Cybersecurity is really hard to learn. It’s not just broad and deep, but also consists of many other fields in technology and computing. I get a lot of questions asking what course to take for learning cybersecurity, which is kind of tough to answer because the real answer is: there is no course, just a journey. And everybody you ask is going to give you a different answer, since each of their journeys is different as well. It’s almost like asking several UFC fighters how to fight. Everybody’s going to give you a different recommendation, depending on where they came from. Which is why in this video we’re going to go over why cybersecurity is so hard, three different learning approaches you can use to overcome this challenge, and the overall mindset you need to maintain to be successful on your own journey.
So the biggest reason cybersecurity is hard to learn is that it consists of many different fields, each with its own unique stack of skills. Every component within each skill stack could be a concept, tool, or even an entirely new field. Take networking, for example. A few components that come to mind might be iptables, which lets you set packet filtering rules in Linux; PCAPs, or packet captures, which are static snapshots of data in motion; TCP, or Transmission Control Protocol, which segments data into conversations between devices; BGP, or Border Gateway Protocol, which governs the routes between autonomous systems on the Internet; or switches, which connect physical devices together through cables and relay Ethernet frames between them. Now that’s a lot of different things, but they’re really just a few examples of many different concepts that fall under networking, and the list could go on and on. Each of these components that I’ve mentioned can itself be broken down into smaller bundles of knowledge, rinse and repeat.
This idea of skill stacks can apply to all the different subfields in the cybersecurity world too, some of which you see here. What makes things even more complicated is that all the stacks are also interrelated, kind of like a skill network. So to learn something that’s more high level, like penetration testing, you might have to master a network of skill stacks before having a solid enough baseline to really understand it well. This applies to other more cyber-specific areas of concentration, like privilege escalation, security monitoring, incident response, threat hunting, et cetera.
If you wanted to learn all about cybersecurity, there are really too many different things to know, since it could very well take ten to twenty years to master just a few of them, at which point your mind might be oversaturated and not so interested in the other fields. The reality is that you’ve got to start off with just one or two areas to concentrate in, before expanding to others. Whether you choose to become well-rounded in a few different skill stacks, or to be elite in just one, there are a lot of different journeys you can take. Personally, I’d consider myself a mix of highs, mediums, and lows, depending on the area we’re talking about. So before you ask the question, “How do I learn cybersecurity?” and don’t know where to even begin, the first principle is to discover what topics are out there and how they all connect together on a broad level. Then, you can start to narrow down the learning scope to just the ones you might be interested in starting off with.
So with that being said, let’s go over some techniques you can use for learning and training in cybersecurity. Generally there are three main ways to learn complex topics: top-down, bottom-up, and project-based. Top-down is a really common approach, where you pick a subject to tackle, and then go after the resources specifically tailored towards learning that topic.
An example of people using a top-down method might be pursuing a specific certification on “ethical hacking”, for instance. It’s easy to think it’s as simple as loading up Kali Linux to sling some tools at targets, or grabbing some courses and books on the subject, then brain dumping everything just to pass an exam or test. Then you walk around thinking that you’re a Jedi, but the reality is that your baseline fundamentals are really weak, and your true abilities aren’t good enough to operate in most real-world scenarios. People at this stage in their journeys are often known as skiddies, which stands for script kiddies, referring to all the young aspiring kids that only know how to run tools written by other people, but not the principles behind why or how they work.
In my opinion, the best way to be successful if you’re looking to use a top-down learning method is through an apprenticeship. Back before education was institutionalized through schools, the only real way to learn a skill or craft was to apprentice under a master, someone who had a few decades of experience under their belt. The knowledge transfer process was rigorous and methodical, to make sure that an apprentice was actually teachable and useful in adding value. The main advantage of an apprenticeship is that masters can point you to the skill stacks that are relevant, while filtering out the ones that aren’t. It’s also handy that they can be there for questions that are really hard to find answers for all on your own. The net effect of being an apprentice is the huge amount of time saved in the learning process, which in my experience, can reduce years into months.
The drawback to top-down learning through an apprenticeship is finding one in the first place. Unfortunately, the truth is that without having a solid baseline first, many of the journeyman-level and master-level practitioners are either way too busy or not interested in coaching you.
It’s a huge time investment on their part to teach students, since it takes them away from research or actual work, with a high risk of failure, especially if the students don’t have very much grit or the drive to succeed in the first place. If a senior practitioner doesn’t see much potential in you, it’s easier to just walk on by. This is why on-the-job training and experience for cybersecurity is so helpful, because you’re surrounded by co-workers you can learn from, most of whom are likely better than you in one or more areas. Try to identify the most technical people in your social network, even if that means the IT helpdesk guy, and spend time learning as much as you can from them. Once you’ve developed a decent relationship, find out which experts they personally look up to. Then reach out to those guys.
