You Can Do It:
Every single person has a journey. No one path can be retraced. This is a story about my personal journey from being in a non-IT-related field to a full-time offensive security consultant. Everything written in this blog should be taken as a suggestion and not as a hard-and-fast rule for breaking into the industry. With enough dedication to study, preparation for an opportunity, and a whole lot of luck, anyone can earn their shot.
My first attempt into a professional career was in the real estate world. I had a medical schooling background but chose to pursue other ventures coming out of college. This forced me into taking a job that was just that – a job. I have no ill will with my former company, but it was not something that was going to last long term. I believe that situations like this are where most people spark their desire to make a career transition.
Note: Cybersecurity is the latest buzzword in what could be a luxurious and high-paying position. While this may be the case for some, it is important to note that a lot of businesses see cybersecurity as an expense. No immediate financial gain comes from proper security and it is often expensive. So, unless a company has been hit with a recent data breach, cybersecurity positions are seen as expendable. Just something to keep in mind for the current world.
Beginning the Journey:
Having no computer science schooling, certifications, or real-world experience, I was where a lot of people are. Window shopping in the vast cybersecurity field can lead someone to chase multiple rabbits. It is important when starting out to chase just one thing at a time – I had to find my passion. Thinking being a developer was cool and as easy as learning a new language, that was where I started. I learned the basics of coding for popular languages like Python, C++, and SQL. This is where I think everyone should begin. Knowing the root level of how applications work will better serve you in all cybersecurity positions. This went on for about 8 months. I built a portfolio of sample projects and websites. I am ready to build things!
Now that I was on track to being a full-stack developer, there was a nagging problem – I hated debugging. With a passion. So, time to find something new. I had a friend that was a cybersecurity analyst at the time. He suggested looking into cybersecurity. That opened every door, window, and other home orifice in my mind. Offensive security in particular was super cool. We all have that mental picture of a hacker with their hood up in the basement with the lights off. I could do that. I owned a sweatshirt and didn’t care to see the sun.
Where to go next from just having an interest in offensive security was the big question. A lot of forum readings said to attempt the Hack the Box and TryHackMe introductory courses. In hindsight, I think that was a huge advantage in laying a general knowledge base for security. I purchased the VIP programs of both websites. As I dove in, it helped reinforce my coding, as I was able to read a lot of the scripts that were being used as examples. I did this for around 6 months in my free time while working a full-time position. There is a basic understanding of what the job will look like at this point. Now I need to prove it on paper… somehow.
Building a Resume:
Schooling seemed like the best option to do that. Having a degree is a great way to academically prove you know what you are doing. While this is not something that is for everyone, trust me, I get it. School is useful. Not only for the learning aspect but for the networking. Your professors deal with former, current, and future professionals in the industry. They can introduce you to folks who may lead you to your next job. If school is not your route, getting certificates for the basics like CompTIA’s Network+ and Security+ is achievable. Kennesaw State University (KSU) was my school of choice *Go Owls*. They offered a cybersecurity degree that engaged everything from networking, coding, and managerial courses. At the expense of my free time, I was able to complete a master’s degree within a year.
Let’s backtrack a second. Toward the end of my first semester, I began to mass apply for internships, junior positions, or entry-level positions on Indeed, LinkedIn, and Google Jobs. When I say mass apply, I mean hundreds of applications. There was a half-hour block minimum daily that was set aside just to send applications out and to follow-up on every single one of them. Ultimately, it led to nothing.
Side Story: One company responded back, but lost touch with me after our first touchpoint. I decided to put my hacking skills to use and found the work calendar of the recruiter that reached out. There was an option to book a time slot and I took that chance. She joined and her first question was, “How did you get this interview?” Honesty is the best policy and I thought it was a great segue into getting the job as a junior. Long story short though, I absolutely BOMBED the interview. My suggestion to all is to be well prepared. Oftentimes though, a failure will teach you more than a success. It is okay to fail.
Back to the story. During my mass applying, I found an application request through Georgia State University (GSU) for guided internships. By some miracle, I was accepted. The internship shipped me out to Atlanta’s main county. I was working out of the Fulton County Government Building. That internship had me and a partner work on Governance, Risk, and Compliance (GRC) audit preparations. This was super important work for me because it showed me the foundations of what all security programs are built on. Most companies are required to be compliant with certain standards like NIST and PCI compliance. These are frameworks that every security practitioner should be reading and updating themselves on, as much of what a business does is predicated on complying with said standards.
This was a one-month internship. I quit my other real estate job, so time to find something new. Back to mass applying. KSU had a job board called Handshake. My current company, Abricto Security, was open to positions for a Junior Security Consultant. A Junior Security Consultant at the time, Dre Porter, was already at the company. He helped me out and was the reason I got a chance with Abricto. Everything I had learned so far led up to this moment. Interviewing was tough. There were many shortcomings I had to admit. Cornel du Preez and the rest of the team still decided to give me a shot. I am forever grateful and know that most people do not transition directly from school to working immediately on the red-team side. Having a junior program is also atypical for a position like that. That is another blog post for the future where we discuss our junior program here and how it can benefit any company.
Through lots of hard work and self-study, Abricto offered me a full-time position as a Security Consultant after 6 months in the junior program. This has been a dream job that I never knew about 18 months prior. I would recommend anyone looking to break into the world of cybersecurity to really work on their preparation. Whether that be through school, certificates, or real-world experiences, be ready. This industry is challenging as much as it is rewarding. If anyone ever needs help or just wants to talk about what they can do next, feel free to reach out to me on LinkedIn.
Good luck and go hack the world.