Ask HN: What is the best way into a cybersecurity career in 2019?
40 points by horstgrand on Sept 6, 2019 | hide | past | favorite | 14 comments
As a mechatronics/research engineer with great interest in pentesting and cybersecurity I'd like to make a career change. Where do I start? - CompTIA or CISSP certs, or is a university degree the only way?



Don't waste your time and money on CompTIA certs or CISSP. They're basically worthless when it comes to pentesting.

Pentesting is learned by doing. Get your hands dirty and start learning basic methodologies by using Hack The Box, Virtual Hacking Lab or Vulnhub VMs. When you feel that you're getting a bit comfortable rooting boxes, sign up for the PWK and go for the OSCP. This is your ticket into pentesting if you're like me with no work experience whatsoever in IT.

I came from 10+ years in finance and landed my first job as a junior pentester two months after I passed the OSCP.


OSCP is a hands-on test that requires you to break into a system and write up your findings. It's all done in a controlled environment and time-boxed. It shows you have real abilities in a hands-on setting. It's also one of two certs that are respected. The other is SANS.


None of those are necessary, though it depends on what your desired path is.

Here’s one approach:

1) Find several local security meet-ups and get involved. Volunteer, talk, make friends. Network early and often, ask questions and learn.

2) Using the contacts and exposure developed above, find either an internship or contract role doing whatever security-related work you can find. You will (most likely) need to pay your dues, meaning it might be pretty basic security work to start with, but you’re looking for experience and further opportunity to grow your skills.

3) On the pentesting side, you’ll want to learn the target systems well (e.g., use them in practice), learn the common types of vulnerabilities and how to exploit them, and immerse yourself in opportunities to use your nascent skills (online challenges, capture-the-flag events, etc.). Read vulnerability reports published by other researchers, watch relevant videos, experiment on your own setups, and so forth.

4) As you feel more comfortable with your assessment skills, you might consider entering bug bounty programs.

Again, this is just one approach, there are many options depending on what works for you. Best of luck!

Edit: Line breaks.


What you said sounds good but I have never heard of anyone that got into infosec this way.


They exist; I’ve hired a few myself who’ve chosen this path. But it’s just one of many approaches to get into security as a career, and there are many.

Along these lines, I highly recommend Rachel Tobac’s talk “The Path to Infosec is Not Always Linear”[1].

[1] https://www.youtube.com/watch?v=rWAeDVo8mXc


My team has hired at least one that way and it's how we encourage others to develop skills.


In my personal experience, getting started with a cybersecurity career is tricky. Many companies want cybersecurity professionals, but most of them are not willing to train one. It creates the dreaded situation - companies don't hire you because you don't have experience, but you need a job to get experience.

A good way to get started is to take up any opportunity you get (and of course, of your interest), so you get a foot in the door. Other comments have talked about internships and certifications; I would like to highlight the OSCP certification. It is a hands-on certification, and it will give you a good feel for the whole pentesting process. It is a fairly respected certification in the industry and getting one will surely help you in getting a good starting job.

Also, keep honing your skills on various aspects of security. On the job, you might not be dealing with all security topics all the time, but they show up and it helps to know about them. For example, you might be evaluating a C codebase with some applied cryptography. You may have all your focus on improper memory handling, but knowledge about applied cryptography can help you contribute better.


I agree mostly, except OSCP is hard; there are easier certs for those that are not pursuing a pentester path.


I always point folks looking to get into cyber/infosec to this great post by Daniel Miessler: https://danielmiessler.com/blog/build-successful-infosec-car...


In essence, here's a full overview of what will enable a career path as a technical contributor with a focus on pentesting / red teaming for you:

1. Get OSCP

2. Find CVEs (proper ones, not XSS in $random_github)

3. Publish good, detailed articles

4. Do talks at major industry conferences

Play some CTFs in between for learning and meeting people in the community.

Good luck!


