Kickstarting in Cybersecurity: Strategic Advice for 2nd and 3rd Year Indian College Students
How to get started in cybersecurity?
This is the first question I get from many students attending Null Bangalore meetups, security conferences, and more.
Recently a student reached out to me over email asking for advice on the same question. He is currently in his 2nd year of B.Tech (Electrical Engineering) and is from a prestigious (three-lettered) institute. He said he’s interested in cybersecurity and wants to evaluate it as a career path but doesn’t know a good way to get started.
I replied to him over email.
Given that this is a very frequent question and the advice is almost always the same, I’m publishing it as a blog post.
Disclaimer: This advice is from my own experiences. The strategies I have mentioned in this blog post have worked for me and helped me get job(s) in the cybersecurity domain. I highly recommend experimenting with them. If it doesn’t work, feel free to move on. Also, this is a blog post written for students studying in Indian colleges/universities. This is a “how to get started in security” post and NOT a “get started in security, make millions in bug bounty, become famous over a short period” post.
Now, enjoy my advice.
Nice to e-meet you. It’s great that you are asking this question in your second year. I could have given you advice even if you were in your final year, but that would be tougher for you - you would have your final year projects and less time to experiment and learn from mistakes.
Let’s get started with a quite long answer.
Cybersecurity (security for short) is a huge domain in itself. It has lots of subdomains - pentesting, blockchain security, IoT security, forensics, etc. As a matter of fact, for anything that’s created - from basic Python code to hardware/quantum computing - security will be a part of it. So security will be part of everything that has ever existed and will ever exist, which makes it a huge domain.
Based on my views, I categorize subdomains of security as follows:
- Most popular: Pentesting (mostly Web App and Mobile Pentesting), Product Security, Cloud Security, Enterprise Security, DevSecOps, and SOC
- Hot right now: AI/LLM security & Blockchain security
- Non-technical: Infosec & GRC (think of it like doing work to make people outside security understand security, many times in the name of compliance and with checklists)
- Niche: Threat Hunting, Malware analysis, Forensics, IoT security (it might be upgraded to most popular in the next 5 years), etc.
You can learn and make a career out of each entity I have mentioned above, and I’ve seen folks successfully do it. Each of them has its pros and cons.
For example, people working in non-technical roles (Infosec & GRC) don’t do pretty cool stuff in their first few years; however, they are more likely to reach CISO level than technical folks (at least in Indian companies).
For people doing niche stuff, there’s little to no well-paying market in India, and most opportunities are in the US. People doing “hot right now” kinds of jobs look cool till the coolness wave goes down. (Remember the buzzword “Big Data”?) It’s easy to break into SOC analyst job roles at the beginning of a career but a bit harder (though not impossible) to switch to other domains within security down the line.
So it’s up to you to decide what to work on. The best answer will depend on your interests, your goals for the next 10 years, your views, your personality, etc.
If you ask me to recommend a role to get started within security, then here you go.
I suggest a Product Security Engineer role or a Pentester role (web app + mobile). These roles are something that will be present everywhere - from small startups to large corporations. There are a lot of opportunities for these roles across companies.
All other categories are niche or not present in small to mid-level startups. If you are very passionate about one of them and don’t mind fewer job opportunities, then take the plunge.
Also, I would rather recommend a Product Security Engineer role in a mid-level startup than pentesting alone, because Product Security engineers touch both sides (attack and defense) in a lot of areas - Web App, Mobile, Cloud, Pipelines/DevSecOps, etc. If you get started with this role, it’s easy for you to figure out what you like based on the actual work and then pivot to a narrower role that you find interesting.
It’s one thing to say you like pentesting and finding interesting bugs, it’s another to work as a pentester and find bugs within a specific period, multiple times in a year.
Let’s say you didn’t like the ProdSec role (and you’re clear it has nothing to do with your first company’s culture); you can then try switching job roles - Pentester, Security Researcher, etc. Even in your new job role, Product Security would have taught you something that you can showcase (say, convincing developers to fix bugs, analyzing the actual impact of issues rather than saying every bug is CRITICAL/HIGH, etc.).
There’s no alternative to active learning. The first tricky question you need to answer is: which subdomain within the security domain do you really like?
In case you are not able to answer the question, don’t worry. Make it a daily habit to read things happening around security, find something that interests you and read more about it.
Apart from these, here are some other recommendations, given that you are in your 2nd year:
- Network, network, network. Visit meetups like null.community, attend conferences like Nullcon/c0c0n/BSides, etc. Networking will get you more opportunities once you pass out of college. If you’re an introvert, at least write blog posts of your own.
