How to Get a Job in Cybersecurity by@jamesbore
1,516 reads
1,516 reads

How to Get a Job in Cybersecurity 

by James BoreNovember 5th, 2022
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

Remembering that you can always pivot and change your career path, and that anything you've learned so far is only a model, not the truth (along with anything you will learn in the future) gives you a vital ability to adapt and change as you go.
featured image - How to Get a Job in Cybersecurity 
James Bore HackerNoon profile picture

This story is a part of Hacker Noon’s **How to get a job in tech **initiative. The series is intended for tech professionals in any field to share their experience of building a career in tech and help bust the common myths beginner techies are facing.

If you too would like to share your experience, you can do so here.

What is your current position?

Running my own company doing bits of consultancy, bits of training and teaching, bits of speaking, bits of writing, a lot of learning.

These days it’s hard to define under one label as it’s the overlap between whatever I find interesting and whatever provides value to clients. It certainly brings challenges when people ask me what it is I do.

How long have you been working in tech?

Over two decades now, so it’s been a while. Up until the last couple of years it was always as an employee, until I sensibly went independent shortly after lockdown came in through the UK. Just as a note, I would not recommend voluntarily leaving stable, secure, and enjoyable employment in the middle of a global crisis to try taking over and running your own business. It worked for me, but I’ve had plenty of anxious nights thinking what could go wrong.

Over the time I’ve been in tech, I’ve done tech support, field laptop repair, development, architecture, SOC monitoring, engineering, management, risk, compliance, and a number of other things. There’s been no career plan or carefully plotted path, simply eagerly grabbing onto the next opportunity when I felt the time was right - even if it meant I had to sprint to catch up.

What is your educational background and how did you end up in cyber security?

University dropout originally, with a smattering of A-levels. I did end up going back to university to earn a masters in 2017, but for most of my career my education was more based around professional certificates and self-education - or support from people I’d count as mentors.

My journey into security is really difficult to judge. Arguably I was involved in it way back at the start of my career, managing school networks shortly after the second UK Data Protection Act had come in - so information security was fresh in everyone’s minds. At that point, information security was still the new buzzword and cyber was a long way over the horizon.

Nowadays I usually say that I’m in security, not narrowing it down to a specific domain like information or cyber, but up until a few years ago I still described myself as in cyber security. Pointing to a specific point where that happened is more of a challenge.

It’s one thing I strongly suggest now to those trying to get into security, it’s easier to break in by accident than on purpose. If you’re in something even peripherally related and can get involved with the security team in an organisation you can find yourself in the field before you even know it.

We’d love to know a bit more about the mentors, was it a format arrangement?

Very much not formal - the best mentor/mentee relationships often aren’t.

There are two people I’d point to as mentors throughout my career though, and working with them corresponds to my two longest tenures in roles.

The first was in one of my earliest roles, a guy who saw potential in me to do more than sit on the helpdesk and brought me in to help with architecture and virtualisation, which gave me a huge boost at the beginning.

The second was much later, a few years before going independent, and really filled in the missing pieces. She had worked with my employer at the time for 17 years, and her guidance on how to operate through organisations, juggle with the politics, and engage people’s self-interest where needed has been hugely effective ever since.

What was the best piece of advice you got over the course of your career?

“Remember it's only a model."

There's various forms of this, but it's been vital through the years. Far too often in this field we slip into the trap of thinking we have the answers because we've decided one model or another is the 'truth'. This soundbite is a reminder that no matter what model we're using we shouldn't get too attached - it's only a guide to thinking and understanding, not a rulebook.

I’ve come across people far too often who’ve latched onto one idea as the truth and cannot let go of it. Whether that’s the CIA triad, out of date password advice, particular risk models, approaches to testing, or anything else it is vitally important to be able to let go and rethink things through a different lens.

One thing I keep telling my own students, to the point where it’s become an in-joke (although nowadays there’s enough of them it’s not really in so much as just a joke) is that there are no right answers, just ones that are less wrong. It’s flippant, but in security it’s true, there is no end goal or perfect answer - we work on a mix of aiming for good enough and continuous improvement. Stopping and deciding any one answer is right is where problems start.

The Importance of Self-Learning in Cybersecurity

Mixed. I’ve gone through professional training, academic training, and a lot of self-learning. I wouldn’t say any one of those was more or less important than the others, it’s the blend that’s been valuable and got me to where I am. Mix and match, don’t devote yourself to one way of learning.

