Yesterday, I left my first job. Four years in an organisation is neither a long nor short time, but it was the organisation that made me who I currently am today.
My journey into cybersecurity was different from most. I was not a 16-year-old whiz kid who conquered the OSCP. Neither was I a Computer Science, Computer Engineer or Information Systems student prior to my first job. In fact, I did Physics, which would make any cybersecurity interviewer hesitate. But I was hired out of good faith. Without said good faith, my cybersecurity journey could never have started. For that, I can only express my eternal gratitude to my first organisation.
I thought of writing my journey to inspire those who could be considering a transition to cybersecurity. This is in light of COVID-19, where we see structural unemployment happen; some industries have slowed almost entirely, making a return to the career of the past difficult, but there are opportunities in new areas such as my current industry. Others may wonder how it is like to start in cybersecurity from zero. I shall document my own thoughts; there is often no standard template in charting a life course, but only guidance.
If I had a FAQ list, on top of it would be the question on transition to cybersecurity. I always answer that it is “arduous”, but I “try harder”. To give a glimpse of how hard, I spent my first year after work reading up on basics, and my second year doing the OSCP and taking many hard knocks. All of that was willing sufferance during my free time.
I think all cybersecurity professionals need to keep learning. The cybersecurity landscape evolves in tandem with technology. One such area of advancement is in containerisation of application deployment. The rise in containerisation (e.g. Docker) to deploy applications quickly and orchestration of said containers (e.g. Kubernetes) have changed the way applications are deployed on the Internet. All of these require secure configurations, resulting in a rice bowl for my fellow cybersecurity professionals and I, to ensure said technology is not abused by unintended parties. But none of these existed before 2013, so no one can claim 10 years of experience in Docker/Kubernetes and claim they are a “team principal” (as of time of writing)! New solutions will emerge, forcing us to keep up.
How difficult is it to learn? Quite difficult, but not impossible. I spent my time fiddling with all sorts of software outside work, which meant plenty of fiddling with open-source components to understand how they work. Sometimes, these lead to interesting side-projects, such as one where I built deliberately vulnerable machines. These have been fulfilling because I could contribute to the open-source community to pay it forward to the next generation. None of what I have learnt could be replicated easily through just reading a manual, or a PDF guide. To learn, one must do. But if it is not impossible to do, it is always possible to learn.
In the cybersecurity domain, many also discuss the value of certifications. I will describe the Offensive Security series of certifications, because these are what I primarily took. Certifications are valuable on resumes because of how resumes are being scanned today for a first assessment. There is limited time to look through every resume, which means optical character recognition (OCR) technology is frequently employed to identify keywords to sort out relevant resumes for further reading from irrelevant ones.
The OSCP has become valuable, at least to show proof of willingness to learn, considering the breadth of introductory penetration testing material it covers. However, I personally found certifications valuable for the journey to learn as well. The OSCP gave me a good taste of penetration testing, especially for someone who started from zero. Predictably, my journey was difficult, failing my first exam attempt, but I tried harder and eventually obtained my certification. While the journey was arduous, it taught me mental fortitude, not just some acronyms to beat the OCR reader.
I realised what keeps us relevant is the joy of learning. But what stops us from this is often the psychological barrier, and the fear of failure. This was the greatest lesson I took away in my first four years of my career — if you never try, while you’ll never fail, you’ll never succeed either. To succeed, one must first try, and then try harder.
Cybersecurity is broad. There are people who do technical work such as reverse engineering of both hardware and software of all kinds. Others do good work in governance, risk and compliance, which are not as technically-oriented but require an interdisciplinary mind. Many people in cybersecurity, in fact, transition from other domains such as software engineering, network infrastructure and even business risk analysis. One can appreciate the breadth of cybersecurity professionals and learn from them through the different cybersecurity interest groups in Discord, Telegram and more.
The industry is still short of qualified professionals, but I hoped I have used my journey to show that it is possible to level up accordingly, from zero, and try transitioning to cybersecurity. The journey will be hard, but the community is supportive in making sure fellow cybersecurity professionals can level up.