Mapping a Career Trajectory in Cyber

I see a lot of discussion around new people breaking into cyber-security. I thought it might be helpful to outline how I did it. It may not all apply still, but at least some of it does.

1.) Take a job in IT, any job. Help desk, sysadmin, network eng. This will give you a foothold in some basics of how things work and exposure to tech.

2.) Read all the forums, papers, books you can get ahold of. Blackhat, Defcon, Phrack, Fravia, +ORC, Uninformed. A lot of those are old but still valuable.

3.) Learn as much as you can of: scripting, programming, networking, OS internals, development processes, debugging.

4.) Build a lab. Learn virtualization. Then you can build the thing and attack the thing. Get good at mocking up targets: Apache, MySQL, web app, Windows Domain, etc. Download, build, and practice with all of the tools. Learn to implement the malware, attacks, and tactics of attackers.

5.) Put in the hours. I would do ~8 hours day job in IT and then 4-8 hours on the above, usually after the family went to sleep.

6.) Learn to document what you are doing clearly. Build how-tos and step-by-steps for your experiments that are complete enough for others to follow.

7.) Start coming up with your own tools and techniques. Leverage the documentation in 6.) to write white papers.

8.) Submit your papers to conferences and speak as much as possible. Blackhat and Defcon are the big ones, but any of them are beneficial when building your career. This allows you to network and get your name out there.

9.) Convert your tools, techniques, and step-by-step processes into training classes. Give those classes at conferences. This allows you to meet people, spread your knowledge, and often get contracting opportunities.

10.) Find a place to chat with other security people. Slack, discord, IRC. Make friends and connections that way, avoid drama.

11.) Find a mentor. I really struggled with this one. I had a few here and there for certain areas but never really found someone.

12.) Realize when it's time to back off from conferences, and don't get too caught up in the parties, etc. Don't feel obligated to spend every minute "in it". Don't spend all your time trying to "sell" to other infosec people. It's the other industries that actually need your help.

NOTE: Be very careful with media. I've been interviewed by Forbes, Wall Street Journal, Washington Post, etc. and they always got it completely wrong.

13.) Decide if your trajectory is individual contributor, manager / architect, entrepreneur, etc. and plan / focus accordingly. I played around with all of these and ended up preferring working for myself doing very specific projects. Try out big established companies as well as startups.

14.) Subcontract and consult. This exposes you to many different environments and personality types. I tried the gamut from pentesting, IR, standards, breach assessment, devops security, product security, enterprise stuff, cloud. Specialization is cool, but having the big picture is invaluable.

15.) Find an apprentice or someone you can mentor and pass it on.

Communication skills are critical to this development. I have a phrase:

"If you didn't document it, you didn't do it".

You have to be able to communicate what you are doing to multiple different levels of audiences. Also, understand how your role supports the roles you are communicating to, such as decision makers and IT staff.

When I started doing incident response and reverse engineering I would hand management a 40-page report full of assembly code, screenshots of debuggers, call graphs, etc. They could not use it and did not read it.

I learned to create a 1-page memo with bullet points that cover:

- Key items they need to understand (and that I knew they cared about)
- Risks and outcomes
- 3 or so options for decisions to make

If they wanted additional detail they would ask for it. This was a game changer. The sysadmins got a different report, 5 pages or so, summary evidence proving what was going on, technical options for configurations, changes or alerts, etc. In this way I gained actual influence over major decisions that impacted organizations.

I had a co-worker who was smarter than me, had a graduate degree in CS, and had much more experience than I did. I rapidly passed them in position, compensation, and opportunities because they could not communicate as effectively.

The Takeaway:

Spend as much time as you can learning written and verbal communication, how to speak in a board room, and how to assess what information to give to who, when. This skill set is as critical, if not more, to your success as your technical chops.