
Decoding Cyber Careers by Rosie Anderson & Natasha Harley

BSides Leeds, 29:51, published 2023-07
Category: Career

I'm Rosie Anderson. As well as being one of the organizers for BSides, the irresponsible adults as we're calling ourselves, and one of the founders of BSides Lancs, I'm also a recruiter, which is actually my full daytime job, although not all the time. I'm also one of them, well, I head up the mentoring for CAPSLOCK, and my wonderful, technically, competitor, but I call her more like a friend, Natasha. I will let her introduce herself, but she's also a really well respected recruiter in the industry. Hi everyone, really pleased to be here. So yes, I'm also a recruiter. I run a business called Cyber Talent Partners and we specialize just in cyber security across

all the different disciplines and domains. I've been in recruitment for about 20 years, I know I don't look old enough, and I've also done some of the mentoring as well for CAPSLOCK, probably last year now. So yeah, really pleased to be here today and hopefully share some insightful tips etc. I'm sure Rosie is probably just about to say this anyway, but please do ping all your questions through. Rosie, if you let them know sort of how. But yeah, we'll be happy to answer as many as possible. Yeah, you can either put questions in the chat or, if you want to put your hand up, you can ask

us a question at the end. So, okay, Natasha and I have done this before, but when you're kind of figuring out either where you want to be in cyber or where you want to go next in cyber, you really need to look internally first and sort of figure out, well, what are you like, what are you good at? There's no point pushing yourself down a path just because somebody else has done it and sort of trodden that path before. You need to follow your own journey, because the cyber industry definitely is a path of continual learning, and there's no point doing something that, for example, if you really hate doing risk reports and audits, you hate writing

pen test reports, don't go down those paths. Think about what your strengths are, make a list of those and what you really enjoy doing, because, you know, this industry is hard work, it's not easy, it's full-on, so at least if you're really enjoying what you're doing day to day it doesn't feel like work, it feels like a passion. I'll hand over to you, Natasha. Yeah, I completely agree with all of that. So, you know, this is a process of some soul-searching and some digging into, you know, some of you may have just come out of, you know, sort of academic studies, others, you know, maybe transitioning their career altogether, and so, you know, what's really important is

understanding, as Rosie said, what you're good at, what do you enjoy, and actually, if you've worked previously, whether or not you've worked in Tesco's or in retail or what have you during your studies, or whether or not you've had an entire career before thinking about transitioning across, let's think about, you know, sort of within your role, within your responsibilities, what have they been, and what do you enjoy doing of those areas? Because what you'll find is, as you start to pick through job descriptions, there'll be so many similarities in terms of what you've previously done or what you're now doing versus, you know, sort of the main requirements of the

role. The same sort of applies for the industry and the teams and the businesses that you're going to work in. If you know that you like working on your own, you know, you don't want to be in an environment where you're going to be sort of micromanaged, or, you know, you like to be in an office, you don't want to work remotely, you need that people interaction, you've got to think about the sector, the organization that you're going to go to. There's plenty of examples of people who've kind of tried to go down a path and then found that actually three months into the role, this isn't the right environment for me, and

that's also okay if you find the right environment where you can grow and develop and, you know, you're going to work well. It's not necessarily just about the job, it's about the boss and the team that you're going to work with, because a great manager will make or break your career. You know, if you know that you need a lot of support, you want training and development, and you do that better remotely than being in an office, then an open plan office sort of four or five days a week isn't going to be the right environment for you as well. So if you kind of have a bit of a wish list of what you want both from a role

as well as what you're good at, you can start to marry them up together, and when you go through that interview process, you're assessing them as much as they're sort of assessing you. Yeah, sorry to interject, just the only thing to add on to that very, very briefly is actually, you know, what's your why? Why do you want to come into cyber security? You're already here, which is amazing, and if you've been to any other conference events or meetups or, you know, Discord channels or what have you, you know, you're absolutely on the right path. But I do speak to a lot of individuals who want to come into the industry who just can't answer that question. So, you know,

that's a little bit of your elevator pitch. You know, why does cyber security interest you? What difference do you want to make? Where do you want to add value? What interests you about it? You know, whether or not it's, you know, sort of that continuous learning opportunity, whether or not it's that it's such a broad industry that, you know, there's lots of opportunities to progress and pivot etc. But understanding that will allow, you know, when you go through to interviews, when you apply for jobs, you know, allow those hiring managers, those recruiters to really connect with, you know, what it is you... Yeah, fully agree with that, and it's okay for your why to be that this is a

