CyberSecurity Apprenticeships are on the rise, mostly offered by private sectors or through collegiate programs. I assume this will help those who are looking to jumpstart their careers in CyberSecurity, even after finishing a four year degree in this division. If you’re thinking what I’m thinking and know what I know, the degree is not enough to get you in even as an intern. I’m really hoping the apprenticeship influx is a game changer. Thoughts?

9 Spice ups

I got offered one recently by work.
I told them I’d rather have in depth training on the cybersecurity packages we have, rather than a lot of theory.
“But what if we change providers?”
Well, then I’ll probably need more training in the new software. But even if I did the apprenticeship, I’ll still need to know what our packages are capable of. We use the bits we know about. And we use them quite well. But there are so many bits we don’t, because we don’t know what they do or how to use them.

3 Spice ups

I’d also clarify their red vs blue team if they even have that level of security. Most companies are not there yet. Small companies give you a shot. In the past I have proposed shadowing with an ISA who willingly set aside time to train. Hopefully you have supportive leadership. If you’re okay with it, please share your current role to help out others who are on the same path, thanks man

Companies need to be willing to take on new talent and train them. We have a shortage in the hundreds of thousands of cyber security positions, but everyone wants a min of 3-5 years of experience. They don’t care that you graduated with a degree in it.

That’s a recipe for disaster long term.

2 Spice ups

Over the past 3 months, I’ve received about 100 job applications looking for “a job in cybersecurity.” These applicants have no experience, just an associate’s degree or some certificate. Even more important, they have no knowledge.

They know nothing about layer 2 vs layer 3, routing, switching, network principles, operating systems, application installation, troubleshooting, or hardware. In a word, they are completely useless. But, like Patrick, they expect me to pay them while I train them and they produce no value for me. Even a college charges you while they (supposedly) train you.

If you want to become a surgeon, you don’t walk into a medical practice with a collection of kitchen knives and say you’re willing to learn if they’ll teach you.

Engineers study advanced math, chemistry, properties of materials, statics and dynamics of mechanics, electricity and electronics, and more before walking into a company and demanding to be made a “rocket scientist intern.”

Employment is a value-for-value exchange. If you want to get paid, bring something marketable to the table.

2 Spice ups

In my view, to be a good Cybersecurity operative, you would need plenty of relevant industry experience. To properly harden a server, you need to have worked as a Sys Admin. To harden a network, you need to have experience as a Network Analyst. Then you need the specialist training on top of that. Then experience as a junior, before you work as a lead.

If you are fresh out of college, and claim to be a Cybersecurity expert, don’t be surprised if I am giving you a funny look!

3 Spice ups

It’s worse than that.
I have various interns pass up on my small business as they don’t think it will provide anything of value. They pass in favor of trying to make it in some larger firm.

And thus, they don’t learn any type of practical application for the little knowledge the degree has provided.

People are stuck with stars in their eyes at what they think they can do while passing up on what is readily available that provides practical experience.
General unwillingness to climb a ladder is one of the biggest problems.

I am willing to train interns. These people pass it up thinking they can just start at the top of the heap.
I get no one to help out that can be trained. Robert ends up with a bunch of useless applications. And this ‘cyber security expert’ will not get a job…but will blame the system.
I believe it is called hubris.

Obviously someone out of college should not be applying for a senior position or anything demanding years of experience. People have to have a way to get started and grow in the industry or the industry dies.

Note to employers in general who may see this: Entry level means you are hiring someone without experience that you intend to develop. The requirements should be, bring a brain, a work ethic and a desire to learn. I have had people work for me who brought that without skills and they turned into incredibly talented IT people who have good careers now. If I see a posting with “Entry Level” and they want 3-5 years, that means entry level pay. Stop wasting people’s time and drop that term from your job postings. It’s hard enough for new people to find things with ghost postings and what not without dealing with that.

When my son was looking for his first IT job out of college, I poked around a bit to see what the job situation looked like and I saw that far too much. I saw exactly one position that was true entry level and it happened to be cybersecurity. They were hiring for a position and they wanted no more than 1 year of experience max. In other words they wanted to develop you their way and not have to undo habits you picked up elsewhere. That was the only true “entry level” position I saw. It was honestly depressing to see what the market looked like for new people getting into the field.

This of course brings about an IT problem in general: How does one get real world experience when nobody will hire someone without real world experience? I see this not just for cyber security but all sorts of IT jobs. I’m fortunate that I have decades of experience, but for someone starting out just out of the gate, it’s rough out there.

You can take all the online classes you want and have desire and motivation but until you are actually in a production environment, you don’t know anything because most people’s production environments do not look like textbook examples. No courses that I’ve seen, ever, have any type of experience to give with what happens when the network or server goes down. These are all things you learn as they happen so that you are prepared when they happen again. No home lab is going to help you here either. You learn by doing and solving problems. You do enough and solve enough, you get good at determining the best place to start when hit with a new problem.

