
welcome everyone um today I'm going to talk about breaking into cyber security finding the right Keys just a little bit of an intro as to who I am my name is Michael I'm a security engineer with a background in software and infrastructure management I've mostly worked in small organizations or startups um but I am priding myself more with the volunteering opportunities I do so I volunteer with a lot of communities as a CTF challenge author a mentor instructor and in many different roles and I think one of it's been one of the nice parts of my career I think I've been in the industry for about four or five years now and most of it really has just been
getting involved with different communities and I couldn't really ask for more and really it's coming off the back of one of my engagements as a mentor that I've sort of crafted this this talk which has to do with stop breaking into cyber security finding the right keys and really what we're going to talk about is is understanding The Narrative behind it you know what what led to this talk actually happening um what's the drama behind breaking into cyber security do we have a better approach the downsides to that and then practical steps that we can take and then finally if anyone's got questions we'll I'll take them at the end um so let's start by digging through the
narrative and I think this probably started um during COVID and lasted past post-COVID now um since 2020 where there's been this um very nice wave at the same time very shocking wave of breaking into cyber security and for me personally the way of seeing it and the way I've seen what it's done is it's trying to frame the idea in people's minds that hey look there's an easy role waiting for you you don't need to do much just jump right in and I think it's nice because really the cyber security industry is is looking for a lot of talent but I I believe that the way it's been framed has affected um people's approach into getting into
security as well as how the results at the end of the day and so I did have a men um a mentee say to me once hey I wish no one um they shouldn't have said break into cyber security they should have explained what what really I was getting myself into and this is obviously down the line when she had started learning let's the next slide just sort of has as a couple of um would I say randomly grabbed articles and this is no shot at the writers in any way this is just um just for illustration purposes where I'm just trying to show the different sort of headlines that are being used out there
for example the one in the top right says how to break into cyber security make and make 200k in a decade which is not bad again um it's it's also another idea around certain realistic expectations um we have the other one here cybernovas break into cyber security now um urgent call to break into cyber security your pathway starts here now these these aren't are not bad in themselves but having gone through the actual um details of some of these articles and a really post community forums things that are being said um oftentimes they paint this perfect picture or picture-perfect scenario where um it's all rosy and I think this is this is a misleading and it's happening
and it's having negative results on um entry-level people beginners in the industry and just uh the next slide sort of shows some quotes some of these I've gotten from mentees some of these I've gotten from articles a few things people have written um the shows first off what what's what it's doing to people for example someone says hey I need a quick certification to get me a job in six months not necessarily bad again but after speaking with this person and obviously it's it's a lot you'd understand that a lot better if you had the context but after speaking with this person it was very clear that he's from this mindset that he could just grab a certification for
example called the Security Plus and head straight into into a role and start making some some good amount of money which isn't necessarily I mean I have seen some people who have done something similar but again it's about paying painting the right picture and setting realistic expectations someone else says I've applied to multiple jobs for a year and ended up trying to find other work to make money I think I saw this post about two days ago or yesterday on LinkedIn and this guy was going on about how he's been trying to look for work in the industry for about a year um and it's just been a bust and now he's gone back to driving or something like
that and this is no shot to him in any way but I just feel that his approach obviously looking at his profile and what's happened is is a result of what's what he's been fed um another one and this is an article I I quite agree with um was written by Igor on LinkedIn and he said this approach is ultimately disingenuous and enables the less scrupulous in our field to generate High cash flows by selling those looking to break into cyber security much abbreviated and superficial training just enough knowledge to clear the entry level interview and this isn't wrong entirely um I can't count how many content I've seen between 2020 and this is what 2023
around getting into cyber security um there's just so many content creators coming out nowadays and it just feels like everyone's just trying to sell their own materials as opposed to really help people get get jobs in the industry and oftentimes you look at what's what's in there and it's not practical enough to really help someone land that role that they want and apparently someone did say this is of course my mentee's um um quote here I didn't realize breaking cyber security was this hard they shouldn't have said breaking cyber security um I thought once we're done with the course we'll just get jobs again this is all just showing what happens when we try to paint the wrong picture to people
coming into the industry we do want people to come to the industry but we need to show me to be make it realistic to them we need to make it appealing to them such that when they come and things get tough which they will they are not disappointed they're not met with a lot of setbacks and they're able to pull through and and still stay in the industry which is what we want long term and so this is obviously just a real quick light touch on um basically what's been going on in the industry and what's been happening usually LinkedIn is like a major platform for this and now what I just want to talk to and spend most time
