I’ve enjoyed a fascinating and deeply fulfilling career in cybersecurity that has taken me all over the world, and now I want to share my experience of working in what I consider to be the most fun and exciting industry out there. That’s why I held a live event to answer questions on what it’s really like to work on digital defense’s frontline. If you’re curious about how to advance in the industry or have a friend or relative who wants to work in cybersecurity, these insights from me and from the CQURE team are for you.
A problem-solver’s paradise
Before I get to the audience’s questions, I’m going to start this knowledge drop by answering one of my own – what does it mean to me to work in cybersecurity?
I consider working in cybersecurity exciting and challenging because there is a new obstacle to overcome every day. You must be prepared to face problems that you haven’t seen before, as no two infrastructures are the same.
Not only do you have to use your skills and knowledge in new ways, but you must make sure that you keep up with the latest technological advances and threats. While it may not be the easiest industry in the world to work in, it is incredibly gratifying. You can often quickly see that what you are doing is making a difference, like when you discover vulnerabilities during a penetration test or when you manage to stop a cyber-attack on a client’s site.
Besides being intellectually fulfilling, cybersecurity is about making the digital world safer. It also has a fun and creative side in which coming up with new scripts, code, and solutions is encouraged. Current regulations consist mostly of guidelines and recommendations, so you have a lot of freedom to experiment and approach problems in whatever way you think is best.
This cutting-edge industry is hugely social. So not only do you have the chance to create something the world has never seen before, but doing so will bring you many new friends. And what’s great is that you are always working with smart and creative people so there’s no sitting through dull conversations.
Finally, it’s a highly profitable industry that shows no signs of slowing down. The increase in cyber-attacks over the last few years has made this business even more lucrative, so you don’t have to worry about your financial security. For these reasons, I log off my laptop every day feeling happy.
The satisfaction factor
Q1: How do I know if cybersecurity is the right career path for me?
Like working in medicine or law, a job in cybersecurity will be interesting, difficult, but ultimately satisfying. It is fast-paced and there will be a lot of challenges but also loads of opportunities for you to grow and earn good money.
Your skills will be tested every day and continuous education is a requirement. So, you will need to read the news and know what’s going on in the field. If you are not a hard worker with a drive to succeed and you don’t want to have to learn new things all the time, then maybe this isn’t the industry for you. However, if you want to work in cybersecurity at a slower pace, you could try the more static governance side of the industry.
It can be tough, as you only have a very limited time to do your research, learn what is happening in the world, and find and test new tools that could improve your efficiency. But those of you who want a high-energy job and who thrive under pressure will get a kick out of being in a blue team or red team. You may not get all the sleep you want all the time, but you will never be bored.
A diamond in the dust
Q2: How can I distinguish myself from others in cybersecurity and be recognized?
Standing out in the field of cybersecurity starts with doing your research. Whether you want to make a name for yourself by writing some new tools, or by becoming a sought-after speaker on a particular topic within the industry, you need to know what information is out there.
There are some news portals with fantastic articles and summaries that will help you. And in every country, there is an IT club where you can swap stories and share knowledge and experience with other people. Start a conversation and see where it takes you.
Once you have built up a rich stash of knowledge and skills, the next step is finding a way to share it. You could do this through writing a blog, sharing some tools you’ve made, or giving presentations at conferences.
You could also write a book, create a how-to video, write an article, or find a fun and different way to review new tools. Another way to gain recognition could be through making a discovery. Perhaps you will find the next SolarWinds attack or earn the highest ever bug bounty by detecting vulnerabilities?
Whatever way you choose to stand out, what you offer must be unique and of excellent quality. It doesn’t have to be big, but it does have to be outstanding. My advice is to start small and build up from there. You could simply write a blog post, and since not many people are doing that, you would already start to stand out.
The great switcheroo
Q3: I’m currently changing careers. What advice do you have for someone starting in IT and in cybersecurity in particular?
It’s important to know the details of how solutions work. So, for example, you can’t just learn how Windows OS works. You also need to learn about its weak points, how to break them and so on, if you are going to give anybody good advice.
If you are entering the industry as a junior consultant who is going to be trained, then you may not have to know as much before you start. But you must invest time in studying the basics, in learning the principles of cybersecurity, which are the internals of the operating systems and how things are technically executed.
If you want to focus on Windows, then you need to read a book called Windows Internals that explains how the operating system works. This is fantastic knowledge to have because whenever something happens in Windows, you will be able to understand why it’s happening.
I recommend finding out about the different roles that people can have in cybersecurity, so you can consider what you want to do. You could, for example, work in a Security Operation Center and respond to incidents and escalate problems.
We count threats, not sheep
Q5: How do you stay up to date with all the latest security threats and still have a private life? Do you only sleep four hours a night or something?
If you work in the incident response side of cybersecurity, it’s your job to jump in and help when you get that call or email from, for example, a customer who has just been hacked.
