
Paths to a Job in Security

BSidesROC · 25:07 · 24 views · Published 2025-03 · Watch on YouTube
Category: Career
Style: Talk

About this talk
No one takes the same path to their dream job. In this talk we will cover three people who took different paths to their current jobs in information security, showing that there is no single way to get into the field.

Transcript [en]

Good. All right, folks. How's everybody doing? The last official talk of the day, and then Kathy's closing remarks, for which I expect to see everybody there, because she's put her heart and soul into this. All right, so a quick one on this one. Chris Ming is here. We're going to have a conversation about a path to a career in cyber security, which hopefully we need more people in here. So spread the bloody word, because I've had a whole bunch of people come up to me today and go, "Hey, how do I get in?" And we've had long conversations about how to get into the industry. So go for it. Chris is CTO over at Alchemy Core. Working in 10 years. That's it. I thought more in security. Yeah, it is more. It is more. I was going to say you've got an IT background as well. So yeah, listen up. Lots of experience on this one. A whole bunch of other things within the industry. Bunch of good tech stuff. Hence the coffee of the conversation. And when not dealing with our industry, hopefully you're probably doing better than most of us by dividing your time effectively between friends, family, and everybody else. Cool. So, without further ado, please everybody give a warm welcome to [Applause] Chris.

All right. Thank you, everybody. This has come up because, as Chris said, people have always asked me, how do you get into the field? I actually got a Facebook message from a guy I play basketball with last week. How do I get in? What do I do to make some quick money on the side? So it just fits right into this. We're going to go through three people in here. One of them is myself. So on the intro slide, you're not going to learn too much about myself other than what Chris just said. I'm going to try to keep it conversational. I want to be engaged. If you guys have questions, go ahead, feel free to ask, and we'll go from there. So, I'm a father. I've got three kids, two boys and a girl, and my wife. I enjoy coaching basketball and camping. As Chris said, I do a lot outside of cyber security. That was not necessarily the case when I first started in my career. I definitely had to learn that purposely. Like I said, I'm not talking about mine just yet, because I'm one of the people, and then we'll see if you guys can guess which one of the people at the end is me.

All right. Well, let's get started. Questions to ask ourselves. Do you need a degree in cyber security to get into cyber security? I get this question all the time. And my answer is, do you want to spend four years in school learning about it, or do you want to learn about it on your own? It's up to you. You can really take whichever path you want. A degree can help, but it can also delay getting in, meaning you have to work in fast food or some other career while working yourself through it. Another one up here is, what do I want to do? When I get asked how do I get into cyber security, I ask people, what do you want to do? Do you want to break things? Do you want to analyze things? Do you want to learn about malware? Do you want to write policy? Are you into compliance stuff? It's just such a broad field that you can do so much. So "what do you want to do?" is a question we need to ask ourselves when we're trying to figure out where we want to go in our career, because eventually being a jack of all trades, master of none doesn't work out for anyone. You get pigeonholed, and then you end up being good at it, and then it just doesn't work out.

Do you need help desk before getting into a job in cyber security? This is a debate that I have with people all the time. I personally don't think you have to work help desk in order to get into the cyber security field. There are other ways and other areas to get in. Do I think that having a help desk background could help you? Absolutely. Could it accelerate your career? Sure. Is it necessary? I don't think so.

What can you do to get into cyber security? Well, you can go to school. You can train yourself. You can attend conferences and trainings like this to learn more. You can read books. You can do labs. You can do CTFs. You can go online to free training programs. There are many things like that out there for you to get in. You don't specifically have to go to college or work at a help desk in order to actually get into the field.

What is an entry-level job in cyber security? I can't define this, and I don't think anybody in here probably can either, because on LinkedIn, when you look up entry-level positions, I looked up one the other day. They wanted a CISSP and five years' experience for the job. I'm like, you have to have 10 years of experience before you can even apply for that certification, and actually know somebody who will sign off on it for you. So entry-level jobs to me are your SOC analysts, your junior pentesters, your low-level analysts that, if they have to, can escalate something up or ask somebody in a senior position to help them answer a question or help them along.

So, person one: no degree, right? They didn't go to college. They didn't do any school after high school. They worked 15 years in B2B business sales for Verizon, a mobile carrier, doing just that. They were a pentester. They got a job after that as a pentester at Acuant. And now they're on the red team for Accenture. And in conversations with this person, they've hacked some big coffee places. They've done some other big pentests on other places as well. So this here leads to my "do you need a degree?" No. This person took the route of going out on their own, studying networking, finding internships to gain that experience, started as a junior-level pentester, and worked their way up to now being a red teamer on the Accenture team. This person I look up to whenever I have a pentesting question. So again, I'm just reiterating there's not one specific way that you have to go in order to get into this field. The certs that this guy has are the OSCP, OSCE, and the OSWP. Obviously, when he got into the industry, they were the top of the line, cream of the crop. They still are. And if you have these on a resume, and it's a technical person hiring, you're more than likely going to get through the technical portion of it to speak with the team. If it's HR, you're probably going to see a Certified Ethical Hacker request on that job ad.