recession-proof industry where you can earn good money, but money shouldn't be the primary motivator. When you're in an interview, you should have other reasons as well. One of the previous talks that was, you know, "lie on your CV": don't make money the only reason you want a job when you're in an interview scenario. You know, it's okay for that to be a motivator, but maybe just polish that answer so that it's more that it's a recession-proof industry that you can sort of get into and develop, and, you know, there will be jobs for life within cyber, we're always going to need more people. Okay, so if you're completely new to

the industry and you're starting out, or even if you're sort of two years into your career and you don't necessarily know what's next, there's so many fantastic resources for you to find out about different roles within cyber. The CREST Day in the Life videos are a really, really good resource, I use them all the time. You know, there's always new positions sort of coming out, but if you want to find out more about red teaming, if you want to find out more about security management, CREST have been great at putting together a whole list of videos, interviews with individuals that showcase what that role actually means, and I think particularly with this industry when it's growing so rapidly,

it is a good place to start. And another thing you can do once you've watched those videos is reach out to those people to sort of be building your network: hey, yeah, just watched the CREST Day in the Life video and wanted to find out more about what you do, I thought it was great, would you be happy to grab a coffee with me? Yeah, and I think once you've started to get a bit of a hands-on, you know, understanding of what a day-to-day can look like and the different roles that exist, and actually you'll find a lot of that through those types of videos and what have you as well, and some of you

may be further along in that path right now, so, you know, things like Cybrary, you know, Hack The Box, TryHackMe etc. Actually, you know, if you're already working towards, you know, let's say you're working towards certifications, or, you know, you've done some work in a home lab or started to build a little bit of a home lab and actually you want to start testing those skills in a slightly more practical environment, in some scenario-based environments, actually they're really, really good. And, you know, TryHackMe, Hack The Box, I think they offer free subscriptions initially, don't they? So not free subscriptions, but there's a couple of, you know,

sessions that you can do that don't cost anything to begin with. Yeah, there's also a blue team path as well as a red team path on there, I think. The other, we can send these slides out as a resource afterwards, but there's loads and loads of great influencers on LinkedIn that share loads of advice, people like Jojo Davy for SOC advice, people like Molly Chard, she's regularly hiring people as well into cap jam, and she shares loads of resources. And another great resource that's come out from the NCSC recently is the cyber careers framework. Now it's not perfect, there's never going to be a perfect framework for the climbing

ladder within cyber, but it's a great starting point that showcases roles like GRC, roles like risk management, roles like consultancy, security engineering. And I think the point to get across here is there's so many resources available to you to start learning and developing and to get on in terms of building your technical skills. But I think whatever way you go, that TryHackMe, that Hack The Box, the team online, they are great technical resources to build those skills, but even if you're going to go around the risk route, you're still going to have to build on your knowledge of those frameworks and resources and build that into your portfolio, whether that's project work or

whether that's actually working in a role. Yeah, and that leads us nicely on to the cyber domain map. This is constantly growing, and this is kind of the main decoding of cyber. There's so many different roles that fall within cyber security and information security that you can go down, it's so much broader than just pen test and SOC. There's so many different places you can start, and also so many places that you can pivot. You know, as recruiters we speak to people all the time who are security architects; that's a role that you build up to, you can start anywhere on these sort of pathways and specialize and get into

security architecture. The same with software developers who decide they want to get into security and want to sort of shift left to go into application security. If you're interested in risk management, that's a massive growth area in the industry as well, and it's a great way to get in if you understand risks and frameworks. I'll let you carry on, Natasha. Yeah, and you hit the spot there, is that a lot of people think that, you know, coming into the industry is all sort of penetration testing or SOC or what have you. But, you know, yes, those roles are common and they're very, very good entry points. You know, the SOC, for example,

can provide you a really good basis to begin your career in sort of learning, also, you know, sort of building those analysis skills, technical expertise as well. And I think so many people, you know, think that roles in the industry are purely technical. They're not. You know, it is important to have a sort of basic, at least, understanding of sort of networking or computing concepts, because obviously they'll help in whatever role that you go into, you're going to need to have a base level of understanding. But then if you look at the map, sort of to the right there, sort of that red area which sort of defines risk