Companies run so lean these days that they don’t want the overhead that comes with starting out someone new, and that’s increasingly becoming problematic across all industries as older talent retires.

1 Spice up

In my experience, you are a rare breed and I appreciate you.

You know it’s funny, the higher up you go in the CyberSecurity chain the less technical people are. There are a lot of CISOs in my opinion that have almost no technical knowledge. Whereas the people farther down are the ones with experience. There are 2 paths in CyberSecurity. The doing path and the paperwork path. The paperwork path seems to pay better ironically.

2 Spice ups

But how effective is the paperwork at securing a network?

1 Spice up

Well if you compare the paperwork salary to the salary of the tech doing the work you would think very.

3 Spice ups

I had an experienced CISO tell me that technical skills are the “table stakes” for that job. The pre-qualification, if you will. Maybe not for some.

1 Spice up

Although this is a common statement, it’s not accurate.

No experience means no work history in that job. It does not equate to “no knowledge.” When you conflate the two, you give the impression that anyone with no knowledge should be able to walk into any role and “learn on the job.”

“Entry level” in a law firm does not mean no knowledge of the law. “Entry level” in a medical practice does not mean no knowledge of biology, anatomy, or medicine. “Entry level” on a construction site means you hog materials around and sweep up, not that you are building anything. That’s not an “entry level” carpenter or steel worker.

An “entry level” job means that a properly qualified applicant can find employment at the lowest level of productivity that is financially advantageous for the company.

I get resumes that state essentially, “Looking for a position where the employer will pay me while they train me to do the job.” The only place that does that to my knowledge is the US Army.

1 Spice up

I believe that several people have strayed from your question. Your original question revolves around apprenticeships, and whether they can give you a leg up on the competition. I believe the answer is “Yes, but…” You’ll have a small advantage over people with zero experience. You’ll have a slightly larger advantage if you do a good job and a permanent opening occurs with that employer.

With that said, I agree with the general sentiment of what others have said. The best way to get into security is to start out as a system or network admin, so you have real world experience, and then pivot to security. This way, you can say “I’ve seen X and this is how we handled it.”

1 Spice up

Hello Robert.
Sorry for jumping in.

I fall into the category of those you mention in your message.
I come from manufacturing industry and have background in mechanical engineering.
I now stand at a crossroads of changing careers and wanted to dive into Cyber Security and Offensive Security in particular. I’ve been studying Social Engineering methods and techniques but only on a hobby basis/level.

You and your peers seem to talk about the fact that people want to get a job in cyber without prior knowledge. Which I understand. From my point of view, as the one who’d like to do so, I’d like to do so because I don’t know what the company wants or requires in the first place. Granted, I’ve contacted all the companies through general enquiry rather than through a career portal.

I’m a seasoned engineer and cyber is something completely different. At my age I have to choose carefully what to spend my time on rather than heedlessly jumping into random cyber related courses and hoping some would be useful. And since there’s so much variation from company to company it seems pointless trying to start with all of them at once with the chance that one particular company I tried to get certified for wouldn’t let me in.

I’ve contacted several companies with the same enquiry you complain about and every answer was different in terms of what they require.

Would you mind briefly explaining what should a person from one of those 100 job applications you received have knowledge in and to what extent to satisfy your criteria or what you consider a generally acceptable knowledge to get hired? Are those “layer 2 vs layer 3, routing, switching, network principles, operating systems, application installation, troubleshooting, or hardware” the basics generally accepted or are they just what you see fit for your company’s purposes or how could you answer that?

Thank you

Richard

1 Spice up

[quote] Would you mind briefly explaining what should a person from one of those 100 job applications you received have knowledge in and to what extent to satisfy your criteria or what you consider a generally acceptable knowledge to get hired? Are those “layer 2 vs layer 3, routing, switching, network principles, operating systems, application installation, troubleshooting, or hardware” the basics generally accepted or are they just what you see fit for your company’s purposes or how could you answer that?

Thank you

Richard
[/quote]

Happily. And, thank you for asking.

Let me use an analogy. You want to become a heart surgeon. You hear that heart surgeons are well-paid, work to improve people’s lives, and the job looks exciting. You walk into a hospital and meet with the Chief of Surgery. You say, “I’m not sure what your hospital wants or requires to be a surgeon. I imagine it varies from hospital to hospital. I like knives and am willing to learn on the job.” What sort of reaction do you think you’d receive?

To be a heart surgeon, you’d have to know things - typically by going to medical school. You start with basic biology, anatomy, chemistry, and so on. When you have built up that base of knowledge (similar to the base of a pyramid) you are then capable of adding on more specialized knowledge - surgical tools, suturing, post-surgical care. Eventually, you may be learned enough to contemplate heart surgery.

