
I'm not introduce him who does not know those are not your friends so I'm going to introduce I'm not going to this Gabriel he's going to come and take over the session. I'm generalizing a bit, but the two general ways you can get security right: as part of an internal organization, say for example you're a part of a bank's internal security team or you develop security products just for your organization; or you can be an external resource doing work for an organization, say you are a consultant who does fantastic incident response. I'm generalizing a bit, but that's how the two general forms are. I've done a bit of both. Now I'm trying to get up on gospel
Consultants it can be exhausting, but both of them have advantages and both have disadvantages. I personally prefer, at the moment, this moment in my career, I want to do internal security. Okay, now, getting started: the most common question I get asked. Most people don't know how to start, especially if you see those weird career maps and stuff like that, and the advice I give them unsure you can reach sites to use and start with the stuff that is going to be helpful regardless of the career you get into. There are some things that are just basic; whether you're doing blue teaming, red teaming, or application security, whether you're doing forensics, there's some basics that you should do.
Some of the most common ones is just getting familiar with working operating systems like Windows and Linux, especially using the command line. A lot of tools don't have UIs and stuff like that, so you might want to learn how to use the command not you sure that battery is a command line. Then coding and scripting. Okay, I should mention you can be successful in security without coding and scripting, but a lot of jobs these days require some level of automation, so I'd recommend at least learning one popular scripting language. I can't relate to coding when I was living in there actually I got into security because I was avoiding coding, not because I was passionate about security. I was avoiding
coding, and eventually I did. Passion came along the way, but now I actually wish I'd started earlier, because it's added so much value to my life, because coding allows you to be creative. It allows you to, you know, put your ideas that you might have in your head into something that other people can do here. So I'd recommend that you start with the simple ones: Python, Go. Those ones can be used for pretty much anything. I always recommend Python because it's very easy to start, and in a lot of jobs these days you see some level of scripting language required, especially the technical roles, whether it's blue team. I can't explain how valuable this is
when you're starting out. Home lab and everything can be allowed to actually and we'll even talk about it later in the series section. And then also things like, you know, this ID security things and frameworks, you know, the CIA triad. Those things will happen at the beginning; they're kind of boring, but I promise you they make you a better security professional later on down the line. Yeah, the reason I'm recommending those skills is because they add value regardless of the field, so even if you don't know why you're doing yet don't want to provide a good foundation. Where to start: I wish this is the one Center which existed about starting security. Anyone here use TryHackMe? Bunch of
people, yeah. Please use TryHackMe; I can't explain how valuable it is. At first I thought it was just for fantastic and stuff, but they have so much content, and even if you go to the site with zero knowledge, like you have no clue how to use Linux, you have no clue what security is, that somebody is popular learning paths. Like I said, the slide solution so the links will get some later. So start with this: TryHackMe. There's a lot of free content, but if you can afford the 10 per month, just put it, a lot cheaper than paying for these professional certs. I think Pennsylvania is like about 1500, yeah,
fifteen hundred dollars. It's not cheap, and paying for such things. So TryHackMe is why some people to say had a lot, but the reason I don't recommend Hack The Box is, Hack The Box is great when you're learning CTFs, but if you're coming from a point where you don't know anything, they don't have that beginner-level content. Like if you want to do suggest like boss is definitely the best, but if you're just coming from a point where you don't know anything, start with TryHackMe. Then, how to focus on a specific field: as you bounce around these different things, trying out different things, you might find that thing that you like doing a bit better than the other things.
That's actually how I started to execute because I like a lot of people who are here. Like I said at the beginning, try to track things like someone do a bit of everything, then you'll find one or two things that you actually enjoy a bit more than the others. Try diving deeper into those topics, you know, find content. Like, one thing I'd like to search for is on GitHub: on GitHub there's this awesome favorite team engage is awesome I really haven't seen those things and I got some specific topic. You can now start looking for specific content around that subject area you're interested in, and that's how you might end up now specializing and
beating a specific. So that's actually how I ended up specializing for offensive security. If you don't find anything you're passionate about, it will come over time, or you can just do the thing you hit, you don't think it's doing as much as your other stuff. like that person engage mobile off I really hate it, so I did other things to avoid the mobile and eventually I landed in stock, but I do enjoy, like, Windows environments and other things like that. This is another common argument we have in security, or just a popular debate: you know, do you prefer doing the thing while you're a bit of a generalist and competent in multiple topics, or do you
prefer the deep dive into a single topic? code but who are something that they prefer. So write this like deep dimensions of specific topic, becoming an expert in something; blue is more like where you balance. What do you think is the right answer here?
