Career pathways for pen testers and ethical hackers
What is commonly known as the cyber security ‘career pathway’ isn’t a pathway at all – it’s currently a bit of a meandering mess through impenetrable standards, acronyms and confusing training options that not only result in people taking tests and then finding out they mean nothing in the ‘real world’, but even worse being put off from entering the cyber security industry completely. There is a common perception that there is a ‘skills gap’ in this industry, but the reality is that there is a ‘recruitment gap’. There are people out there who would be amazingly suited to a career in cyber security, specifically pen testing, if only they could understand the requirements and navigate a simple route through the mess. The Cyber Scheme are working to close that ‘recruitment gap’ through a series of initiatives, using our innovative industry sponsorship scheme to gain access to the thought leaders and technical experts in this area, using their experience and listening to their needs to influence changes in the way people are recruited.
The Cyber Scheme was established in 2013, so we have many years’ experience in running assessments accredited by NCSC to CHECK standards. These are formal certifications that recognise the holder understands the theory and practical elements of penetration testing, otherwise known as ethical hacking. CHECK Team Member (CTM) and CHECK Team Leader exams in Infrastructure and Web Applications are the core exams we currently provide. We work closely with industry experts to create, monitor and run these exams which are both relevant to real-world industry and of a high enough standard that they are perceived as ‘best practice’ for penetration testing. In an industry where accreditation and assessment of penetration testing is largely unregulated, CHECK standards are seen as what ‘good’ looks like, as they not only allow people with this level of accreditation to work within government bodies, but they are also valued by future employers as a credible standard – a qualified CTM practitioner can expect to be in demand.
The challenge we face as an industry, and the reason why The Cyber Scheme has expanded its remit in recent months, is that demand for these people is outstripping supply. Graduates entering the industry are often ill-prepared for the practical challenges they will face, and may have to spend 3-6 months being mentored and trained by colleagues who would otherwise be on billable contracts. This is a huge opportunity cost, especially when you consider that even with this training there is a high failure rate of those attending our CTM team member exams. It’s not unusual for 60-80% of candidates on any given day to fail their exam – an exam that they or their employer has paid for, and without which they are unable to access government-backed work.
The quicker a candidate achieves this accreditation, the sooner they can be contracted out and start to earn the big money, so it’s frustrating, both for candidates and for their employers, that so many arrive unprepared. It’s also a delay that industry can’t really afford, given the rise in demand for pen testing. It’s in everyone’s interest to improve the success rate of these exams.
We are not of course suggesting that the exams themselves should be made easier. This would expose UK companies and leave UK PLC under-prepared in the event of cyber attack. We can however help companies perform a basic skills gap analysis that will help them understand where their greatest weaknesses lie. We have recently made the entire syllabus of all our exams accessible online on our website as open source material for anyone who wishes to view the required assessment methodology; this is a great starting point for companies and also for candidates who wish to check whether they are ready to undertake this step towards CHECK accreditation.
One of the main innovations we have established in recent months is face-to-face training with a lead assessor who is intimately familiar with the syllabus, assessment methodology and practical skills required to be able to pass a CTM exam, or indeed any qualification a candidate is studying for at practitioner level (CEH/GPEN/CSTM/LSCP certification and more). Core subjects such as network protocols, vulnerability analysis and cryptography are studied in depth, as well as the regulation and law around ethical hacking, allowing candidates to fully explore different areas and discuss topics they will need to understand in order to pursue a career in pen testing. The small class sizes and personalised training approaches mean each candidate can highlight and focus on their knowledge gaps. Hopefully this will result in a higher pass rate for those attendees who go on to take a CTM exam.
“My reason for taking the course was to initially introduce myself to Cyber Security, and to learn more about the different areas, Blue and Red teaming being a big part. I am exploring the idea of being a pen tester as a career option.
The assessor was fantastic, he knew vast amounts of information, and could pitch it at every level, he went out of his way to provide me extra. A true professional who allows creativity and ideas to be explored. I hope one day to be able to work with him, and show what I have achieved with the foundations he has given me”.
Another area we are looking at is the creation of ‘mock’ exams which allow a candidate to practice their skills without paying for formal accreditation. We are discussing the viability of this with industry, as we understand the need to balance a better pass rate with the pressure to get candidates to a billable standard as soon as possible.
A new collaboration with APM Group will also hopefully allow us, in conjunction with the UK Cyber Security Council, to establish a series of foundation level courses and exams, following a multiple choice format with an online interview section, allowing us to create an accessible entry level series of standards and assessments which can help to introduce cyber security career pathways to anyone interested in this industry, regardless of whether they have a university degree or any prior experience. These exams will be developed as modular sections, using the expertise of APM group to develop assessments suitable for candidates from any level of education, from a neuro diverse background and for those who don’t speak English as a first language.
