There's been a trend recently of people in the cyber security industry sharing details of their journey so far. I work as a network and security engineer and didn't take a direct route to the position - this is my story.
I started my IT career working at my secondary school, while I was a student. Initially I and some friends were taken on voluntarily to write the school website but this later developed to include work on the IT environment itself. From year 9 (age 13/14) I worked almost every school holiday in the school's IT department.
Schools are a great environment to start learning cyber security in as the pupils aren't afraid to try and get deeper into the system and potentially cause mischief. Being "on the inside" meant we had elevated privileges already, albeit via separate accounts, but we still took the opportunity to see how far we could get as our limited users. Once we'd found a problem we would fix it. On one occasion we realised students hadn't been prevented from printing to any printer, they just had to add it. This had bigger implications given it meant they could also print directly into the headmaster's office (potential for rude messages abound) so that got fixed fairly quickly.
A few years later the school decided to rip out the old RM system (Windows NT4 Server with Windows 98SE and then RM management tools on top) and implement a vanilla Windows Server 2003/XP environment. My friends and I were largely responsible for its configuration and had 8 weeks to do it. The then network manager celebrated by pushing the old NT4 server off the balcony (I don't think those disks were securely erased though...). From a security standpoint this period is when I learnt a lot about Group Policy, a tool that allows settings to be pushed, and enforced, on users. I wrote a security policy that I called Tron, so named after the film of the same name (Tron was a security program), that locked down student settings. It was fairly complete but sadly got deleted as I was accused of "opening backdoors", something I hadn't done so I can only assume the network manager hadn't understood the reference. No matter, I wrote it again with clearer name (there's a good reason for naming things clearly).
After my A levels I went to work in industry for a company called Adastra. Adastra wrote and supported software used by NHS out of hours doctors services, so understandably confidentiality and security got drummed into you. A senior engineer called Roger seemed to be the security lead and he had some fascinating stories. I'd probably call him a grey hat hacker today, although it was tough to see what was bravado and what was real. Nonetheless, it piqued my interest. I didn't stay at Adastra long, as I didn't like the commute, and the school's network manager had just left so I applied and went back there as an IT technician.
Returning as a technician with more knowledge than the network manager was a pain (and came with a pay cut), but I fixed a number of issues. While I'd been away it turned out the school's IT had had massive issues and file permissions were all wrong, with users able to access literally anybody's files. That took quite some time to fix, but I got it done, my manager watching from the sidelines. He eventually left and after another manager I became the network manager.
While working at the school I noticed I could take my Learning Tree training and use it as credits towards a Masters (MSc) in Professional Computing. I'd already got three out of eight courses, so picked the remaining five to be in security related topics (I've put a list of courses at the end). After learning about forensics I was able to use skills I'd learnt to recover work for students when their USB memory sticks went wonky. I also had to investigate a member of staff's online activities, so made sure I followed a good forensic practice.
I became a British Computer Society (BCS) member while working for the school and had access to more IT related events and groups. There was a call for people interested in setting up what became the Young Professionals' Information Security Group (YPISG) and I responded saying I'd be interested. I became a founding member of the committee, initially serving as the treasurer and later as the group secretary. Through my time with the YPISG I got to meet other professionals working in the IT security industry and helped run events for group members. After a few of our penetration testing training day events, at universities around the country, I became a speaker. I was nervous about this, not wanting to be in front of everyone, but I'm glad I did it. It's really rewarding being able to pass on knowledge and the days were very successful.
I was head hunted from my role at the school by a local IT support company and ended up being their de-facto security engineer. I designed security policies, checklists and a test scheme the company could use as part of a basic health check. The test covered a number of things from the company's network firewalls to Active Directory group memberships. Clients appreciated the checkup and the tests became part of our regular maintenance.
Following on from the security tests the company was also commissioned to undertake a black-box penetration test from a London firm. Being a black-box test meant I had nothing to go on beyond the company name, but the first stage is reconnaissance anyway, so I and my colleague began our work. After three days of research and social engineering we knew their public IP, who provided their IT support, which service companies they worked with and even what locks they had on their doors. I wrote up the report and they halted testing there while they dealt with their information leak problem (their "head of security" had told me the most information, ironically). Sadly security wasn't my main focus, so eventually I moved jobs to become a network and security engineer.
My Masters dissertation project was to build a remote controllable network monitoring system that allowed an administrator to take remedial action from their phone. As part of that I had to design a mechanism to prevent abuse of the system so combined encryption with timestamps, secondary passwords and obfuscation to make that remote control safe. I won't say it was bulletproof (there's bound to be something I'd not thought of) but it seemed pretty good. I demonstrated my proof of concept during my viva at Staffordshire University and was awarded a Masters with distinction after four years of work. I'd done the whole thing while working full time, supported by my wife for which I'm grateful. For those interested, my dissertation is here.
I'm not convinced having my MSc assisted in getting my current role as a network & security engineer, but I've certainly used the skills I learnt through it. I'm jointly responsible for maintaining the security of some local councils and day-to-day work can be anything from giving advice to investigating a full blown ransomware incident (something I'll blog about in future). I did leave this role, for about five months, for a job that looked much better on paper but in reality gave me a problematic boss who wasn't interested in anything I had to say - possibly the worst period of my working life. Fortunately I was able to return to my previous (now current) job but it's worth noting the path to a cybersecurity career isn't all rosy, easy or painless! Working in security is often interesting though, and I had the opportunity to do some forensics for the Information Commissioner's Office.
Public speaking has become part of my life now, giving talks at BCS meetings, conferences and universities. I've given two guest lectures at Canterbury Christ Church University and ran a workshop hosted by them for East Kent College. I've also had the privilege of speaking at a cyber security conference (2018 talk slides here), and will be doing so again this year (2019 slides to follow). I've been asked a few times if I feel I could lecture full time - I honestly don't know yet.
Should you get the opportunity to go to conferences (like Infosec Europe) or meet ups I strongly recommend that you go. They're great networking opportunities and conferences, particularly the larger ones, give you the option of listening to a number of good speakers. It was through a BCS event in London that I met a lecturer from Christ Church university, a meeting which directly resulted in a (paid) guest lecture and our current working relationship.
At some point I need to decide what my next career move is. I could develop my penetration testing skills further and move into that, although I'm hesitant because that will likely involve regular commuting to customer sites. Having a young family I don't really want to be traveling all the time. I could start my own business (or go in with a friend) implementing secure systems and supporting customers but again that likely comes with commuting. Essentially, whatever I do is unlikely to have the short journey time I currently enjoy, so I need to weigh up the pros and cons. Whatever happens, I don't want to be where I am, doing what I do now, by 2023 - there's no funding for training and little interest in developing my skills and that's not good. In the meantime I need to make better use of my Pluralsight subscription! I know I'll have the support from my wife and family regardless (thanks for that).
This is probably the longest blog post that I've written, but I hope you found it interesting. If you're looking to get into this fascinating industry then I hope this has given you some food for thought and the confidence to go for it.
Learning Tree Course list
- System and network security introduction (course 468)
- Securing web applications, services and servers (course 940)
- Penetration testing, tools and techniques (course 537)
- Implementing an incident response strategy (course 589)
- Vulnerability assessment: protecting your organisation (course 589)