Stepping into Cyber - My Story
Because "Breaking into Cyber" is overrated. :)
Anyone with a LinkedIn profile and interested in the Cyber security industry would have come across a post with a statement such as 'How do I find an entry level role in Cyber security' and more often than not, the reply in the comments section is 'Cyber security is not and entry level job'. Some argue, that there are always ways to enter the industry such as undertaking an IT help desk job and others will say that there are entry-level roles, such as junior or apprentice (they're just few and far between). As someone who did neither, I thought I would share my own experience with landing that first role as a mid-level Penetration Tester in the industry.
My background has been very much learn what you can from where you can. This journey of self learning started from a very young age. Malcolm Gladwell said it takes 10,000 hours to learn a new skill, however recently Josh Kaufman disproved this theory stating that it takes 20 hours not 10,000. I am by no means saying you can learn cyber security in 20 hours maybe just not as much as 10,000. When someone asks me what is takes to land a job in cyber the answer is passion, (more passion, more energy) you may be rolling your eyes and thinking cliché but it's true. Cyber security no matter what the role, is a rabbit hole deeper than you can ever imagine. You have to have the passion and interest to engage in the subject and tumble down that rabbit hole faster than Alice.
Back in the early 2000s my teenage years were spent in my room on the computer but back then there weren't so many social media platforms like Twitter(X), Facebook, TikTok, it was internet relay chat (IRC) and that's where I became interested in Cyber and the possibilities that it posed. Of course, at that age it's not the security side that interests you as the chat groups were commandeered by Black Hat hackers, in a way as a young teenager it was like being in a room full of grown-ups talking about things kids shouldn't hear, and I was there hiding in the darkness of the chatroom, invisible, listening.
That was where I learned about security vulnerabilities, what they were and how to exploit them which is what others seem to be doing and on a mass scale for fun at that. I also learned how to secure vulnerabilities as when a hacker got hold of a server, they wanted to secure it and protect it from other hackers, this double-sided sword taught me the basis and fundamentals of Cyber security just not in the traditional sense.
Growing up in Romania we didn't have access to as much as other Western Countries, so I spent most of my time online and for years that is what I did. I quickly learned various sides of Cyber security, my love for Linux terminals was set in stone. I travelled to several countries such as Spain, Greece, Germany where I resided for several years but wherever I went so did my computer (and internet connection however stable) enabling me to have one foot in the virtual world no matter where in the world I was.
You're always told that if you want a career you need an education. Be that in the form of a college Diploma or University Degree. I chose the latter. I will admit this is the only reason that I went to university was for a job. For me university wasn't stimulating as what we were being taught I already knew, I was for the most part going through the motions. My real cyber education was at home, doing what I did best, learning on my own.
Hungry in my quest for knowledge I was on every platform you could imagine. Try Hack Me wasn't as challenging so I tried Immersive Labs and then Hack the Box. This is where I obtained Guru level, top 10 UK and top 50 Worldwide. The novelty of solving challenges soon wore off and I was ready for experiencing real world vulnerabilities.
Vulnerability disclosure programs are fantastic, companies allow testers to test their web applications, external infrastructure and disclose anything they may find. I started doing disclosures for the top companies and organisations in the world, however it is very easy to step over the line and this can become problematic. You may ask yourself, why? Well, because it's very easy to step out of scope and wonder into areas that are not part of the vulnerability disclosure program.
I loved the real work experience and wanted to continue, and for that I joined Synack (SRT). I feel the combination of the three is what ultimately landed me my first role as a Cyber Security Consultant (Penetration Tester).
Try Hack Me paved the way for Hack The Box and Hack The Box helped with passing Synack's vetting process. Synack is where I gained some real world experience, In my opinion, some of the best penetration testers or red teamers come from a bug bounty and black hat background. This is because they have a different way of thinking. It takes a creative and infinitely curious mind to figure out new ways to break into a system, bypass security mechanisms, or use known vulnerabilities in novel ways. This is particularly true since the obvious ways into a system are undoubtedly blocked first.
While creativity is undeniably vital in hacking, it doesn't stand alone as the sole mental attribute ensuring success. In reality, there's a distinct trait that sets accomplished hackers apart from the less skilled.
That crucial attribute is systemising, or the ability to build systems and understand them. As per research in Frontiers in Human Neuroscience, a positive correlation exists between systemising and general hacking skills. This correlation frequently leads to a comprehensive grasp of systems extending beyond those confined to computers. For hackers, mastering this trait is of paramount importance.
Synack and other bug bounty platforms can enable you to test your skills on real world organisations and gain experience. I spent a month getting used to their processes and submitted several vulnerabilities for which I got paid almost instantly. Going through this process also taught me the importance of staying within the scope of a program to precision and writing high quality reports showing the risks posed to the organisation. I would also say that writing blogs helped, this may seem insignificant, but blogs are becoming more like portfolios of work rather than Dear Deirdre. When you have to explain to an audience you have to know the ins and outs of the subject to a high level. This became home to all the vulnerability disclosures I completed and articles relating to interesting finds. I often notice job seekers struggle to land a job in Cybersecurity because they don't have experience. You just have to find your own way to showcase your skills to a potential employer and by this increase your chances of getting employed.
Believe it or not this article was meant to be about my first two years as a Consultant in Cyber Security (Penetration tester), but as you have read it turned out more about my journey and landing a full-time Cybersecurity Consultant job with no prior experience or certificates other than what I've discussed above.
Last words of wisdom, please don't set up your LinkedIn profile the day after you graduate. Network, share your knowledge, and so on – long before you're ready to look for a job.
Have you got any suggestions or questions for me ? Get in touch!
Thanks for reading my article, until next time!
Your friendly neighbourhood Hacker.