Sercan Azizoğlu's Personal Website

Cybersecurity Career Master Plan by Dr. Auger, et al. - A Book Review

Posted on June 9, 2024

The Book

Firstly, even though this book is dedicated to cybersecurity, it has tips that people in every field can use to improve. As the title says, it is written primarily for the cybersecurity field, for people eager to start a career and for those who already have experience.

The book was written by four authors, published in 2021, and can be purchased on Amazon.

In three sections, the authors begin by explaining what cybersecurity is and which career paths it offers, then cover personal and educational background and how to start working in the field, and lastly how to keep improving while in it. It would help whether you are thinking of starting a career in the field or have already made progress.

There is an excellent point on selecting a career in cybersecurity: “The primary purpose of cybersecurity professionals is to chase knowledge to help others, rather than be focused on knowledge or general knowledge. As cybersecurity professionals, we want to ensure that we get experience for ourselves that we can use to help others. (p.87)” Choosing a focus of expertise may take work, because the business needs placed on a cybersecurity professional vary widely, and it is difficult to cover many subjects in depth. Still, we now have large language models to ask difficult questions when we need to learn something new.

The first chapter explains the working conditions, such as flexible working hours and remote work. The second chapter, which is very useful for deciding which topic or field within cybersecurity to focus on, covers areas like Governance, Risk and Compliance (GRC), Threat Intelligence and Security Operations. The third explains different industries, such as finance, government and healthcare, to help readers understand their needs and the regulations they must comply with. The fourth focuses on certifications, which are a useful starting point for people with non-technical degrees; ISC2's CISSP, CompTIA's Security+, and ISACA's CISM and CISA are introduced there. The fifth guides readers in gaining technical experience. The sixth explains how to create and manage a personal brand on various social media platforms; as this post shows, writing and sharing in a blog is an easy way to give back to the community. The seventh chapter covers points to consider while preparing a resume, platforms for searching for jobs, and the interview process. The eighth explains collaborating with the community and helping others in the field while also taking care of ourselves, with subtopics on burnout, toxic working environments and public speaking. The last part concludes with career planning and goal setting, the mentor and mentee relationship, and building a network of professionals.

Before sharing some citations from the book, I'd like to highlight again that most of the points and tips are interdisciplinary and not dedicated only to cybersecurity professionals. A toxic working environment is toxic whichever field you work in, and the related points apply to your situation all the same.

Citations

It is recommended that eventually you should stay put long enough to become an SME (Subject Matter Expert) in your job. Make sure to take the time to develop 1-2 excellent skills. This could be a coding language, threat hunting, or pen testing. (p.24)

Risk Assessment field helps businesses and companies determine how many security controls are needed and what kinds. These assessments are made based on many different factors, such as cost, effectiveness, businesses' tolerance, and more. (p.33)

Offensive Security practitioners require permission from organizations to perform their job. This permission can be demonstrated through a contract, a Pentesting Permission Slip, and so on. Otherwise, any attacks without authorization can be deemed illegal. (p.33)

Security Architecture refers to a high-level combination of different security processes, designs, methods, and purposes to produce the overall security structure for a company’s entire infrastructure. (p.43)

A Threat Intel analyst must stay up to date regarding national and international news, cybersecurity research, and trends, all while understanding companies’ internal security situations and regulations, to provide strategic cybersecurity defense plans. (p.50)

Another common misunderstanding about being a cybersecurity professional is that you only need to do cool hacking stuff, yet in reality, documenting your findings is just as important. (p.51)

According to a Deloitte and Touche 2020 analysis, financial institutions are spending 10.9% [1] of their total IT budget on cybersecurity. This equals about $2,700 per employee. (p.60)

Putting this in perspective, APT38, a known North Korean state-sponsored group (also referred to as Lazarus) is primarily financially motivated. They attempted to steal $1 billion (yes, you read that correctly) from the Bangladeshi Central Bank in 2016 and almost got away with it. They were able to successfully steal the lowly sum (sarcasm) of only $81 million and would have got the other $919 million if not for a typo one of the attackers made. (p.61)

Research has shown that some individuals with uncommon lifestyles or existing conditions that are shamed by society will choose to not seek medical treatment for fear of having their privacy compromised and facing guilt and embarrassment. (p.65)

…shows the Health and Human Services (HHS) Office of Civil Rights (OCR) breach portal, also known as the wall of shame. HHS OCR is a United States government entity responsible for investigating security and privacy complaints concerning individuals' protected health information. (p.66)

I assure you the business is not going to replace a million-dollar system they bought 6 months ago because you told them Windows 7 is no longer supported. (p.67)

Clinical professionals and cybersecurity people talking to each other can sound like people trying to speak in two different languages. (p.67)

I’ve seen some private sector businesses offer unlimited staff paid-time-off (PTO). That’s a recent program that has seen some success. Some research has even shown that this benefit attracts high performers to organizations offering them. (p.73)

This is a major saving for cybersecurity personnel at businesses as physical security, OS patching, and middleware maintenance are huge areas of risk that are now just taken care of by enterprise-grade service providers. (p.75)

