Check out this great Q&A and advice from Andy Gill, renowned Scottish hacker (and author!!) and long-standing cyber security skills and careers evangelist. Keep an eye on Andy's own popular blog for more infosec hints and tips.

How did you get into the industry?

I got to where I am today by taking chances and learning new skills. Essentially I did three things: attended conferences, self-taught some topics, and started a blog to write about them. My blog has gained a lot of traction in recent years helping lots of people get into the industry, and sparked an interest in security for many too.

My own personal cyber career path started after falling well short at school - I literally failed every exam I sat. I took this opportunity to go to college instead and started an HNC (Higher National Certificate) in Computer Networking. This taught me the basics of computer networking and gave me an insight into how infrastructure security works. After a year at college, I thought I'd have another go at the whole uni thing, and I managed to get into second year at Glasgow Caledonian University studying Digital Security, Forensics and Ethical Hacking.

Following my degree I got involved with the Cyber Security Challenge, who invited me to take part in their Cyber Camp in Glasgow. This gave me a better insight into the real-life flavours of security. The event took place over three days, and took me through digital forensics, security in business and actually hacking things! Got my feet wet in hacking on SANS Netwars, which made me want to do it as a job.

Fast forward and I left Uni with a BEng and proceeded to start as a junior pentester in industry, the rest is history... and here I am now writing about how you too can join the ever-growing industry!

What should I be looking at to learn more?

The answer to this depends on a lot of factors; primarily it depends on what you're wanting to do and see yourself enjoying more. Maybe blue-team might be for you as you enjoy malware and forensics, or maybe you're amazing with Wireshark and carving out logs, or you might be like me and enjoy taking things apart, so pentesting might be for you. There are so many different areas of security these days that there is something for everyone... there will be something that piques your interest somehow!

In terms of learning more, pick an area that interests you and go read about it. My primary focus over the past few years has been pentesting and I've started looking more into threat intelligence. To learn more about pentesting I'd recommend checking out the posts on this blog as a starting point, then maybe pick up a copy of my book. Following this there are a few more books I'd encourage you to read and some sites to check out and have some hands-on fun with. These are:

Books

Sources

Where should I start?

There are some necessary steps you can take to try and jump-start your progression into this world. These are my top three tips for starting:

Go to conferences and local meet-ups to meet folks who are like-minded and expand your social and professional network (no, this doesn't mean having a million connections on LinkedIn!). Speak to people. If you're a student, get some business cards made up with your email and name on them, maybe even include your blog?

Start a blog, and write about projects you're working on. This does a few things for you.

  • it allows potential employers to see how you write and learn more about your interests
  • it serves as a reference guide for you in years to come; you can reference write-ups and help others and yourself, and
  • it can allow you to try new projects and things while keeping track of them.

Do capture-the-flag and problem-solving-like challenges to better build your understanding of topics and subject areas. Doing so will allow you to feed content into your blog too and again expand your horizons.

Do I need to go to Uni?

A simple answer: no. There are many, many paths into industry; Uni isn't the be-all and end-all. A lot of pentesters and professionals alike didn't go to uni!

Is it all about technical skills?

The next section explains how it is not all technical. Some roles are 100% technical and you can spend your time hacking all the things. However, if you want to move into pentesting, you'll need to have some form of people skills to marry up with your technical ones. The main reason for this is you're not only a hacker as a pentester, but you're also a consultant and being able to articulate issues to clients is a crucial part of the job!

In addition to the requirement for work, it is also advantageous to practice good people skills for making contacts in the industry. As much as it pains me to say this, it is not only what you know, but it also helps who you know, so get along to meetups, conferences, talks, exhibitions or anything similar and actually TALK to people!

Starting Your Journey...

Now you've read through this post; hopefully, you're a little wiser than you once were, and maybe even have a better idea as to how you're going to approach things and speak to people. Good luck out there!

Go visit our online cyber security careers map for further advice and inspiration.