This week I’m doing something a bit different; I’m going to touch upon that really elusive subject of how to break into the Cyber Security industry.

The reason I’m not writing up a review of Kioptrix #3 this week is because I’m actually working on a CTF (Capture the Flag – a much broader penetration test where you look for flags).

What do I want to work with?

That is THE question you need to answer before you even consider the security business. Are you interested in breaking into the penetration testing industry like me, or are you more interested in emergency response or malware analysis? Try to put your finger on what you actually want to work with, because the spectrum is BROAD and it’s easy to get lost.

Why do you want to work in Info/CyberSec?

I’m on /r/AskNetSec quite a lot, and have made a bit of a name for myself as a person who asks a lot of basic questions.

One of the answers I got to a question a few months back (I think I was asking about CREST certificates and how they hold up internationally) was:

‘Why do you want to get into InfoSec? Because if you are in it for the money, then you should look somewhere else. You need to live and breathe it to break into the industry.’

This might not always have to be the case; I’m sure there are edge-cases when people have just gotten into the business by pure luck and found themselves loving it, kind of like an arranged marriage. But make no mistake, this industry takes its toll.

It’s not only getting a degree, then getting into your first job and doing menial tasks (some jobs might be like that, sure). Because the industry and the threats the industry is facing are ever evolving, you need to stay ahead of the game. Meaning you need to learn when you aren’t working, especially if you are missing certain parts in your foundation (again, like me).

So where do I start?

Before I get into the nitty-gritty of the subject at hand I’d like to briefly introduce myself. My name is Joakim, I’m a Swedish software engineer who is based outside of London. My expertise primarily lies in software development (more so in practical, hands-on development and less in the Computer Science side of it).

I work full-time with development, am studying a few courses in programming on the side and I am completely committed to taking the OSCP this summer (to my lovely girlfriend’s dismay. She is the best, though! Completely supportive about it; love you, Beth!).

So let’s get to the subject-matter. The below bullet-points are based on multiple job descriptions that I’ve looked at:

  • Degree. Nearly all jobs in the industry will require you to have a degree (Computer Science, Software Engineering or similar), which generally lays a great foundation to build on at your first few companies. I would suggest getting a ‘wider’ rather than a ‘deep’ (specialized) education, as this gives you leeway if you find that you don’t wish to work with your specialized subject.
  • Certificates. This is where it gets a bit complicated. Depending on what you want to work with you might need to do your own research; the following certs are regarding Penetration testing:
  1. OSCP is King. This certificate doesn’t only give you the theoretical know-how on how to exploit various vulnerabilities in systems, but it also gives you a good practical foundation that you can build upon.
  2. CREST. The CREST certifications are making their way onto the international stage. Not as much as the OSCP, but they’re getting there. The CREST certifications are a collection of certifications that are extremely well-regarded in the UK (they are reviewed and developed together with GCHQ). It’s worth noting that their equivalent of the OSCP (the CRT) can be granted for £350 if you already hold an OSCP and the pre-requisite certificate (CPSA – CREST Practitioner Security Analyst).
  3. GPEN (SANS). SANS is a very highly regarded organization, mainly in the US, but also internationally. The downside is that it’s very expensive. For people in the UK, there is an annual course given by SANS and the UK government called Cyber Academy. Might be good to keep your eye(s) on that!
  4. CEH. Steer away from this. It’s a good certificate for passing through HR filters, but in all honesty it doesn’t provide even a decent idea of how good a tester is in practice. The only test you are faced with is a multiple choice test, so you might simply luck out and pass regardless of how much you have prepared.
  • Experience. Whether commercial or personal experience with the subject, it’s going to make a big difference. If you want to break into Malware Analysis it might be preferable to get yourself set up on GitHub and start bashing out code in Python that might help you with analysis, or Bash if you want to work with Emergency Response. Try to keep a journal of what you have done and what your experiences in those fields have been (what worked well / less well), like my blog. Not only does it earn you exposure, but it also teaches you a bunch of things when you are forced to properly debate various approaches to a problem.
  • Verbal / Written skills. This goes without saying. You need to know how to communicate properly to get a job within the industry. It would also serve you well to have a blog or similar (as mentioned above), as this might give you a well-deserved ‘benefit of the doubt’ in case you cock up during the interview. Or it could give you an edge when passing through any HR filters.

Another way of breaking into the business, arguably one of the better ways of doing so, is to get an internship or a junior helpdesk job. That way you will get more hands-on experience working with some (if not all) of the technologies that you will be faced with later on in your CyberSec career. I’ve got a lot of friends who work at various levels in the industry, most of whom started out doing a very basic IT job for a company or corporation and worked their way up.

Where should I work?

This is a question I’ve been asking myself (and friends) lately. I’m starting to get to a point where I think I would be employable in Penetration Testing. The only thing I’m really missing is the OSCP, which I’m certain I’ll take in the summer.

There seem to be a lot of things to consider before you start getting into the business. One of the main things to think about is ‘What is my goal with this role?’. For instance, going for any of the giants in the industry (PwC, Deloitte, IBM etc.) might yield you more money, but less individual grooming and mentoring. Meaning you might gain more financially in the short term, but you might earn more in the long term if you get more mentoring (better employability later). That’s not to say you wouldn’t get any mentoring at any of those companies, but it’s definitely easier to get lost in a corporation than in a smaller business.

A plus side of working for one of the big corporations is the sort of hardware and software you might be working with. I’ve got no experience on the subject, but I can only assume that a larger corporation that focuses on cyber security would also have a larger budget (i.e. working with better software / hardware) than a smaller company, which could mean you develop a skillset that is more in line with how the industry’s future might look.

It might also be worth considering how much impact you will have on the company you are employed by. I’m currently employed by a very small business and am having a huge impact on their revenue, which I feel financially (due to promotions), but I also feel satisfaction knowing that I’m actually doing something that is helping the business; just feeling like a ‘cog in the wheel’ might not be the greatest feeling.

Another factor worth considering is how much time you will have for your own R&D and personal projects. You might want to take a new certification or learn more about a certain language / framework; but what does your company think about that? Will they give you financial aid to get the certification, or should you be focused solely on your task while you are at work?

These are all valid questions that you really should be answering before applying for jobs. Basically I’d say that getting your first job in the industry at a huge corporation might come back to bite you in the ass (if I’m to believe what friends are saying). As a young and aspiring professional, your focus should be on soaking up as much as you can in your field of interest, not on where the money is best at the moment.

Any questions about this write-up? Don’t hesitate to post a comment!