
Kurt Pomeroy: How to successfully transition from IT generalist to Penetration Tester

BSides Calgary | 53:17 | 102 views | Published 2020-12
Category: Career
Style: Talk

all right guys uh we'll start so uh my name is kurt pomeroy i am an i.t security specialist uh with ion united um this is my first ever speaking uh engagement so i'm excited a little nervous but it should be fun um so the topic of my talk today is about how i transitioned from an i.t generalist into cyber security professional so you know this this will just be um just my talk you know my my personal experience everybody's going to have a different um you know a different road i guess and most of you guys are probably already working in cyber security in one facet or another but this is just my you know

my experience what happened to me how i transitioned uh you know from being the regular i.t guy you know that wears many different hats to cyber security which is something that i always wanted to do anyway it was always a passion of mine and so you know this is pretty much it um so the uh the first thing i want to start off with here is let me see if this transitions okay okay so i'm a i'm a newfoundlander so i moved to calgary two years ago and just some some observations that i that i noticed here when we moved out from newfoundland is you know just to break the ice a little bit um the first thing i noticed

actually is just about everybody has a some sort of crack or dent or chip in their windshield and i guess it's just funny to me because we don't really see that back home but you know i walk the dogs every day and i see all these cars and you know traffic lights and things and everybody's got a cracked windshield so the uh the insurance companies and these auto body shops mostly making a fortune but i guess it's probably because um you know you use a lot of sand and and whatever for for road maintenance and i guess the salt doesn't work after you know temperatures of minus 10 and below so i just thought it was funny

and you know there's no wind here there's very little wind uh newfoundland's very windy all the time of course you know right on the ocean so that was a nice change you don't you just don't have this blowing you know crazy wind every day to deal with um you know and of course the driving i mean everybody has their own experiences but i find the drivers in western canada and calgary very very you know courteous especially downtown if you're in the wrong lane put your indicator on somebody always lets you in so it's nice to see uh back home you know not so much but uh you know another observation i find drivers here are much better um on

the whole uh this fourth picture here is just a picture from uh strathmore so i moved from calgary to strathmore last year it's about 40 minutes away from the city and just you see all these hay bales and those flat lands so it's just a nice it's very different you know than in newfoundland and east coast it's very rocky and hilly and you just don't see that flat landscape so i thought that was kind of nice uh and the last funny observations was the snow blower uh contraption or leaf blower i guess uh you know back in newfoundland uh the snow is so heavy and wet and rain was a fog all the time you'd

never get away with something like this but here you see people downtown with those those snow blowers leaf blower devices and you can just blow the snow away so i just i thought that was funny but yeah just just some of my observations as a newfoundlander you know living out west like you know so many uh newfoundlanders have done over the years um so next slide so that the obligatory who am i slide right again uh i'm a newfoundlander now living in alberta for the past two years 40 years old uh two of my doggies over here so you can see them uh roman is on the left and junior's on the right um and so we don't have any kids or

anything uh you know just a conscious decision i guess we just just didn't happen for us my wife and i but you know we've got dogs roman over here in the left he's a rescue dog so we'll we're happy with that and we'll continue to to rescue dogs and we have a soft spot in our heart for senior pets so we'll we'll probably uh you know the next the next dog or two we get will be from a shelter and probably a senior pet it's just something really nice about caring for an old senior who's just lazy and you know just wants to lay down on the couch every day so so that was nice

um oh yeah and one more thing uh for me um i also like you know besides of course i.t security i like um you know stripped strategy games i like to play chess and i used to play online poker you know semi-professionally about 10 years ago i played online uh six days a week uh you know eight or ten twelve hours a day so that was interesting but all of these you know strategy games and things that helps i find that you can you can use those skills and you can relate them to cyber security you know for pen tests and things like that so okay so just a quick slide about you know why why should we

get into cyber security why should we work in cyber security um very fun and challenging let me just move my laptop a little bit uh you know you learn new stuff all the time you're exposed to customer environments where they have different technologies whether it be microsoft atp or edr technologies carbon black or you know splunk or something like that so it's really nice to get exposure to different um environments and different technologies that you probably normally wouldn't have the chance to to normally work with of course job security right i mean cyber security is a hot market does it's not going anywhere anytime soon the canadian government's investing a lot of money in it that's kind of like

a mechanic and everybody needs a mechanic so i feel like everybody needs some sort of cyber security work in some aspect so it's a really great industry to be in i mean most of you guys are in it already so you obviously know but it's nice to have that job security it's nice to know that um you know you're you're in demand right if you work in cyber security uh in any aspect and you've got some years of experience under your belt um you probably shouldn't have a hard time finding some meaningful employment uh you know and another thing too recruiters uh once once you're in cyber security you get your name out there recruiters will come to you i mean i i

