How I got started in Cybersecurity
Md Noordin, PhD
Head of Security, IT Ops & DPO at Doctor Anywhere | ASEAN CSO30 | Vice-Chairperson at AMP Singapore | Board Member at RIMA | Adjunct Lecturer in Cyber Security | PhD (Computer Science)
Reading Gary Hayslip's LinkedIn article to aid veterans in their security job searches inspired me to write this article. I have come across many in my career who asked how to get a job in cybersecurity and how to transition from their current role to cybersecurity, so I thought this article on how I started my first job in cybersecurity would inspire others and let them ponder how to approach their next steps with precision, cos’ that’s exactly what I did - with precision.
I started this journey in 2001. As a Singaporean citizen (obviously I’m born and bred), I am required by law to enlist into the National Service. Whether the Army, Police, Air Force, Navy or the Civil Defence, we were not given the option to choose. For four years during my secondary school, I was in the National Cadet Corps (NCC) as my extra-curricular activity after school. I excelled and got a Senior Staff Sergeant rank and thought then that the Basic Military Training (BMT) in the Army would be a piece of cake.
You can imagine the look on my face when I received the letter that I was to report to the Police Academy for my BMT. All that experience in NCC had just gone down the drain though it groomed me to be tougher and I appreciate those four years.
While in BMT, I was at a crossroads when the day came to decide whether I was going to earn the salary of a National Serviceman or a full-time Police Officer. Not having the funds to go to university straight after national service made me choose the latter. Also, I was a Squad Leader during my BMT and I graduated as Best Trainee, so I received the recommendation to graduate not only as the Best Trainee in my squad of 40 but also a full-time regular Police Officer. At that time, as a regular Police Officer, I was given the option to choose my posting, so since my Diploma was IT related, I chose Police Technology Department as I wanted to do IT Security.
Flashback to many years before: since the age of 12, I had my 486 with a pathetic 2.4kbps modem. I was appreciative. My family was not well to do, but my parents still managed to get me a computer. I hope my late dad is proud of what I have achieved today. Anyway, I started with DOS, moved up to Win3.1, and obviously explored the realms of Bulletin Board Services (BBS) via telephone line and had to hear my mum scream over the phone every time she wanted to use it. I started off with Turbo Pascal, moved to C, Java, HTML, Perl and a couple of programming languages down the road, but my main interest was hacking. I got hooked on BBS and downloaded security tools. I bought CDs at night markets where they sold security tools and reverse engineered most of them. Learning them, applying them till the wee hours. Sometimes I slept, often I did not. I was a student by day but a coffee-drinking hacker at night. Obviously, I can’t detail my adventures here, but I was more offensive; I did not think defensively, which was the reason why my PC was infected with all sorts of viruses back in the day. I was into three things: Hacking, Coffee and obviously, as a hormone-raging teenager, girls!
Now back to Police Technology Department. I was lucky and grateful to be given the opportunity to work in the IT Security division, which basically was the technology arm to protect, detect and respond to security threats for the Singapore Police Force, but I got bored easily. That is the reason why I am a builder. As a builder, it allows me to use my creativity to develop a successful function. Back then, I was just responsible for access control and crypto servers, but I wanted to do more. I was passionate about security and I was hungry to learn. Hey, I was just in my twenties. So, I mustered the courage and went up to my manager and told him that I wanted to be involved in more things related to IT Security. Surprisingly, he agreed. I probably caught him at the right time. So, fast forward five years later when I left the Singapore Police Force, I had experience in Security Consulting, Security Audit, Security Incident Response, Forensics and knew how to manage a variety of IT security solutions. I was everywhere cos’ I made sure I was everywhere absorbing all that knowledge and applying it.
When I was in the Singapore Police Force, I thought of what I should do after 5 years when my bond ended. I had no degree and no certifications. I had just the experience. So, I penned down my career roadmap; basically I wrote down what I wanted my next three jobs to be and which industry I would like to work in. I indicated Big 4 as my next job after Singapore Police Force, followed by Investment Bank and the oil and gas industry in the Middle East after that. I wrote what I needed to do in order to achieve those goals. For Big 4, I got into Ernst & Young. Barclays for the Investment Bank and Qatar Petroleum in Doha for the oil and gas industry. So, pen down those dreams, know what you need to achieve them, work hard and leave the rest in the hands of god. You’ll be surprised, but I would like to caution especially the young ones. You must be patient. Rome wasn’t built in a day. I had to take the very long route.
When I left Singapore Police Force, I was the first one in my team to achieve the Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) certifications. I also got a Specialist Diploma in Infocomm Security and a Master in Internet Security Management with Distinction. I was laser focused on what I needed to work on for my next role in security. Many of my friends went for a generic degree in IT, but not me. I wanted to do security and nothing else. I figured that if I wanted to do well in my studies while working full-time, I might as well do something which I am passionate about. After months of burning the midnight oil, I topped my cohort for my Masters, but obviously had more than $20k loan to pay back which I borrowed from family and friends. I thankfully, though painstakingly, paid off every cent.
Before I left the Singapore Police Force, I already had almost 5 years of experience under my belt, a master’s degree in security, CISSP and CISA, and thought that it was a walk in the park to get a job. Boy, was I wrong! I sent out god knows how many CVs to many different companies, but none came back. I looked at my plan again and saw that I needed to do one more thing: NETWORK. So, as a CISA, I knew that there was a local chapter in Singapore. Back then, there was no local chapter for ISC2 in Singapore. And so, I attended my first Annual General Meeting (AGM) for the Information Systems Audit and Control Association (ISACA) at some hotel. Not only was I probably the youngest there, but I also had the lowest ranking job in security. Most of them were either VPs, Directors or at the very least a Manager. I had none of those titles, but it didn’t matter and I was going to find out why.
When it was time to select the board members, there was a shortage. There were not enough volunteers who wanted to be part of the board of directors. They had to open it up to the floor and everybody was just looking at each other. I was at the back of the room, obviously away from the “bigger” guys, trying to stay as low profile as I could when the chap beside me said “I propose Noordin”, and another chap right at the front shouted, “I second”. In that split second, I was elected to the board and had to give my introductory speech at the front of the room. That was a surreal moment!
As a board member and obviously a member of ISACA, I had the privilege to attend many networking events. Though now I speak at at least ten seminars and conferences per year, I was bad at public speaking back then. I had stage fright. I was always quiet during meetings. I gained the courage to speak up by attending Toastmasters so that I could be better at speaking in front of the audience. When we know what our weaknesses are, work to improve them and don’t just let it be. I made sure that I spoke to at least 10 persons in every networking event and I got to know a partner in Ernst & Young then who knew that I wanted to get a job out of the government sector. That’s where I got my interview and the rest, as they say, is history.
I help make living better in Saudi Arabia by digitally transforming Saudi Post and Logistics
(4 years ago) Bro you’re definitely an inspiration to me and many others. Thank you for sharing your journey.
Cyber Security
(4 years ago) Interesting journey where I had also been through the good old days with DOS, Pascal, viruses infected PC...
Security Operations | CISM | GCFA | GIAC Advisory Board member
(4 years ago) Good read. Thank you
Senior Technical Officer
(4 years ago) Thanks for sharing