Career Crossroads - Ethical Hacking?
Discussion
I’m after some career advice as to what to do next. At present, I’m 33 years old and have worked in IT Support for just over 16 years. I currently manage a team of IT Technicians across two separate sites/networks. If I’m not involved in meetings, I’m assisting with 2nd/3rd line issues.
I recently decided to leave. I finish at the end of November (3 months notice) and will be taking a few months out to go on holiday (!), enjoy Christmas, and then find something else. I should hopefully fall into a 2nd/3rd line support job fairly easily. In fact, the next logical step would be IT Services Manager or Project Manager, although Prince2 qualifications possibly required for the latter ...
However I’m wondering whether specialising in something would be more beneficial long term, financially speaking i.e. learn Azure/AWS, or Java, or become an Ethical Hacker?!
Obviously, I’ve had no real world experience of the above, let alone any official training. I’d be starting out with YouTube videos and online guidance. Am I barking up the wrong tree? Am I likely to spend many hours attempting to learn as much as possible, but not actually obtain a job in said field due to my background in IT Support?
Ethical hacking/penetration testing looks pretty interesting; does anyone on here do this as a job? How about Java Developers? Is it exciting work?
I feel quite frustrated. I believe I have a good work ethic, a real positive ‘can do’ attitude and I have plenty of soft skills/good communication skills. However my downfall is having no IT certs, other than A Levels.
My frustration is that I do not know how to channel my ambition. A friend of mine suggested I would be good as a car salesman! If I were to sell anything, then it would be luxury watches. However I doubt that would pay enough, unless I had my own business. Procurement could be fun, but certifications would be required. I still like IT, but I do feel I need to move away from the support side of things ...
Apologies for the ramblings. Honestly, any help is hugely appreciated!

Hello OP
I have some advice here as I work with pentesters, but I'm on the network engineering side.
From chatting with our current pentesters, they all started in networking, then moved into a more security-based job and finally did their CEH or computer science degree to become a pentester / ethical hacker.
There is a lot of info online for this topic, but for starters have a look at Kali and research its tools. It's fascinating and such good fun.
Also, recruiters for jobs are doing box ticking when you apply for a role, so having certs behind you will definitely open doors. CEH is one of the more entry level certs, but will definitely help you reach your goal.
Best of luck OP. 'Hacking' is really good fun, especially once you've cracked an exploit (in a closed lab obviously).
PB
If you have any interest in the commercial side (you mention a friend spoke of sales), then it is worth exploring Pre-Sales / Sales Engineering (if you have not done so already). I did this many years ago, and it was the best move I could have made. It was a big enough jump to get away from always dealing with problems and unhappy customers, and move to planning integrations, explaining complex ideas in commercial terms and feeling more involved in the fun stuff! It was great to be able to use my technical background, and if you are the right personality, enables you to communicate with the buyers technical team with real credibility.
It is not for everybody. You must be personable, rather than an introverted techy (nothing wrong with that, but not best suited to this role), forget 9-5, be willing to learn to present well, and depending on the company, you could lose some of your technical depth, but for the right person, it makes an excellent step.
Vendors are always on the look out. You could even step into the security space, so you have room to move should you have a change of heart at any point.
As with any skilled job, then you need to have the passion and determination to want to do the role. Hacking of any sort, whether it is white hat or black hat, requires thousands of hours of experience - and there will be thousands of people better than you at it still.
From a certification point of view, then I don't think your CV will be considered if you don't have a CISSP.
As suggested above, presales is a good route. Different companies perceive the role of presales differently, so you might find you're just a nerd in a suit who is presentable enough to stand in front of customers potentially willing to pay millions for your product, or you might get the opportunity to carve your own niche and get deep down and technical, give talks and generally just be a guru at your employer. A downside is that you are often perceived as lower down the food chain by the account teams that you work with as a necessary evil. But of course that can be negated by just being bloody good!
Soft benefits are usually good too - people generally are happy to see you, you get to travel a lot, expenses is usually on the cards, etc.
Don't go into car sales - £100k+ earnings is generally a lot more easily achievable in IT presales than car sales!
Edited by devnull on Wednesday 9th October 07:44
A lot of my friends are working as ethical hackers and pen testers, they don't have any formal qualifications, just hours and hours of messing with computers, and backgrounds in hacking/cracking right from their mid teens.
The company/organisation they work for has tried computer science graduates and found them to be utterly incompetent.
Turns out there's a big difference between doing something you're obsessed about and doing any random degree course in order to get into uni, to enjoy the social life.
Edited by lyonspride on Tuesday 8th October 15:44
lyonspride said:
A lot of my friends are working as ethical hackers and pen testers, they don't have any formal qualifications, just hours and hours of messing with computers, and backgrounds in hacking/cracking right from their mid teens.
The company/organisation they work for has tried computer science graduates and found them to be utterly incompetent.
Turns out there's a big difference between doing something you're obsessed about and doing any random degree course in order to get into uni, to enjoy the social life.
Computer Science is not in any way representative of real world computing, though. It's the theory of programming languages, compilers, networking, graph theory etc - highly mathematical and has a small handful of actual practical courses thrown in.
You won't need CISSP to get on the lowest pen testing rung of the ladder (probably start you off with vulnerability assessments which form an early part of a lot of tests). Some companies run "accelerator" schemes where they bring in a few people each year with virtually no experience (usually grads in middle of a related degree), start them off and see how they get on, if they do well, and pass their exam, then they're first in line for a job. Not all are grads.