typically get um an email once a week from a recruiter from linkedin or from monster or indeed asking if i'm interested in this remote opportunity or that opportunity so it's always nice to have that you know in demand aspect and it's nice when recruiters come to you for work instead of the other way around of course the salary is good and there's some benefits there you know depending on who you work for there can be performance benefits there could be um you know additional time off uh paid training or reimbursement for training which could be huge depending on the type of training you want to go for um you know performance bonuses travel allowance gas things like that so it

depends on depends on who you work for but overall you know another benefit to working in cyber security and of course travel and a flexible work environment i mean we a lot of people are working from home now but uh you know i when i started with ion after a month or two i transitioned to working from home and i absolutely love it you don't have to get up and you know get into a cold car in the morning and drive into the office so that's really nice um and you know obviously a lot of us now are working from home so we all get to enjoy that that advantage um and of course report

writing is a it's a big part of what we do so you know it's just kind of put in there it's tongue-in-cheek but you know it's just one of those things that if you're going to work in cyber security especially if you want to be a pen tester or something like that you'll have to you know get used to writing lots of reports and meeting deadlines uh so a little bit about my background before we get started i graduate i'm old now i'm 40 years old i graduated high school in 97 and then i took a three-year computer support specialist program so that was just a general introduction to i.t you know we did hardware and

software troubleshooting networking programming operating systems windows nt and windows 98 or 2000 i think at the time uh so that was you know that was sort of an introduction to it but that's where i really started we had a linux course which was part of that program that's what really started my interest in cyber security was that linux course and once i sat down at the uh at the console and i remember i specifically remember mounting an image mounting a cd putting the disk in and typing the mount command listen to the disk spin up i thought oh this is really cool and around that time you know i started to read about uh linux security and it

was the hackers operating system so that just that really piqued my interest so i really uh that's where my my cyber security kind of interests started way back then but it actually took a long time before i could actually get into the industry um so you know and actually part of my um my three year i.t program was an eight week work term so i was able to convert or pivot that work term into full-time employment uh for the last uh seven or eight years the uh yeah the discman right we all had that and the anti-skip and all that stuff so i thought that was kind of funny but you know like i said we're uh the

kids don't know the struggle and yes yeah the cable was definitely short sometimes for sure um so i'll just talk about sort of the early years and the medium years and then there's a transitional period there so for me my early years at it uh i was an i.t admin at two private uh k-12 schools so that was my first real job and that was actually where my work term uh was at the st bonaventure's college there during my it program so i made some good contacts there they liked the work i did so they hired me part-time i worked part-time at st bon's and the other half of the day was at lakecrest schools in

in st john's newfoundland so that's where i had my first real job my first real um exposure to i.t i mean i wore many hats you know you connect up av equipment uh printers you know computers anything that had a uh you know cell phones wireless devices anything that had a cable or a power cord you know they expected you to know how to do it because i was the only i.t person there um you know these these private schools are they're not government funded so there wasn't a whole lot of money for salary and for hiring you know a full full staff of i.t support people but that was good because that actually got me into the

into it and i was working with different hardware and software every day working with people kids um old and young you know parents uh teachers so i made a lot of good contacts there and that really helped me develop the personal aspect because you know you need to you deal with people at the end of the day right so you have to learn how to talk to people on different technical levels and you have to you know deal with kids and teenagers and parents and teachers so that was really really um really got me started you know i had a good foundation and um also i just wanted to mention i did do a little bit of work in alberta

in 2012 i worked on the uh the kearl oil sands project just as a contractor uh i just did a couple of rotations of fly in fly out but it just wasn't for me um i think it was 13 and 7 13 days on seven off but one day was gone for travel to and one day i was gone travel from and that's a long flight from edmonton to uh to st john's uh you know once every couple weeks so um yeah i didn't really like it the work was the work was fun but just the travel i really didn't enjoy so i had i did have a little stint in alberta uh years ago

um so we have so that was the first you know five or ten years just getting that experience and i'll talk about why that's important in a little bit uh so then i had a middle years i guess you could call them 2012 to 2016 i was an i.t data manager at an oil and gas company and they had a lot of custom developed software they did a lot of 3d and seismic imaging of uxos or unexploded ordnance and pipelines below the seabed so that was really cool for me because it was a heavy heavy linux aspect and they have all these high-powered systems and gpus and rendering there was a lot of intellectual property that needed to

be protected and archived and stored so i got to sort of use some of that linux security experience while i worked at this small oil and gas company and there was a there's an office in aberdeen so i had to kind of work with um you know active directory in both locations but it was really cool because i had a good chance to flex some of that linux security muscle and again that just that just um in i guess increased my desire to learn more you know i want to make sure the systems were secure the ip was secure of course that information had gotten out you know you know could have been detrimental for

the company and one just funny thing i guess about my time at this small oil and gas company is anybody who knows me knows that i love the sun in the summer but i hate the water anything over my neck you know i freak out so my boss asked me one day if i wanted to go to aberdeen for this uh offshore training and i only went because i had never been to aberdeen before so it's beautiful place and then reality set in that i actually had to take this underwater survival training and um you know it was really really nerve-wracking for me very stressful anxiety levels through the roof uh one of the one of the three day

