The Cybersecurity Industry: That’s Not the Mainframe

Warning: Lots of corporate jargon being thrown around.

If you’re looking to join the cybersecurity industry, there’s one thing you need to keep in mind: it’s not always like the movies. Unless you’re part of the very, very small group of mercenary hackers that do nothing but lurk in security chatrooms, testing vulnerabilities, and finding ways to break things, you’re not going to be like Hugh Jackman hacking into the DoD’s database.

The premise of ‘hacking’ is to poke at something long enough until it breaks. Technical torture, if you will. In corporate terms, there are vulnerabilities, risks, threats, exploits, and threat actors. These terms are sometimes used interchangeably, which isn’t correct, and interviewers will sometimes use them loosely to trip up candidates. Here’s a simple analogy:

  • A threat actor wants to punch you in the face.
  • A vulnerability is your inability to defend yourself from the punch.
  • A threat is the punch being thrown.
  • A risk is the likelihood that you’ll get punched in the face.

Courtesy of @cje

The cybersecurity/security industry is much more than stopping hackers. Startups usually hire a few security professionals to establish key programs such as a formal incident response team, product security, and security leadership. These professionals wear many hats, and it takes a special kind of person to take on one of these roles. Why? Because it involves more work hours, but the tradeoff is that you have far less structure to follow than you would on an established security team. Large enterprises have entire teams built for very specific security functions such as network security, vulnerability management, application security, threat hunting, etc.

If you’ve never been in a security position before and don’t have a formal technical background, networking (with people, not switches) is where you should start. This isn’t an open invitation to know nothing and expect to get a job in the field, but it’s much easier to make a name for yourself within the community than to be just another Johnny Apples applying to a random analyst role. In the industry, there’s a term called reconnaissance, which means familiarizing yourself with your target; in this case, the target is the role and the company. It’s also important to contribute to open source projects so that you’ll have something to showcase to hiring managers, even if you don’t have the formal title.

On the other hand, if you’ve been working in IT or software development and want to switch to security, my approach is this: reflect on your work. Reflect on your technical solutions, the code you’ve contributed, even the way you would approach entering a building. Was opening up all ports on a machine the best way to solve an access issue? Did you really need to use that insecure Python module to get your results? Introspection can give you a way to approach several security-type questions that may come up in an interview. I would also add that inserting yourself into security-focused projects is great to showcase as well. This may not be completely accessible for Tier 1 Helpdesk technicians, so my ‘hack’ for you is this: talk to your security engineers. They can be weird and awkward, but they don’t bite. They just have a heightened sense of paranoia compared to everyone else. Most of the time, they’re more than happy to talk about their projects and their progress. You won’t get to work on these projects directly, but check in once in a while and eventually there will be an opportunity to work with the team.

You can choose to be more assertive and talk to the team’s manager and ask if you can help with current projects. I’ve experienced a 50% success rate with this method; when it didn’t work, it was because I was too far removed from the organizational structure to be of any help, or because of gatekeeping. I’m not saying you shouldn’t do this, but it may very well be one of those ‘high risk, high reward’ scenarios. Proceed with caution.

Fast forward to actually getting the job (yay), your main responsibility is to play defense for your company. That means understanding your organization (humans) and the technology stack (not humans). Understand its flaws, weaknesses, and potential points of failure. You are then given tasks to further increase its “security posture” aka ‘Do this so we don’t get hacked, but if we do, it won’t cost us the company.’ Then you do it again. And again, and again. Iteration is the favorite pastime at large post-IPO companies. Sometimes it goes really well, and your company is safe (for now); sometimes, it feels like you’re covering dog turd with 2-ply toilet paper and walking away, pretending it doesn’t exist. But I digress.

I previously mentioned defense, so there’s got to be an offense. Yes, this exists. Red team, purple team, threat intelligence, yadda yadda. These roles go out and find weaknesses in the company, either by attacking it themselves or by watching what’s being traded in the aforementioned security chat rooms. Think like a hacker, they say.

In the grand scheme of things, security titles are arbitrary. The solutions you provide define your company’s security program. How far is your company willing to go to protect its assets at the cost of employee efficiency? What is the acceptable risk you’re willing to take to be a member of an industry where making a single mistake can cost a company billions of dollars?

If you haven’t run away, I have some great things for you to check out. Going to conferences will be the chef’s kiss to your network and even your portfolio. Two conferences I’ve been to are RSA Conference and DEF CON.

The RSA Conference is a large IT security conference, and it’s vendor city. Every software company that sells security will be there. They also have talks, sessions, and classes you can take to get certified. It’s not a cheap conference, but since 2020 they’ve offered virtual attendance, which is significantly cheaper.

DEF CON is the more “indie” type of conference because it’s not as large as RSA, but it’s also the most fun. You’ll learn a lot more than software hacking; there are hardware villages and you can even learn how to pick locks. This is the cheaper option, but if you’re flying into Las Vegas, factor in flights + hotel + food.

Either one is a fantastic way to get to know people in the industry, and there’s almost always going to be an after-party to attend. If that’s not your thing, there are Discord servers/virtual attendance you can join so you can enjoy from a distance.

Aside from networking and attending conferences, keep up with the trends and industry news. Who’s the latest company to get breached? Why? There are blogs (hah) and podcasts that can keep you up to date with the latest security news.

In addition to technical skills, you’ll need to learn how to communicate with people as if your life depended on it. Learning to tailor your language to your audience can save you time and earn trust from those who influence key business decisions. You need to be able to talk to an IT technician and explain the technical details of a project, then half an hour later talk to a director about the same project in “executive” speak. Agility, adaptability, and, my personal favorite, persistence. Still with me? Great. If you think this is for you, stay tuned.
