Why is cybersecurity so hard?
Cybersecurity is a technology domain that can be hard to learn and takes depth to understand. Depending on whom you ask, you are bound to get a different answer from each individual. A professional from the subdomain of malware analysis will have a different answer on how to get started in the space than someone in networking. Cybersecurity consists of multiple fields, ranging from networking to forensics to compliance, to name a few, and each area has its own set of skills that you need to learn and keep improving day by day to get good at it.
This set of skills can be a concept like "how do two systems communicate?", learning how to use a tool like Autopsy for forensics, or coding a script from scratch to automate specific processes, and the list goes on. Every field or skill needed can be further broken down into bundles of concepts and knowledge. Sometimes, it can be hard to keep track, but the best part about security is that every subdomain is interlinked in some shape or form. To master a complex domain like penetration testing or threat hunting, one may need to master multiple subdomains to have a solid baseline understanding. Mastering a subdomain within cybersecurity can take years, depending on one's curiosity, dedication, and sponge-like ability to absorb information, as you learn something new every day.
So how does one start their cybersecurity journey?
For starters, narrow the scope of topics down: choose a topic, get comfortable and good at it, understand how it is connected to another subdomain, and pivot. This is very important, because if you take on the challenge of learning everything at once, you will probably be overwhelmed, get burned out, or give up for lack of understanding. It is imperative to build on solid fundamentals and set a baseline for core concepts, just like in math.
What are the different ways of learning?
The first way to learn is to start from the top and go down. Imagine a guitar player learning to play a song or tune by listening to the melody and moving their fingers to match it. It may seem incredible, but without understanding the physics of the different guitar chords, it may not be easy to sustain in the long run. That's one way to go about your journey in cybersecurity. This way of learning includes pursuing a certification, or booting up a VM on your machine and experimenting. One may know how to run a given tool but may not understand why and how the tool works. It's easy to think it's as simple as that, but this is not the optimal way.
The second approach is to start with the core concepts and work your way up to the complex methods and skills. The advantage of this approach is that even when you falter at a complicated stage, you can fall back to the core concepts, better understand them, and find a solution to the problem. This approach will make you a better problem solver, as you are in a continuous loop of active recall and spaced repetition of the cybersecurity concepts. One downside to this, however, may be that it can be time-consuming as well as slow.
Project-based learning is a way to enhance your cybersecurity understanding through real-world scenarios and projects. You can take the second approach and apply the concepts in projects to a) show your skillset and knowledge of a topic, b) learn and expose yourself to new skill stacks while building projects, and c) tackle new problems you run into and find solutions to them. This approach allows a ton of flexibility. Based on your knowledge, skillset, curiosity, and dedication to a project, you can build new things, fix things that are broken or that you broke, learn things at a rapid pace, and document every step. An individual doing this on their own will develop a far superior understanding of security. For example, a basic project would be to build a web application, secure it, and test it by trying to penetrate it.
Getting a handle on these concepts and building projects to showcase your understanding of them will also result in you getting better opportunities in the field and help build your experience working with actual use cases. If you are starting fresh, this is one of the most effective ways to get noticed within the security space. After you start working in the space, pick a topic and dig deep within it to enhance your knowledge further, and maybe even pursue a certification. Cybersecurity is a vast, complex, and challenging domain, but fun at the same time, as the learning never stops.