Like, the people who can become experts at one, who can become successful because they only know one thing, and the people who can become really successful because they juggle a bunch of things. So it really depends on who you are, what kind of building my girlfriends will become very successful by just knowing one thing really, really well, not to one or two things really, really well, but also a lot of people who've gone very far right German. So it also depends on your job. On the generating me it's very hard to focus on one thing because the scope is always changing. You know, now cloud is a big thing, so if you're a competent red teamer you might want to touch on cloud,
you might almost start team. I need to know at least something about Windows Active Directory, I need to know a bit about web application security, so it depends on your job also. For me, I actually prefer doing a bit of both, right: you're competent, you know a bunch of things, but then there's some specific topics that you're pretty good at, or at least above average, and in European and awesome team like I've worked with somebody
Unfortunately a lot of jobs still require a degree as a minimum, but don't let that smoke you. You're not doomed if you don't have a degree; there are a lot of people who still become really, really good at security. We have a friend in Africa who has the other degree but it's an architecture that's like such as a business degree or something, yeah. So you can still make it pretty far in security with or without a degree, whether it's relevant or not. Certifications: I would say they help when you're job hunting, but of course 90 percent of the time mostly starts up usually hard to reach or someone who
just start again if you're just pressure 20 years, you know, and now you're paying 150k for a single cert. But that doesn't mean you can't get certs. So one popular way to get certifications, especially when you're starting off, is making use of these offers and stuff. There's this thing called Microsoft training days, I just learned about the juicy juicy. If you attend a Microsoft training there the calendar is that, but when you open the link you can actually get a free certification attempt for the AZ-900. So all these big sites tend to have offers, tend to have this kind of promotions. These are the kind of things you can use. And also when
you're beginning, TryHackMe and Udemy and some of these other people, they have course completion certificates. When you're beginning you can use those things as certificates, yeah, because if you don't have the cash for the recipes or whatever societies you're interested in, you can use sites like this to get offers on these things and then you
One really important thing I should have mentioned is: please start learning how to take notes as early as possible in your career. It's one of the most important; it's actually my biggest regret executive has started taking note a bit late, proper notes later on in my career. Pick an app right now and start documenting everything. I'm sure you liked from everyone here that security around us feels when you're constantly learning now all the time when I lose you have to go back to the idea of organoids. Now imagine security: what used to keep happening is I have to keep going back to topics I'd already touched on, because I didn't have the notes. So now every time
you learn something they can do that. I'm not going to try and convince you which note app is better, but these are the most popular ones for pretty much everyone: Obsidian, Notion. I know a lot of people like Kenosha just speak and you don't character and use, but start taking notes as early as possible, because you really don't have to be going through a process where you're relearning stuff you already touched on. Another moment to personal branding. A lot of these topics feed into each other. Yeah, it's a personal value, so this is also a really, really important one. I can't explain just how much your personal brand helps when you're hunting for jobs. What I mean by
personal brand: personal brand is everything, how you appear to the world. Like, not like dressing, not silly stuff like that; I mean how your presence on them, you know, if someone Googles you, what do they find? Do you have a blog? Do you have a data? Do you have a Twitter? Things like that. So that's really, really important. Again, it's another regret I have, because I joined some, I started doing things very late. I started my program not to be late. I wasn't on Twitter for a while; it's my friends who convinced me to join Twitter, that's where infosec people, techies hang out. I was ignoring most of those things,
but I wish I started earlier. And it's not about getting, you know, all the followers, you know, 100,000; it's not about that. It's more about connecting with people in your field, because, as I'm sure people here mentioned, network matters, especially when job hunting. Yeah, you know if you job at it, but the easiest way to look for work is if you have a good network. If you have a vast network, someone knows your name somewhere; that's how you get your recommendations, that's how you get jobs. So let's start on which sites you can use. Of course there's a lot of social media sites these days, but primarily for
infosec, people hang out on Twitter. Actually if you think it's from multitasking it's even cold as primaries they hang out on Twitter, yeah. So Twitter is available are the Tech players; you know, people have to argue there and be depressed and everything, but that's also where the majority of techies are at. So if you want to start connecting with people in the field, both locally and internationally, you want to join Twitter. If you're happy without social media, I'm not going to try and convince you to join social media, but honestly it's very hard to connect with people if you're not on. Say you have a really good blog you want to share: Twitter is the easiest