Some large recent data breaches were due to improperly configured AWS S3 storage containers that were left open to the world. The service has the ability to be secure, but when improper configuration management leaves the storage containers open to the internet, all your data is on Pastebin. (p.76)

Books, hacking challenges, and other labs, such as TryHackMe and Hack The Box, are always recommended as a great supplement to your learning while training for the OSCP. (p.98)

Certified Information Security Manager (CISM), an advanced certification that teaches test takers how to manage information programs properly. Noted as having a 50-60% pass rate on first attempts. (p.107)

In fact, studies show that entry-level cyber positions typically pay anywhere from 10% to 15% more if you have a degree. (p.108)

WebGoat is an intentionally vulnerable web application that is designed to educate individuals on web application security concepts through actual hands-on exploitation of web application vulnerabilities, as well as descriptive write-ups on why the vulnerabilities allow exploitation. (p.114)

Docker is a containerizing platform that allows us to install a preconfigured WebGoat container that contains all the dependencies, settings, and configurations we will need to make sure WebGoat runs correctly. (p.119)

One of the best ways to learn about Wireshark for security operations work is to actually look at malicious traffic, work through it, and analyze it. When you’re done, you can add to your resume that you have analyzed malicious network traffic. (p.126)

If you don’t feel confident with sharing your unique thoughts about a cyber topic, then share the original article. It’s about audience engagement while showing your personal passion related to your brand. When you do share articles, a good rule of thumb is to write at least 1-2 sentences about the article. When people share articles with no context, it can appear as spam. (p.154)

CyberSeek is an example where demand and supply data for cybersecurity jobs all over the US is provided. (p.181)

One thing to note when looking at the job descriptions is that some companies might require more years of experience than others. This depends on their standards and needs. Therefore, do not let the required number of years of experience scare you. If you really have the skills, knowledge, and willingness to learn, companies will want you. (p.198)

Understand that at the stage of scanning résumés, employers are mainly looking for the technical and soft skills, education, and technical projects. (p.199)

In most cases, before your résumé is viewed by an actual person, it must pass the automated screener, commonly known as the Applicant Tracking System (ATS), where AI is used to match your résumé with the specific job posting you applied for. (p.200)

There are resources available that can help you check if your résumé is ATS-friendly to specific job postings, such as resumeworded.com and skillsyncer.com. These systems show you the percentage of critical keywords that were met, the likelihood of your résumé getting past the automated screening route, suggestions for improvements, and more. (p.200)

Along the way, every time you have any new achievements, make sure you note them in the master résumé, as well as other versions if appropriate. (p.201)

…provide the quantity and quality of your work by changing the statement to something like Implemented a security automation system for organization A, which reduced the risk of cyber attacks by X percent. (p.201)

As mentioned in previous chapters, technical skills are not everything in the cybersecurity field. Communication, mentorship, leadership, and teamwork skills are just as essential. (p.202)

For each project, experience, or activity, include no more than three to five bullet points, and each bullet point should be a maximum of two lines. Anything longer than that can look like clutter and be hard to read. Overall, keep the number of experiences and projects to two to three each. (p.202)

After applying for several positions, chances are you might forget the details of the postings, which means you may show up in interviews, not remembering what you applied for. This is never good. So maintain a record of all the job postings you have applied for. Do not save the URLs of the postings; instead, copy and paste the contents into a document. Why? Because the URL might become unavailable in the future, which means all its contents, too. (p.204)

Keep records of situations you have faced at work and school; note down how you have handled those situations, what you have done well in those situations, and what you could improve on. (p.207)

Companies like to see you grow and move up after working for a while, and if you are in such positions, you need to be able to mentor and guide others, letting the whole team grow together. (p.207)

The BSides conferences are organic, small, and humble conferences held in their respective areas, and are generally coordinated by local cybersecurity professionals. (p.220)

As you can see, we do not need to worry if the topics we are presenting are seen as “cool” or “technical.” We only need to consider whether we wish to share them. If the topic will only have an impact on two people, you should still do it! Two people benefiting from your topic means you still made an impact. (p.221)

There is an article written by Jon Helmus that details the stress and balance of burnout. You can find the article here: (p.225)

Part of being a new employee or junior employee is to understand the way your company works, the systems and tools it uses, and integrate within the culture. (p.227)

When looking for jobs and filling out applications, check sites such as LinkedIn for employees that have worked within that company. How long did they stay? Was it a year? Was it less than a year? It could be argued that if you were to survey 10 previous employees of a company you’re interested in, and collectively they have an average of a year spent with that company, this may be a good indicator of a toxic company. (p.228)

Conclusion

Lastly, the Cybersecurity Career Master Plan is a handy reference for people considering entering the field, people already in the field, and people in other fields. I want to thank Dr. Gerald Auger, Jaclyn “Jax” Scott, Jonathan Helmus, and Kim Nguyen for their excellent work in giving back to the community; I took new notes of my own from it. This website and its posts reflect a similar view on giving back to the community, and that duty is fulfilled even if only two people get the support they need to achieve their dreams or purposes. Thanks again to the authors for their admirable work and recommendations.