This is an exciting development for The Cyber Scheme, but it’s important to point out that we are not trying to just add another confusing set of acronyms and badges to the pool that already exists, rather to streamline and simplify the choices that people entering this industry face. If a CTM qualification is seen as ‘what good looks like’ in the world of penetration testing, the aim is that these new foundation assessments will be adopted as ‘what good looks like’ for all other fields of cyber security in the near future. We’re hoping to gain official endorsement for these exams through the UK Cyber Security Council.
In addition to our foundation courses, we are developing education and training pathways for school leavers; those who may be perfect for a career in cyber security but don’t yet know it! For example, during our work with CYNAM, a Cheltenham-centric community aimed at enabling networking and collaboration within the cyber security industry, we established a need to educate not just teenagers but their parents and career advisors in the different pathways open to them. If a 16-year-old is spending all their time in their bedroom coding or gaming it would be fantastic if this highlighted to their caregiver that a career in ethical hacking or vulnerability assessment would be a good choice for them. These kids may not be able to, or may not want to, go to university to study computer science, but this means they are often being channelled into other career choices that may be far less lucrative or rewarding or suitable for them. We are aiming at building a series of skills workshops, initially within the Cheltenham area but easily scalable beyond this region, where we invite industry leaders and CISOs to talk with career advisors, parents, teachers and school leavers about the different careers in cyber security. This hands-on approach will hopefully help career advisors especially to steer their students into these careers without the need for them to get into university. These students can then, it is hoped, access the foundation level assessments that are being developed, with the aim being that they end up as CTM qualified practitioners without having gone to university and without needing the mentoring of a colleague in their first job.
We are also creating a library of explainer videos in conjunction with our industry partners, which mirror the CTM syllabus and are a fantastic entry level introduction to the different requirements of a career in ethical hacking. Not only are these videos being produced by leaders in the field who are experts in penetration testing, red teaming and incident response but they are being hosted in such a way that we can monitor their usage behind a registration wall, and identify individuals whose ability to complete the videos means they are motivated and interested in this industry. We have identified future pen testers with no cost!
These individuals may then be given opportunities to undertake our practitioner training for free, or be sponsored by one of our partners to pass an exam with a confirmation of paid work, helping business to fill recruitment gaps, helping candidates to follow a defined career path and helping The Cyber Scheme to expand delivery of assessment and training to meet real time industry needs.
The Cyber Scheme is also very committed to helping military veterans and ex-police to enter the cyber security industry, especially those from engineering, IT and technical backgrounds but also those who work in compliance and governance for less technical roles, whose existing skill sets and work ethic make them ideal candidates. We are currently working with the MoD, helping to grow awareness of the correct pathway a military veteran can take in order to quickly establish a cyber security career. One of the common frustrations we hear from those coming out of the military and wishing to re-train is that they simply don’t know which training to access, and waste money making the wrong choices, so we’re really hoping to be able to open up a career in CHECK work for them which they will find more lucrative than other options.
Finally, The Cyber Scheme partnered up with The Cyber Trust last year, a non-profit charitable foundation aimed at protecting children and vulnerable communities from online threat. Surpluses created by The Cyber Scheme will be directed at the Trust to help fund their initiatives. The Cyber Trust incorporates The Cyber Security Challenge, a well-established pathway aimed at finding talented young people through a series of games and tests aimed at sourcing next generation talent, without the need for them to go to university. One example is a game run in conjunction with the National Crime Agency aimed at educating young hackers about the Computer Misuse Act, encouraging them into the ‘right’ side of hacking as a career choice – hopefully before they make any choices which could be illegal.
We are hoping to support a post-Covid era regeneration of the Challenge, with the aim of increasing exposure to online competitions which help develop technical expertise as well as soft skills such as leadership, communication and teamwork. We are looking at introducing games that include psychometric testing, in order to identify talent without putting them under pressure – a good fit for anyone with a neuro diverse background.
Traditionally, teams from the UK have performed really well at the International Cybersecurity Challenge in Europe, and we would love to be represented there in the future to help gain exposure for our industry and cement the reputation of cyber security education in the UK as a world leader. The eventual goal for winners is being able to take their pick of the top entry level jobs in the cyber security industry, which they can then develop using the training and assessments previously mentioned here to get them into pen testing, red teaming and beyond. I hope that outlines how The Cyber Scheme is aiming to help career starters get a foothold in this exciting industry, and also shows anyone already in the industry that we are worth sponsoring so that you can get involved with and help influence our initiatives from the inside.
We have created an informative mini brochure about how The Cyber Scheme are simplifying career pathways into pen testing for anyone who wants to get started in this exciting industry – whether you are a new graduate or career transitioner, looking for some exam learning resources, need training or simply want to find out more.
Please download the brochure below and email us if you’d like information about any of our initiatives.