Person number two: Airborne Infantry, five years in the Army. Army National Guard, administrative specialist. Bachelor's degree in information technology. Worked help desk level one for a couple of years, cyber security specialist for three years, information security administrator for another three years, and cyber security operations lead is his current job. So here again, a different path. He ended up with his degree for free through the GI Bill. We worked together at an MSP for a while. When he was at the MSP, I was the information security administrator, so I helped him along, mentored him, showed him what he needed to do, what he should learn, those kinds of things. I eventually left; he took over as the cyber security specialist. These again don't necessarily have to be in any order. These are just showing the path that these guys took to their career and how they got to where they are currently today. Today he loves his job. He's in a middle management position, which is really where he excels. Not 100% technical, but not 100% management either. He still gets to get his hands dirty. We communicate often, and like I said, he's now the cyber security operations lead for a hospital in his area.

Person three: vocational school through high school, taking computer technologies. Associate of Applied Science in computer information systems. Network technician for two years, network administrator for three, information security administrator for five, senior security engineer for an MSP for three years, senior security engineer internal for a large marketing organization for three years, and a lead security engineer currently. So this person was IT from the start. This is one that got out of high school, continued to work through it, and just continued to make the progression from IT eventually to move into cyber security and continue to grow their career from there. These are the certs that this person has as they worked through their career, using on-the-job training and not having to pay out of pocket for any of these.

So, real quick before we go any further, because I said I want to keep it conversational, anybody want to guess which one I am? Go ahead. That one. Yeah. Yeah. Yeah. I'm the third. I was lucky enough to graduate early from college and got a job as a network technician for a local healthcare organization, and did not have to wait to get into the career field, which helped accelerate my career. I know not many people get that lucky. So I'm thankful for the opportunity that I got, which helped launch everything. Any questions? Yep. Go ahead.

[Audience question: You have, like, college and your workplace for those certifications as well?]

So I didn't pay for any of those certifications. Yeah. So my first four years, I worked as the network technician and the network administrator. Those jobs didn't have any on-the-job training. Well, it was on-the-job training, but not paying for certifications. So when I went to the MSP, that was where they wanted to use, you know, "hey, we've got this magnificent depth of bench for our engineers." So what I did was I took advantage and said, I need this certification, that certification, and the next one. And then I took them all, and eventually they're like, oh, we want to get into cyber security. That's when I took my SANS course and got my GCE. And then from there I just continued to accrue other ones through whatever the allotted amount was for the company. So if your company offers on-the-job reimbursement, or they'll pay for it, take advantage of it. Don't let it go to waste, because it may not be beneficial to your current job role, but if you can tie it to your current job role, it can help escalate and move your career along a lot faster. Because even though I was taking the Security+, I was using it as, oh, I'm going to secure these servers, not necessarily networks, access points, and stuff like that down the road, or doing code analysis or anything like that. But having that Security+ helped me get interviews for other security engineering positions, and then I just continued to build on that. So always use that if you have the opportunity. Any other questions yet? No. All right.

So, questions that I get asked. We talked about this a little bit earlier. What certification do you need to get started? You don't need one. You don't have to have one. You can do a lot of online learning. You can show, you know, in a home lab that you're working on certain things. If you have an interview, you can get it. A lot of job ads have a certification in them, so they help you get through the automated resume readers. I still get dinged because I don't have a bachelor's degree. So if there's a job that says, "Do you have a bachelor's degree?" and I say, "No," my resume probably doesn't even get to the recruiter, because I don't have a bachelor's degree, but I've got plenty of experience to be able to do exactly what that job says it needs. So you don't need a certification to get started, but if you wanted one, your Security+ would be where to start. It's vendor neutral, low cost of entry. For cyber security specifically, TCM Academy has some good ones that are free out there that you can take to work through. I'll have some resources at the end that are just things I've used for training, and one of them is also a certificate. The link on the bottom is to a certification road map so you can figure out where you actually want to go for your career, and there'll be certifications kind of stacked up. Yep.

[Audience question: If you're trying to apply for a job, could you address the HR department and try to email them directly with your resume instead?]

So you could do that, but what I tend to do is I'll tailor the resume specifically to what they're asking. So they may have their keywords set to EDR or SIEM or things like that, and they may want to see, hey, if they don't have a bachelor's, we want three other words in there. So if you tailor it to the position, you still may get past not having a bachelor's degree, because you could have other words in it. So it's all how they define their mechanism for actually reading through the resume.

What training should you take? Again, this depends on where you want to go. You know, if you want to start with pen testing, try TryHackMe. TCM Academy has got the PNPT, which is competing with the OSCP now. You've got other ones out there. Burp Suite's got stuff if you want to go web app. Blue Team Security's got the BTL1. There's all different types of certifications for where you want to go in your career if you specifically want to go a certain way. I can't tell you where to start. You have to know; you have to research it. A lot of people that are coming out of college are like, "Can you tell me what to do?" I'm like, "I can help you." One thing my mentor did, which was the guy who was at Accenture, was if I'd ask him a question, he'd send me a link. I'd click on it and it would say, "Let me Google that for you." So I learned very quickly: Google something, exhaust my options before going and asking somebody. So do your research, understand the type of role you want, and understand where you want your career to go in order to start, and then build your path from there. Setting that goal will also keep you motivated to reach that goal as you work forward.

