As someone with no formal education in cybersecurity, I had to take a rather unconventional path before I could get a good grasp on this broad and complex field. I’m a freelance tech writer who now specializes in cybersecurity, and my journey into this field was initially borne out of necessity.
My first taste of cybersecurity
About 15 years ago, an IT consultant hired me to ghostwrite for his blog. Most of my writing tasks turned out to be about data privacy/data security laws and regulations like HIPAA, SOX, PCI DSS, and GLBA. While I had some knowledge in IT, which was mostly self-taught, I had practically zero background on any of the acronyms I just mentioned.
To achieve compliance with these mandates, businesses are supposed to implement several cybersecurity measures. So, in order to provide useful content to our readers, I had to study the “whats”, the “whys”, and the “hows”. To avoid inaccuracies, I decided to read official documents from the regulatory bodies themselves. For instance, for PCI DSS, I went to the PCI Security Standards Council website and downloaded the document containing the regulatory requirements.
Despite my deficiencies, my client was patient and generous enough to grant me as much research time as was needed to get the job done. To cut the story short, we ended up publishing several articles, and I learned a lot along the way.
When that project ended, one thing became clear to me. I had to focus more on enterprise IT and cybersecurity writing jobs moving forward. The topics were more interesting, the pay was better, and there was less competition. To me, it was the perfect recipe to a brighter future as an online freelance writer.
Diving deeper and going hands-on
A few projects after, I got the biggest break of my cybersecurity writing career. I was hired to write blog posts for JSCAPE, a software development company specializing in network security solutions. Initially, I was hired as a blogger. But because we were a relatively small organization, that role later on expanded to document writing, tech support, and inbound marketing.
The breadth and depth of cybersecurity concepts I learned as a blogger, documentation technical writer, and tech support engineer accelerated my knowledge in cybersecurity. To write relevant, authoritative, and informative blog posts and documentation pages, I had to research about data-in-motion encryption, multi-factor authentication, digital certificates, cryptographic algorithms, Pretty Good Privacy (PGP), Transport Layer Security (TLS), and many other technical terms.
My main reference sources at that time included Request for Comments (RFC) documents, IBM Redbooks, Wikipedia, technical ebooks and white papers, NIST special publications, and Youtube videos, to name a few. I also bought books. I bought new books as well as old, used books.
Books about enterprise technologies such as PGP, application security, enterprise firewalls, web services security, and so on, stay relevant for years or, in many cases, even decades. I also bought old study guides for certifications like CompTIA Security+ and CISSP. While perhaps already obsolete as study guides, those old publications still contained several concepts that remain relevant even up to this day.
At the same time, as part of my tech support duties, I also had to learn how to identify and address Denial of Service (DoS) attacks and brute force attacks in server logs, resolve vulnerability issues, apply security updates, harden file transfer servers, and so on.
It helped a lot that I had the full support of every member of our organization, including other tech support staff, our developers, our QA testers, our sales team, our VP for Sales, and, most of all, our CEO. All of them were willing to answer any question I had.
Ongoing development
Like I said earlier, cybersecurity is a vast field of study. So, even until now, I still encounter clients whose cybersecurity products or services are different from the ones I already encountered in the past. I’ve written content for providers of services such as cloud security, security orchestration, automation, and response (SOAR), offensive security, business intelligence, intrusion detection, and many others.
In each of these client engagements, I’ve had to learn new technologies and new concepts in order to develop meaningful content for my clients’ target audience. Today, my ongoing learning process involves reading existing content from my clients’ websites; going over relevant white papers, ebooks, case studies, NIST special publications, and other reading materials; and watching Youtube videos that break down technical topics.
In addition, I also keep myself abreast with the latest news and developments by following cybersecurity professionals and researchers on social media and Youtube; joining online cybersecurity groups and communities; attending webinars; and reading reports from reputable research firms like Gartner, Forester, and Ponemon. I also read annual cybersecurity reports from Microsoft, SANS, Verizon, Sophos, and others.
How to learn cybersecurity the right way
When I first entered the field of cybersecurity, I had no choice but to dive right into a deep end. While it turned out ok, it wasn’t the most efficient route to take. Many times, I had to spend an excessive amount of time pouring over supplementary materials just to gain a solid understanding of a particular topic or concept.
Ideally, you would want to take a more structured approach when venturing into a complex field like cybersecurity. For example, it would certainly be much easier to digest concepts and understand how they all relate with one another if you enroll in a cybersecurity course or program. You can find online courses in sites like Udemy or Coursera.
Some Youtube channels that specialize in cybersecurity also provide playlists that tackle specific topics. Many of these playlists are structured in a way that present the topics in a logical sequence, building first on foundational concepts before moving to more advanced material. This approach allows you to grasp key ideas step by step and helps in creating a clear mental map of how different cybersecurity concepts interconnect.