To understand what you don’t understand, start at the top and work down. If I put you into a chair at my company and say, “There is a denial of service attack on facility A and a ransomware infection spreading in facility B - what should we do?” you’d better have an answer. If you don’t, you lack the knowledge required for the job.

If you want to protect a network, and you don’t understand what a properly operating network looks like, you will never be able to do so. If you don’t understand what a properly operating computer looks like, you will never be able to detect one that is subtly infected.

So-called “cybersecurity experts” are networking and operations experts who bring additional knowledge to the table.

Of course, if you are referring to cybersecurity hucksters and confidence men who are simply selling monitoring products and snake-oil remedies - that doesn’t require as much knowledge. (Like the consultant who insisted with a straight face that having a .gov domain would make us more secure and would tell people our emails could be trusted. And he continued to do so even after I produced emails we had received from compromised .gov domains.) Those jobs are readily available.

1 Spice up

I understand where you are going with your analogy. However, comparing a heart surgeon with some cyber security guy is in my opinion a bit far-fetched.

Similarly, if I’d now decide to become a heart surgeon, the pathway(s) seem pretty straightforward. Medical school, continuing from general medicine, basics, building up experience as an intern and then proceeding for higher specialised roles. I don’t have to do much research into where to start as it is pretty straightforward, at least in my country.

Cyber however, in my eyes seems extremely saturated when it comes to pathways. It is very confusing for me to figure out where to start. Unlike a heart surgeon, for cyber I assume it’s not super crucial to start at university or similar school and follow a strictly structured plan like doctors would. The pathways for cyber are much looser and having access to a vast amount of information makes it confusing for somebody like me to sift through.

If I were to stay with your favourite theme - analogies, I’d say this is more like trying to become a fabricator rather than a heart surgeon.

Still though, you haven’t told me what are the actual things one has to learn. I’ll ask that again,
Are those “layer 2 vs layer 3, routing, switching, network principles, operating systems, application installation, troubleshooting, or hardware” the basics generally accepted or are they just what you see fit for your company’s purposes or how could you answer that?

Your explanation and answers to my questions are cryptic to me. While it’s probably obvious to you it is not to me, what’s the top and down in your description and what is the base knowledge you’re talking about? I’m pretty sure there’s a course or a class that teaches the basics where everything is compressed into one course and gives people a good start. Is it CompTIA? Some call it obsolete, should I pursue OSCP certification courses? Some call that dumb, redundant, yet one of the very few companies around me that offer Red Team services requires this… I hope you see what I mean now.

It’s similar to as if you’d be trying to figure out how to become a fabricator and I’d tell you you need to start from the top and work your way down and build up a base knowledge. Would the top mean how to weld an Inconel 625 piping and progressing down through figuring out your start and base amperage, up and downslopes, etc or would the top of that mean you having to learn how to cut compound angles on a pipe, etc etc…

1 Spice up

If my answers appear cryptic, it may be because you are choosing to not understand. I’m willing to try as long as you are.

The “pathway” you refer to is just that - a path. It’s not a moving walkway with handrails that you could simply step on and ride to success if only someone would show you where to get on.

If you need me to re-state what I’ve already said, I can accommodate you. Yes, you must learn all the fundamentals of networking, routing, switching, packet assembly and disassembly, fields of frames, and so on. You need to know them not because they’re “basics” to get past but because they are the tools of your trade.

Let’s approach it from the other direction - it may make more sense to you. What aspects of “IT” are meaningless in a cyber security (which I’ve taken to abbreviating as cysec to save time and space) operation?

Can a cysec tech get by without knowing anything about layer 2 communications, frame layout, switching, and how ARP and other layer 2 protocols work? Of course not. Put that on your list.

All cyber attacks are limited to one LAN and network, correct? No? Okay. Then knowledge of routing, encapsulation, and other inter-lan technologies seems to be important.

No cyber attack ever came in as part of an executable file, correct? Oh, they do? Then I would guess knowledge of file types, formats, exe headers, scripts, and so on might be on your list of things to know.

Being successful in cysec requires knowledge, not just information. Knowledge is a lot like calluses - not easily acquired. Would you expect to walk up to Rembrandt and say, “Tell me exactly what I need to know to be able to paint like you.”

1 Spice up

I agree that cybersecurity apprenticeships could be a game changer, but only if they are structured properly to give real, practical experience. Just going through a program heavy on theory without hands-on exposure to real environments does not prepare someone for the field. As a lot of people here mentioned, the basics — networking, systems, troubleshooting — absolutely need to be solid first. Apprenticeships that combine foundational IT skills with security practices could be exactly what the industry needs to start closing the skills gap in a meaningful way.

1 Spice up