I'm specifically in cyber security presales so feel free to PM me for advice, my experience is primarily managed security services/SOCs but I've worked with plenty of testers and can do high level presales for testing, just not the detail like scoping/proposals for web app or mobile tests.
Although what do I know I got made redundant last week?! F*ckers.
I'm not a pen tester, though I work for a company which has a testing business.
As someone said above, the best ones are people who are naturally into this stuff anyway - if you're serious you'll likely already be playing around with hacking at home.
I've seen and heard different companies take different approaches - like any business field there are those who "stack it high, sell it cheap" and will be after the lower priced end of the market with standard tools (typical customer will be a public sector or quango organisation who have been told to do a pen test and just want someone to tick a box), trading on volume, right the way up to those companies where the testers develop custom tools and playbooks, and combine "testing" with other services and whose customers are more of the "high assurance" type.
Neither are right or wrong to work for, but do your research to find which will best fit your own development needs in terms of gaining the right skills and experience for what you want to do (including work life balance and travel).
Lots of good info said already.
Infosec is a very broad field with a lot of opportunities for people from various backgrounds - think about infosec risks in your current / past role and how those may be exploited. I used to be a pen tester but have no formal qualifications. Ended my pen test career managing a pro services team.
Cloud security is huge and will only grow.
Software security equally.
Architecture is a great balance across the various domains.
In fact lots are converging - infrastructure is defined as code so it's less about physical networking these days for cloud stuff. Lots of on premises stuff still of course.
For programming languages Java is useful, but pen testers usually cobble together scripts, so look at JavaScript (Node.js), Python, Go etc.
For hacking web apps you need a deep understanding of OWASP stuff and I would say deep knowledge of managed and unmanaged languages, various databases and the main flavours of OS (Linux and Windows). Ability to apply the mechanics of an exploit across languages (e.g. port from Java to .NET or whatever) and understand how data and presentation get mixed up. Deep understanding of browsers and HTTP-type protocols too. It's a huge spectrum and that means opportunities to specialise.
Download Metasploit or Kali and have a play. Read OWASP and NIST 800 etc.
Consulting is probably a good angle to get into cyber sec/pentest/ethical hacking. Ironically.
Keep an eye out for junior jobs at NCC etc and be prepared to apply observations of vulns etc from previous roles to how you would apply in consulting.
Hth
I had a similar career path and went in to project management via Prince 2. Bored the pants off me, I am a techie at heart not a pen pusher. I lasted 4 or 5 years and then ditched the industry entirely. I kind of wish I had carried on the hands on route and gone a bit more specialist but things have worked out well in the end.
Taita said:
I do this for a living, hold CCSAS and CCT from Crest.
I'll check back in tonight from laptop but hit me up via PM if any questions.
Eta for f**ks sake don't do CEH. Try OSCP
Hi Taita
I'm curious, why not the CEH? Most of the guys I work with all have done the CEH, some have compared it to a CompTIA A+ in terms of its broadness. But most of the chaps would recommend it for entry into the industry.
PB
Taita said:
You will not get hired at any decent consultancy with CEH. No discussions.
It's theory based only, no practical. I'd ignore what your colleagues say, as they are incorrect and don't do this for a living.
Sign up for OSCP and see if you like it.
Listen to this man.
I work in security industry, and have employed/run/owned security testing teams, amongst other things
CREST CCT/CSAS/CTL are the 'gold standard'.
If you can do OSCP, then that points at least to a frame of mind towards red-team testing (though this is not trivial).
As others have said, those who have a natural inclination to understand how things work/why, and keep trying until they figure it out (off their own back) tend to be far stronger than compsci grads etc.
Look at what the major players look for as admission - e.g. NCC, Context, F-Secure/MWR, plus many many other companies (look at the CREST website for the list of CREST member companies).
CISSP is a red herring for pen-testing (though it is relevant to other roles in the industry).
I self taught and became a CHECK team leader many many years ago. You need a good understanding of networking, Windows, Linux, the ability to compile code, and to understand databases and web applications. Back then you did the 'assault course' at GCHQ - no idea if that's still the case.
I stopped doing it because it didn't earn the company much revenue and it was very hard to keep on top of all the knowledge.
I moved into virtualisation and then cloud - good Azure skills are always sought in our place. Thing about pentesting is you need to know everything about anything imo, so difficult to be great at one thing.
eliot said:
I self taught and became a CHECK team leader many many years ago. You need a good understanding of networking, Windows, Linux, the ability to compile code, and to understand databases and web applications. Back then you did the 'assault course' at GCHQ - no idea if that's still the case.
I stopped doing it because it didn't earn the company much revenue and it was very hard to keep on top of all the knowledge.
I moved into virtualisation and then cloud - good Azure skills are always sought in our place. Thing about pentesting is you need to know everything about anything imo, so difficult to be great at one thing.
The original assault course still exists but isn't used any more for CHECK exams.

Taita said:
The original assault course still exists but isn't used any more for CHECK exams.
When I arrived with my laptops they wouldn’t let me in with them - there was a standoff and suggestions I could bring them in if I removed the hard disks. That’s a bit like telling the plumber to empty his toolbag.
I got started and found a little more than i was supposed to using show cdp neighbours - they rubbed that bit off the board and got their flashy thing out!