How I Landed My First Cybersecurity Role in 10 Months
(7-minute read)
I want to preface this by saying that what I’m sharing is not necessarily the best path. It’s simply my experience, what worked for me, and what I learned throughout my journey to become a GRC consultant. Additionally, I was very lucky to be able to do this full-time as I could afford to leave my job, and had a strong support system. Please do not use my timeline as a benchmark, and manage your expectations realistically based on your circumstances.
TL;DR
(7-second read)
Determine your role with (a) inherent talent, (b) talking to folks, (c) trying it out.
Pursue relevant certification(s) and practical experience on hacking platforms.
Hunt across departments. Improve skills daily. Keep the faith: 1 yes > 1,000 no.
Profit.
Background before infosec
I’ll touch briefly on what I had been doing prior to taking the plunge. Most of my young career has been spent in environments where I dabbled in market research, analytics, operations, and programmatic advertising. Basically, my IT experience was nonexistent, be it professionally or recreationally.
In this journey, I’d make the case that the ability to learn fast and apply concepts is crucial. There’s a wealth of resources on this, but the book I used to get started was Ultralearning by Scott H. Young.
That concludes my origin story, and here’s how I planned to storm the beaches of cybersecurity.
Game Plan | Aug 2020 - Sep 2020
Please note that this section is mainly applicable if you’re undecided like I was. If you know which role you want, home in on it like a heatseeker and find the most efficient path to achieve it. For instance, if you aim to be a pentester, start looking at the OSCP, eCPPTv2, and hacking platforms like TryHackMe and Hack the Box.
At this point, I saw the value in helping an organization secure its assets. However, I wasn’t sure which role I’d enjoy even after reading up on the usual array of penetration testers, threat hunters, SOC analysts, etc. It was like being hungry, but unsure of what cuisine to have. Fortunately, I didn’t have a partner to list options till we ended up arguing.
So here are some resources I used to shape an idea of my ideal role:
Once I knew what roles are out there, I used these 3 factors to narrow down the suspects:
- Inherent Advantage(s)
I’m a firm believer that everyone has a natural talent. Your talent may not make you the best at it (i.e. having artistic talent ≠ being the best artist in the world), but identifying and capitalizing on it will put you in a much stronger starting position.
For instance, I enjoyed and was experienced in developing, implementing, and optimizing replicable processes. I also knew I lacked the technical experience of folks who had years of hands-on experience from help-desks or degrees. So I concluded that a role which involved working with standardized best practices (aka frameworks) would likely be the most accessible to me, while I raced to build up the foundations I needed.
- Networking
Aside from being a technical cornerstone of infosec, I realized that a notable characteristic of the industry is how connected the community is. This ranges from the open source nature of bug bounties to the sheer amount of resources made available for those looking to learn.
To better understand a role, I reached out to folks with that title on LinkedIn. Naturally, there were some who ignored me (maybe because of this), but I can confidently say that there are those who will respond and help you. This also applies to platforms like Twitter, Discord, Twitch, etc.
I’d strongly encourage getting familiar with the role before the chat. This will allow you to ask questions which are difficult to Google, and make for a more contemplative conversation for the other party. I would prepare for it almost like I would an interview.
Expanding on my earlier statement of the industry’s connectivity, joining the communities of personalities like the Cyber Mentor, Neal Bridges, and John Hammond helps with keeping up with new developments and getting invaluable pointers on breaking into infosec and thriving.
- Tryouts
Reading blogs and chatting with experts should be a means to prioritize where to start, because trying out the tasks which will make up most of your day is the best way to know if you’re going to enjoy it.
You may be an innately creative problem-solver, and gravitate towards pentesting after reading about 1337 exploits. But you may find that having to test the various services to identify every vulnerability is not your idea of a good time.
Getting Paper | Sep 2020 - Dec 2020
I’m writing from my point of view - an absolute beginner. To make it clear how little I knew, my prior technical knowledge began at buying the keyboard with the flashiest RGB lights, and ended at getting cussed out on CS:GO for not rushing B. сука блять.
So yeah, I started from rock bottom.
I’ll split the process of building a foundation into theoretical and practical sections.
Theory and Concepts: Certification
I decided that the best way to start my journey was to get an entry-level certification.
Three reasons why I decided on this:
- get a basic understanding of IT and its fundamental principles
- demonstrate my commitment to infosec
- check the box on HR’s keyword filter
A quick Google search on best beginner certifications will yield plenty of resources, but the general consensus is to go with CompTIA’s Security+. This is mainly because it’s a widely recognized beginner certificate, is a requirement for a lot of entry-level roles, and satisfies a DoD requirement if you plan to go that route.
However, I decided to go for the CompTIA Cybersecurity Analyst+ because it’s the next step after Security+, and I’m broke and unemployed. Also, it’s supposedly more technical (eg: reading logs) and I felt that was something I needed to learn and demonstrate competency in.