course and one part of the course whoops sorry they actually put you in a simulated cockpit like this picture here and they um they dunk you underwater they flip you upside down and then you have to swim out through the window and pop up to the surface and so you had to do that i think five or seven times and the red helmet here indicates somebody who's not strong in the water and i think the blue helmets were you know if you're comfortable in the water so of course i had a red helmet um but um you know i i was really really worried and i remember in the hotel room in the morning i got in the bathtub and

i put my head under water and plugged my nose just try to get used to that uh that feeling and you know water in your ears and just uh yeah it's very very uncomfortable for me but anyway i ended up doing it so you know it's one of those things where um you're glad you did it and i'm still surprised to this day actually that i was able to to do that because i'd never do that again never ever sorry never ever again it's just something that's not for me uh but i did it and i'm proud of that so that they'll come back later in the presentation where i talk about you know taking a

chance and doing something outside your comfort zone because that was really big for me um you know in my whole transition from i.t to cyber security as you can imagine you know transitioning from one role to another not really having any real world experience can be very stressful and you know it can impact your confidence and so doing something like that stepping outside your comfort zone doing something that you don't like and then you know achieving your goal or whatever is just really rewarding so i thought i thought it was interesting but uh you know i'll never do it again never that's funny because when they flip you over and you come up they put you right back in the divers

they grab you and they put you right back in and then you go up you come down you flip over so you know you have no time to say no it's literally five or ten seconds after you pop up they're grabbing me by the by the the vest or suit or whatever you're wearing they put you in and flip you upside down again so i didn't even have time to say no but the good thing is it was over before you know it was probably five or ten minutes and that was it so you know just a just a fun little tidbit there about uh you know never ever again will i will i want to

do that and i hope i never do um and of course newfoundland is big for oil and gas right so so here we go so crossroads so 2018 um i was a contractor for exxon mobil and i was supporting this hebron offshore oil platform you know it's this huge 14 billion dollar project um you know they sit out in the middle of the atlantic ocean which is drill for oil for the next 50 years or however long the reserves last out there um but i was you know it was my first contractor role and i didn't like being a contractor i kind of felt like i was you know just i could be disposed of at

any time you didn't have that job security uh anytime there was a snow holiday or a storm or you were sick you didn't get paid for it so there was a lot of uh a lot of things about being contractor i didn't really like i was always an employee a salaried employee so i might you know my contract was expiring um and to be honest after 18 years i.t i was bored i was i had no interest in it anymore i didn't keep up on the latest cpus or ram or new boards or any kind of stuff i just i was i was i felt like i was at the end of my career in it 18 years is a long time and

i just kind of felt like you know i got to do something else in it or just quit it all together and i always had the desire you know going back to those linux days right of of of um you know working with linux and security uh i actually went to a sans conference in 2003 a long time ago fire forensics investigation response and ecrime um and that really really had me hooked i got to meet like steven northcutt and a couple other sans guys and that it cemented you know my desire to work in i.t but it just didn't work out the the roles i were in were always generic general i.t support like you

know reset a password fix the printer install some software you know that kind of thing so i was ready to make a change and you know i had to think long and hard about it but i decided that i really wanted to go for you know a cyber security role and like i said for the reasons mentioned earlier it's very in demand good pay you know lots of lots of benefits so i went for it uh next slide actually this this picture is of the hebron platform of course this is a giant it doesn't really give you this the scope but uh this is a massive massive uh piece of equipment a lot of these

different modules were created in like korea and they they um ship them over to newfoundland and they put them together so really really cool to be part of something like that so i was really proud of of the two years that i spent working with exxon and helping i was doing the it support for the project so uh that was a really really cool accomplishment accomplishment for me i think i've got a couple pictures here on the next slide um that's me there all bundled up uh you know as you're so high up this is this is january it's really really cold and windy at the top of this this thing it's probably uh up here somewhere and

hope you can see uh at the top of the structure i don't know who this guy is so i took his i just blocked his picture out but you can kind of kind of give you a scale this is sort of tugboat here so just a really really massive structure i think the the power requirements could i think it could power something like 30 000 homes uh in st john's so just just a massive project um and actually there was no elevators so every day when i was walking around this rig deploying i.t equipment i had to walk everywhere so i think i averaged 15 000 steps a day for five days a week so as you can imagine when i got home i

was completely wiped out and there were long days there were 12 hour days five days a week so but it was really good exercise and i i really really enjoyed it and um of all the i.t equipment that i deployed nothing went missing and these type of projects are known for uh things either getting thrown overboard or just missing or stolen so i was really proud of that also i was able to keep really good track of all the equipment deployed and all that so it was kind of cool i've got another picture here this is the actual um the tow out so when everything is completed they they towed it out from the harbor and they

