Hello! My name is Mike and I am an infosec engineer with 10+ years experience. I’ve worked in GRC, Vulnerability Management, PenTesting & AppSec. I have 17 SANS certs (I have a serious problem) and I’m also an infosec community enthusiast and creator/mod for /c/cybersecurity. AMA!
How do you get your work to pay for certs? 17 certs would be like 100k for me. And I don’t mean salary.
My old work place had a relatively progressive training policy and a decently healthy budget. The real beauty of it was that the budget was a departmental pool. The IT department did NOT take a lot of training so those few of us who did want to take advantage of it had access to a huge pool of money. Think, 10 people accessing money meant for 100 people kinda thing…
Hi Mike, I recently started working as programming intern for a company doing webapps. I’ve worked part-time gigs in a completely different field before, that means I got no certs, no job experience in IT to speak of, I’m not the young guy fresh out of school anymore. However, my interests have always been to break into cybersecurity and have slowly added some relevant knowledge as bare minimum… linux bash scripting, selfhosting, networking and etc. I’ve been checking out the certs usually recommended plus all the specializations out there and gotta say this is no easy commitment, but I do want to learn.
The thing is, what I’m currently seeing as intern is very different from what people in this field usually speak of online: For example, I was expecting the latest tools and whistles, but the company I’m at uses very old (10 years) frameworks for maintenance and support for corporate clients, windows only, proprietary stuff with very little documentation online. It gets… demotivating? It’s still a job and I have bills to pay, but I’m wondering how many years of experience do I need as a regular web developer (if my contract is renewed, even) to even attempt branching into infosec?
I know this gets asked a lot. Sorry for the long text. TL;DR: just started as intern programmer, company works with ancient dinosaurs instead of latest stuff, years of experience needed to become hackerman (or jumping from first one to others shown here)?
I don’t think there’s some minimum XP (in terms of YoE) bar to hit. You just need to be able to demonstrate your practical XP in some manner. Some people get this through work in IT/cyber, others through academics and others still through personal projects and doing things at home. There is a TON of self-teaching options these days through online trainings, CTFs, cons, meet-ups, etc… And lots of ways to document and market your experience and know-how (blogs, social media, podcast, etc…). Personally, I suggest learning a bit of coding, some cloud XP, start a small blog or post about what you’re learning on a micro-blogging platform and network network network.
As for your current place of employment, having a VERY legacy environment can actually be somewhat good for security as it may be “easier” in some respects to find misconfigurations and Vulns. Does your company have any security resources? If not, try to volunteer to help in that area, if they do, introduce yourself and ask to shadow/help/learn from them.
I see. I will have to document my progress and remind myself the company isn’t actually financing this. I should start by creating a blog.
Haven’t personally talked to the IT dep yet - I am in a small dev team for internal webapps and the last time we contacted them was because of printer problems, hah. Will try contacting them once I feel ready.
Thank you for the insights. Sorry I took too long to respond.
If anything that’s a great learning environment. Offensive security is a lot of reverse engineering, figuring out how stuff works based off (extremely) limited information and understanding how best to attack it.
Moreover, as these are old systems, they’re more likely to be outdated and vulnerable - not that you should try without permission or a clear understanding of what you are doing, particularly on production gear.
At any rate, no company will pay you to learn a completely different job to the one they hired you for. So you’re going to have to spend some of your own time learning about security. Where to start has been repeated ad nauseam online so I won’t attempt it.
Sorry for the late answer.
I haven’t thought of it that way - if I can convince my boss to test my skills on the legacy systems the company is running, it could be beneficial for both… assuming I get permission and enough actual skills to assess vulnerabilities.
Thank you for the perspective. I agree that intro posts are repeated ad nauseam, I will find my own way.
Thank you for the AMA.
Do you regularly feel overwhelmed? - Keeping up with the sec news and patch accordingly, firewall/ips and endpoint alarms, logs, meetings, and more. It shouldn’t be the case, but it seems that everything in security is prio 1.
EDIT: and being the party pooper and saying no to everything, bc people do not think about security.
Honestly I don’t get overwhelmed by infosec. Though my personality is to take on more projects than I can chew and that can sort of overwhelm my time - I don’t get emotionally overwhelmed easily though. Some of that I credit to my personality but I also credit how organized I am, it helps me keep track of everything on my plate and daily prioritization. Inbox Zero, using a task manager, having a personal Wiki (i.e. Obsidian/Simplenote) all help with this.
In the early days of my career I heard that sec people were the “no”-sayers in the group. I have learned over time that we don’t need to be. Instead, we become the - “let us find a way to do that securely”-sayers. It’s about creating that we’re-a-team mentality.
Hey there Mike. Thanks for doing this. With AI/ML changing the face of infosec, what do you predict infosec will look like in 5 years?
Also as a fellow SANS enjoyer, it’s great training. What are your top 5 SANS courses and why is GREM number 1?