management, and then sort of alongside that you'll see, you know, some penetration testing, and you'll see how the two connect. So we know that the map sort of looks really distinct, but they're all interconnected in one way or another. And so if you think about risk management, for example, and penetration testing: so risk management essentially identifies and assesses kind of potential security risks and vulnerabilities within an organization's systems and processes, and then of course penetration testing, in terms of their role as part of the risk management process, so, you know, a penetration tester will simulate real-world attacks to identify vulnerabilities and weaknesses, and then the results of penetration testing essentially help inform risk

management strategies, because it gives them insights into areas that require mitigation and remediation as well. So, as Rosie said, you know, you've got areas in policy and governance, you've got, you know, as we talked about, cyber security risk management etc. as well, you've got compliance, you've got business continuity. Another area which is, you know, sort of growing more and more popular and more common is cyber security education and awareness. You've got legal counsel and things like that. All of those different disciplines that sit kind of really within this heat map but all interconnect in one way or another. Yeah, I think an important thing to think about when you're considering roles as

well, if it's your first role, where you start isn't necessarily where you're going to finish. Getting that first role, if you are new to the industry, is always the hardest role to get. Getting that second role afterwards, when you've got 12 months' experience, is always a lot easier, because, you know, it is done. There are plenty of opportunities out there for entry-level talent, but it's not always just cold applying for a role which is going to get you that role, it is the networking, it is the conferences, and it is those sorts of things, which I think will lead us nicely on to our next slide. Oh no, sorry, the next one is the coolest

careers in cyber, apparently, according to SANS: threat hunter, red team and the like. There's so many different roles here that are apparently the coolest careers in cyber. Starting in a SOC, you can very easily get into incident response or cyber threat intelligence. Blue team is just as cool and sexy as red team, I'm sure there'll be people, Glenn's in the corner there. You know, blue team role, red team role, purple team roles, all of these lovely colors. There's so much opportunity, and I think anybody who's coming into the industry, it must be quite exciting, just, I want that role, I want to get there. Interesting how CISO is number six.

I think a lot of CISOs would say that isn't the coolest role in cyber, yeah, a stressful role in cyber, and there's plenty of people that don't want to be a CISO, to be in the C-suite. You know, if you're an out and out techie and you love security architecture, you love security management, there's plenty of people that when they get to that role don't really want to take that next step, because they're getting away from being on the tools, or at least looking at technical strategy, because it's very much business and security strategy at that level. What's your favorite role to recruit for, Natasha? What do you think

is the sexiest role in cyber? See, I love recruiting for the SOC, like from a technical perspective, always. Incident response, SOC, definitely, and then consultancy, because consultancy has always been left field. So if anyone doesn't know sort of what a cyber security consultant does, essentially you'll work for an MSSP or a cyber integration company or a cyber services business, and actually you work across lots of different areas in cyber. So, you know, you might be providing advice around Cyber Essentials, or you might be doing an assessment with regards to, you know, standards and frameworks like ISO 27001 one minute, and then you might be doing some training and awareness with a business the next

minute. You know, sort of, it's a really great role to have, because the exposure that you get and sort of working across those different elements is so good as an introduction into cyber security and sort of, you know, really getting a sense of where you want to be. I think that's the other side, isn't it, Rosie? Yeah, most people coming in don't know where they want to start or actually where they want to end up, and I was having this conversation with a client the other day, and he said, you know, people don't seem to know where they want to be in one to three years, and I said because they're rabbits caught

in the headlights. You know, this is a really vast industry, but it also makes it super, super exciting, I think, because it's not like, you know, if you think about quite regulated industries or industries like, I don't know, marketing, legal, all of those where you start kind of at one level, you know what that career ladder looks like, you're always working up to the next step on the ladder. This is so different. Yes, you can, you know, skill up in your current role, but equally, you know, I've seen penetration testers then go into consultancy or GRC, and actually, conversely, the other way around as well, people that are sat in kind of business continuity and

risk management that have then suddenly taken a complete flip and gone down a technical route. You know, as I say, the beauty is that you can pivot across those different areas, because that's based around your soft skills rather than just industry skills and knowledge. But yeah, they're my favorites. What were yours? See, I like the security architecture positions and the management roles, because they're just so vast, but security architecture I've always been fascinated with, because it touches so many parts of the business, and you think it's a really technical role, but it's not, you need those soft skills as well, like you say, or the impact skills, to be able to speak to

everybody. But yeah, it's so vast and it's so true, so quickly changing. I think there's plenty of sexy roles in cyber, but you can see here there is blue teamer, you know, SOC, there is pen tester, but there's so many more roles as well that are part of that. And I think that's just an important message to get across: it is such a vast industry and where you start isn't where you're going to end up. You know, you can pivot, it's more like a web, like if you go back to that image, it is more like a web than actually, yeah, a linear career path. Yeah, definitely. So

