Getting into Infosec/Cyber Security
My journey into cyber security/infosec.
By Sp3ctrlM0nki3
So, I’ll start at the beginning. My passion for cyber sec started in a computer lab in high school where I created my first ‘virus’. It was a little .bat virus which would remove the System 32 Folder from your windows system.
del c:WINDOWSsystem32*.*/q [1]
TL;DR
The Learning Curve
Skills loading in progress
The Wild Hunt
He shoots, He scores
Mamma I made it
Pay It Forward
Be a Part of Something Great
From there I was hooked, but unfortunately in the contest of career vs passion, career won, and cyber sec had to take a back seat – although it never left. Fast forward many years and I find myself the victim of a global pandemic [along with many others]: with the onset of COVID19 I lost my job, and the world went into lockdown. I was left with the daunting question of what to do now. I had spent most of my working career in the Hospitality sector, dabbling here and there in the IT sphere. In my previous position I was the Contracts & Negotiation Manager for a Tour company, but also IT support / Helpdesk / the IT liaison for our external supplier / Database admin as well as IT procurement. Clearly an abuse of my passion by the company, but I digress.
The Learning Curve
So, left with the decision of what to do now, I took this as the opportunity to pursue my passion of cyber security. I now had the opportunity, and this was it. I took everything I had and invested in myself, studying and learning all that I could between April 2020 and October 2020. I studied remotely and earned 14 certifications/course certifications, ranging from A+ / N+ / Sec+ / Server+ / CASP+ / CISA / CySA+ / CCNA to my CEH v10.
Tangent to my story: I did not pursue the CompTIA A+ / N+ etc. recognition certification, because during my studies I decided that I wanted to do pentesting/hacking. From what I understand, you only need to understand the networking and server concepts, but don’t really need to have the CompTIA recognition – it’s probably nice to have.
What I wanted, basically, was to break into things legally and get paid to do it. Why, you may ask? Because no system will be the same, no network will be the same, environments are forever changing and each new one brings a new challenge, and that’s what I wanted.
So, I now had certifications, what now? I had studied hard but I had no practical skills, and no way of practising either, since we only had 1 laptop in the house, and it was my wife’s work laptop. Trying to hack her laptop or messing around with potentially dangerous items could be detrimental to her business.
Skills loading in progress
This is when I discovered TryHackMe [THM] and HackTheBox [HTB]. TryHackMe was my go-to platform since, at the time, they offered a more convenient option for practising skills than HackTheBox – it could be different now, I’m not sure. I made sure I did at least one machine a day in THM to keep my skills relevant [on free only, because broke]. I nicely got my rank up and got my skill level to a decent level for any entry level job, or so I thought.
Another tangent – in the time of THM and HTB, I also discovered HackerOne and Hacker101 [for CTFs], and the YouTube channels of The Cyber Mentor, whom I had been following long before I got into cyber sec, John Hammond, David Bombal, HackerSploit and NullByte. I also learnt that I needed to re-evaluate my Twitter account to tailor it to my passion, as well as learn Discord and get involved in groups there.
The Wild Hunt
Now the real challenge was about to begin: finding and landing that first job in cyber sec – and, to make it even harder, doing it during a pandemic. I had more failures than successes in this area, but more on that later, and it was starting to feel like it was never going to happen. I had my CV on all the ‘major’ recruitment sites and I was looking for any Entry Level Job within infosec. I was searching for keywords such as: Entry Level / No experience / Minimal experience / Willing to learn / Remote / Work from home. Job titles I searched for started out like the following: Junior Pentester / Cyber Sec Analyst / IT Analyst / Pentester / Blue Teamer / SOC Analyst / IT Security Analyst. There were instances where I received some communication regarding an application, first round interviews, very few screening calls, but unfortunately I still had no luck.
I then switched up the search criteria on titles in the hope of landing more interviews. I started searching: Database admin / IT admin / IT support / IT helpdesk, because I had experience in these areas and thought that if I could get my foot in the door, I could work my way up to where I wanted to be.
This also didn’t help. I was still in the same position as before; the change didn’t make any difference, and I still wasn’t getting any interviews or callbacks. One thing I did learn from changing my search titles, however, was that I was selling myself short. If you want to be in infosec, persevere, search for that title, search for that job, go after that company and don’t deviate.
I eventually started sending my CV to companies who weren’t looking and said that when they are ready to open the doors for new people to keep me in mind. “You lose 100% of the chances you don’t take”[2]
This stuck with me throughout my journey. I figured that if I had backed myself to study and make it through that, I should back myself in my pursuit to find that job. Stats for the geeks:
Just a few rough numbers to paint a picture of how difficult it was to get into infosec, in an entry level position. In 2020:
| Metric | 2020 |
| --- | --- |
| Jobs applied for | > 180 [approx.] |
| Rejections | >= 126 [approx.] |
| Feedback [good/bad] | < 50 [from recruiters regarding my application] |
| Interviews | 17 |
| 2nd Round Interviews | 4 |
| Jobs Landed | 0 |
As you can see it was a really grim picture to the point where at the end of 2020, somewhere around mid-November, I decided to take a break from applying and searching for jobs. I then started looking at how I could stand out from the rest in 2021.