talking about is okay how do we go from this this picture of trying to make it look like we're forcing our way in um head first without really thinking about it to actually trying to find um the right keys so to say to the door at the entryway the right path into cyber security and that's what we're going to be looking at um at next and I just did a disclaimer I'm going to say there's no hard and fast way to get into cyber security however from my experience as a mentor my experience personally coming into the industry I feel that some of these steps I'm going to be highlighting on the next couple of slides should in fact be a
good guide and should help you um be in a better position to get a role in security and of course this isn't just for people who are starting out in their careers in cyber security this also applies to people who are in um who are professionals or mentoring positions who are trying to get people into the into the industry you know it's good that you take some of the lessons from here and you can share that with them so that we can help work together to build a better industry for ourselves and so we've got a couple of steps I Sky them across multiple slides but we'll just go from from top to bottom some of them are sequential some of them
is just there you just have it um at any point in the in the pipeline so first off I would recommend that you determine where you want to be in security it's a very it's very crucial to establish a why now why is this having the reasons for doing what you're doing will be very key when things get tough and from my experience from the experience of a lot of people I know in my network they will get tough um and of course as I've said already I've seen a lot of people fall through the cracks once Things become tough because quite frankly they didn't have a reason for getting into this and and they were just moving with the waves so
to say I'm not saying there's a right reason there's a wrong reason but the point is establish a why and we're able to tell yourself hey this is why I'm doing this this is where I'm headed it's it becomes a lot easier for you to navigate difficult um obstacles that will come along the way once you have that the next thing you want to do is research research different aspects of of security and Bitcoin and oftentimes I think this has been talked about um in one of the talks earlier today but I'm just going to say it again look for transferable skills that map your current role to one within cyber security for example a software
developer might be easily might easily switch to application security testing or someone who's worked in in the lawyer industry might quickly switch to GRC or compliance you know I'm not necessarily painting um a direct link I'm just giving you examples saying hey you could have this skill that's transferable and oftentimes with my mentees people I mentor I usually say to them um how about you just spend some time going through each of the roles that you've done in the past and you highlight some skills what would you say going being in this role for this period of time what would you say you have developed what is that skill sometimes it's something as little or I say as
little as patience or attention to detail so those sort of things help you to sort of map and say okay here's what I have here's who I am as a person then look at the broader picture of the roles different roles in security and I think that very that talk earlier on um with white Rosie and Natalie was really nice because that showed us a grand huge scope of roles in security and you can sort of map your way across then say hey look this this looks like where I would nicely fit in with given my current skills and this isn't really something you have to do on your own which is why the third point is get a mentor
I look back to where I am now and honestly I wish I got a mentor sooner in my career and the reason for that is because it's a lot nice if you have someone who's experienced and knows what they're doing he's actually concerned about you obviously not every everyone who says their Mentor is concerned about people they Mentor but get yourself a mentor because what they can do is they can use their knowledge to see things from a different standpoint I've seen a lot of people look at look down on themselves and um the usual imposter syndrome where they don't feel that they they have the capacity they have what it takes to be in a role in cyber security
where they don't see how they fit into things um in this industry whereas someone else is coming as a third party you're coming as a third party you know saying hey look I can see this this and this and I think you do really nicely in this role and that's where it's really important to have that mentor um in place there's a lot of things you can get out of a mentor which is why one of the things I do outside of my day-to-day role is is mentor people because I feel this is a huge way we can help people get into the industry because we give them that extra guidance that they need right now you have a mentor this fourth
point on the screen isn't necessarily um tied to a particular stage but it's just something you should know and it's something I've seen um often people don't um acknowledge is the fact that we need to break the understanding of security while being independent um there is this traditional hey this is the security team and then this is the rest of the organization no security is embedded and why am I saying this particularly sometimes you could start out for example a software developer and I'm just using that because it's a lot easy to use that as an example a software developer and he wants to switch into security well how can you show that you have the understanding that your
