Careers in security, ethical hacking and advice on where to get started
As a counterpoint to this fluff piece for Pluralsight (mentioned 29 times), I'd like to offer the following links with very good information by well respected people in the industry:
- https://www.corelan.be/index.php/2015/10/13/how-to-become-a-...
- https://tisiphone.net/2015/10/12/starting-an-infosec-career-...
- https://danielmiessler.com/blog/build-successful-infosec-car...
As a hiring security manager: go break shit. I don't care if you have a CEH, I care if you can bring me good vulns. Show me you can break things I care about and that you're not a horrible person and you'll go straight to the top of the list. It's that simple.
How do you get started breaking shit? Github has tons of shit. Go break it. More interested in hardware? Go buy some crappy iot gear and break it. Vulns are not rare and they do not require a damn piece of paper to find. Find them, and you will have no problem finding jobs.
If you are reading this and still don't know where to start, I am happy to help you find things to break and suggest approaches that might help. But seriously, don't waste your time and money getting certified. I don't care at all.
I like Troy, but I need to put in a word here against pursuing certifications.
There are no employers in security that I know that anyone wants to work for that take certification seriously. The best people working in security --- not just in application security but in network security, red-teaming, exploit development, and cryptography --- don't have certificates.
If you want to work in startups, a hiring process that even asks if you have a certification is a big red flag. This is less true in the broader tech industry, but while it's probably not a good idea to discard a prospective Fortune 500 employer just because they ask if you have any certifications, it is certainly reasonable to pull the ejection lever hard if an employer cares about them.
Every minute you'd spend pursuing certification is better spent building programming skills.
For whatever it's worth, I still stand behind everything in here:
https://krebsonsecurity.com/2012/06/how-to-break-into-securi...
I'll echo what debatem1 and tptacek said here with what I tell everyone:
0. Do not pursue certifications at all.
1. Learn to code. C + Python is a great choice, to start with (or C + Ruby).
2. Start with application security, because it's the easiest place to get your feet wet.
3. Work through The Web Application Hacker's Handbook (don't just read it).
4. Find bug bounties in as many programs on BugCrowd or HackerOne as you can. Extra resume points (and money!) for bug bounties in Google, Facebook etc.
5. Join a reputable security consultancy (NCC Group, Optiv, Bishop Fox, etc.) and mature your skills.
6. Decide how you'd like to specialize.
On a related note, here's a quick guide to infosec in the defense industry:
1. Graduate from any school with a degree in CS/CE/Math/Physics.
2. Solve one crackme in your free time.
3. Apply for all entry level jobs at GENERIC DEFENSE CONTRACTOR that involve keyword "ida pro." Prepare to move to a deserted town in Florida or the DC megalopolis.
4. Die on the inside when you spend years working on unbelievably complicated problems that do nothing else except get a government employee promoted. Have everyone else in the news/online tell you you're evil.
5. Spend several months working for a government employee that is amazing at what he or she does. (part of the 20% of employees doing 80% of the work)
6. Watch as that employee is immediately promoted and replaced by someone else who doesn't care.
7. Try to transition to non-defense and discover that for all the talk about "cyber!!!!" and infosec in the news, all anyone actually wants is an IT professional that took a one week course at Blackhat on exploitation/has meaningless certificates/knows how to buy and install Nessus products and Palo Alto products. That has to be 90% of the job postings out there.
In all seriousness, if you do think you want to go down the government route, stick to a dedicated research institution or try to get a federal job. There are a very, very small few defense contractors that truly do good work, but they burn too bright and are eventually snuffed out by corporate greed or insane management.
I've enjoyed Troy's posts explaining past high-profile hacks, so I assume the content he created for Pluralsight is pretty good, too. I'm glad he didn't directly tailor them to the CEH, because from what I've seen it's not the most esteemed certification. Most managers I've talked to on the security side of things have said something like Security+ is a good starting point for newbie hires, and CISSP or OSCP are a decent indicator for mid-to-senior hires.
In general though, the prevailing sentiment has been that demonstrated experience is the #1 factor. Infosec isn't a career path that begins as a totally oblivious hire after floating around in college. It begins in your bedroom in the evenings poking around bug bounties or playing on hackthissite.org and its forums and that sort of thing. A professional setting isn't required to gain some good real-world experience, so there's no reason you should be inexperienced by the time you're sitting for your first professional interview.
