Last year, I was interviewed by the Straits Times on the future of work. But I did not predict how many people would ask me about a cybersecurity career in 2023.
I was once in this position in 2016, after graduating with a Physics degree. Knowing nothing about cybersecurity, I somehow applied for one such job, managed to pass the interview and started my career. In a week’s time, it will be 7 years since I set foot in this industry. I am glad to say I have not decided to be a cafe owner yet.
Starting from “Nothing”
For many in traditional disciplines such as computer science, computer engineering or other coding-heavy fields, it would seem that they have a natural head start in cybersecurity. But not everyone begins with such advantages. Today, we have people who transition into cybersecurity from all sorts of previous jobs: system administrators, developers, fresh graduates, auditors, and even arts graduates. I know many who succeed in the industry even though they lack traditional (coding) backgrounds. What makes them succeed?
Setting the Stage: What Types of Jobs Exist in Cybersecurity?
While I’m a penetration tester by training, cybersecurity is broad and encompasses many different domains. Some of these include security engineering, digital forensics, as well as governance, risk and compliance (GRC).
Because cybersecurity is so broad, there is likely a job for anyone and everyone, regardless of their starting point. Even if all you know is the art of slide-making, we have a job for you (and slide-making is difficult in a highly technical discipline that intersects with business).
Where Can I Get Started?
Because different people have different backgrounds and motivations, I often speak with them before deciding on a suggestion for them.
For programming novices, I normally send them a Python course (one of my favourites, which I took voluntarily during my university days, is the Rice University set of Python courses). For others who already have some basic background in computer science or another discipline, I send them a link to TryHackMe straight away. I have also recommended other options, and they all tend to be hands-on activities.
Here is the bad news: sometimes I don’t hear from these folks weeks after sending them these links. What’s going on?
My intent in providing such courses is this: active learning happens by doing. This often leads to the fastest results, but it requires upfront commitment.
In cybersecurity, we often face opportunities to learn. Let me give some examples from real-world jobs:
- A penetration tester gets an assignment on a PHP web application. When manually testing for vulnerabilities, the penetration tester may want to identify insecure deserialization. But the course he took (e.g. the AWAE) taught deserialization in the .NET context. He will have to comb through the literature to understand PHP deserialization, such as its magic methods, because deserialization works differently there.
- It is normal to assess the value each security product brings as part of a suite of security products. But customers can substitute products for a variety of reasons (e.g. cost, integration with development pipelines). The security architect then needs to analyse the trade-offs in play, which requires an understanding of different sets of products before concluding whether the suite works as a whole.
- Suppose a threat hunter seeks to find certain indicators of compromise (IoCs) that could hint at some malware in the enterprise’s operating environment. IoCs, for laypersons, are the signs malware leaves behind as part of its signature. But some IoCs are simple to mutate, requiring us to find IoCs that are harder for the adversary to change, which quickly leads to the Pyramid of Pain. Suddenly, matters have grown complicated beyond the routine.
Thankfully, the learner has more time to deal with their learning material, but active learning is a prerequisite of success in the industry. By recommending courses that require an investment of time, I try to provide a taste of the mentality cybersecurity professionals need to thrive in the job. You may ask questions along the way, and through that iterative process, we begin the process of self-discovery. Perhaps you enjoy offensive security, like me, because ethical hacking conjures excitement. Then we can aim for the PEN-200! Or perhaps the technical material is too intimidating, but you take to risk management like a fish to water. Then we can look at the governance, risk and compliance aspects of cybersecurity, and I would be happy to toss you more reading. But the one who never tries will never be able to ask the questions that lead to self-discovery.
The Mentality of Learning and Force Multiplying
Because cybersecurity requires so much learning, a positive learning mentality is critical. This is very well encapsulated by Morten Schenk, a legend in offensive security:
“If you study this domain for next 5 years and even 10 hours every day, you won’t be able to cover everything.”
Morten Schenk (goes by @Blomster), quoted in a LinkedIn review of a pinnacle course in exploit development, done by Etizaz Mohsin.
You can’t learn everything. There are too many certifications, and there are too many new technologies to wrap your head around. But we can multiply our own capabilities by taking part in different kinds of cybersecurity networks. I have personally taken part in SANS’s complimentary Community Nights, spoken at Singapore’s very own homegrown infosec community (Division 0), and am constantly expanding my horizons. Even if we cannot be the expert at everything, we must be able to identify the expert to learn from or consult.
There Are Now Scaffolds
Nowadays, with the popularity of cybersecurity, the ecosystem also has some options to look at for a more structured programme. Some of us need a more robust structure to keep our discipline in check. Here are two programmes in Singapore that I have seen deliver positive impact:
- For those interested in technical work, Red Alpha.
- For those who prefer management work, TFIP under the cybersecurity risk management track.
As the landscape changes, I expect more players to come on board with their offerings. Some would naturally have concerns about whether the offerings they discover are in fact robust. This simply goes back to the earlier points on networks. The more people whose wisdom you can tap on, the more likely you are on the right track.
But You Didn’t Provide the Magic Answer
There is no magic answer. For me, I started my own journey because I was thrown into the deep end of the pool. I remember performing my first web application assessment on Day 4 of my job. I had some mentors who advised me as I went along my learning journey, but this was one tough ride starting from zero background.
My hope is to guide others who want to move into cybersecurity towards a more fulfilling path, since, from my own experiences, I am more aware of which doors to knock on and which doors to save for later. But there is no shortcut to going through the learning process to understand if you’ll fit. And if you do, welcome, fellow cybersecurity professional, as we join forces on Team Good and hone our “Defence against the Dark Arts” skills. 😉