way to get it outside, actually. Look, get used to sharing your progress and achievements even if it seems the name. I'll talk about imposter syndrome a bit later on, but you've heard a lot about it. Even if it's just small, small achievements, you know, you finished a CTF, get used to sharing that stuff. Now, this site: it's not my favorite site. I truly, truly do not enjoy it, and I'm sure you've all heard the stories, inspirational stories: I'm married to an interview, I find a stray dog, I was late for the interview, and I walked into the interview, guess who was the interviewer? Yeah, and that is 90
percent probability, and honestly that is 90 percent. But I'm not a fan of the site, I'm not a fan of the search, but unfortunately my policy for LinkedIn is: it's one of those things you'd better have and not need than need and not have, yeah. Because remember the other example: if techies equals Twitter, for HRs and recruiters, where are they at? LinkedIn, yeah. So you can't avoid it, unfortunately. If you see my LinkedIn you think I love it, you think I'm a professional LinkedIn user, but I hate, I really do his research but I think it's here. What I actually do with LinkedIn is: take it seriously at the beginning, you
know, invest in building a serious profile, then from that just keep it updated. You know, you get a new cert, go and update, go and share. You know 2013 there's lots of people sharing the job that you wish you but you see that a lot. Go congratulate your friends, celebrate your friends, means your colleagues and stuff. I personally don't enjoy it; LinkedIn implants as always my existence, but just let us know it's really, you know, to be very happy for me to tell people who are just starting off to not create Community programs. Honestly, create them, create them as soon as you can. Start connecting with your, you know, fellow students, your fellow professionals, and then the
profile will grow over time. And the recruiters: if you have a pretty impressive profile, recruiters actually end up reaching is that you can reach a point where you're the one talking about jobs you could just can actually start reaching out to you quite a bit. That's happened to me, it happened to a bunch of friends. So get a serious profile, and even if you hate it, it works. Now, this is one of the most important things in security and muscular Fields: you have to create some form of content. It's the one way to really stand out from the crowd. Content comes in many forms: it can be blogging, it can be YouTube, it can be Zoom webinars, it can
be a podcast. Like when I was talking, this is one of the ways to stand out from the crowd. I've seen people get hired purely based on a blog they have, or on code projects they've shared on GitHub. people love business people without anything. Even now, personally, people reach out to me just because of things like micro and stuff like that, and that's why you also help build your network and create your strengths. If you don't like writing, you can, you know, record videos; if you don't like recording videos, you can maybe learn to code and start trying stuff on GitHub. But it's the easiest of making presentations. A lot of platforms these
days; SheHacks is awesome because they have the weekly sessions, both for campus and for professionals, so you can do sessions. They don't discriminate the type of content you have, you can take it. But start creating content as early as possible, another thing I wish I started a lot earlier, and then sharing it to the community, and it's any form right here. I hear people using this saying they can give a nice suffer through this, like when you're beginning especially, you really feel like you don't have anything to share with the university, you don't feel like you have anything to share with professionals; you're happy you've done basic CTFs. But it doesn't matter,
honestly. Someone wants to see your perspective, just DM me into like someone wants to see what you've done, someone wants to see your perspective, how you approached it. Yeah, for that much of the 200 write-ups or 200 blogs about the same topic, just put it all down. And you'll never be ready; that's what I actually used to keep telling myself, like, I'm not ready yet, I'm not ready yet. I promise you there's no day you wake up and like, you know, today is the day. Just do the thing. Yeah, fine, you might suck at the start, but you'll get better at some point. And another thing people say is: my content is basic, for beginners. Do you
know what's the most popular type of content? The most valuable type of content is content for beginners. now that is a little. Even when I look at my blog traffic, the blogs, the posts that are the most popular to this day are the ones that were written for, like, you know, beginners, or I was learning about a topic and I just wrote about the topic in case I also wanted to learn about it. That's what makes more of an impact than the deep technical topics. Then networking: I've mentioned this, networking is really, really important. This I learned from my friend twinsky said people want to work with their friends. It's just exactly: people want to
