My Cyber Pathway: Cyber Security Consultant

As part of our new series of articles titled “My Cyber Pathway,” we’ll explore different journeys into the field of cybersecurity, shedding light on the steps, experiences, and expertise that have propelled our network into their critical roles. Our second article focuses on cyber security consultancy. We interviewed Dominic Ingram, a Cyber Security Consultant at JumpSEC.

What initially sparked your interest in cybersecurity and made you decide to pursue it as a career?

I’d heard of hacking from a young age and it sounded fascinating, but back then it was all black magic. I found it hard to find resources or learning material. Slowly over time hacking receded to the back of my mind until Mr Robot came out, and I remembered how interesting it all was. Resources were a lot easier to come by and I was looking for a new hobby, so this was perfect. After messing around with Immersive Labs, going to talks and meetups, and making a great network of friends in the industry, I found it far more fun than my current job. It was then I decided to take it up full time.

Could you provide an overview of your current role?

I’m currently managing clients’ external attack surface. This involves discovery of external facing assets, monitoring assets for vulnerabilities, or changes that could leave them vulnerable, and keeping up with relevant cyber threat intelligence to stay ahead of current threats.

How long have you been in the industry and specifically consultancy?

I’ve been a consultant from the get-go and been in the industry for just over four years.

What steps did you take to transition into the field of cyber security consultancy from your previous background?

I already had a couple of years of cyber security as a hobby behind me and a good network I could rely on. So, I just needed a certification of some sort to back up my knowledge and an opportunity. I ended up taking a big risk: I quit my job with no prospects. This gave me the time I needed to study hard and pass eLearnSecurity’s Junior Penetration Tester (eJPT) course and to attend as many security conferences as possible. I talked to absolutely everyone, which eventually led me to the IRM stand at InfoSec Conference. I managed to pass their technical interview with the knowledge from the eJPT course and land a position on their Grad Scheme. I got very lucky; I was only four months unemployed in the end.

Were there any specific certifications or training programs that you found particularly valuable for developing your skills?

Yes, a great many, but these are the first that come to mind. eLearnSecurity courses, now part of INE. Immersive Labs, Hack the Box, Station X, Pentester Academy, VulnHub. And I only wish I had TryHackMe.com when I was first starting out. My go-to blogs were DigiNinja and HackTricks.
However, a considerable amount of help and support for developing my skills came from the community. A big shout out to the three main events I attended and the great people who share the wealth there: DC4420, IOActive’s Hack::Soho and 2600 London. I highly recommend that people seek out these kinds of events.

What are some of the key skills you believe are essential for a successful career in cyber security?

Report writing and empathy. Being able to relay concise and coherent information is extremely important. Doesn’t matter how well you can test if you can’t explain to the client what it is you found; that’s what they’re paying for at the end of the day.
Empathy is another layer on top of that. It is good to engage clients with a level of empathy to help understand their concerns, how best to communicate, and work with them to discern what will be of most value to them. This will be reflected in your reporting and communications.

How do you stay up-to-date with the latest developments in the cybersecurity landscape and the evolving tactics of cyber threats?

Reading! Reading a hell of a lot. There are a great many news outlets dedicated to cyber, such as BleepingComputer, The Hacker News, or The Register. Social media is another way; a lot of people are sharing information on Discord servers, Subreddits, LinkedIn, Telegram, etc. I find talkback.sh to be a great feed to throw in the mix.

In your opinion, what are some of the most pressing cyber threats that organisations are facing today?

Social Engineering is certainly up there. There are so many avenues an adversary can take to contact an organisation and their employees; you really have to be diligent on all fronts. Adversaries seem to leverage every part of the food chain, everyone from helpdesk workers to CEOs.

The speed of hacks is also a challenge. Some threat actors go in loud and fast, especially with ransomware. They won’t be doing anything fancy, but they will be quick about it. It is a real challenge to limit damage once they are in.

What advice would you give to someone who is considering a career path in pentesting?

Not to be overwhelmed by the amount to learn and not let imposter syndrome faze you. Both are easier said than done!

One of the easier things to do when starting off is to start your own Wiki. This was some of the best advice I received when I was starting out. Use it to make notes on everything you learn, especially commands. Build your own cheat sheets on it and create a knowledge base. My personal favourite is Dokuwiki, but I hear good things about Obsidian or ZenWiki. I am sure there are others worth checking out.

How has pen testing evolved since you started your journey? Are there any emerging trends you find particularly interesting?

Pen testing doesn’t seem to have changed much since I started, but it seems like Threat-Led Penetration Testing is the way forward.

InfoSec People is a boutique cyber security and IT recruitment consultancy, built by genuine experts. We were founded with one goal in mind: to inspire people to find the careers that inspire them. With the success of companies fundamentally driven by the quality of their people, acquiring and retaining talent has never been more important. We believe that recruitment, executed effectively, elevates and enables your business to prosper.
