How Did I Get Into Information/Cyber Security?
I receive roughly one message a week from someone asking how I got into IT security and what advice I can give to help them do the same.
With my Imposter Syndrome hat firmly on, I am under no illusion that I can offer any meaningful practical advice beyond recounting my journey of the last few years, which I feel is worth a blog post.
To cut a long story short, in 2011 I found myself at The Trainline, an awesome company, but one at which I struggled to find the right role. Out of the blue, my then manager asked whether I wanted to take on some security tasks, notably PCI-DSS, which I knew little about. I owe a debt of gratitude to that boss, because it was a decision that was to change my career and my life.
My work ethic was perhaps still somewhat ‘relaxed’ as I embarked on a period of learning. I attended a week-long CompTIA Security+ course, much of which was entirely new to me. Cryptography, authentication, encryption, penetration testing, hacking: these were all terms I had heard of, but knew very little about. I didn’t take the exam, but I found the course very useful (more info here: https://certification.comptia.org/certifications/security). It helped that I had a reasonable baseline knowledge of networking and tech in general.
I moved to another job where I was the only security person. Despite only being there for 11 months, and it not being the success I had hoped for, it certainly meant I had to upskill in all aspects of security, because I had no choice. I began investing large amounts of time on Twitter, reading blogs, visiting prominent security websites and staying abreast of industry developments. I attended industry networking events with people such as Phil Cracknell (@pcracknell) and Ed Tucker (@teddybreath). We would ‘talk shop’ over a beer with the crowds their events attracted.
However, it was during my time with Skyscanner that I undoubtedly learnt the most. I was able to invest real time in training, using sites such as Cybrary (https://www.cybrary.it/) and Pluralsight (https://www.pluralsight.com/), and watching presentations from the likes of Zane Lackey (someone I admire hugely), Ben Hughes, Troy Hunt and many others. I sought out companies I loved, found their security teams on LinkedIn and went hunting for anything they may have put out publicly.
Zane is someone I spent an hour with on Skype, discussing the very problems I was trying to solve, which he had already encountered. I learned more in that hour than in weeks of research. Don’t be shy: most reasonable security people will give you an hour of their time.
I would read the security sections of company websites and check their YouTube channels or open-source projects (Netflix were, and still are, the holy grail for me!).
I’ve spent hours watching DefCon talks I barely understand, just in case a valuable nugget of info jumps out at me!
I also started speaking at conferences and networking. I chose events I found valuable for content, not just vendor-led sales events. I also started blogging about the experiences I was having, which in turn increased my ‘profile’ (gah!) in the industry.
I spend my time on planes, trains or buses reading about infosec. I have a dedicated Twitter account (@stuhirstinfosec) and spend well over 30 minutes a day on it, keeping up to date and reading articles.
I am still a novice in this industry. So many more infosec pros are smarter than I am. They know more and they’ve achieved more. But I treat every day as a day of learning and I commit the time to it. I also try to give something back to the industry I love, which has offered me the opportunities I now have, by organising Meetups, another great way of networking and sharing information. (Come along! London: https://www.meetup.com/London-Cyber-Capital-One/ and Edinburgh: https://www.meetup.com/Security-MeetUp-Scotland/)
If the only advice I can offer is the following, then I hope it’s valuable: commit everything to learning. All the time. Read. Share information. Network. Seek people out. Pester industry people for stories of the work they have done.
Many people I have interviewed over the last few years have also built their own labs and begun practising hacking legally (see https://hackyourselffirst.troyhunt.com/, https://www.hackthissite.org/ or https://www.ethicalhackingtutorials.com/2017/08/01/10-vulnerable-sites-for-hacking-practice-legally/).
AWS is a major part of my job on a daily basis; they offer great training: https://www.aws.training/Training
I hope this helps.
Comments

Senior Network Security Engineer at Salesforce | DevSecOps | DevOps | Python | Security Automation | AWS Solutions Architect Associate certified | 10 years experience
7 years ago: Nice blog.

Principal Professional Services Consultant at Palo Alto Networks
7 years ago: Apparently some of the most committed professionals have one of those hats you were talking about. Thanks for sharing!

Talent Acquisition Lead at esure Group
7 years ago: Ellie Brown, great article to read :)

Trusted Cybersecurity Recruiter - Black Hat USA & BSides LV Speaker, BSides Canberra, Melbourne & AISA CyberCon Career Village Organizer, BSides Gold Coast Co-organizer & SecTalks GC Co-organizer
7 years ago: Great article Stu Hirst, there is excellent advice and tips for people wanting to get into the industry. One of the amazing things about infosec is that it's just like a hacker breaking into a company: there are many ways in.