Hawl! Gonny Gee Me a Puddy Up?!
How to actually get into the industry. An explanation of different topics to better aid you in getting in. Some hints and tricks from Andy Gill about his journey.
It's been a few months, and I've not tweeted or posted any blogs, but here's one for you to help out!
'Puddy': when you stood on someone's interlaced hands, and they gave you a wee shove to gain access to lock-up roofs, high walls and the like to retrieve errant footballs etc. Or, in 'English', giving someone a hand up, giving a leg up etc.
You may be reading this right now and wondering What is this post actually about? Why would I need a leg up onto a roof?! Or What is this gent even on about??!!
Well, simply put, I want to help further your journey into the information security industry. I want to grow the industry and educate you all with my experiences, take you through the good and the bad: the 'gotchas' and the 'oh f*ck' moments and everything else in between.
At the time of writing, I've now delivered a few talks on how to get into the industry and some tips surrounding how I got to where I am. I have previously written a post just over two years ago about How To Get Started. I want to start this again and try to give helpful, useful advice on what I have found works for me and what has helped others. Understand though that it might not work for you as there are seven billion versions of ordinary on this tiny blue dot.
Learning From Delivering Talks
To date I've delivered around fifteen public speaking talks all following a similar agenda of breaking into the industry. Here are some of the most common questions I've been asked:
- How Did You get into the industry?
- What should I be looking at to learn more?
- Do I need to go to Uni?
Taking some time to answer these questions, hopefully they help you get a leg up into the security industry.
How Did You get into the industry?
I got to where I am today by taking chances and learning new skills. Essentially I did three things: attended conferences, self-taught some topics and started a blog to write about them. My blog has gained a lot of traction in recent years since I started #LTR101; it has helped lots of people get into industry and sparked an interest in security for many too.
My path followed me applying to university and falling short by failing at school; I literally failed every exam I sat at school. I took this opportunity to go to college instead and started a HNC (Higher National Certificate) in Computer Networking. This taught me the basics of computer networking and gave me an insight into how infrastructure security works. I thought I'd have another go at the whole uni thing, and after a year at college I managed to get into second year at Glasgow Caledonian University studying Digital Security, Forensics and Ethical Hacking.
Following my degree I got involved with the Cyber Security Challenge, who invited me to take part in their Cyber Camp in Glasgow. This gave me a better insight into the real-life flavors of security. The event took place over three days and took me through digital forensics, security in business and actually hacking things! I got my feet wet in hacking on SANS Netwars, which made me want to do it as a job.
Fast forward and I left Uni with a BEng and proceeded to start as a junior pentester in industry. The rest is history, and here I am now writing about how you too can join the ever-growing industry!
What should I be looking at to learn more?
The answer to this depends on a lot of factors; primarily it depends on what you're wanting to do and see yourself enjoying more. Maybe blue-team might be for you as you enjoy malware and forensics, or maybe you're amazing with Wireshark and carving out logs, or you might be like me and enjoy taking things apart, so pentesting might be for you. There are so many different areas of security these days that there is something for everyone; there will be something that piques your interest somehow!
In terms of learning more, pick an area that interests you and go read about it. My primary focus over the past few years has been pentesting and I've started looking more into threat intelligence. To learn more about pentesting I'd recommend checking out the posts on this blog as a starting point, then maybe pick up a copy of my book. Following this there are a few more books I'd encourage you to read and some sites to check out and have some hands-on fun with. These are:
- Metasploit: The Penetration Tester's Guide
- Hacker Playbook 1,2,3
- Learning The Ropes 101
- Web Application Hacker's Handbook 2
Where should I start?
Following on from what to look at to learn more, there are some necessary steps you can take to try and jump-start your progression into this world. These are my top three tips for starting:
- Go to conferences and local meet-ups to meet folks who are like-minded and expand your social, professional network (no, this doesn't mean having a million connections on LinkedIn!). Speak to people; if you're a student, get some business cards made up with your email and name on them, maybe even include your blog?
- Start a blog, write up about projects you're working on and some write-ups. This does a few things for you: 1) it allows potential employers to see how you write and learn more about your interests, 2) it serves as a reference guide for you in years to come, so you can reference write-ups and help others and yourself, and 3) it can allow you to try new projects and things while keeping track of them.
- Do capture the flag and problem-solving-like challenges to better build your understanding of topics and subject areas. Doing so will allow you to feed content into your blog too and again expand your horizons.
Do I need to go to Uni?
A simple answer, No. There are many, many paths into industry, Uni isn't the be all and end all. A lot of pentesters and professionals alike didn't go to uni!
Matching Technical Skills with People Skills
The next section explains how it is not all technical. In security some roles are 100% technical and you can spend your time hacking all the things. However, if you want to move into pentesting, you'll need to have some form of people skills to marry up with your technical ones. The main reason for this is you're not only a hacker as a pentester but you're also a consultant, and being able to articulate issues to clients is a crucial part of the job!
In addition to the requirement for work, it is also advantageous to practice good people skills for making contacts in the industry. As much as it pains me to say this, it is not only what you know, but it also helps who you know, so get along to meetups, conferences, talks, exhibitions or anything similar and actually TALK to people!
Starting Your Journey
Now you've read through this post; hopefully, you're a little wiser than you once were. Maybe even have a better idea as to how you're going to approach things and speak to people. Good luck out there!