work with people they know. So if someone has a job, someone has a network, they'd rather work with people they know than, you know, put on CVS and get a thousand applications from people they don't know. Network goes a long, long way. It's just the way of the world. Sometimes a lot of people who don't, a lot of people who deserve jobs the market looked over because they know the right people just successful in the world. There's nothing, it's not changing, so you have to work on building a network. It's not some, even I struggle with networking, especially that part where I can build a relationship I apart from maintaining it as well as travel
but it's one of those things that everyone just has to do to some level. And in case you're wondering how to network: again, Twitter, there's some people hang out. All of you here are already doing the right thing: you're at a conference. And actually missed conferences, you know, I haven't been one to one since called red Youth and all that. So interact with people. Yeah, you might not see them again, but make sure you at least get some Twitter followers or get to connect to someone, get on it someone you get it someone's there. Talk to someone who's in the field; you never know, because they might not even be hiring, but they might know someone who is
hiring, and they'll meet you and they say, like, you have, maybe you're very passionate about the field, you put out some content or whatever. So that's how that's how I cut. Again, when you're doing course and such channels there's some use courses and stuff will do while you're doing it together as someone else; especially like you're doing a TryHackMe thing, you'll meet other people in the community. Connect with people that. Again, people also can come to you if you put out content: if you put out a presentation, if you put out a blog, some people will sometimes reach out to you. So that's another value of creating content. Discord is really popular as well. If you have a lot of Discord
channels, if anyone wants them I can share them. There's a lot of people channels so it's just infosec professionals. I think there's even one for the local Hack The Box Kenya, HTB Kenya; there's one just for the Hack The Box KE. So that's another great place to meet people to do the same thing. And yeah, unfortunately also LinkedIn; LinkedIn is also related for networking essentially. it's that I've met people on YouTube I've been offered just so just to really attain so I get greater profit. Now, job hunting. Fun fact: I'm actually job hunting actively, so it's something I can talk about quite passionately. Like I said, I'm a consultant at the moment, but I'm trying to get out of consulting
because it's just, I'm tired, a bit tired of it. So, well, the resume is going to start. I'm not going to do a resume session; I'm not in HR, so I'm not going to get deep into how to build your CV, but I will ask you to research ATS-compliant CVs. I don't know who knows what ATS is, it just
is true to structure and build my own CV. She talks about which sections you can include. The length and stuff like this is up to the individual; I prefer two to three pages, but remember each other people too: if your CV is tend to adjust, no one's gonna read it, honestly. So the shorter the better, but I'm not going to tell you, you know, make I want HD video; it depends on your experience, depends on your stuff, but don't be too extreme. Just go watch this vlog, go watch this YouTube video, I think it's about 20 minutes. She just shows how the CV should be to go to a job application at some of the
top firms in the world, actually top security firms in the world, and she actually scored on them eventually. So just watch the video and talk about it too much. All right, so for those of you who are job hunting, I'm sure you've seen these crazy, crazy job requirements for entry-level jobs, yeah: five years experience, 20 years leadership experience. It's just a problem with the whole language space it happens really. It doesn't get any better: entry level, it doesn't get any better at senior level. What I've really learned is organizations are looking for one person who can solve all of their problems, yeah, which you're never gonna find. It doesn't matter how
good you are, you're never gonna be the one person who solves every security problem in an organization. So you just get used to it; you're gonna keep seeing it regardless of how far you go along. And my advice here is just apply anyway. by the applying you in that case. It's just a problem with the industry; apply anyway, because you're not. What you should try to do is try to meet the most important requirements. Every job has the most crucial requirement, so if it's an Excel mobile app and test our Weber contester you should probably be very competent that you have to mobile application, but the other things that they might put, like threat hunting, which is not a
thing for mobile people, because they put together because again they're looking for someone to solve everything, just apply. But there's a lot of what you call learning on the job in security, yeah. So I mean, don't let those requirements scare you off. if research previous experience and you have to read just apply, honestly, just try. I think sometimes those things also complete of people who might not be too confident in themselves, yeah. So just apply. Of course I'm not saying if you have one experience go and apply for a CISO position; there should be a limit students but
don't let such certain things. We all learn on the job, it's a guarantee. So how do you get experience without experience? Because you're probably going to be applying for jobs that are demanding all sorts of experience, and you might never have worked, you know, you're fresh out of uni, at most of my time and internship or maybe not. So what are the kind of things you can put on your CV? Remember I was talking about doing courses and certs on trying to build a certification on spot on your CV, put those links, you know, the completion badges you've got, and that really helps, because a lot of people, you