Many years in security - engineering through leadership. The comments here are quite solid. I'd add that CISSP requires documented security experience + a CISSP sponsor to sign off. I started from a C.S. background, but you can start via many routes: if you have a CS background, find a small security services company and apply. You might also do a one-pivot move, where you use your mech/research background and combine it with security to become a specialist in that area (IoT-related may be the easiest pivot). Also, check out cybrary.it for significant free learning resources. Too exhausted to add more - but other commenters have great ideas.


It's a bit of a chicken-and-egg problem: you will not easily get a security job, because you don't have experience, and you don't have experience, because you don't work in security. The same goes for e.g. CISSP - they require work experience, but lots of jobs require CISSP. Go figure.

Having a solid profile - either on GitHub or a blog - and an entry-level certification could be a good start. Participation in events like CFG or other hackathons would also help open some doors.

I don't work in security myself, but based on what I've seen, having operational experience will also gain you more respect.

Good luck my friend.


Seems to be a sudden rush of openings in industrial cyber security - e.g. PLC/DCS and other control systems gear.

You need to have a particular background as well as the IT skills though; there are subtle but significant differences in attitude and implementation in the way things are done, especially where functional safety is involved.


No degree and doing well in infosec here.

First, there are a lot of people that know security related subjects well but have never worked in infosec. Those people in my experience give bad advice.

Second, what they keep saying about high demand in infosec is true. But like another commenter said, there's the typical catch-22.

My advice:

I have known people from a non-IT background do well, but you still need to get your foot in the door by doing internships or some other work. Another approach would be socializing at local meetups or cons (which I know little about).

Infosec is very broad. It would benefit you greatly to have done some other IT work prior to infosec. I've met a lot of people who can't code, don't have certs, don't keep up with current security news, can't even name a single malware family to save their lives, and they do well in infosec. The thing is you can do compliance, architecture, incident response, vulnerability management, penetration testing, security engineering and my favorite: a generic infosec analyst.

A lot depends on the size, maturity and architecture of the infosec team. I have been at a company with dedicated teams for red teaming, IR, SOC, security engineering, etc., with a total of >50 infosec staff. And I have been in a team where the whole infosec team is 3-5 people. The smaller the team, the more they need prior infosec experience and the broader your skillset needs to be. On larger teams, they try to diversify the skillset, so if you bring something valuable to the team they don't care all that much about your certs and experience so long as they can be sure they don't have to train you in extremely basic things. In a big team you are siloed, which means you can either be complacent or grow deeper into the area of infosec you picked.

Aim for very large companies first. But before that, be good enough at everything. Code something and have an OK GitHub, get certs to show you're serious, know enough networking, sysadmin (especially Windows), etc., and keep up with the latest security news and chatter (Twitter!). All that is to help you get an interview. You gotta be flexible with work conditions for entry-level work.

Exploit/vulnerability research, bug hunting, pentesting and malware analysis get a lot of press. Before I got into infosec I didn't know about the wide range of jobs in infosec. People even tried to convince me I needed to be great at mathematics, crypto, reverse engineering or whatever.

A lot of people give advice with a survivor-bias mentality. In reality, if you have passion and specific areas of interest within infosec, it's only a matter of finding an entry point that will help you get there.

If vuln management (boring) interests you, for example, offensive security certs and solid IT experience will help. If incident response interests you, finding a SOC job, which will require basic IT/security certs and breadth (you need to understand the context behind a wide range of security events), is natural. SOC or other entry jobs can also benefit you as a starting point for security engineering or red teaming.

For certs, a lot of people would tell you OSCP (and it is great), but in practice Security+, CySA+ and SANS GIAC entry-level certs go very far and teach you a lot of things that are out of scope for OSCP.

For entering infosec, your provable ability to understand formal infosec methodologies and how various IT processes, network protocols and applications function is what you need to showcase in addition to "passion".

All that said, study MITRE's ATT&CK framework [1] and use it to develop your vocabulary and see what real-life techniques and tactics are seen. Regardless of which area of infosec you pick, having an accurate understanding of realistic threats is foundational.

I have also heard of LinkedIn social networking helping a few colleagues. YMMV.

I hope that helped; happy to answer questions.

[1] https://attack.mitre.org/



