How to break into cyber security…
The topic of ‘how to break into the cyber security industry’ is one regularly discussed, with the pros and cons of various qualifications and accreditations weighed up, and the merits of apprenticeships versus ethical hacking degrees questioned. If you were to ask several experienced security consultants, you’d likely receive several very different opinions to the best route to take, the most valuable qualifications to list on your CV, and the vital online tools to develop your cyber security knowledge and skills. So rather than adding to the already murky pool of general advice, I thought it might be more useful to describe what we (Pentest People) look for in CVs, what makes a candidate stand out from the crowd in interviews, and the common traits we’ve seen in consultants who have quickly built a successful career.
We receive a lot of CVs. Candidates from all corners of the globe send their skills, employment history, and cover letters, and we take the time to read and reply to them all as best we can. The problem is that CVs are all very much the same, the majority containing time honoured clichés such as the classic, “I work well individually or in a team”. Consequently, we look for key pieces of information that could help us to narrow the field.
Certain qualifications immediately stand out, such as the Offensive Security and CREST accreditations, both highly regarded in the security community and offer assurance that the candidate has some ‘practical’ knowledge and experience in cyber security. However, there are other key types of information that we look for, most of which can be grouped into three main categories:
We strongly believe that a solid understanding of ‘the basics’ is paramount. This may sound obvious, but we’ve spoken to many aspiring Web application testing candidates that struggle to answer basic questions about HTML syntax for example, and infrastructure focused candidates whose eyes glaze over when asked rudimentary subnetting questions. In our experience, the best infrastructure testers come from sysadmin and networking backgrounds, and the best Web application testers from software development roles. These individuals have knowledge and experience in the underlying concepts and the foundational technologies and languages. This gives these candidates a significant advantage. The various tools and techniques for security testing can be taught far easier when the trainee thoroughly understands the underlying technologies. This isn’t to say that we’re looking specifically for sysadmins and software developers, just that evidence of knowledge in ‘foundational’ technologies and languages is extremely important, and therefore something we look for in a CV.
Building, Breaking, and Fixing Vulnerable Systems
If you want to truly understand a vulnerability, you really have to build a vulnerable system yourself, exploit the issue, and resolve it. This is what our experience has taught us time and time again. This ‘insight’ into vulnerabilities is what we expect from our consultants, and is the basis for all our training. Therefore, any CVs that show evidence of having built vulnerable Web applications, hosts, or networks, stand out from the crowd. These are candidates that have a passion for understanding how systems work from a low-level perspective, so as to better understand how they could be broken. Additionally, identifying and demonstrating to how to actually resolve a vulnerability is important. Some of the best consultants are those that can discuss remediation plans with confidence, and not just how they breached a system.
Active in the Community
Being active in the security community, attending conferences, publishing blogs, building Github account content, and presenting at security events, all demonstrate that the candidate has a true passion for the industry and desire to raise their profile. Anything that we can view online ourselves is likely to draw our attention more effectively than just the typical LinkedIn profile information.
Interviews can raise the heartbeat and blank the mind of most people, especially if they include a practical assessment or gauntlet of tricky technical questions. However, in our experience, doing well in these tests doesn’t necessary secure a position. Some interviewers certainly will focus on technical skills, but others may be more interested in cultural fit, whilst others may rely on a ‘gut feeling’ for whether a candidate will be an asset to the team. Despite the focus of the interviewer, there are similarities that we’ve seen in successful interviewees, such as:
Backing it up
Candidates that do well in interviews are often those that can talk confidently about anything they’ve written on their CV. If the list of skills include a fairly broad topic, such as ‘Vulnerability Scanning’, then the candidates that shine are those that can explain not just the concept, but can relate it to a previous job role or personal project, and also explain how they intend to improve the skill further going forward. A common pitfall is to include a broad topic, but then only be able to describe use of common associated tools. Therefore, great care should be taken when listing the key areas of expertise.
A Genuine Passion
If a candidate has a true passion for cyber security, then it will come across in an interview quite naturally. These are individuals that spend their free time developing their skills because they genuinely find it fascinating, they live and breathe security, and the thought of being paid to continue that is truly fantastic. These are just the kind of candidates a company wants, people who will bring enthusiasm to the team.
Bringing Something New
An effective team needs to have workforce who Brin with them a range of perspectives, approaches, skills, and knowledge. Therefore, any candidate that has researched the business, understands the industry, and confidently explains how their specific skillset could expand the portfolio of the business will have a significant edge.
We’ve seen many consultants build wonderfully successful careers in cyber security. Some are happy on the road, helping clients improve the security of their infrastructure and making a real difference, whilst others feel a calling to train, build teams, and become leaders by example. Whatever the long term goals, there are certain traits that we have identified to be common to those consultants that have been truly successful.
A Team Focus
Being able to work well in a team is undoubtedly a good quality. However, there are many great security consultants that feel far more comfortable working alone, and still do a fantastic job. We believe that it’s not about how well you work in a team, but rather the extent to which you have a ‘team focus’. The consultants that do particularly well in their early careers are those that work on projects that benefit the entire team, those that share the information they’ve gathered, offer to help whenever they can, and encourage other consultants to shadow them. These are people that progress naturally into senior roles, and quite often into management to lead their own team.
The speed at which the cyber security industry moves means that consultants need to develop their skills in response to new threats and technologies. Most are working on some project, learning a new coding language, or testing out a new tool. The consultants that have stood out though, are those that tirelessly work to identify their weaknesses and hit that subject area hard until they feel confident, then they move to the next. It can be good to specialise in one area, and being a ‘Jack of all trades’ can sometimes have its downsides. However, it’s extremely important for a security consultant to have good grounding in as many areas of security as possible. It can give them greater insight into any given problem, and the confidence to approach a security issue from many different perspectives. A common example is a consultant confident in both Web application and infrastructure testing, often the first choice for Red Team assessments where multiple approaches may need to be considered.
The Non-Technical Skills
The non-technical skills needed to be a good all-round security consultant are something that catch out a lot of security graduates and juniors. The reality is that at least a third of a consultant’s time will be spent writing a report for any given assessment. So those that struggle to write good formal English tend to run into issues that are often difficult to resolve. However, more significant are the ‘soft’ skills needed to actually be a ‘consultant’, i.e., to consult with a client effectively and work ‘with’ them rather than ‘for’ them. The consultants that progress quickly are those that touch base with clients before, during, and after assessments to discuss the elements of the testing and the results. These are consultants that take the time to prepare and deliver thorough debriefs, and with the most appropriate level of technical detail for the audience. These consultants spend time understanding the client’s drivers for testing and the specifics of their environment, tailoring the assessment to their needs and therefore providing far greater value. In our experience, these are the consultants that clients specifically request to perform their next assessment, and are exactly the type of consultant that Pentest People look for when recruiting.