dragged that there was about eight or nine tug boats and they pull it out to the atlantic ocean and that's where that's where it's gonna sit for the next 50 years or whatever so i just just figured there's a cool picture i throw in there you can kind of get a sense of the scale just just from the little tug boats there and actually there they weren't small either so okay so from for now uh we're going to do sort of a step-by-step plan of step by step how i transitioned from i.t to cyber security the other stuff was just kind of a recap and a little bit a little bit about my history and how i got started and some of the

things that kind of guided me towards cyber security so of course the very first thing you got to do if you want to transition you want to get into cyber security you've got to make a plan that's what i did you know six months before my contract was up i said to the wife you know this is what i want to do i put a plan in motion i wrote it down put it up on the board um you know there's an old chess saying that says if you fail to plan you plan to fail and that's that's exactly right if you don't set a plan and set these goals and it'll just be more

difficult i think to to go where you want to go and to get to that next level or to break into cyber security or whatever whatever it is that your goal would be but you know life is short right i'm 40 years old now i was ready for a change i was prepared to move anywhere so i'll talk about that a little bit i mean i was ready to go to the u.s spain uk wherever the cyber security job was i was ready to move um so you know and that's what i said to the wife uh be prepared to move um so of course step number two is you've got to figure out if you want to

transition into i.t you've got to figure out what you like what you want to do i mean there's there's all kinds of different subcategories out there to choose from there's of course penetration testing ethical hacking which is very in right now but there's plenty of other options out there maybe you like incident response that can be a very very lucrative area road to go down uh forensics i mean you could end up doing working for um law enforcement government agencies um you know there's no shortage in compromises and breaches as we all know every day so forensics is huge you know you could be the firewall guru you could be the database guy you know

you could do web application pen testing you could just focus on web apps i mean everybody's got a web application these days so that's another area where there's huge demand and a big shortage i think you could work in a security operations center as an analyst and that actually might be a good introduction if you want to get into more more defined cyber security role is you could work as a soc analyst because then you get exposure to you know the day-to-day right all the noise and all the the alerting systems and and siems and and just different incident levels and all that kind of stuff so i think that's probably a good area if someone was

interested in moving in from i.t to cyber security uh soc analyst might be a good way to go but for me i always had that linux security background and i consider myself a bit of a linux guru i've been using it for you know 15 years or more with a strong focus on security so i knew for me it was a perfect fit uh to move in you know from i.t to penetration testing and ethical hacking so that's that's what i did that was my plan um so the next step is you know these these certifications um they can be expensive especially some of the the more popular and more well respected ones so you know i started to save my money

uh i cut back on expenses and i did review finances and found ways to save money um you know fifty dollars or twenty five dollars a week here or there like you're able to save twenty bucks a week or twenty five dollars a week i mean that's a hundred dollars a month and in the years time that's twelve hundred dollars that's uh it's security plus or that's uh ceh certified ethical hacker certification so you know i i get it especially in this economy uh you know money is tight right um but if you can find a way to save uh you know it's an investment in your future which is the main thing and for me

particularly um the investment that i put in i mean it it came back around right away because it actually got me an interview got me a job and so i mean it paid for itself you know 20 phones right away once you land a position you know you've already you've already paid for your certification so there's lots of ways to save money there's little money saving apps right i'm going to cut out the mcdonald's it's important uh you know save five or ten bucks you know 20 bucks a week or something and before you know it you've got 800 or a thousand dollars and and of course there's other options if you want to go for something more

expensive uh you know you could get a small loan bank your loan for your parents credit cards you know you name it however however you want and you don't have to get a certification it's just for me in my story um that's what helped because i i applied for positions with you know in my resume that said i had this experience and that experience but it was mostly self-taught and i never had that um i never had that piece of paper so if you get the piece of paper of course doors are going to open up um you know a lot more and that that's what happened to me um let's see so of course okay so you

figure out what you want to do you pick your discipline whether it be incident response forensics pen testing whatever uh you start saving your pennies right uh so once you've saved up enough money you know you've got to study uh and that's a big that's a big one people can say all the time you know i don't have the time um you make the time right for me like we don't have kids as i mentioned so it was easier for me to find the time to study in the evenings um you know walk the dogs every day so i had the the audio course so every day i'd walk the dogs i'd listen to an hour or so of whatever

whatever days um courses you know for that day that really helped kind of sink in the training material and as opposed to just reading a book and making notes of course you know i used to listen to the presentations in my sleep um you know so subconsciously that might have helped me retain some of the material at work on my lunch breaks i take one of my books a highlighter and i go into the cafeteria and i take notes and study so wherever wherever i could um you know you just you have to find the time if you have to get up at six o'clock in the morning and study for an hour before you get ready for work then

you know if you really want it that's what you'll do so you know like anything if if you if you really really want to put in the effort you know you'll find the time you know if you find three hours to watch tv in the evening well then there's time to put it you know an hour of study a day for for you know certification so for me i think it was over a couple of months i i set a goal to um you know have have a book completed in two weeks or a couple weeks so i think for the sans pen testing course it was five or six books so you know that was a