I started looking at how I could make myself more marketable, and also started asking people in the industry what I was doing wrong and how to go about getting noticed. I reached out to a few people in the Twitter sphere and, I will be honest, very few came back to help. One person who did help me was 4n6lady. She asked for my CV at the time and took the time to give me a few pointers on how to tailor my CV to promote my skills, the platforms I had been using, tools and experience, to help me land that job in infosec.
With her advice and the help of my wife, I modified my CV, highlighting my skills and all the tools that I had been using, the platforms that I had been practising on [THM and HTB], and the communities that I belonged to.
I also took the time to learn a programming language, as this would make pentesting easier going forward. I started a few Python programming courses in the beginning of January 2021 and finished all 4 courses by the end of March 2021.
So, with a revitalised mindset after my December break, a new look CV – modified to catch the eye of the right recruiter – and a few additional feathers in my infosec cap, I was back on the prowl and looking for the right job.
He shoots, He scores
My job hunting began with new vigour and new hope. My CV went out and I set alerts for myself on the various platforms, so that as soon as something new went live I would see it immediately and apply.
It was slow in the beginning, but I eventually came across a status post on LinkedIn saying they were looking for consultants who wanted to get into infosec – little to no experience required – and that they would be willing to help with certifications if you had none.
I thought: this is it, if I can’t land this then I need to really re-evaluate what I’m looking for and where I want to be [I’m sure some of you have hit this wall before]. I sent my CV, had an interview, and waited a very long time – almost an eternity – for feedback, any feedback really. And I got the job as a contractor for 6 months with the company, as a cyber security consultant – which evolved into a 12 month contract [currently in progress] with Infosec Consulting ZA.
The company has since grown and we now have 6 consultants in total, with varying levels of experience ranging from 0 to 20 years, some with certifications and some without. The CEO/Director of the company, Bevan Lane, has lived up to his promise of helping you with certifications: I am now an ISO/IEC 27001 Lead Implementer, certified by PECB. My next ambitious step is to get my OSCP and, if I can, to create a little pentest division within this company.
Mamma I made it
I’m happy to have made it into infosec. It’s a tough industry to get into, and the strange part is – it’s a known problem. After getting into the industry, somehow my social media channels knew I had made it in, and I started seeing posts about how tough it is to get into cyber sec/infosec.
Posts about the ‘gatekeepers’ of infosec and companies searching for candidates who could do it all, had it all and were willing to take home less than what they were worth. I couldn’t believe what I was reading, but I could relate, because I went through this.
I understand that HR won’t always know what to look for or understand the terms, and that sometimes job ads are just cut and paste, but it shouldn’t be so hard. I have also heard of recruiters who, when reviewing a CV, use CTRL+F to search your CV for the keywords they put in the job ad, and if they’re not there you get ‘tossed’ to the side, never to be looked at again – unless they are desperate.
I’m not saying companies should take anyone, but at least give the CV a proper review, and if the candidate doesn’t have what it takes to be in your company RIGHT NOW, give them constructive criticism/feedback.
I would have loved it if someone had told me what I was doing wrong in my applications, or what areas I needed to focus on to stand a better chance of landing that interview. So here are my tips to you:
- Modify your CV to highlight your skills:
  - Tools – Nmap, Wireshark, Burp Suite etc.
  - OS that you are familiar with – Windows / Linux / macOS
  - Platforms you are familiar with – THM / HTB / Hacker1 etc.
- Learn a programming language, enough to be able to read code and understand at least 80% of it, and add it as part of your skills.
- Put the important things first: credentials should be on the first page of your CV, along with the items I have mentioned.
- Put your most recent duties, from your previous or current job, on the first page as well – recruiters will want to see what you are doing now rather than what you did. You want to hook them with your CV and, once they are there, they can read the rest.
- Ask someone who is in the industry if they would mind reviewing your CV; try for someone who has a position you want. Don’t be discouraged if you don’t get a response, but don’t stop asking.
- Highlight your expertise, list the things you’re good at – this is the time to boast about how good you are in certain areas.
- Don’t lie on your CV, a very basic tip but also very important – if you can’t do something, be honest and say so. It shows integrity and that you are aware of what you need to work on.
- Do your research on the Colleges/Institutions that you’re thinking of using for your studies; not all of them are accredited or recognised by any specific body.
Do all the above and keep applying; it will eventually happen for you like it did for me. It’s easy to say this now, sitting on the other side, but I went through countless applications and endless rejections [I’m currently still getting rejection emails from companies I applied to last year]. All I needed was someone to take a chance on me, and someone will take a chance on you.
Footnote
I would like to give a shoutout to all the people who helped me, in their own way, to get here.
Leigh Botha – Director of L&S People Solutions
Bevan Lane – Director of Infosec Consulting ZA
4n6lady – Twitter contact who helped me with insight into getting into the industry.
You all made it possible.
Thank you for reading to the end, but before you leave take a moment to check out the below; you’ll thank me later.
Pay It Forward
If you have the knowledge and skills but need that extra boost to get certified, then check out this blog: Hack South is giving away a limited number of PWK vouchers.
Be a Part of Something Great
If you want to be part of a growing community of Hackers / Tech Enthusiasts / Tinkerers and all-round great people, then join the Hack South Discord.
[1] The code is for reference and educational purposes only, I take no responsibility for the malicious use of the code by the reader.
[2] This is an adaptation of Wayne Gretzky’s “You miss 100% of the shots you don’t take.”