Infosec Starter Guide: I work in Helpdesk
Why are there so many phone calls? Please make them stop.
So, you work in Helpdesk. You are sitting around and taking calls, answering emails and live chats. After a little while, you are starting to get bored, and want to do something other than answering the same questions and giving the same answers of either “Reboot the computer” or “Reset your password”. After a little digging, you decide that you want to work in security. Welcome! This post is for you.
A little background
I have about 2 and a half years of Helpdesk experience within a public university context. I got hired as a Level 1 Tech, got promoted to Level 2 after 2 months, then took a Lead position after a year. I found the first 18 months or so to be pretty awesome. It helped me learn and grow a ton in a very short amount of time and since I was a student at the same time, I was immediately able to take concepts and put them into practice. Helpdesk for me was a way to take my background as a computer hobbyist and turn me into the technician I am today.
An underrated opportunity
You know how some days the phones and chat windows stay really quiet? Maybe there aren’t too many emails coming in and out? These times are your golden opportunities. This is the time to learn on the job. It shows initiative to management and it shows that you are investing in your career, which can help you now in your current role and it will pay off in the future when you move on to a new position. That being said, don't neglect learning from your day-to-day opportunities while you hold this position. There is oftentimes a large disconnect between the Helpdesk and the Ops folks in many organizations. Try to remember the pain points as you continue in your role and keep them in the back of your mind as you implement solutions into the future.
What should I learn?
Since you are reading this, I assume you have an interest in security. Generally I say the best thing to learn is the content within the CompTIA Security+. However, as a requisite I would also say learn the basics of networking and programming too. Order doesn’t really matter too much. Oftentimes, security roles augment operations roles. So if you don't know what a VLAN is, how to calculate subnets, or how to write a script to automate portions of your job, you are already setting yourself up for failure (in my opinion). So does that mean you should also take the Network+? Well, my opinions on certifications are complicated and better described here. But in short: not necessarily, but it is dependent on the type of role you are looking for.
If you are looking for a position in a Security Operations Center, Security Engineering, anything Cloud or any other technical role, then you absolutely need to know networking and security basics, and maybe even some basic programming. If you are looking to do more of a business liaison or other business-focused security role like auditing, project management, or strategic leadership, it’s less imperative to know the hard technical details because people skills, knowledge of regulations, risks, and impact will be what carries you in this type of role. However, this also doesn’t mean you get to skip Security 101. That is still critical.
So in general, learn the foundations of information security. If you wish to be in a more technical role, then learn networking prior, and consider getting some programming in there. After getting the foundations, figure out what type of roles interest you. Read some job descriptions, do some Googling, and learn the things that employers want you to learn for those roles.
Okay, where should I learn?
Well, fortunately, for more entry-level knowledge, information is abundant, and in most cases either free or low cost. My personal go-to is Professor Messer. He’s extremely knowledgeable and has everything you need to learn the content on the CompTIA A+, Network+ and Security+ exams. The content is delivered via videos for free (which are also on his YouTube channel), or you can purchase course notes, .mp3 files, and practice tests (if you wish to take the exams). He also has a Discord server, and CompTIA offers discounts on their exams on his website. When I was starting university and realized I wasn’t going to be learning in the classroom at all, I started watching his Security+ videos while I was eating breakfast most mornings. I like to think they helped.
Another resource I have heard good things about for studying is CBTNuggets. They have a subscription model, but they have a good reputation. The best part is if you like their format they offer training for many services and certifications, not just CompTIA.
Another service I have used in the past, again for studying for the CompTIA Security+ that I never took, was Pocket Prep. It’s a mobile app of practice tests, and when I had it you could pay for each certification you wish to prepare for. Nowadays, it’s also a subscription model. It was useful for showing where I needed to improve (encryption, in my case) and had a large pool of questions. You could also break them down and do larger scale practice tests, or I could use it to do a quick 10 questions while waiting for the elevator, coffee to brew, or for class to begin.
If you are a book reader, then Wiley and Packt both have large libraries of technology books that they publish. What’s better is they both oftentimes partner with Humble Bundle to provide book bundles on programming, cloud resources, security resources, data science, and just about any other technology topic under the sun. I have amassed quite a large library of ebooks over the years from them, but of course you can buy physical copies too. The best part of these Humble Bundle ebook purchases is that $20 will get you about 20 ebooks that you can go through and usually a coupon for a physical order from their respective websites too. Just keep in mind that these are timed releases and once you miss one, you cannot get it again. This also means that you will have to keep an eye out for interesting bundles.
Another interesting offer is Antisyphon Training provided by the good folks at Black Hills Information Security. They offer more specialized training in a Pay What You Can model. One in particular that I wish to call to attention is “SOC Core Skills” with John Strand. I have some friends from school and work who have taken it, and all have said positive things about it. That being said, I have not taken it myself, but I do know that John knows what he is talking about and is highly respected in the field.
If you are not in any formal education, those are what I would recommend taking a look through. If you are working through formal education, then see if there are any classes that align with your goals. The one thing that I will say not to do is bootcamps. “How to become programmer in 6 weeks” bootcamps don't really prepare you for the job. Sure, it may end up teaching you the tool. Maybe. However, this is done typically at great cost, and they don’t do a good job of explaining why. Which is, in my opinion, the most important part.
How should I learn?
As previously mentioned, downtime at work is amongst the best times to study. That being said, it’s likely that you will need to put in time outside of work too. The way I work on stuff outside of work is that I will usually be selecting a single night of the week for a few hours and I use that time to study up. My company also has a 20% time philosophy where I can take 20% of my time and dedicate it to personal projects. Typically I do that on Fridays to go along with the weeknight learning. This way I can observe Read Only Fridays, level up my skills, keep this blog posted to every once in a while, and keep my mind active on something that isn't just strictly work related.