couple of months of study um but of course you know it pays off because you're you're confident you're you're ready you know you you feel like you've done your study you've done your preparation uh so of course you know i'll use sans as an example because i you know i took the sans course the pen testing course um you can create an index and you can google for that so basically an index would be if you had you know the book number and then the term and then a description and the reason why you create an index is the sans courses or certifications exams are open book so instead of bringing in you know a pack

of six books you can have all the information condensed into an index and actually creating the index is a good way to study because you're looking up information you're putting it in the spreadsheet so what i did was i put everything in a spreadsheet and then i went to a copy shop and had it bound and laminated and then i had little sticky tabs to tell me which book was which so that really really helped um because you don't have time the sans pen testing exam is 125 questions and i think you have a couple hours so you you do not have time to look up every answer and honestly when i was doing the exam

i would say eight out of ten questions i knew the answer as i was reading the question but there was a couple where you know i used my index just to make sure but creating the index is very helpful for for lots of reasons and sans actually comes with two practice exams so what they recommend is you do your study create your index do your first take your first practice exam and they will rate you on the different areas and you'll see where you're strong and where you're weak go back and restudy in those weak areas and then take the second practice exam and if you score 80 or better then uh you're ready so then

that's what i did i took a practice exam i scored 88 percent uh oddly enough and that's the same score i got on the uh on the final exam which was kind of weird but once i was over 80 i took my first practice exam then i booked my real exam right away and um actually you can donate or gift a practice exam to somebody else so that's what i did i didn't need the second one so i just i gave it to somebody else who was studying for the same uh same exam um so of course once you study then of course you've got to write your exam you know as i mentioned i took the sans 560

pen testing course for lots of reasons i was a big sans fan anyway uh you know i i know that they're very well respected in the industry having that certification carries a lot of weight with recruiters and with potential employers so i noticed when you see various job applications you know people these uh certifications are preferred or recommended it was always sans or the oscp or a certified ethical hacker something like that so um you know having the certification of course i mean writing the exam and passing it'll certainly open up a lot of doors for you and of course it's in high demand right cyber security is huge it's not going anywhere and there's other options you don't have

to do the sans one there's the ceh i'm not brave enough for the oscp maybe someday but security plus and i believe security plus is not that expensive but that would give you a good um a good framework for moving forward and having that certification on your resume and versus someone who didn't have it that would be the deciding factor whether you get the job i would imagine you know over somebody else so just a couple of you know observations there about writing the exam and yeah so i mentioned i got 88 in the exam which was the same score as the practice uh test oddly enough um so you know you study you uh you write your exam you pass

that's great you know now what do you do so now you have to uh you gotta get your name out there right you've gotta you've got to update that resume of course um you know look at it once a year uh i put the little fancy little sans logo on there just because of the gpen logo because i was proud of it first ever certification real certification that i guess i i ever studied for and obtained um so i you know for your resume i always had trouble writing what i thought was a good resume so i paid somebody to write one for me so it's not really lazy but i think that in my unique situation where i was

trying to transition from i.t to cyber security and i was sort of in that middle area i needed someone to who could articulate that better than i could so top resume was something that i think i found on monster and they they put me with a resume writer and we had a couple of chats and i gave them my background and my information and they actually came up with a solid resume for me which we tweaked a little bit but it was really really good experience i would recommend it i mean there's so many there's all kinds of things out there online how to write a good resume but for me it was just one

thing i i didn't really have the time or want to put the effort in to writing and i was always struggled with writing a good resume so you know just putting it out there that is an option uh you know you could probably get someone to look it over for free or whatever but that's just what i did um you know professionals professional resume writers know what to look for and know what employers are looking for so that's fine and it's just another investment so again you know save a few dollars here and there um and you know obviously you certainly don't have to but just something that i just felt comfortable handing off to

somebody else so and it worked because it got me an interview and eventually landed a job so yeah your mileage may vary uh so you know you passed your exam you updated your resume the most important factor now is you have to start networking you've got to get your name out there you have to you know upload your resume to monster and linkedin and indeed and all these different resume sites um because employers are on there all the time and especially for linkedin you know like i said i get emails from recruiters once a week you know from from linkedin and just from a couple from monster and a few from other places you know asking if i'm

interested in this position or that position so definitely definitely start networking join different linkedin groups you know comment and like other people's posts just just start getting your name out there interacting with other people there's a couple of settings actually in linkedin to let employers know that you're open to opportunities so i just wanted to highlight those here in case people weren't aware you can go in and set these options to let recruiters know that you are interested and open for opportunities and you can pick if you're looking for full-time work or part-time work or whatever if you're willing to relocate the areas you're willing to relocate to and of course all of these sites have

some sort of you know manage your resume type feature and a lot of them now linkedin include has a you know easy apply a quick apply button so if you see a job advertisement that looks good for you you know a lot of times especially for linkedin and indeed you can click the easy apply button and it uploads your current resume and has all your contact information so uh you know don't be afraid to apply apply for all kinds of jobs if you if you can do it i mean a lot of people have kids and families and things they may not be able to to do what i did and move you know across the country