you don't have to be technical for a job in cyber, but you do have to have a basic level of understanding. So, like some of the earlier talks talked about, you need to know the basics of IT systems and networks. Even if you're looking to get into a risk role, you need those network fundamentals, you need to understand how network traffic passes, you need to understand security and communication principles, and it's really important that even if you're going in for a GRC role, they're going to ask you some technical questions to understand where your base level of understanding is. You know, governance, risk, compliance are still very much technical roles, you need to understand

how traffic passes across the network to be able to convey and understand those risk reports and to put together those risk reports. Yeah, the home lab projects are really important. Even if you, you know, graduates, we always tell them this, you need a portfolio if you want to get into pen testing or into SOC, of what you've done, so that if you're asked, even if you haven't got that commercial experience, like Joshua said, with the, it wasn't quite "lie on your CV" but it was embellished, those projects are your passion projects, you'll be able to talk about them really effectively. You can probably tell with

Natasha and I that we are really passionate about recruitment, it comes across naturally that we're passionate. So if you have networking projects that you do, you know, maybe you use the Raspberry Pi to build a network, maybe you've got a guest Wi-Fi, home Wi-Fi at home, there's loads of YouTube tutorials to set up projects that you can then talk about in interviews: how you did it, why you did it that way, what you learned from those projects. So get learning. The best way to get learning is hands-on, but don't go hacking into networks of, you know, your neighbors, even if they are that problem neighbor. You've got TryHackMe, you've got Hack The Box, you've got all

these different useful resources, and there's also SOC level 2 courses that you can do, an entry-level cyber course that you can do for free on TryHackMe to get started out. Yeah, there's so much resources now as well. Yeah, I think to Rosie's point, you know, in terms of anything you've done previously, no matter how basic you think that may be, actually displaying that level of knowledge on your CV kind of personalizes it as well, in terms of who you are and the things that you're interested in, and actually that you're, you know, passionate for getting your hands on and giving something a go. And even if it's kind of electrical

stuff and you're trying to pull it apart and put it back together and things like that, they all count, because it's actually, you know, sort of that analytical mindset, it's how you, you know, sort of pull things apart and put them back together, is very, very similar to the skills that you'll be using in, say, penetration testing or, you know, in other areas of the industry. Even if you've, you know, I don't know, installed a VPN on your laptop, on your systems, or you've, you know, set up, as Rosie said, kind of Wi-Fi for family or anything around those areas, it just demonstrates an

attitude and a passion for what you're doing, rather than I just want to come into cyber with no reason. Actually, it helps from a recruitment perspective, in terms of, you know, the things that stand out for Rosie and I when we're looking at CVs. All of those things really stand out above somebody who hasn't mentioned or displayed, you know, sort of the learning that they've been doing, and that could be reading books as well. You know, what books have you been reading? You've joined this BSides event today, talk about it, talk about the different events that you've, you know, and how you've immersed yourself into the community and things like that.

The other thing, and I'll mention now, volunteering. BSides are community events. If you can get involved in BSides Newcastle, I think there's Cambridge coming up, there's Basingstoke coming up, if there's one in your area, you can volunteer and help out on the day. You're suddenly in probably a Discord server with a load of potential hiring managers, you're also volunteering and getting to know people within your local community, and that's how you build your networks. Like I said before, it is, you know, it is networking and meeting people and being part of that that's going to help you speak to somebody about your passion project, that this is what you want to do,

and get advice from, you know, professionals in the industry. Next time they're hiring, or they hear one of their friends is hiring for a junior, you'll have made an impact because you've had that conversation with them. The thing with the TryHackMe courses and things like that that you do, and your home projects, as well as doing the tech, as you can see I'm not very technical, you need to write up about it. So you need to do a write-up about the tech, how you actually completed that challenge, whether it's a CTF with screenshots, what you did, how you found the flags, those sorts of things from a technical perspective, as though you are writing that to a tech,

you know, a vulnerability management within business. But then at the same time you need to write an executive-level summary, which would be part of your pen test report, that would go to the board that aren't that interested in the technical, they just want to know what's the risk score, what's the risk, how do we remediate against this risk. And if you can do those write-ups about the project, it shows your learning. Yes, you can break in, but you understand how you've broken in and you understand how to convey what you did to a non-technical audience, and would you also know then how to remediate what you've done as well, because it's showing

