endpoint Protection (Sophos, Bitdefender, etc)
• Device Risk Calculations: (AV * EF = SLE) and (SLE * ARO = ALE)
  Asset Value (AV) * Exposure Factor (EF) = Single Loss Expectancy (SLE)
  SLE * Annualized Rate of Occurrence (ARO) = Annual Loss Expectancy (ALE)
 

Understand the device assets risk vs mitigation costs. Do any of your assets require cyber insurance?

(ISC)2, ISACA and CompTIA are excellent places to start for certifications.
 
(ISC)2 Information Security Certifications
Certified in Cybersecurity (CC)
Certified Information Systems Security Professional (CISSP)
Certified Cloud Security Professional (CCSP)
Security Assessment and Authorization Certification (CGRC)
Certified Secure Software Lifecycle Professional (CSSLP)
HealthCare Information Security and Privacy Practitioner (HCISPP)

ISACA Certifications
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Certified in Risk and Information Systems Control (CRISC)
Certified in the Governance of Enterprise IT (CGEIT)
Certified Data Privacy Solutions Engineer (CDPSE)
Certified in Emerging Technology Certification (CET)
Information Technology Certified Associate (ITCA)
CSX Cybersecurity Practitioner Certification (CSX-P)

CompTIA Certifications
CompTIA A+
CompTIA IT Fundamentals (ITF+)
CompTIA Network+
CompTIA Security+
CompTIA Cloud+
CompTIA Security Analyst+ (CySA+)
CompTIA CASP+
 

Certification in Cybersecurity helps individuals stand out from other candidates in the job market and can also help them advance their careers within their current organizations.