Content-wise, CEH is probably one of the worst infosec certifications in existence. And EC-Council is nothing more than a paper mill. This can't be emphasised enough.
Check out a few sample questions: http://www.gocertify.com/quizzes/ceh/ceh1.html
Also review their attrition.org page that exposes how they just copypaste their material from other authors. http://attrition.org/errata/charlatan/ec-council/
Especially this part: http://attrition.org/errata/charlatan/ec-council/history_and...
Oh yeah, EC-council keeps your passport scans and other PII unencrypted in their gmail inbox. I would know, I hacked them once. https://cdn.arstechnica.net/wp-content/uploads/2014/02/EC-ha...
Stay away from CEH and EC-Council, don't support these scumbags. They're just a bunch of charlatans that managed to grow their paper mill by spamming and stealing material from others.
EDIT: Oh! But there's more! Apparently they like to serve ransomware on their website http://arstechnica.co.uk/security/2016/03/ethical-hacker-web...
tl;dr: stay the fuck away from CEH and EC-Council.
10+ year info sec veteran here. I think the first order of business is: do you want to be a specialist or a generalist? Application security is but one piece (albeit in many cases a very important piece). I chose generalist and I am happy to have done so. Today I am diving into Strict Transport Security, yes, but also working with HR and IT on our employee onboarding and off-boarding process, reviewing vendor and customer contracts and federal compliance requirements. Privacy, Regulations and Law, Compliance, IT and infrastructure security, corporate IT security, and yes application security - every day I deal with all of the above and I love that. And as a great foundation for all the things a security person may do, I cannot recommend the CISSP enough: go for the CISSP (or, alternatively, CISA) certification.
When we hire, we skim the list of certifications and look for indications of experience. A list of CVEs, a blog or several years in a serious role rank much higher on our hiring queue. And when we interview, we specifically check for depth on the areas the resume indicates depth on, and we look for breadth everywhere else.
I'm surprised that he didn't mention CSSLP from (ISC)², the same organization that created CISSP. Certified Secure Software Lifecycle Professional (CSSLP) is a certification focused on all phases of the software development lifecycle and is for those who want to add security to the whole development lifecycle instead of focusing on 'finding bugs'. It's great to find bugs, but application security is much more than that, and so is information security. This is how I became certified https://dadario.com.br/what-it-takes-to-be-csslp/ and more info about the certification https://www.isc2.org/csslp/default.aspx
>That's also reflected in how well rewarded security pros are
>That’s bad for employers but good news for cybersecurity workers, who can command an average salary premium of nearly $6,500 per year, or 9% more than other IT workers.
Why are the technical skills (in this article specifically) so demanding, yet the salary is only 9% higher?
Same for the other career-starting directions given here -- most of which seem like multi-year time investments. Many of them ask even more of your technical ability than the article before entering the field with a salaried position, and yet that's only worth 9% extra salary?
> That’s bad for employers but good news for cybersecurity workers, who can command an average salary premium of nearly $6,500 per year, or 9% more than other IT workers.
$6,500 / year? Am I misunderstanding the term "salary premium"?
Also the bar graph confuses me. Shouldn't cybersecurity positions be included in "all IT positions"?
I believe an area that goes unnoticed by new security analysts looking to work in penetration testing and exploit authoring is that of OpenVMS and VMS-based systems hacking. I've worked on these systems for years and the word floating around out there is that they are "unhackable". While some have arguments against why this would matter in this day and age, why it really does matter can't be discounted. [1] Finding OpenVMS vulnerabilities and discovering ways to own boxes running the system is not only important but a great resume bullet.
[1] https://www.defcon.org/images/defcon-16/dc16.../defcon-16-ob...
"A cert like CEH may open doors and create opportunities you wouldn't have had otherwise, but that's only part of the story"
1. I would be embarrassed to admit passing this. This is so basic, and so general, it's not even worth the 49.00 price tag for the book.
2. This is a profession where there's going to be a lot of "trust me's".
3. If I was hiring for this position, I would ask the candidate in the interview to find my network password. I would look for a packet injection wifi. I would want to see how they used Kali. I would want a true Hacker. Ties would most likely walk. I want someone who looks like they have broken into systems before.
4. I guess so much in this profession is self promotion, and confidence. Maybe not even earned confidence; just bold confidence? I do not have that confidence.
"That’s bad for employers but good news for cybersecurity workers, who can command an average salary premium of nearly $6,500 per year, or 9% more than other IT workers."
I think $6,500 per year is very low...