If you’re not able to get mentorship through professional circles, you might consider building a solid baseline knowledge through the bottom-up approach. Bottom-up learning is where you start by picking a subject to tackle, then decomposing it into the most basic principles, definitions, and tools that are related to it. Then you start by learning those component parts first before diving into the target subject. For a boxer it might mean countless amounts of conditioning and training in very simple exercises that build muscle memory and situational agility, which indirectly improves your fighting abilities over time. Even though it takes a lot longer to do, you build a very solid foundation that becomes helpful when you do make the switch to more skill-oriented exercises. In the case of cybersecurity, where you’re a mental athlete, bottom-up learning translates into reading, lots of reading. Start with all the books you can find that are related to computer and network security and just marathon away.
What’s good about books is that you tend to get higher quality content than the average Internet post and learn a thing or two about each author, most of whom are active practitioners themselves. They might also happen to maintain a blog or tweet links to resources for you to follow. When you are reading, remember to jot down all the different vocabulary and concepts you’re learning in something like a mindmap or spaced repetition software like Anki. Anki is a free and open-source tool that lets you build flashcards to learn just about any concept. Unlike normal flashcards, the heart of Anki is a scheduling algorithm that decides when to show you concepts based on how well you know them. Research shows that active recall, where you’re asked a question and forced to remember the answer, is much more effective than passive study for building strong memories. Consistently distributing the process over increasing periods of time further cements your knowledge, because it forces your brain to retrieve it with deeper and deeper levels of recall.
Using a bottom-up approach for cybersecurity sets you up to learn new fields much more easily, since many of the concepts show up again time after time, because everything is interconnected. One downside to bottom-up learning is that it can get monotonous, since doing any activity for its own sake without a clear goal can get boring over time.
Which leads us to a third approach for learning, and actually one of my favorite methods, which is through projects. Project-based learning is a bit of a hybrid approach between the previous two, and gives you some more flexibility using both. To begin, you need to define a technical outcome to work towards that forces you to gather and learn resources. One of my first projects, for example, was to be able to use a computer without ever touching the GUI.
This process led me to become quite proficient at the command line and learn many more concepts than the original project entailed. They say you should set SMART goals, which are specific, measurable, achievable, relevant, and time-bound. So something like “I want to hack” wouldn’t qualify as SMART. A better alternative would be, “I want to learn how to crack WEP encryption on my home wireless network by the end of the month.” Even if it takes you much longer than a month, the process will expose you to all sorts of different skill stacks, from Aircrack to layer 2 networking, the 802.11 protocol, and much more.
Project ideas tend to fall into one of four categories: making things, breaking things, fixing things, and knowing things. For instance, you could decide to build a computer, then intentionally install publicly available malware on it, and then try to use host or network forensics methods to detect and eradicate the infection. Documenting your entire process and workflow can help solidify the entire learning experience. Whatever your project is, it’s an opportunity to incorporate both the top-down and bottom-up learning we mentioned earlier.
The final principle that’ll help you to get better at cybersecurity is to change your mindset and time horizon for picking it up. The reality is that cybersecurity takes a really long time to master, much like becoming a doctor or lawyer. What’s easy about established professions like these is that there are institutionalized paths that have matured over the centuries. If someone asked, “Is there a doctor course anywhere?”, the answer is pretty clear. In the United States, it takes four years of medical school followed by three to seven years of residency. Medical residencies are basically apprenticeships that involve working at least 60 hours a week. Many doctors that I’ve known have worked 80 or more hours a week, sleeping five or six hours each night.
Depending on your residency of choice, this is anywhere from ten to twenty thousand hours of training. Assuming you’re only working 40 hours a week, this would take you at least ten to twenty years on the job in a cybersecurity role to attain just the absolute number of equivalent hours as a doctor.
The author Matthew Green describes mastery of any skill as a function of time and intense focus applied to a particular field of knowledge. In our age of two-second attention spans and instant gratification, it’s easy to just want a simple crash course or quick tutorial to teach you everything. But just seeking out surface-level education keeps you at the unconsciously incompetent level of learning, where you’re really confident but not actually skilled. As you grow and progress, you then realize you’re actually pretty bad, which could be a decision point as to whether or not to continue on the path. If you do push through though, you start to feel more comfortable and accepting of the concepts you know and don’t know. At the most mature stage of unconscious competence, you’re pretty skilled without even thinking about it. In a field like cybersecurity, where there’s no clear, institutionalized path to becoming a professional, you’ve really got to self-educate using a combination of the different learning approaches available to achieve mastery.
So that’s it for this episode of learning cybersecurity. Hit that like button, subscribe, and share it with friends if you think this video has been valuable for you. Hit that notification bell if you want an update for each new video we launch. It really goes a long way in supporting what we’re doing. Thanks so much for watching, and I’ll see you soon!
Great video. Another piece of advice I could give as someone who transitioned a career into cyber security, is to suppress any feelings of the imposter syndrome and just accept that you know nothing. Learn as much as you can from those around you (the OJT part of this video), and never accept that you finally know “Cyber Security”; you don’t. Keep learning.