for work but uh you know start networking get your name out there you know just just take advantage of all these features and especially the you know the i applied for probably uh i don't know 50 or 100 jobs in the month or two after i had my sans certification and uh you know a lot of them i didn't hear back but some some i did so of course you know you might be lucky if you get one of the 10 no interviews but um definitely just get out there start networking get your name out there and apply apply for everything i mean that's what i did because i i was prepared to move i didn't you know i had

no idea where i would end up but i'm really glad i've ended up in alberta but um you know i really could have ended up anywhere but not everybody has that luxury uh and for me um funny story i i had an interview in ontario with a security company and the interview was went great and it was a practical exam that went really well and uh and then ontario has a breed specific legislation which does not allow pitbull and pitbull type breeds into their province so i was pretty disappointed because it was looking really well and i was excited it would have been my first ever you know cyber security job and we're ready to move to

ontario and enjoy the much you know better weather and warm summers but unfortunately it didn't work out because of the bsl but you know everything happens for a reason and the ion opportunity popped up uh shortly thereafter so you know when one door closes another one opens right um so of course a big a big thing is um you know preparing for your interviews right i mean i i took it serious i my wife asked me interview questions i googled you know what are what are the top 25 i.t or cyber security related um interview questions that you that you're likely to be asked and i prepared for for sort of weird questions or like you know where do you

see yourself in five years or or you know describe yourself what makes you tick i remember that was a question i was asked and it kind of stumped me because i wasn't ready for that type of question so you know prepare right never hurts to be prepared uh it just gives that extra bit of confidence uh going in that you're that you're ready for all these questions and i mean the interview is make or break right it's first impressions so very very important i think to prepare um and in this landscape everybody's there's a lot of people out of work and the competition is really high so uh you know definitely uh i highly recommend

you know doing some interview preparation before you before you uh you know apply and try to get some of these cyber security jobs um so i've only got a four or five slides left um but um we'll just get through these last few if you have any questions feel free type them in the chat you know if not that's fine you can reach out to me later if you have anything um so step nine i think of twelve is i mean land the job right uh for me um i like i told you i applied to ontario didn't work out and i applied to a job in new york city and the recruiter came back

and said that they were interested but he knew of an opportunity in alberta and that was with ion so he uh he called me and we spoke for a while and he was able to understand that unique position i was in where i was an i.t person with lots of experience lots of security experience which i applied on the job but i didn't have that piece of paper you know that let me that let employers know that i had some sort of baseline of security knowledge it was all self-taught and you know books online and your home lab and everything like that so um you know he he understood my unique position and he uh he relayed that to

the ion and it's funny i i had a call one day with this guy steve i didn't know who he was he worked with works for ion and uh you know i was fine i wasn't nervous it was just a you know kind of basic interview type questions and then later i found out it was steve matthews who's presented at bsides before he's presenting tomorrow you know very well respected in the uh in the security industry so if i had known it was uh steve uh i would have been a lot more nervous but uh anyways besides the point um and just answering your question uh yes in the cissp um i don't really feel that's for me i

mean i'm i've only been in i.t security cyber security for two years so i really enjoy you know being in the trenches and doing the actual work i kind of feel like cissp is such a huge commitment and i just it's just something that doesn't interest me personally you know maybe five years from now when maybe i'm a little bit tired of the day-to-day pen tests and things uh maybe that's something that i would um you know something i would think about uh but right now no i enjoy you know everything's still really new and exciting for me and i learn new things all the time so cissp is not something that i would be

interested in at this time but i mean you never know a couple years down the road four or five years it's anything's possible um and so so when when you're doing your interview you know you you want to try to you want to be confident but you want to be honest and and sincere you want to try to make a connection with your interviewer i mean it might be a little bit more difficult now that everybody's doing this over zoom or teams but uh you know at the end of the day that that person who's interviewing you has you know he'll have an opinion of you and he'll be interviewing multiple people so if you can make a connection and you can

be open and friendly and and easy going and try not to be too nervous have a little bit of fun with it i think that will go a long way you know in sort of standing out and for me i was told um you know ion could have hired people who had a lot more experience than i did so i only had i had my gpen certification and my self-taught experience and that was it um but i was told that my name kept coming up just because of my enthusiasm and because of for whatever reason uh you know that's what the interviewer mentioned to me that my name just kept popping up over and over so i felt like maybe maybe there's

there's something to that so thankfully you know they did take a chance on me and they hired me but you know i think if i had done poorly in the interview if i wasn't prepared i probably wouldn't have landed the job in the first place just because there's lots of competition out there and i'm sure there was lots of applicants with three or five or ten years experience so you know i was lucky but uh again prepare prepare for those interviews and those interview questions and you know have a little bit of fun with it i mean i'm a bit nervous i haven't done anything like this before this is my first ever um conference or speaking