might have done all these courses, but if it's not on your CV, an employer, they're saying you've not done anything, yeah. So you have to share them, put them on your CV. Content creation: if you have blogs, if you have a YouTube channel, if you have 20 HR page, you know, any kind of think that you should be on your CV. Are you a member of a community? Are you part of SheHacks? Are you part of Africa visa interview helped through a conference someone. If you volunteer to do something, those really help. Even now I still put those things on my CV: links for health
organism conference I still put those things on my
Have you competed in any tournaments? Add that to your CV as well. That's really hard because this is helping you stand out from, because the thing is, when most of you graduate, most of you look the same, yeah; you have the same degree maybe, but what makes a difference is those people who took those extra steps to stand out from the rest. And again, I mentioned this: build a home lab, build a project section on your CV, start putting that information on the CV. Like, sign up for free cloud credits from AWS, Azure, try to do a project, put that stuff in your CV, because this just shows you've gone beyond what is
expected of the average person, yeah. And a lot of these like to give you free credits at the beginning, so especially if you have a student ID, on Microsoft I think you'll get the 200 100 200 years in free credits. It's incredible if a nice sign up for student things. So use that, try to do a project, put that stuff on your CV. Yeah, and of course volunteer. Again, there's a video about how to get experience without experience, and I'd already mentioned this, but you're doing all these things to stand out from the crowd. Remember, of all 100 applicants, probably 90 of you are gonna look the same: you don't have
a degree probably you're just you have two years in the last year or two, but what makes those people stand out, if you all have the same experience, same number of years, is those small, small things that you've done. Next up is where to find jobs. Like I said, I didn't want to do a job hunting session because that's something I can take a whole day, but network is always number one. LinkedIn is actually possible; I've actually gotten recruiters, I've had friends getting recruiters from LinkedIn, so it's possible. Apply for those jobs; just get used to getting those rejections. Don't let them get to you personally, because they'll come, they
will come, but, you know, just learn to see them and move on in your life. Recruiters, as I mentioned. And also, by the way, don't be afraid to apply for jobs outside the country. A significant number of people are getting jobs outside their country, whether it's relocation or remote work. Don't limit yourself to just looking for jobs here; there are a lot of people who are actually getting opportunities outside the country. Another: interviews. This is another thing that's really draining. It depends a lot on the company. Use sites like Glassdoor; I'm sure some of you are familiar with Glassdoor, yeah. You search Glassdoor to learn about the interview process. It can change, it
changes from company to company, but you don't walk into an interview just believing, you know, in your skills, when you learn about what that process might be. It can be really exhausting. For technical roles it can change quite a bit, but this is a very popular interview format that you'll see in technical roles: you have a phone screening call with HR, you have the technical challenge, which can be pretty difficult depending on what kind of role it is, and actually this I find this is actually more time in this one if a technical Challenge on your own needs you and your skills, yeah. But the technical interview with the team, it can be very difficult, because
they do, like, scenario-based questions, which are really, you know, what would you do in this scenario; they really test your in-depth knowledge of a topic. I actually prefer the CTFs; I feel like the third part is the hardest one. Then of course there's a great negotiation and the onboarding. But this is actually just what I've been seeing a lot, especially now as I've been interviewing and looking for jobs, but it changes a lot from company to company. But don't work in like they do your research on Glassdoor and places like that. Oh yeah, and I should mention this is a very popular thing in interviews, these situational-based questions;
they are very like they happen actually my majority of companies in 24 use these kinds of questions. So they don't just ask you, you know what stories or you know what they're trying to do, and they ask you if it's whatever video in the last time, if you're in this situation, what should you do? Because that's how they test the depth of your knowledge of that specific topic. Get used to answering these kinds of questions. Yeah, Mentor again. So the last thing, this is one thing pretty much everyone who's been in security for a significant amount of time will end up talking about: imposter syndrome. Yeah, everyone feels it. I wish I
could tell you it goes away. For me personally it's not going away; it sticks with you regardless of how long you permission, it follows me around your life, that's how I should explain it. For me it never gets any easier, and social media makes it worse, because everyone on social media is winning all the time, you know, hell all the time; no one is sharing their struggles. Everyone is sharing love and, check out this cool exploit, and just, you know, the CVE I just dropped, check out this cool blog post that you don't even understand but you notice it because there's a lot of a lot of free tweets that is social media it makes it
