
My rocky road to Cyber Security

I read a LinkedIn post the other day from a well-known security recruiter in Australia, Ricki Burke, who stated that a job in cyber security is not an entry-level job.

And I agree, it’s very rare to go into cyber security straight from university – even with a master’s degree in the subject.  You need to get some “IT” knowledge first.  I worked for one of the “Big 4 consulting” firms, and we had a group of fresh graduates starting each year.  They were all smart and hardworking but (and I write this with the utmost respect) almost universally useless.  Most of them came up to speed quickly, and the ones that didn’t were moved on. 

So yes, Australia needs security professionals – but ones with experience.  I’ll tell you how I did it, and hopefully, you can do something similar.

The Early Years

My career choice was easy when I was young.  As soon as I saw my first computer, I was hooked.  One of my friends lived across the street and owned a Commodore 64, and I used to go over all the time to play on the computer.  But there wasn’t that much learning going on.  Two boys, one computer and no internet, and with pair programming not a thing yet, not a lot of learning about coding was happening.

One day, when I was about 12, we suddenly had new neighbours move in next door, and they had an Amstrad CPC6128. I started spending so much time there that they had to move the computer into the sunroom at the rear of the house and leave the outside door unlocked (keeping the internal door locked)—so now I could go next door any time I wanted to use their computer. I guess they got sick of me sitting in their lounge room. 

Soon after, my parents bought a ‘family’ computer and put it in our lounge room, but with my sister and parents not really that interested in using it, it didn’t stay there very long and was quickly migrated into my room.  I wanted to know everything about how computers worked and how to program them.  I pestered my mum to drive me into the computer store in the city – and by ‘city’, I really mean ‘town’ because I grew up in Hobart, Tasmania, so it was a miracle we had a computer store in the first place.  I would then spend what little pocket money I had buying computer magazines that I would read cover to cover.  I spent so much time in the computer lab at lunchtime at school (they had BBC Model B’s) that when it came to choosing electives for year 9, the computer class teacher told my parents I shouldn’t take his class because I wouldn’t learn anything.

In short, I was obsessed with computers, and I still am.

Software Testing and Assurance

The only job I really knew about at the time was programming – I wanted to be the one who crafted code that made these magical computer programs work.  My first IT job was working as a part-time programmer while finishing my final university year.  But once I was done, I found out that there just weren’t that many full-time programming jobs in Tasmania for a new graduate.  You needed at least a few years of full-time experience under your belt (sound familiar?).  So, I took whatever was available, and my first full-time job was as a test/QA engineer – writing automated test scripts for functional testing for the local power company to test for Y2K.  Nowadays, you would use Selenium, but at the time, we used Mercury WinRunner.

After living in London for 5 years and returning to Australia to settle in Melbourne, I spent over 10 years in software testing and automation, performance testing, and, eventually, test program management. When I wasn’t in a management role, I was always in a technical role, where an essential requirement was understanding how interconnected systems work to test them properly.

At that point, I met my (now) wife, who had been in security her entire career.  She said that testing is becoming a commoditised service, would be offshored, and salaries would decrease (all have come true, by the way).  She convinced me I should move into security, so I started planning out how to make that jump.

Transition to Cyber

I’ve gone into so much detail about my background because it’s important to know that I thought I knew a lot about IT.  I had a computer science degree; I had been working in IT for over 10 years in roles that required me to understand the architecture of a system or solution so I could performance test it and interpret the results correctly.  I kept my programming skills relevant by doing small projects on the side.  But as you know if you’ve ever tried to transition into a new job role – it’s very difficult to convince a company to hire you in a discipline different from the one you already have experience in.  I was facing having to take a step back and almost start from scratch, which meant less money.  Perhaps even a lot less money.

Sometimes in your career, you must move backwards or sideways to enable forward movement.

In my case, the trick for making the jump was to put my hand up for any and all extra work that was even remotely security-related – while continuing to do my current work.  I was also working as a contractor, which made it even more difficult because my contract said I was supposed to be doing testing, not security.  So, I ended up combining the two disciplines.  My client wanted to review a number of technologies in the security space. What’s the best DDoS solution? Or the best WAF technology?  I took a testing approach and applied it to vendor technology selection.  I devised tests for the hardware and software solutions, then wrote a report based on my findings with a recommendation on which technology the company should buy.

This introduced me to several vendors, exposing me to their technology and, more importantly, building relationships with people who worked for those vendors.  So, when one of the vendor’s clients needed an ‘expert’ in that technology, I had a good recommendation because I’d been working with them for 6 months and had gotten to know the tool quite well.  This got my foot in the door – and I was on my way.

Getting Certified

I still had lots of learning to do though!  Like I said, I thought I knew a lot about a lot. But in reality, I just knew how to run a specific tool – I was about as useful as a new graduate when it came to security.  But, like a new graduate, I picked things up quickly.  I read all the security blogs and books I could find in the evenings.  I went and did a CEH – not because I wanted to be a pen tester, but because I wanted to get some basic knowledge about pen testing and how it works (that certification is not well regarded, as I later discovered).

I started working towards a CCNA but never scheduled the exam because I could see that the cloud was becoming far more significant. So, when AWS released its Solutions Architect Associate certification in 2014, I went and got certified. After a year or so, I really started to feel like I knew what I was talking about.

Getting hit in the face by Reality

Then suddenly, the client I was working for decided they were going to bring the work I was doing in-house, so they no longer needed that service – which meant the service provider no longer needed me.  But as luck would have it, the client had a job going in their security architecture team, so I applied, and I just sort of assumed the interview was a bit of a formality.  I have years of experience in IT!  I love computers!  I’ve learned so much in the last few years!

I went to the interview and got hit by questions I couldn’t answer.  I didn’t get the job despite all my “experience”.  And you know what?  The interviewer absolutely made the right call.  Even though I would have come up to speed very quickly (and I did so in my next job), I think that reflecting on it now, I didn’t have enough experience to be an architect in that team at that company at that time.  I just didn’t have knowledge in the right areas so I could put forward a point of view and successfully defend it – one of the main requirements of the job.

Summary

I worked in security for a few more years until I ended up in the security architecture team at one of the “big 4” Australian banks on a greenfield transformation program.  I was helping stand up a new mobile app and cloud-hosted middleware – essentially a new neobank inside a larger bank but run more like a start-up.  Cybersecurity is kind of a big deal in banking, so many people see banking as arguably the ‘pinnacle’ of security work (banking or military, but I don’t live in Canberra, so banking it is).  In any case, I made it to the (arguable) top, and with persistence so can you.

However, you can’t expect to jump straight into cyber security, even if you’ve been in IT for a while. Even if you have been in security for a while, most people find it difficult to make the jump into security architecture. The usual progression on the technical security path is something like doing another IT role for a while—help desk or what used to be called sysadmin (now DevOps). You could also come via a semi-technical QA path like I did. 

Then, after a few years, move into a SOC analyst or security engineer role, and eventually security architect.  You might need to spend up to 4 years in each role – especially at the start.  If you want to be a good security architect, don’t try to shortcut this process.  I’ve heard people say that architects “should have some grey in their hair,” and while that might not literally be true, in most cases, you will need to have a few years in the trenches under your belt.

Good luck and I hope to see you there one day!