engagement but you know it is at the end of the day something that i'm comfortable talking about so you know i try to have a little bit of fun with it with the uh with the slides earlier on about the cracked windshields and the uh and the wind and snow um so i've only i've got four slides left and then there's a couple questions there i'll get to also so for me the last step you know i i made a plan i studied i i passed my certification i applied for jobs i landed a really good job in alberta so now i mean i had to uproot my whole life as i mentioned at the beginning um

i'm i'm living in newfoundland it's just my wife and i no kids so i had to tell my family that we're leaving uh we had a house so we had to we rented the bottom uh we lived in the top so we had to find a tenant and live on the top um we sold everything sectional we sold our car had a hot tub on a deck we sold that we had to send our dogs on different days because we couldn't send our dogs together because of the breed specific legislation and the time of year and uh the size of the aircraft i think there was some restrictions there so we had to send one dog uh one day and one

the other so that was really stressful and funny story actually we had a girl stay at our house and she was to send the dogs to the airport and she messaged us in the morning and she said oh my god i slept in so she missed the flight so we were freaking out and just added more stress right but eventually we got the dogs here so that was nice and we were worried because some people said uh if they're in ontario they could be seized by the government or the police or whomever uh because of their breed so that was a really really stressful thing for us but thankfully they uh they landed in ontario

and they uh they were stored there for several hours and then eventually we were able to uh they sent them off from ontario to uh to calgary so that was really nice to get the dogs off the off the plane and in our hands um so then of course we had all kinds of all kinds of other logistics we had to rent a house um we had to rent a house unseen right we rented it from newfoundland this old drafty house from the 1980s but it was good enough uh it was tough to find a place that accepted pets especially the pitbull type breeds so that was really stressful uh and once we landed on the 24th of

november we had to rent a vehicle we had to get a sectional we had to get a tv a bed so there was no rest and it was very very stressful it was about 30 days it was a whirlwind type thing uh but you know we did it right and that's when i talked about take the shot and don't be scared don't be afraid so that's what we did um you know on the first day like i said we bought all the necessities in the second day we went out and bought you know towels and garbage buckets and cutlery and just lamps and you know everything everything you have to start over from scratch right so that was that was very

interesting um so you know we uprooted our whole life but you know life is short and i feel i'm really really happy that that we did it and i really would have regretted it if i look back and said you know oh that's too much effort and it's too much work and we wouldn't be able to do it in 30 days but we you know we did it and it's worked out really well so far um so funny story the the first day i landed in calgary as i mentioned was the 24th and uh so it was a saturday and uh on the 26th was my first day so the wife had a brilliant idea of let's

rent a wrangler um so i've never driven one before we always liked them so we rented a wrangler this big huge vehicle that i was not used to driving and then monday morning i'm driving down in a new area i've never been before and five lanes of traffic which which we don't have in newfoundland we only have up to two and you know deerfoot 7 30 a.m monday morning traffic gps is telling me where to go i've got this big huge vehicle i'm frightened that that i'm gonna scratch it up or get in a car accident um anyway so that was really really stressful so i managed to make it to the underground parking and the the parking

app put me in the compact stall and i didn't know at the time so i was freaking out so they i go to my stall number and i'm reversing the wrangler and i hear this big scrape and scratchy noise so i stop and i get out there's a sprinkler system in the underground parking that i scraped so in the little spot don't know if you can see it this little spot here whoops sorry this little spot here uh i had it it was all scraped up and i scraped all the black off so before i returned the uh the vehicle i just grabbed the black sharpie and i colored in the little you know it was probably that big i cut

it colored in the scraped off area because it was white and uh returned the vehicle and the guy who uh who looked it over didn't notice it so this probably probably saved me a few dollars there but i just thought it was funny that you know driving this big vehicle and of course day one i pulled into the parking stall and i damaged the vehicle right so uh you know it's just just kind of funny i suppose but he didn't catch it so good enough it's good for me um so you know just just to summarize um you know if you want to transition from i.t to cybersecurity which most of you guys are probably already in it um for

me i had i gained i.t experience first and of course as you gain i.t experience you're exposed to you know the nature of the beast right you're exposed to passwords and active directory you're exposed to account lockouts and and securing devices and servers and you're exposed to you know all these different um aspects of cyber security that you just kind of pick up on your day-to-day work right uh endpoint detections and antivirus and patching and all these different uh things that that are very important in the work that we do so you gain that experience even just second hand just from putting out fires day to day right if you're on the help desk for

example um so i really think that would be very very difficult if you were just fresh out of school and didn't really have any i.t experience and thought i want to work in cyber security so i think it's a better idea and a more logical way to go about it is to gain that experience first you know help desk a soc analyst you know help with your mom and dad your co-workers anything to get you that experience and then of course once you get that experience you that might lead you into your passion right for me it was linux security that was my big start uh i always i didn't know it at the time like