Practical Experience: Hacking Platforms
Simultaneously, I knew that getting some form of practical experience was necessary.
Three reasons why I decided on this:
- demonstrate ability to perform tasks on actual machines
- practical application of knowledge to solidify understanding (eg: ports, SSH, /etc/passwd)
- determine interest in penetration testing
While the argument can be made that CTFs do not resemble an actual pentest, I feel that it’s a good place to start for an absolute beginner to learn the fundamentals and even build a basic methodology before graduating to more “real-world” scenarios.
Personally, I was LOST™ when I started to learn to hack. So here’s a non-exhaustive list of platforms, in order of priority to get started in hacking.
- Rooms: a virtual machine which has specific vulnerabilities to practice exploits
- Path: a series of related rooms to help you gain competency on a certain topic
- Free and prepares you for the eJPT
- Practical labs for a lot of basic concepts
- Step-by-step guides for labs
- 3 free blackbox pentests
- Plenty of free rooms and beginner friendly layout
- Has guided rooms; as opposed to needing to Google walkthroughs
- Straightforward paths for beginners (Paid Feature)
- Free and no VPN necessary
- Wide range from fundamentals like Bash commands to exploitation
- Huge number of rooms to choose from
- Requires subscription to access retired rooms
- Very likely necessary if pursuing certifications like OSCP
Encountering the infamous “Try Harder” quote is inevitable. From my limited experience, I’d say to be honest with yourself. If you’ve exhausted all the techniques you know without headway, check the walkthrough just enough to reach the next step. Naturally, maintaining detailed notes goes a long way in improving your methodology. If employed successfully, this should accelerate the learning process without sacrificing the habit of thorough examination.
However, I’ll make the caveat that there will be times where taking a break may provide the necessary perspective or inspiration, instead of looking up the answer. I’ve definitely had my fair share of breakthroughs just by taking a breather.
Hunting Season | Jan 2021 - Jun 2021
Main Course
I won’t touch on CV writing and crafting introduction messages, because I didn't do anything extraordinary. However, I’ll share the methods I used to find more companies, and an anecdotal insight on who to approach.
To ensure a steady stream of leads, I set a daily target of people to reach out to regarding roles. I tracked this in Excel to ensure timely follow up and that no leads dropped off my radar.
My primary source was the same as everyone else: LinkedIn. I set up alerts for positions with keywords like “cybersecurity”, “cyber risk”, “SOC analyst”, etc. This covers most big companies, but it also meant that competition was stiffer from the larger audience. Also, there could be smaller companies which preferred to list openings on their own website.
To expand my search to unfamiliar companies, I would Google lists like “top MSSPs 2021”, and “cybersecurity startups to watch”. Additionally, Twitter has a good stream of hiring managers posting openings and companies announcing expansions which may translate to increased headcount.
Initially I stuck with reaching out to the listed HR, but quickly found responses to be rare. I figured they were probably inundated with enquiries, so I started introducing myself to people from other departments of the same company, and had better success this way. While this is entirely anecdotal, I noticed senior Business Development folks to be the friendliest. As a matter of fact, my first contact with my current employer was from Business Development.
But this is only my experience, yours may vary. While you may encounter silence a lot, I promise you that there are also amazing people who will help you along the way. Look at it as expanding your network, and engage with those who are willing.
Side Dishes
As job hunting can be unpredictable, constantly having a project will improve your skills and provide new content for your CV.
In my case, I chose the OSCP as my primary goal. Additionally, I would pursue small projects such as learning Splunk fundamentals due to its popularity as a SIEM. Cybrary’s free monthly courses also offer a taste of a new topic. Also, picking up a coding language like Python is a useful tool to cultivate.
Aside from projects, following infosec personalities through their blogs, Twitch streams, or YouTube channels gave me a clearer picture of the cybersecurity landscape. Here are some notable figures who positively influenced me:
- Neal Bridges: His Twitch streams are fun and informative, with good advice on networking.
- Daniel Miessler: This post was recommended by a LinkedIn connection, and significantly shaped my journey.
- Heath Adams: Aka the Cyber Mentor, has no-frills, beginner friendly courses ranging from OSINT to Buffer Overflows and Privilege Escalation.
Lastly, the previously mentioned hacking platforms aren’t the only options. CTFTime has a list of current CTF events, some of which offer prizes too.
Headspace
I’ll end my novel with 2 ideas that I struggled to adopt, but were very necessary to keep going.
Arguably the hardest part of my journey was the lack of responses and rejections, but I believed that if I kept improving every day, it was a matter of time before I’d get noticed. A wise friend told me that I only needed one “yes” out of the many “no”s. Coincidentally, this holds true whether you’re trying to land a job or a date.
Finally, don’t forget that you are more than just cybersecurity. It’s easy to get lost in its ever expanding universe, but don’t lose sight of yourself.