- Find a mentor. Find someone who has been doing what you are interested in. Choose your mentor wisely as anyone (including those outside the security domain, in the security domain for the last 6 months, or for the last 1 decade) can give you free advice. Once you choose, learn from their experience, style, and their own greater network. Remember, each mentor is unique. (Sharing from my experience, just talking for 10 minutes with a good mentor, you’ll get a lot of information that’s not explicitly mentioned on public blog posts.)
- Build your coding skills. You must be in a position to write your own code and debug others’ code. You don’t have to be a great programmer. There are many pentesters I know who don’t even know how to write good programs, let alone scale them. But what makes them good pentesters is the way they find bugs. One other common mistake I see is trying to become the best at many (cool) programming languages - Rust, Golang, etc. Python code for a proof of concept still works.
- Have a blog about what you do/did. It’s very important these days. If you’re an introvert, then having a blog is mandatory (in my opinion). Don’t mix up your tech and personal blog posts - at least have a way to segregate them. (Stay away from taking shortcuts like ChatGPT/other LLMs; time will tell the cost of such shortcuts 😅)
- Participate in Google Summer of Code or similar. Programs like Google Summer of Code, Outreachy, Major League Hacking (MLH) Fellowship, etc. give you a glimpse of collaborating on real-world projects, along with a stipend. These act as a feather in your cap when applying for jobs.
- Have a GitHub profile. Even if it’s used just to create (genuine) issues and pull requests in popular repositories, that’s fine. GitHub or GitLab - you choose, but keep your contributions public.
- If you are interested, participate in CTFs/Bug Bounty. CTFs are not everyone’s cup of tea. Bug Bounty is competitive these days; try finding bugs, but don’t judge yourself if you can’t find any or get them closed as duplicates.
- Join a reputed, product-based company that HAS a security team. Your first company can make you or break you. Your first company tends to define the salary you get down the line. Also note, you can join a company without a security team as the first security person (giving you the right to brag about your position), but trust me, it will backfire, as every company/organization is a different entity - your role most probably ends up doing non-fancy, non-important urgent work (just to tick off some audit checklist). Find a company with a security team led by a good technical person and with motivated team members interested in security. Remember, motivation is contagious.
- Security certifications are fine, but don’t let them be your primary focus. You might need them only if you fail to network or don’t even have a blog. I don’t have any generic recommendations for security certifications. Also, I’ve heard of multiple Indians obtaining well-known security certifications by paying proxies to take the exams on their behalf, solely to acquire the certificates. Don’t go in that direction. Such a certification might get you past the recruiter’s filter, but in the technical round, you will likely fail.
- Your leverage is your time. As a college student in your 2nd/3rd year, you have ample time to learn, experiment, make mistakes, fail and relearn. Get GitHub’s Student Developer Pack, check out the offers for students, and experiment with hosting applications, spinning up databases, learning CI/CD pipelines, etc. The more you experiment in your college days, the more leverage (in terms of experience and knowledge) you have when you pass out of college.
- Don’t drop out of college unless you are going to create a company/gain technical knowledge and work in foreign countries. Indian society’s attitude towards dropouts hasn’t changed (and might not change for a few generations).
That was my response. If you like it, feel free to share it on social media.
If you feel this blog post adds some value, share it with your siblings or friends looking to get into security.
1. Can you be my mentor?
At the time of writing this blog post, I’m occupied with multiple experiments. I currently don’t have the time required to mentor someone. Sorry. I repost LinkedIn posts from credible people who genuinely offer mentorship; you will see them if you already follow me on LinkedIn.
2. This is stupid advice. Why should I listen to you?
This blog post is focused on 2nd and 3rd year students studying in Indian colleges. I could update this blog post with a lot of ifs and buts - it’ll just make it bigger and unusable.
These are the techniques I’ve used to get a job in the security domain outside the traditional campus placements. Oh, did I forget to say - I’m not from any prestigious 3-lettered or 4-lettered colleges or any universities having famous CTF teams.
Give them a try; if they don’t work, just try to understand why they didn’t work for you and move on.
3. Wow, did you figure out these recommendations all by yourself?
“If I have seen further it is by standing on the shoulders of Giants” ~ Isaac Newton.
4. I have one specific question, how can I reach out to you?
I’m active on LinkedIn but gradually reducing the time I spend on the platform. You can send a message over there; however, I don’t guarantee a reply. If I get some other frequent question related to this blog post, I will update this blog post with it and post about it.