We’re going to get a lot less technical in this post. This is partially because I’ve been traveling lately and haven’t got my hands on the keyboard as much as I’d like, but that’s life. If you’re curious about what it takes to become a cyber security professional, whether it be a penetration tester or a similar role, then this is for you.
I’ll preface this by saying that I am in no way entitled to decide what makes or breaks a good cyber professional. All career paths are unique and all people are unique. This is simply my own opinion, crafted through sitting on both sides of interviews countless times and many sleepless nights fixing what’s broken in production.

A strong technical foundation is key
This might be super obvious, but you’ll need the technical skills for the job. How you get those skills is becoming less and less important to employers as time goes on. If you do this by attending college and receiving a four-year degree, then great. If you do tons of self-study and prove your skills through certifications, projects, or some other method, that’s also great. What matters is that you are coming in with the building blocks necessary for the role so that you can capitalize on every opportunity to grow yourself.
If we are going to get specific, some building blocks that I have found valuable include: programming languages, TCP/IP networking, computer architecture, algorithms, the OSI model, logical reasoning, cryptography, a basic understanding of the cloud, and software development.
Get good at learning
You’ll probably start getting good at learning as you familiarize yourself with the building blocks of the computer security world. Once you have those building blocks, that’s when things really start to kick off. Newsflash – there are a lot of tech companies and vendors with a lot of products out there. Use those building blocks to learn as many operating systems, databases, devops, and cloud technologies as you can. This will not only give you more knowledge that is applicable to a new job, but also the necessary skills to quickly pick up new tools while on the job.
I had the amazing opportunity to be a Privileged Access Management engineer as my first cyber security gig. If you don’t know what a PAM engineer is, they keep any and all privileged accounts in your environment secure and only accessible by those who need them. This means I needed to learn many different tech stacks, including how to use them and how to secure them. There was also a lot of network and security architecture involved, as the PAM software needs to interface with virtually every team across the company. I could not have been successful at it had I not come in with my building blocks and the ability to pick up on new technologies quickly. Call me crazy, but this job is the reason I actually enjoy reading documentation and white papers nowadays.
Specialization can be both good and bad
You’ve probably come across job postings with requirements along the lines of “10+ years of experience in technology X” or “must be proficient in Y”. Sticking with a technological skill for an extended period of time can certainly have its benefits, such as becoming a subject matter expert in a particular area. It can also have its drawbacks: the tech and cyber industries are growing at exponential rates, so it is entirely possible that some technologies or software will become obsolete in a matter of years. A simple solution is to find what you like and diversify your skillset.
People enjoy working on the things they like, and others definitely recognize that. Find what makes you tick and show passion for it. Maybe it’s cloud computing, or maybe it’s reviewing code. Potential employers are more likely to hire someone that shows passion for their skillset, and your leaders are more likely to put you on projects that involve your interests.
Whatever it is that you cannot get enough of, make sure that you don’t put all of your eggs in one basket. Specialize in a few things as an insurance policy. Going back to the previous example, if you like cloud computing, maybe pursue AWS and also dabble in GCP and Azure. If you like code review, make sure to learn a couple static analysis tools and languages. Even better yet, if you have some level of interest in both, invest time and effort into all of the above. Not only will this provide some reassurance that you will be forever employable, it will give you a diversified skillset and make you more valuable than the other resumes in the mix.
Learn how to play the game before figuring out how to cheat
This is more specific to penetration testing, although it might still be relevant to other cyber roles, especially the more technical ones like vuln analysts, incident responders, and SOC engineers. If you’re wanting to figure out what a target’s weaknesses are, you first have to understand how it works and how it is meant to be interacted with.
There is a reason why the information gathering and enumeration phases of a penetration test are often the longest. Sure, you can have some of the work done for you and be handed documentation and architectural diagrams, but it’s still on you to know them inside and out. Spend as much time as possible fully understanding what you are working with. Do you know what tech stack is being used? What are the different actions that can be performed on the application? What are the cryptographic and networking protocols being used? The list goes on. The point is, once you fully understand the rules of the game, you can more easily find ways to cheat.

Soft skills are just as important
I cannot stress enough how soft skills are just as important as your technical ones. Employers and your teammates want to know that you are capable of interacting with others. How do you respond to feedback? Do you work well alone and also in smaller groups? Are you adaptable to situations like shifting project deadlines? Half of being in a cyber security role is being able to interface with different teams and changing direction at a moment’s notice.