You will get a lot of advice about platforms like HacktheBox and TryHackMe, and they are incredibly useful if you want to get into penetration testing. Where this goes wrong is that penetration testing is a tiny subset of the cybersecurity field, and it’s one of the most competitive to get into since it’s seen as the ‘sexy’ pathway. Going down those paths to the exclusion of all else will not help you with GRC (Governance, Risk, and Compliance), security architecture, cryptography, architecture, forensics, or any of the other dozens of options that are available to you.

Security Blue Team and Immersive Labs are two organisations who provide a measure of blue team self-training materials, and there are plenty of YouTube videos available on technical areas such as incident response and forensics that you can find.

It’s when you step outside the technical that things can become challenging, and the best advice here is to turn to books and advice from those already in the field. Given the vast range, I’m not going to provide a complete list of books I’d recommend (it would be far too long, maybe another article), but many of us in the industry are always happy to talk to those looking to break in and provide some recommendations. I will provide a few I always suggest though.

  1. The Cuckoo’s Egg by Cliff Stoll

    One of the earliest narratives of cyber espionage, this tracks an investigation and illustrates the foundations of modern digital forensics and investigations.

  2. The Goal by Eliyaho M. Goldratt

    While nowadays The Phoenix Project may be better known, The Goal is the work it is based on and there is something about the much more concrete examples of manufacturing that I find make it more relatable and grokky.

  3. Influence by Robert Cialdini

    Often recommended by social engineers, Cialdini’s work is worth reading for everyone as you will come across many situations in your career where it’s relevant - it’s also a great work for recognising the principles being used against you.

  4. The 7 Habits of Highly Effective People by Stephen R. Covey

    One of those books that people can be a little cynical about, 7 Habits is a classic for a reason and still has a lot to add. Definitely worth a read.

  5. Information Theory: A Tutorial Introduction by James V Stone

    While everyone knows a little about cryptography, Shannon’s work on information theory is often overlooked. While most people in security will never use it directly, taking some time to understand it can give you a completely different view on things that will make a difference throughout your career.

Knowing what you do now, where do you think one should start learning if they want to work in your position one day?

Wherever you can. Having said that, I still say that schools are a great place to start - not studying, but managing systems. Schools are often under-funded, have a huge range of technologies, take security seriously at a management level, and are a brilliant way to dive into the deep end and learn really fast.

Certificates are a difficult topic - there’s a lot of marketing and snake oil around them, and many are ultimately only assessed by multiple choice tests which makes them less-than-useful as a way of measuring ability, and far too easy for people to abuse. Some have useful knowledge in their curriculum, but you don’t need the certificate for that, so it’s often best to treat them as keys to unlock roles where they’re required - but not go credential-chasing unless you have to (ideally once you’re in and a company is paying for your training and exam).

A few things I would suggest are trying to learn to let go of pride - that took me a good few years and cost me plenty in that time - and always reserve the right to be completely wrong about things. Also be ready and willing to fail, learn, and try something different - don’t hold on to failing situations, it’s perfectly fine to give up when something isn’t working.

What is the work-related achievement you’re the most proud of?

That the family company I took over is still going from strength to strength after two years of me running it. It's even growing, despite (or possibly due to) our rather unique way of working. Just keeping it going would have been a triumph, but the way we’ve developed since I took over is something I’m truly proud of.

What do you think is the biggest myth about starting a career in cybersecurity?

That application forms are the way to go. While the whole idea of the ATS system that looks at keywords is a bit of a myth, the sheer number of applications you’re going up against for the advertised entry level roles puts you at bad odds. It’s far better to network and bypass the system by getting dropped in with a personal word for someone.

On a less serious note: What do you listen to while working?

It’s fairly eclectic - a lot of instrumental stuff when I’m doing anything that requires a lot of thinking as I find that vocals distract me. Otherwise it ranges through country, jazz, trance, and whatever else pops up.

Thanks so much for taking the time to tell us more about your career path. Any words of wisdom for aspiring techies?

Forget following your passion. When most people talk about following your passion in a career, they’re looking at it backwards. The passions you have at the start will not be the same as later on, they are changeable whims and trying to strictly adhere to one - or worse, believing there is something wrong if you don’t have one - is a good way to kill them dead, fast.

Instead, indulge your curiosity. Follow what interests you, and don’t hold yourself bound to those interests as and when they change.

True passion follows curiosity and effort to satisfy it, not the other way around.