How It Started
A few months ago, my friends at The Cyber Scheme approached me to write an article. I’ve started at least 10 drafts and have just been unable to settle on a topic. I wanted to put together some guidance on how to get into the penetration testing space, but this also presented a challenge on how I should best format the article. After another 15 or so half-written drafts, I decided to base it on my experience. I’ve been in the industry for almost a decade. Before this, I spent my school years getting into trouble in the computer labs (allegedly), and another 15 or so years working in just about every corner of IT.

I’ve always been interested in cybersecurity, or hacking, as it was referred to in the ’90s, ever since I watched the 1995 movie ‘Hackers’ (if you have never seen it, please stop reading now and watch it). The internet was still very new; it was rare to have access, and whenever you did, it was over a dial-up modem. I was the typical school computer “enthusiast”, learning to program in BASIC and “allegedly” causing mayhem on my school network. When I left school, I attended college for a short while and then took a job as a PHP developer (back in the day of PHP 3); over the years, I fell out of love with web dev, and I ended up working in various first, second, and third-line roles.
One day, around 10 years ago, I was offered the chance to visit a glorified sales presentation by a local pen-testing company. They had a room full of people and an Active Directory lab in front of everyone; they scared the life out of everyone with MS08-067, and then in walked the sales team… thinking about it, that’s a great sales technique. Following this, I was tasked with setting up my then-employer’s vulnerability management programme, with the caveat that when it was up and running, they would let me take the Offensive Security OSCP course as part of learning and development. I passed this not long after, and after a not-so-great day in the office, I rage-uploaded my CV to various job sites. Within 3 weeks, I handed my notice in and was given my first opportunity with a small and young company.
This is where it really started; with my new OSCP qualification, I was handed a laptop, given a day’s induction, and was thrown in the deep end. Everyone is different in how they learn; some spend hours doing every course and getting every qualification they can, while others prefer to be shown once, after which it’s almost an instant new skill. I fall into the latter, and luckily, I had some outstanding team members to learn from. Over the years, I got comfortable being uncomfortable, had the chance to learn a lot, and had the mentality that if I don’t know, I’ll give it a go. This paid off well, and as my skills developed, the company grew. I was promoted to Senior Consultant, Managing Consultant, and Principal Consultant. In the later parts of 2022, I decided it was time to take on a new challenge. One Friday afternoon, I sent a quick email to Pentest People, and after the Christmas break, I started as the Head of CHECK, which I held for around 6 months. Not long after the 6-month mark, I was given the opportunity to take up a role I had been working towards since the very first day many years ago: Head of Professional Services. In this role, I lead a team of 40+ very talented cyber security consultants, oversee the great work our academy is doing, and provide leadership to the Incident Response (IR) team.
Courses can teach you the foundation of some good practical skills, but the actual development comes from being on the job.
Today, many online learning platforms, university courses, and capture-the-flag environments help build your skills. These should always form part of your plan and not be the only plan. In cyber security, we tout ‘Defence-in-Depth’ as a strategy, and the same concept should be applied to your early learning.
Learning Paths
Subscription services should form the foundation layer; pick the right one with learning paths in all the different testing disciplines. Take your time, and make sure you understand what is being taught. They provide a safe environment for you to practise your skills; remember, using these skills outside of a safe environment or without the correct authorisations in place can land you in hot water.
Graduate Schemes/Junior Roles
Find a company that can offer training or graduate schemes; even if you are not a graduate, reach out to them and ask for a quick chat. Speaking from experience as a hiring manager, CVs only tell part of the story; having a passion for what you want to do will get you through many doors. Go for numbers; the more companies you contact, the more chance you have. There are companies out there right now that are doing intakes.
Stand Out
One key piece of advice, and if you take anything away from this article, I hope it is this: you need to stand out. There are hundreds of people all trying to achieve the same thing. So you must stand out, but how you do this is your choice.
Stay away from using AI for creating your cover letter or CV. If you are going to use AI, please make sure you fill in the template and do not send something half-completed.
Keep your CV to around 2 pages, tailor it for the job you are applying for, and put focus on your soft skills rather than just your technical skills. I’ve seen lots of CVs that highlight what tools people can use and where they are in CTF rankings, but have no mention of soft skills. This is very important to highlight, and if you want to impress in the interview stage, bring this topic up.
Get Comfortable Being Uncomfortable
Your first experience in cyber security will be largely information overload. I encourage you to keep notes of everything you learn; don’t be afraid to tell your colleagues that you don’t know but want to learn. Ask questions. There is no such thing as a silly question in cyber – I’ve heard a lot of strange and bizarre questions over the years, but they all had valid points.
This sums up my experience when I first joined the cyber security space. It can be a gratifying career, but you must take your time; cyber security is not going anywhere soon, there is so much to understand, and you never stop learning.