Our mentorship program is organised around two areas: The Autodidact Academy, which includes our recommended curriculum as well as hints and tips on organising your studies, and the Career Hacking guide, which is provided for people who have completed (at least part of) the Greenbridge curriculum and are trying to land their first job in information security, preferably remote.
Autodidact Academy
The four core elements we include in our curriculum are the following:
- Good communication skills in English
- A solid foundation in Computer Science
- A genuine, passionate interest in Information Security
- A curious mind in non-digital realms
Before you dive in: please double check that Cybersecurity is right for you! If the answer is yes, let's get you started with some preparatory work:
For someone who is completely clueless in all four modules, the entire curriculum would probably take (and this is a very unscientific and rough estimate) 2000 hours to complete. This would include approximately 1000 hours for the Computer Science material, 500 hours for the English module, and 250 hours for each of the remaining two modules. For reference, there are 8760 hours in one calendar year. If you were to work for 5.5 hours per day without missing any sessions, and you were able to stay focused and retain everything you were learning during these sessions, you'd need one full year to complete the curriculum.
It is our humble opinion that you should create a _slow_ work plan spanning several months, and avoid the temptation of rushing into the project, expecting instant gratification. If you are impatient and push yourself too hard, you are more likely to learn superficially, make mistakes, dislike the whole process and burn out early. While the exact number of months depends greatly on your current skills, availability and timeframes, it is our experience that six months provide a good tradeoff between what we perceive as the hard bounds of Greenbridge self-education projects: a minimum of three months and a maximum of one year.
In order to work in information security, you must speak English.
Almost all communication and material that you will come across will be in English, including the material that we recommend to you here. This means that you must acquire the English language as a matter of priority. This includes reading, writing, listening and speaking the language. The goal here is not to gain complete mastery, but to be an independent user (B2) who is able to communicate efficiently, both in consumption (reading & listening) and in production (speaking & writing).
A few ideas on how to practice:
In order to understand Information Security, you must first understand the building blocks of Computer Science.
We'd like to point you towards the excellent resource Teach Yourself Computer Science, kindly compiled by Oz Nova and Myles Byrne. This guide contains all the core areas you should work on, together with high-quality resources on books and other material, in most cases freely available on the web. The baseline time investment for each of these nine topics is 100 hours, which means the whole "teach yourself CS" project would require approximately 1000 hours, but it is unlikely that you'll be completely clueless in everything Computer Science related. See which topics you are already familiar with and tweak your learning schedule as required.
The goal here is to gain familiarity in several core areas of technical Information Security, and spark your interest even more in the field.
You can do this with the assistance of MOOCs. At the time of writing, all these courses are freely accessible in "audit" mode, i.e. you'll be able to see most of the course materials for free, but you won't be able to submit certain assignments, get grades for your work, or get a course certificate.
For a newcomer with no familiarity at all with these areas, we'd recommend investing 50 hours on each of the subjects listed below. The MOOCs are designed to take 20-30 hours each, but, bundled with any exercises and additional study material that they point to, they should easily fill up 50 hours each.
- Software Security: This is a good course from the University of Maryland teaching you some key concepts about software vulnerabilities and how they occur.
- Cryptography: A very good primer on cryptography from Stanford. Cryptography is the foundation of a surprisingly large number of elements in information security, and, quite often, the only reliable tool we have.
- Cybersecurity Roles, Processes & Operating System Security: From IBM. This one covers several interrelated concepts around Operating System security.
- Network Security & Database Vulnerabilities: Another one from IBM; it covers the key concepts of two important areas of computer security well.
Use the last 50 hours of the total 250 in this section to study a cyber security topic of your choice. A few ideas:
- Threat Intelligence
- Risk Management
- Cloud Security Basics
- Digital Forensics
or anything else that you are interested in, as long as it is related to information security.
Besides attending online courses, you are encouraged to sign up on one or more cybersecurity training platforms. The most popular ones are Hack The Box, TryHackMe and CryptoHack. These can be very valuable learning tools as, besides the actual training material, they provide you with access to fora and chatrooms where other associated lifeforms tend to dwell.
A passion project
It is important that you invest time in something that is interesting to you, and unrelated to technology and computers. There are many reasons _analog_ passion projects prove to be very useful to people interested in cybersecurity, two of the most important of which are the following:
- By learning to decode and understand a completely different realm, your brain becomes more agile and more apt at identifying patterns.
- Taking a break from all things digital gives you valuable time to internalise and achieve a deeper understanding of all the cool things you are learning in cybersecurity.
Try to trust us on this: the skills you acquire in the non-digital realm of your choice will be as useful as your technical skills in information security. And the more your hobby interests you, the less it will feel like working.
Your interest could be literally anything as long as it is a clearly defined discipline, and you are committed to it. It would be preferable, for your own mental health, if your interest is not dependent on a device screen; however we do realise that, as more human activities get digitised, traditionally analog endeavours like studying history are done with the assistance of a screen nowadays.
Lastly, five book recommendations:
- Evan Ratliff - The Mastermind
- Ryan Holiday - Trust Me, I'm Lying
- Alan Watts - The Book
- F Adams & G Laughlin - The Five Ages of the Universe
- Richard Thieme - Mind Games
This section contains our recommendations on how to seek a remote, entry-level job in technical information security with good chances of getting hired. Similarly to the Self-Education Academy, this guide is not a panacea. It is mostly tested, and mostly reliable, but it's clearly not the only path to follow. You are encouraged, in true hacker spirit, to make adjustments and changes so that the process fits your personal requirements. Make this work for you.