in a portfolio of hack projects, it's showing that you understand what you've done, how you've done it and how to convey that back to a technical and non-technical audience. And whether you put those things either on a LinkedIn profile, whether you have a blog, whether you have a Reddit thread or GitHub thread or something that sort of talks about how you've done it, you're building a portfolio then of all these passion projects. So okay, your CV might not show any commercial experience, but actually you've got it on there as well. So we can send these slides with links out afterwards as well. Natasha and I have kind of put an ebook together that we can share with

anybody. I'm conscious we're getting close to time. Certifications, where are they? You can do certs, some people like certs, some people don't like certs. It's a way of showcasing your knowledge, but those personal projects are also important, that hands-on experience is important, and a great employer would sponsor certs for you. You can teach the technical, you can't teach passion and you can't teach those soft skills, experience as well. Anything more you want to say on certs? Just, don't put yourself under too much pressure to do them, because I think, you know, if there is a specific path that you want to go down and you think by doing a certification it will help you learn more about the

process around what it is you want to do, or, you know, just get a deeper level of understanding, then by all means go down the certification route, but don't use them as a badge of honor is all I'm trying to say. It just demonstrates what you've learned and how that has kind of really added to your knowledge base and your experience in one way or another. Just, you know, if you do display your certifications, you know, just be able to articulate what it is you've learned and how that strengthens your knowledge. Not every business looks for them. As Rosie said, you know, your passion

projects, any sort of personal mini projects and things like that, I personally would say are just as important as certifications. And then networking, building your network, probably the most important aspect. When I'm talking to the CAPSLOCKers, I will say to them, you probably won't get your first job by cold applying. If you just want to cold apply for jobs, you might need to apply for 150 for an entry-level job, as an idea of numbers. If you go out and build your network, if you're active on social media, and I get everybody has different views on social media, but if you're on LinkedIn, if you're on Twitter, if there's meetup groups in your local area, get out and

meet the community. You don't necessarily need to engage straight away, but if you're part of a network on LinkedIn you can just connect with people, you don't have to send them a message straight away. Anyone that you meet, any talks that you see, if you're at BSides tomorrow, even the talks that you don't see, they typically go out on YouTube afterwards, so once you've watched somebody's talk, if you can send them a message that says, hey, I just watched a talk at BSides, and the thing is there's loads of BSides, there's loads of years of BSides content that's on YouTube, I'd love to chat with you

because I really want to do the job that you're doing, I found this point really interesting. You're starting a conversation that's not, hey, have you got any jobs in cyber, what you want to do in cyber, but it's a more informed conversation, and people are more likely to engage back with you. We love networking, don't we, Natasha? Yeah, in any way, shape or form. I think to add to that as well, a lot of, you know, a lot of people coming into the industry perhaps don't realize is recruiters are not likely to be your best bet in terms of finding your first role in cyber security, and the reason for that is, as

much as obviously we hire across the industry, and we do get the odd role here and there that is at a junior level because a business wants us to manage the process, most businesses will actually rather invest in you than pay a recruiter to find somebody for that role. So they'd rather make that investment into you and your training and your development, certifications etc. So, you know, as Rosie said, your best bet is to connect with people in the roles, potential hiring managers. You know, if you're looking down, hypothetically speaking, if you're looking down the SOC route, how many SOC managers can you connect with within, you know, a week?

And, as Rosie said again, you don't need to necessarily talk to them immediately, but the benefit that you get is actually, you know, if they're hiring, they're very likely to put out a LinkedIn post and you'll immediately see it, or if you've already been building a relationship and have been having strong conversations with them, you'll be top of mind, because they'll always go into their network and community before they'll go out and, you know, put an advert out, for example. The other thing is it's not just SOC managers, it's SOC analysts as well, people who are doing the job that you want to do, they might get asked for recommendations. Just conscious of time as well, just

very quickly, Ladies Hacking Society. If you are a lady, even if you're not a lady you're very welcome, but it's a ladies-first sort of space. The Ladies Hacking Society, they've got meetups all over the UK and they're a great network, and they're not just technical, they do have sort of risk talks and management talks as well, and loads of businesses will go there first to say, hey, we're going to be hiring. And the great thing with that is, same as with like the TechVets community, you know, they already have great women within the industry, you know, it's a safe space for women to work,

so it's a really good networking group as well. Thank you very much for having us.