There is a clear distinction between a security researcher and a security analyst. Most often, security analysts are responsible for penetration testing and they find weaknesses. While a security researcher looks for new ways to map attack surfaces, and new attack vectors and finds new methods to exploit the vulnerabilities. However, In a smaller organization this is likely to not have separate responsibilities, while in larger organizations, these both are clearly defined.
When I worked in my earlier company as a security analyst, my day-to-day activities included performing Vulnerability Analysis, Penetration Testing on Web, IoT, and mobile applications. The outcome could be a report of vulnerabilities. While in my new position, I do research on how we can gather more data that can aid governments to find more information about terrorists or criminals. This includes a ton of open-source intelligence data gathering. Also, on tactical systems, we do research on Cellular, Wifi, and satellite systems and, once we have found ways to gather intelligence, we do spend time writing computer codes and building products, intelligence on top of it.
Back to your question, on starting your career as a “security researcher, analyst, or whatever”. Since you are not looking for a specific role, henceforth I would not define a clear distinction between any roles, and my suggestion would be on starting out on any security roles or to be precise how to get into Security.
Please note that this is not an exhaustive list, I am writing this from my experience, so please do your own research.
Education:
Let’s get to your education first. Most of the people in security have these as their bachelor’s degrees.
- Computer Science
- Cyber Security Specialization
Information Science:
or any bachelor’s degree closely related to mathematics, computer science, or engineering. This may also include your CSIT courses.
The purpose of these courses is to build your foundation in computer networks, protocols, cryptography, how the internet works, and yes, programming as well.
Certifications
This is controversial. Whether you need certifications or not, the answer may vary from person to person, recruiter to recruiter. I was a part of the hiring team until last year and my basic rule of thumb is, that I need to have something to judge somebody if he/she has a background in security or not. Right out of college, if I have to hire somebody, certification is one of the parameters I take into consideration. Having a certification shows that you have a better understanding of security. Most recruiters know that Cyber Security is not in the curriculum of the majority of bachelor’s degrees. So having a certification is preferred but not a must-criteria.
Having certifications also shows that you take extra effort and demonstrate your commitment to learning other than your college curriculum.
Even if you advance in the field, getting a certificate can make you a more competitive choice for employers.
Some of the entry-level certifications you can consider:
CEH Practical, CompTIA Security+, Cisco CCNA, eJPT, etc.
Career prospects or job roles available in Security
- Penetration Tester (Web/Mobile/IoT/ICS Industrial Control Systems/OT/Automotive etc)
- Incident Response
- Identity Access Management
- Security Research
- OSINT Specialist
- Threat Investigation (Threat Intel)
- Governance, Risk, Compliance
- Data Privacy and Protection
- Cloud Security
- Forensics etc
Skills
The skillset required for various roles are different, but since you are starting out, here are the things you need to know.
- Networking (Understanding of how computer network works, different protocols, OSI network model, TCP/IP, etc)
- For Application Security – app security, you’ll need an understanding of how applications work, if you are going to be a web application penetration tester, an understanding of HTTP, how web applications work, and common vulnerabilities are required. Understanding of common vulnerabilities(OWASP top 10), how to exploit, remedies, etc
- Programming languages, especially for scripting (Python or Bash), is because you’ll need to automate a lot of tasks, and having knowledge of at least one language will save your time and efforts
- Threat modeling
- Understanding of how the OS works: Linux, Windows, etc.
- Reverse Engineering Skills
- Knowledge of Data Privacy and Regulations etc.
Also, go to LinkedIn and find a junior penetration tester or whatever role you are looking for, look at their skillsets required, and make a list of skills companies are seeking. This way you know what skills the industry is looking for.
Getting Started and Practicing
I do not have experience in governance, risk, compliance, data privacy and protection, forensics, etc., so I cannot tell you how to get started on these. But for Application Security here are a few ways to get started and where you can practice
For web applications: If you want to get started in web applications security, here are some labs and materials
- Portswigger’s web security academy is an excellent resource. They also have free labs.
- Pentester Lab where you can practice on vulnerable web apps, they have videos and text materials as well (Paid)
- Learn and Understand OWASP top 10
- Hack the box.
- Bwapp, Juice Shop, Webgoat (These are intentionally vulnerable web applications for you to practice and test skills, can be installed locally)
For OSINT
For IoT Penetration Testing
Companies
- Here are also a list of global companies that hire on a regular basis
- Product Based Companies (Research as well): McAfee, CrowdStrike, Palo Alto Networks, Darkmatter, Veracode
- Consulting Companies(Little or no research work, more into security consulting) EY, Deloitte, KPMG, TCS, Accenture, PwC
- Things that are emerging in Cyber Security
- Cloud Security, IoT Security, Automotive Security, ICS/OT Security, DevSecOps, Smart Contract Auditors, Blockchain and Cryptos, etc
I hope this helps.