security role isn't necessarily a separate thing from the rest of the organization we'll start start with what you do you develop software because you start writing secure code you start making sure those functions those validations are being put in place people often say um I've seen a couple people say hey I've been in industry for this long but if you actually look at their job titles what we would traditionally say are security roles um a large chunk of it is is what we would people would typically classify as not being security roles but that's that's not necessarily true because security isn't independent um of the rest of the organization in fact it's supposed to be part of every
unit of an organization and so regardless of where you are try to see try to see that security is your responsibility at the end of the day and so look at how you can start from where you are to show or to apply security now once we've done that we're moving forward to now actually learning and this is where I would say hey do you know what start small and then go big and this really is going back to the the talks around foundational skills that we heard earlier already um people often paint the picture that you don't need traditional skills for uh for a role in cyber security and I don't think that's necessarily true
um while I do make the argument I can agree that sometimes you don't necessarily need to know how to code but you do need every role in security has foundational skills that will definitely help you succeed and oftentimes people try to start big so they try to do a deep dive first into the hard stuff I mean I personally have an example of myself where I try to just go straight into into pen testing about four years ago and I realized I actually got I tried it it was working out well for a little while and then at some point I got stuck I realized my problem I didn't have the foundational skills for that
particular role and obviously pen testing is one of the unique ones um and I had to go back and learn networking I decided to just take a step back and learn different aspects of foundational IT and that's really helped me along the lines from my career and I've been able to work in multiple different roles in different hats because of those foundational skills that I built at the start now it might seem like you're not doing much initially but really what you do at the start sets you up for success down the way now I don't think you can really overstress um the importance of engaging with communities and industry experts whether this is in chat forums in um through
CTFs as we're already having one which should be running now and I think um or even just in terms of contributing to open source um open source documentation open source projects things like that really help to sort of um make you network people people get to know who you are what do you do um I've made some of my free time out to just contribute to documentation of things I use for example recently I've been working with Cloudflare which is um what I've I used to secure the our infrastructure at work and what I have been doing recently is as I look at the documentation on Cloudflare I look for ways I can improve it and in the process
of my day-to-day work I'm pushing um changes or suggestions to them and some of them have actually been taken taken by the organization and some have not but this way I'm engaging with the community I'm engaged with people and people can clearly see what I do they can make that um assumption or picture of me now um the other thing I want to talk about is is how we actually say hey look this is this is who we are this is what we do and and that's when it comes to when I say evidence your learning through articles or frequent postings on LinkedIn I think there's a good chunk of people on the internet out there that just make
it seem like hey I'm going to grab the certification and you're going to get a job I think a lot of certifications are quite easy to get nowadays I know a ton of people personally I know a ton of people who are not in IT they're not in security but they have um CompTIA Security+ certificates they have CompTIA N+ certificates A+ certificates you can name um count the list and on and on that doesn't really make them stand out and so what that's done is made a lot of people or employers so to say to just see it as a generic certificate that hey anyone could really have that but what
do you bring to the table how do I really know that you know what you're doing and this is where it's good to evidence your learnings through articles um you could write blog posts about what you're doing you can make postings online things about your learnings um where they're talking about things that happen in the industry oftentimes you have those who post um the next big if they if they read an article about some threat that's going on they post their their thoughts on it now I'm not saying you need to develop um that particular skill just yet but I'm just saying that you need to show some way in some way build a portfolio
of your learnings how can I see evidence that hey this is what you've been doing this is what you know that's what you need to focus on doing yes certificates are going to help you to get past certain um blocks when it comes to hiring um getting hired at the same time they're not going to get you the whole way across the finish line and so you need to do this other bit once you've done this and you're now ready to dive into the industry itself so you're ready to Now find a job what do you need to do first off I think somehow it's when I was listening to the other talks today I was I was laughing
in my head because I was like literally every every speaker is someone said one aspect of what I'm saying and the first one or one of them is highlighting the niche on your public profile people need to know what you do it's it's fine if you wear so many hats and you're able to do so many different roles but you need to have something that someone can think hey I need a security analyst or I need a SOC analyst and then you just go oh I know Michael does this that's establish your niche helps because when you network with people people get to know what you do if there is an opportunity which there probably will be they can