worse a message. And I'd say, like, you think in my opinion seven years and you take it to go to the better; I say it's gotten worse, because now I see younger people doing the things that I can't even do now. Like I had Morgan John was saying he was listening do you know what that is to do is the top 10. I think the highest I mean like maybe 400. So it's really hard, so it gets worse. But my general rule for imposter syndrome is, you know, Village whatever the hell you're going through a village, but don't let it stop you from putting yourself out. I mean, it's going to follow you
around for the rest of your life, you might as well do what you want anyway. So don't let it limit you from doing the things you want to do. If you want to put out that blog, that video, if you want to try that CTF, if you want to apply for that job, just try. like Germany you have to you have to do. I mean, like I said, for me, I'm still not trying to make it go away; I've just learned to live with it but still do the things I want to. Another really common thing that you might get in security, especially in your later years, is burnout. It can be a
very demanding field. Remember, most security teams are small and they have a lot of work to deal with. Especially, like, you know, if you're working for a big bank, it can be like five thousand employee thousand employees, but you find the security team is maybe just three or four people. You can imagine the amount of work you'll be dealing with in an environment like that. And especially over the years; like, I remember when I was younger I really used to feel balanced because everything was new, everything was fancy, everything was exciting. As you get older it gets really, really draining. you might be processed crap. If you find a job, if you find a
job you're passionate about, you never have to work a day in your life: that's garbage, man. what I think about a day is work yeah. Work is work; sometimes work sucks. Actually, I'm very passionate about security, it's the only thing I've ever really wanted to do, but even I sometimes I wasn't this one I want to go down I throw my laptop into being moved to the mountain I never touch another computer again. You have those days, and that's why I recommend having some things that take you away from the field, for around computer my office. I'm not gonna try and recommend hobbies for you. Personally, for me, I love gaming, I love stuff like that takes my
mind away from these things. I love the outdoors, but whatever it is your friend. Now, how to identify the symptoms: because burnout always shows before it actually checks and God is awesome like things you see before injecting. Learn how to identify those things and deal with it before it ruins your life, it ruins you off, because when you burn out, you can burn out for long periods of time. like 20 got the longest you've been burnt out for eight months, eight months, right. Burnout can be serious; it can make you literally stop learning. So learn how to identify it, learn how to deal with it before it actually gets to the point where you can't deal with it.
Yeah, then takeaways before I take questions: everyone's experience is different. That's why I really don't want to give you Australia my life story, because I feel like everyone's story is different, and you can rather than focus on that, although I tell you things I wish I knew at the time. So yeah, I've learned from what I've said, but at the end of the day you're back. Never trust anyone who tells you this is the only path. Say you want to become a president or a manual and listen they tell you this is the only path you can follow: everyone's path is different. You can go, you know, someone can go straight, someone can go around, if
someone can take one year, two years, someone can take ten. So don't you just find your own path; whatever it is, there's always a way to get to where you're going. Every single job has crappy parts. I don't love what I do but there's no job that's perfect. One of the things most of us hate is things like writing reports. I hate writing reports, but it's one of the most important parts of my job. So even if you find the perfect job, just understand that there's always going to be a part of the job that you dislike. You can learn from any situation regardless of where you're at, and the thing is, yeah, the only reason these
compilations you just never, try to avoid settling and never agree, because if you're not growing it's very easy to get left behind, which makes all the other stuff for us they Busters in your master but not to us. So just try and build that consistent character. I'm not saying 35 hours every day, but it's more important to build that consistency even if it's that part you mix. That took me a long time to learn: instead of burning yourself out for five hours every single day, focus on you can just putting in if it's just smaller pockets of time that are easier to sustain, because it builds up; doing something consistently builds up more significantly than doing,
you know, one day every week. It's better to do like that one hour every single day than doing a single day out of a week. Then yeah, I've put in a lot of resources about the stuff I've talked about, and these are now more detailed blogs, because this was only a 30-minute session and I figured there'd probably be questions. So these are more detailed blogs about specific topics: career guides, job hunting videos, credit for the icons and stuff I've used. So that's it, that's my presentation. I believe I can take any questions. [Applause]