What is the way that makes the most money? It could depend. It's going to depend on the company. You find a good company that's going to pay pentesters really well, great. You could have a SIEM engineer that makes the exact same amount of money. Cyber security in general is a lucrative field. And I just read a study, I can't remember where it is, but cyber security is going to increase around 30% in the next year in jobs. It's not necessarily that there's a lack of jobs right now. A lot of it is budget cuts and other things like that, which have been caused by the layoffs. Salaries have also recently taken a dive because of that. At least from what I've seen in my research on LinkedIn while preparing this, a lot of jobs that used to have 200 plus are now down around the 175 area. So that's pulled back a little bit. I don't expect that to last very long. I think that's going to come back very, very quickly, and we'll be back where we were, with people in demand and really working forward in the industry.

Where do I get practical experience? There's hands-on labs. There's things like VulnHub, which is free for you to download VMs, hack against them, and have at it. Again, I'll mention TryHackMe, as that was another one that you can use. And there are other ones that have online labs out there that allow you to really move through your career at your own pace while maintaining a work-life balance, because if you burn out, it's not going to be good for you or your career. You want to continue to try to balance those. I got to a point where I started to burn out, and that was in the middle of my certifications, and I realized, hey, I don't need to get all of these at once. Take one or two a year, and then one or two the next year, and just continue to progress that way, because when you pack so much onto yourself and you're trying to continually grow, grow, grow, you're eventually going to burn out. Even for me, getting away for a conference like this, when I go back to work on Monday, I'm going to be a little bit more ready to go and invigorated to get down and do the work, because I've learned new stuff. I've gotten away from the monotony of the day-to-day job. I have a 10-hour round-trip travel to listen to podcasts. There's a bunch of ways to decompress. So make sure that you keep some semblance when you're doing it.

So, these are the resources that I was talking about. TryHackMe has some free stuff. VulnHub also has some free stuff. Cybrary.it has free stuff as well. ine.com is a paid subscription. TCM Academy has six or seven free resources that are out there, and they also have some paid stuff. What I will do real quick here, since we are... Oops. Go back. Well, this is my handle if you want to follow me on Twitter or X. That's my LinkedIn if you want to connect. I'm happy to help answer any questions there as well. But one thing I want to do real quick is I want to show you guys this. Oops. Not that. Come on. Come on. Here we go.

This. So this is the certification road map that I was telling you about. As you can see, you've got your security operations in red, software security in blue, security assessment and testing in purple, security and risk management in black. What's that other one say? Asset security is in yellow, security architecture and engineering in orange, IAM in blue, and communication and network security is in green. This just goes to show you (a) how vast it is, with areas that you can go and develop your career in, but (b) look at the number of certifications. I don't think that would break anybody's bank unless you're Bill Gates, to take all of these. So what you want to do is figure out where you want to be, or where you would like to be, and then go from there. And I don't know if you can see it, but when you guys go to this, on the bottom up to right about here are your beginner certifications, and then you start your intermediate ones up to here, and then you've got your expert ones at the top. So it shows you a stepping stone that you can take, and you can use it to go back and forth in different areas to help you develop that career road map, if you want, into how you expect things to go. All right. Well, that's all I have.

I know we're done a little early. Are there any questions? Anybody want to know anything else? Yep. Yeah.

[Audience question: For the person who went from help desk level one to cyber security specialist, did he have any other certifications?]

Yes. No, he still to this day doesn't have any certifications. He got the promotion through on-the-job experience and training. He was the best candidate to take over the role after I left. So he got into that role. He may not have been qualified 100% when he got it, but through learning and understanding and training and things like that, he was able to do that. So just because you're in help desk, don't feel like you're stuck. One thing I will also say is, when applying for jobs, if you feel like you meet even 60% of the requirements, apply for the job, because they're never going to find the unicorn that they want. It just isn't going to happen. I've actually gotten jobs where I was only 50% of what they had on the job posting. So don't limit yourself just because you don't think that you can get the position, because you can. You should at least apply. And if you get an interview and you don't get the job, the worst thing they can say is no. But interviewing is like any other skill. If you stop doing it, you lose it. So even if you have a job and a recruiter reaches out, taking an interview never hurts. You don't have to accept a position. You can always go through the process, learn what new things they're asking, and then use that in your next interview or your continued job search. Anything else? Yep.

[Audience comment: One thing for anyone else is Hack The Box.]

Yep.

[Audience question: For customizing the keywords within your resume, do you find it best to do that by hand or to use a cloud generator?]

I do it by hand. Okay. There are many ways to do it. I'm just a little old-fashioned, in that I like to have my hands on what I'm doing rather than feed it through something else. Anyone else? Any other questions? All right. All right. Well, thank you for your time. I appreciate it.