i didn't know about red teams blue teams but i was really interested in the um the blue side the defensive side linux security and hardening servers and systems and modifying kernels and locking down servers and services so that was where i really really started and now my work with ion is more on the offensive side um but that's you know you have to discover that passion right maybe it's incident response or forensics or or web application security whatever it is so once you know uh that's right yeah tj yeah linux all the way right and of course back in the day and still linux is the hacker's operating system of choice uh although i will say that i use

i probably use windows about the same maybe even a little bit more um than linux just because if i can avoid switching from one operating system to the other i'll just i'll just do that but when i was younger i was a linux snob and i hated microsoft i hated bill gates and all that stuff so i've softened over the years as a as i've matured and now i have a healthy respect for for both windows linux and mac for example so of course you know create that plan right if you fail to plan you plan to fail so you know i had it up on the board i'm going to study this book and then i'm

going to study this book and i'm going to have my certification exam practice exam on this date and then i'm going to take my exam on this date and then i'm going to take the next month or two after that to look for jobs and network and update my resume and all that kind of thing so you know create that plan uh save your money right i mean certifications can be costly uh you know security plus and ceh and some of those other ones they're about a thousand bucks right so if you can save 25 a week for a year uh there you go there's your thousand dollars or more um and of course you know we talked

about there's other ways there's savings apps i mean maybe there's a maybe you get an income tax refund put away a couple hundred bucks uh to that you know for your certification uh so if you really want it you know you'll you'll find the money somewhere you know write your exam study hard you know pass your exam um get out there and network update your resume i started start applying for work right i mean um if if you can if you have the flexibility that i do or i did and i don't have children i don't have kids in school and all that we could we could have we easily noticed say easily but we moved um

quickly right and we did it in about 30 days uh that's probably not the the norm but um i think you know if you can do it apply for everything who knows maybe maybe the job you apply for um you're not you're not qualified for but maybe there's another position in that same company or maybe the recruiter knows another position another opportunity which is which is what happened in my case i applied for a job in new york and uh didn't work out but the recruiter knew of the position in alberta so that's how it happened for me but apply for everything there's no harm in applying and worst case scenario you get good uh

interview experience and exposure and a lot of these companies will keep your resume on file and sometimes they'll reach out if something comes up you know down the line and you know the last last thing i guess what i've been talking about is is take the shot if you can't you know don't be scared and i was nervous and afraid and sleepless nights and you know many many days i went home you know after a tough day and thinking you know i don't think i can do this i didn't have much confidence but you know everything works out and you gain little bits of confidence here and there and gain more knowledge and more experience so everything gets better

the more you do it so you know don't be afraid to take the shot if you can um what's the worst case scenario you move it doesn't work out you go back home you start again so you know i do realize i was lucky that i didn't have to take kids out of school or anything like that it was still difficult you know moving the dogs and everything and just having to sell everything and move and start over in a new job a new new province and everything but you know it worked out it worked out well for me um so that's pretty much it there's a couple of questions um i think there was one about

i've got one more slide by the way um i don't see it here now oscp uh what are some good websites for beginners to practice va and pt um i haven't spent a whole lot of time but but someone mentioned hack the box is good try hack me is really good um burp has a web application online sort of school that you can use so that's really really good i mean there's tons of free courses out there free material youtube training videos i mean you name it it's all out there you don't really have to pay for anything but i think yeah hack the box is good try hack me uh vulnhub is another good one those are

really really nice the only problem with those i find sometimes is um they don't necessarily reflect the real world as much as i would have liked like for me when i took the pen testing course i thought i was ready and then once i actually started working on a client site i knew that i wasn't ready because there's just some areas where you can't you know a pen testing course is not going to prepare you for everything so there was a lot of areas where you know i didn't have any exposure so you just kind of you know you learn on the fly and you pick it up as you go um so i don't know if there's any other

questions there i just have one yeah portswigger web academy is really really good um and just one other slide um i i told my dad um back in april i think when i was selected for bsides you know he was really excited and you know he didn't get to come up to alberta on news back in newfoundland and he was really excited and proud but unfortunately he passed away two months ago so he didn't get to see this talk so i just wanted to dedicate it to him you know he was really really proud and he's excited he's happy that that the move is working out well for us it's this this november end of november it'll be

two years and you know we're doing well and uh you know i'm happy and really glad i did the move but you just want to dedicate that to my dad so you know that's that's pretty much it um i don't think there's any questions uh if there are put them in the chat if not my email address is there you can reach out my linkedin yeah linkedin is in my profile and um you can just search for my name or ion united but in in the participants for this for b-sides in my profile i did put it in there so um you know feel free to add me any time i'm i'm still new to cyber

security i've only been doing this for two years uh i lean on my co-workers all the time chris and chris simmons steve matthesher and everybody else at ion been a huge help in helping me grow and develop so i would more than be willing to provide any guidance or or recommendations for anybody else who is looking to get into that industry but you know that's that's pretty much it i don't know how long actually i was supposed to talk but i think it's probably been about 50 or 55 minutes so if there are no other questions take care and have a good day see ya bye