think of you in that scenario and that's probably how you could get your role I think I've only gotten one one of the roles or organizations I've worked I've only gotten it through actual applications and the rest of it has just been word of mouth and recommendations and so when you highlight that niche people will know you for something and they can rely on you for that particular thing and obviously you can choose to pivot your way from there once you're you're in with one organization now in the next thing you want to do is get help with your CV um I will use this opportunity to probably recommend the one of the mentoring platforms I'm on sublimental
dojo they are really good and I'm going to paste the link to it um afterwards but they are really good when it comes to first offering mentors that you can connect with industry professionals that you can really help um seek guidance from at the same time they have this feature for CV feedback where you can almost go upload a redacted version of your of your resume and have honest feedback from either hiring managers other professionals in the industry people who have been through this process as well and so you definitely want to get help with your CV because you want to get back past the um the bot selection stage and then you start applying for jobs
now in this bit don't don't spray your CVs all over job postings um I've seen a lot of people do this yeah and oftentimes the results is just it's not right because you need to take a time to research what you're applying for sometimes you need to tailor your resume for example to the specific job you're applying for you need to work your CV around just to make sure that you stand out better with in terms of what they're looking for oftentimes job postings will have buzzwords that you could potentially put inside of your um your your CV or just highlight not necessarily um put it but highlight it in your CV so that they can actually see
hey this is what we're looking for but if you're just spraying your CVs everywhere sure maybe you might have a hit at some point but oftentimes I've seen this not necessarily go well with people I mean they only end up being stressed because what you end up having is you're doing 10 interviews if you do get into the interview stage either getting 10 rejections in one week or you're getting you're trying to do 10 interviews in the same week at the same time so it's it's quite stressful if you do it that way now obviously as you're applying for jobs continue to do your learning process continuing to interact with the community and let's just just have that
continuous learning and showing it on on LinkedIn or whatever public profile you choose to use some people use Twitter and I've seen a lot of people who are quite um junior in the industry and they have quite a large following or like large engagement on online because people are recognizing what they're doing their growth supporting them in their growth and I think that's something that can really help you I'm not saying you should get to 13k followers I'm just saying that your activity online can really be that extra edge you need to show people what you do and potentially get into a role now this is pretty much the summary of what you should be doing friends upon a career
but for us professionals there's a few notes for us really um because it's not just on people who are trying to get into into the industry for us professionals we need to be mindful of what we post and how we frame it um a lot of us have carry a lot of influence carry a lot of people on our networks and they rely on or they take to heart the things you post about um mainly obviously just I'm talking about in relation to jobs and and how to get into cyber security so really be mindful of how you frame it um let's help them or help our mentees to set realistic expectations we want them to
come into this industry we're not rejecting them we're not trying to be Gatekeepers or anything but we want them to come in with realistic expectations so that when they come in they can actually excel in what they're doing and of course the process is is is always going to be tough regardless of how well your um you you paint yourself out to be you're gonna struggle at some point and if you're if you're a professional support in a mentee you're someone in the field supporting other people you know it's it's always good to provide more support where possible keep encouraging them because uh honestly if you didn't I was I was speaking to a mentee and I had good news
um today she just got a job in a security role and she was just um thanking me because she was saying hey look um I actually would have quit if you didn't say what you said at this particular point and I think that extra moral support we can give to them is is really helpful um but yeah that's pretty much the summary of what I I've got to say um I do have extra resources that I would love to share I think I'll just pop them in the chat um one is a nice article I read a couple days ago by Daniel Keely and he talks about his roadmap for transitioning to cyber security and of course something
that could apply to a lot of people so you might be interested in reading that I'll drop the link in the chat another one is the mentoring platform I talked about already supplemental dojo the link is actually to their website but you can use that you can sign up on their website and find mentors through there you could also join the Discord um Discord community where you can easily upload your CVs or resumes for feedback and another one which I'm part of but I'm not necessarily active on anymore is cyber jobs hunting and I know they do provide CV support job hunting and I think they also do mock interview sessions um every couple of I don't know
what the schedule is anymore but they do have mock interviews with people who are having interviews and would like to be have that experience but yeah that's pretty much everything I've got to say around this I really hope that we go from trying to um just drag people in through a wave um into get breaking into security and really try to help people find the right path for them and obviously it's going to be different for everyone um but yeah thanks so much for listening um if you'd like to connect with me to talk later on um maybe explore further if you like me to Mentor you you can reach out to me on LinkedIn or Twitter
um and you know I'd be more than happy to to help out where possible but yeah that's it for me if anyone's got questions feel free to bring them on um I will leave it up to you now Lou