As a former computer science student, I know that it is a little more difficult for us to develop these attributes. The best way to start gaining soft skills is to work on group projects, join a club of some sort, and get work experience (even if it is not cyber security-related).
Tenacity and drive
A successful penetration tester is tenacious and has the drive to give everything they have to their craft. There is a reason that the OSCP and other Offensive Security exams are 24 hours or longer. Penetration testing engagements only last for a set period, and you need to find as much as possible in that allotted time. Giving all you’ve got, yet finding ways to back off and readjust, is key to performing well in the cyber field.
Personally, I find myself having to schedule breaks when doing anything from CTFs to engagements. The process of breaking into something is exciting, and finally finding that way in is super satisfying, so much so that it can almost be addicting. I highly recommend taking scheduled breaks (and even going outside for once) whether you are studying or working. Be smart about how you schedule them and know your limits. It’s pretty easy to continue to do as much as possible while you have your laser-like focus, but you want to avoid burnout. You might come back and find something that you were missing earlier. There have been quite a few times where this has happened to me.
Communication
Going back to the conversation about interacting with others – it’s going to be a part of your job no matter where you go, at some jobs more than others. A great communicator is efficient, effective, and knows their audience. Let’s say you just found an interesting vulnerability. How do you communicate that to a developer who needs to fix it as opposed to your CISO and management? Everyone’s time is precious, including your own, so being able to effectively communicate to your audience will help everyone involved.
I absolutely love bullet points, especially in emails. No one likes being sent a huge blob of text to read. Instead, break it down into easily readable pieces. It also gives you an excuse to not write complete sentences and not be super formal in your writing.
What if you need to explain something that is longer than just a few bullet points? Schedule a short meeting. Make sure to set an agenda or give a one or two sentence description of what the meeting is about. This will let everyone know why they are expected to show up and that it will be a good use of their time.
Confidence
No matter where you are at in your career, you need to have confidence in your own abilities, and just self-confidence in general. You are capable of doing great things, and your mind is your own biggest obstacle. This is not an excuse to be full of yourself – no one likes an egotistical know-it-all. Quite frankly, those people possess plenty of technical knowledge, but they can be difficult to collaborate with. Part of being confident in your own abilities is knowing that you do not know it all, and you are okay with that. If you do not know the answer to something, don’t be afraid to admit it and say that you’ll figure it out.
Confidence is also a two-way system. Show self-confidence and confidence in your team, and they will have confidence in you. You and your team become unstoppable when this confidence loop occurs. There have been projects that I was leading where I had no freaking clue how to do it, but I knew my team had my back and that we were going to figure it out.
Resiliency
When working in cyber, expect that there will be instances where you need to spend some extra time on a task or project, maybe even during some off hours. Did a new zero-day exploit just get released? Time is of the essence, so you will probably have to put in extra effort writing detections or chasing down development teams to get their stuff patched ASAP. Are you responding to a potential threat actor? Again, the clock is ticking and the bad guys do not care about your sleep. Maybe you’re an engineer and are required to deploy something to production during off hours. In any case, you are expected to be flexible and resilient.
This is not meant to scare you away from a career in cyber; I’m only describing some of the realities of having a rewarding career. What I’ve described above are usually not everyday occurrences. However, being prepared and being able to bounce back from them only makes you a better professional and person. We ended up pulling off some stuff we originally thought we weren’t capable of doing.
Final thoughts
To wrap things up, some of the best cyber security candidates are those that can balance themselves with a foundation comprised of both technical and soft skill areas. It’s almost a given that you are technically competent if you’re either getting into the cyber security field or are already a part of it. That being said, there is always more to learn, so get good at learning and make sure that you are technically competent in more ways than one. And for my super technical folks, remember to always fully understand what you are working with before you try to break it.
The list of soft skills I’ve discussed is not exhaustive, but they are the ones that I believe to be most important to cyber careers, and probably most significant to any career in general. As cyber security professionals, we have the challenge of needing to be able to think like computers, yet still act like humans. Don’t forget that, and take the time to develop your relationships and yourself as a person.
If you’ve made it this far, I hope that this was insightful, even if you aren’t pursuing a cyber career. I wish you luck in achieving your goals, whatever they may be. ‘Til next time.