This guide assumes that you have completed (at least some of) the Greenbridge Curriculum. Though it may theoretically be possible to get a job in cybersecurity while being almost clueless on the subject matter, you will need a very rare combination of factors for this to succeed: a desperate, gullible, opportunistic employer on the one hand, and an aptitude for lies, suitably placed buzzwords and deceit on your part. To be clear: this is not the career hacking we are trying to help you with here @ Greenbridge.
In order to get a job in Information Security, you'll need some key elements:
The first thing you need to do is spend some time thinking about what exactly it is that you would like to do in cybersecurity. Generally speaking, the entry-level roles that can be performed remotely in technical cybersecurity fall into three categories, which mostly align with three distinct hacker types:
- Security Analysts (Seekers)
- Security Engineers (Builders)
- Penetration Testers (Destroyers)
If you have done your homework and completed (at least some of) the Greenbridge Curriculum, it should be fairly clear by now which of the above appears most appealing to you and compatible both with your future aspirations and your current modus operandi. This will probably be related to what you have been working on so far, either at your current job or as part of your studies, but also to how you relate to information security in a more general sense.
Use your Google-fu to locate job opportunities related to these roles as well as their variants. Try different combinations and wording pairs to track down as many relevant opportunities as possible. Try searching for opportunities in languages other than English. Try to think in reverse: what would a prospective employer include in their hiring campaign to attract talent? Consider trying search terms which are adjacent to what you are looking for (e.g. "vulnerability assessment" and "red teaming" are different things, but relevant to penetration testing). Here are a few example search terms for penetration testing:
- penetration testing jobs
- penetration tester jobs
- junior pen testing roles
- penetration testing vacancies
- penetration testing recruitment
- pen testing careers
Make a shortlist of 20 vacancies that interest you and prioritise your applications according to a set of criteria. We'd recommend the following criteria, but, as usual, feel free to adjust these to match your own goals:
- Prioritise small(er) employers. In smaller companies, you'll get the chance to learn more and be part of a more intimate team with whom you can form strong bonds. This stable and nurturing environment is important for someone at the beginning of their career in cybersecurity. More importantly, smaller companies are much more likely to match your energy levels: they tend to move more swiftly, reply faster to your questions and support you more readily in anything you need. Furthermore, they are not plagued by protocol and bureaucracy. On the "downside", pay and job security tend to be lower. But are a phat paycheck and job security what attracted you to cybersecurity in the first place?
- Prioritise companies in other countries. It is our experience that both employers and employees manifest better versions of themselves when working with people from other cultures. When working in a non-native environment, people tend to be more alert, more open to change, more tolerant and more likely to act in good faith.
- Prioritise companies that do not have published vacancies but otherwise match your compatibility criteria. This is an intelligent way to avoid unnecessary, toxic competition.
- Prioritise security specialist companies over generalist companies that have vacancies for security personnel. A cybersecurity company will provide a more suitable environment and more opportunities to learn to a newcomer when compared to other types of companies.
- Prioritise companies that operate in your timezone. Working for a company on the West Coast of the US while living in Europe is not a good way to safeguard your personal time and mental health.
- Consider salary levels and sector maturity in different places. If you are based in Bulgaria and apply for a job in Austria, there is plenty of financial potential for both parties: if the employer likes you, you can hope to secure a salary that's higher than what you would get in Bulgaria, while still being (very) affordable to your employer. Conversely, if you are based in a very competitive country with high wages, such as Belgium, you may consider applying to an employer based in a cheaper country where the cybersecurity industry is still growing, like Slovakia. Many employers nowadays are willing to pay high salaries to international talent, particularly if they feel that the candidate's presence will heavily boost the company's performance, both from a technical and a marketing perspective.
For some concrete numbers in relation to potential salaries, you may want to play around with our universal salary calculator.
Pay attention to the wording of the job vacancy posting and submit, with surgical precision, exactly what is required. No more, no less.
In most cases, they will require a CV. Your CV is your personal marketing tool. It must be fairly compatible with contemporary-looking CVs, but it should have your own trademark personal touch. Make sure that it is in English, that it is a PDF document (not .txt, .docx or anything else), that it is visually appealing and that it fits on one page. Avoid spelling, grammar or punctuation errors and do not use plagiarised or boilerplate content. Besides the presentation of your CV, the actual content obviously matters too, so make sure to include all your relevant achievements here, including degrees, FOSS projects, programming languages, operating systems, work experience, and any offbeat interests you may have.
If a cover letter is required, tailor your response to say exactly why you are a good fit for the role. A couple of well-written, error-free paragraphs are usually enough to draw attention. If your potential employer is asking for other credentials, such as copies of certificates or anything else that they may need, make sure that you submit them, or provide a valid justification for any prerequisites you are not able to provide.
If you are invited to an interview, make sure that you conduct extensive open source intelligence gathering on the company you are interviewing with. If your interviewer's name is known to you, do your OSINT on them as well. Educate yourself in relation to the interview process and be prepared for any specific tests they will be asking you to take. You may also want to prepare a few things to reply to some of the most common interview questions. Last but not least, to state the obvious: Get a good night's sleep before the interview.
Things to keep in mind for the interview:
- Be on time
- Make sure that you are on a reliable internet connection, in a quiet room, and not in motion.
- Listen to your interviewer. Let them lead the session.
- Be alert but do not rush into answering as quickly as possible.
- Try to answer questions with precision. Neither waste nor withhold information.
- If given the chance, show them that you are familiar with their company and their services. Be careful to strike the right balance here: while lack of knowledge on what they are doing may signal indifference, too much knowledge may liken you to someone obsessive or desperate.
- Do not talk too quickly or mumble, and try to clean up your accent if it is particularly thick to the point of potentially being incomprehensible.
- Be honest but diplomatic. If you don't know the answer to something, say so. If "don't know" answers start piling up, remind your interviewer that you are very capable of working and learning independently.