These roles are fun and exciting, but they can make it challenging to maintain a work-life balance. So, if you like to go and disconnect, you should consider a different area of cybersecurity.
Personally, I don’t sleep a lot and that’s the way I like to operate. I only need four or five hours a night. To keep up with the news, I read Twitter and various news portals. I have favorites that I browse pretty much every day to verify what’s out there and what’s up to date. I also sync up with the team. That’s my way of doing it.
Over the past year, we’ve been crazy busy, and we all have had to space out time with our families. But we shared the responsibility as a team and took steps to get a bigger team.
Getting your foot in the door
Q6: After completing a cybersecurity degree last year I’m finding it difficult to get entry level roles. I’m thinking of doing some certifications like CompTIA, CySA+, CISSP, but can’t help worrying about the job prospects given my age (47). I spend a lot of time on hands-on hacking platforms, but what can I do to gain some real cybersecurity work experience?
I wouldn’t say your age is any kind of an issue. My advice is to be careful which platforms you use. Some of them can be quite good – we use them in our team for our education and we test things using our competitors’ labs as they have good ones – but some have too much automation. You are often shown a quick way of handling an attack without any in-depth explanation of what’s going on.
In my opinion, it’s good to take a classic step-by-step approach where you technically try to understand what kind of attack is happening and how it works, and then you try to find the appropriate tools to use against it.
To get work experience, my advice is to become familiar with internals and apply for a job as a junior in a consulting company. This is one of the fastest ways to gain knowledge as you will be thrown into the deep end straight away (which, depending on you, can be a really nice splash!).
Another option is finding a job in a SOC (Security Operation Center) where you could play a monitoring role or be responsible for identifying threats. Or you could try applying for a role at a customer site. Most companies used to outsource cybersecurity, but we have seen a trend where companies want to develop their own in-house skills. All this usually requires IT skills and you can learn the rest.
It takes all sorts
Q7: Do you need a tech background to work in cybersecurity?
There’s a relatively new role in cybersecurity called the TISO (Technical Information Security Officer). For this role, like in other C-Suite roles, the manager doesn’t have to know the technical part of what’s going on, they just need to manage it.
TISOs don’t need to know all the technical details, but they do need to know the risk to the organization. They must know, for example, the business impact of a data breach and how an attack could affect each part of the company or system. They must also be aware of things like what would happen if this system that banks rely on was down for two hours. How much would that cost in recovery time and fines etc.?
It is possible to switch to cybersecurity from other careers. I can think of one example – an independent cybersecurity consultant who works with our customers. He gained a psychology degree and started out with us in the sales team. He converted to being a techie and spent a year learning all about it.
How future stars are made
Q8: How can I help my daughter become the next Paula J?
What is most important in cyber is to work every day and to work hard. And when you keep working hard at something, whether you work fast or slowly, you always get a good result.
Cybersecurity is my passion, so I enjoy working hard at it. Anyone who is as hyperactive as me and who has the will to learn could become the next Paula.
I’ve learned that it’s important to be willing to share knowledge with other people. Although I am more of an introvert, I’m curious to find out what other people in cybersecurity are doing. It’s always appreciated. We can learn a lot from one another as we are all spending our time on great things.
Sometimes you might get negative feedback, but you also receive interesting insights, especially when you take part in conversations. Generally, the more of yourself you are willing to invest in acquiring knowledge, the more likely you are to succeed. So, get stuck into reading articles and trying out tools.
It’s not all about the tech
Q9: What is the most useful cybersecurity skill you’ve learned that you still use today?
The most important skill I have learned is to share whatever is interesting. For example, we might create new tools for a project if none exist already and then share them.
And, although it’s not a cybersecurity skill, I also appreciate working with a team of great people who are happy and not afraid to share or to admit that they don’t know something.
Q10: Is CIS worth getting?
CIS is impossible to get at entry level since it requires five years of experience.
I think that although it takes some time and effort, it’s always worth getting additional certificates. They show potential employers what you know and that you are committed to professional development. However, it depends on the job and the situation.
If there isn’t a requirement for a certificate, you can still challenge yourself to learn something new. If you apply for a job in the future and come up against a similar candidate, those extra certificates could push the hiring decision in your favor.
We’re eternal students
Q11: What strategy do you use to learn things quickly?
The more we do something, the faster we get at it. Since I read a lot, I can now do it quickly, only taking a deep dive when I come across something interesting.
At CQURE, we make sure everybody has some peaceful time that they can use for learning since it’s not an easy process. Each team member has allocated learning days every month during which they go into a quiet zone, and no-one is allowed to book them or bug them.
Q12: What other industry requires this same level of technical expertise and constant learning?
I would say medicine is a good comparison as you need a lot of education and it’s constantly changing and growing. You need to know more to be better and to be more precise.