Into the deep blue

By Noah Heckman

Breaking into cybersecurity is not easy. If you’re reading this, you probably know what I’m talking about. From the first time I was asked to assist the cybersecurity team (while I was just a helpdesk employee with a lot of ambition), I knew I was going to push myself into this industry or grey my hair trying. The reality is that I did a little of both. As bleak as the road may seem at times, I encourage you to keep trying. These are some of the things I learned on my journey into security.

To start, “being in security” is not just a job; it’s a mindset. If your goals are to work for companies with passionate security personnel, that mindset is critical. It doesn’t matter if you are working at a helpdesk, as a developer, or even doing something unrelated to IT at all. Being in security means you don’t say that “someone else will report that phishing email” or “it’s not my job to mention that this service is way outdated.” You don’t stand by and watch as your coworker who lost their keys breaks into the office with a credit card slipped behind the latching mechanism. Calling out stuff like this does two things. First, it establishes correspondence with the security team, which creates name recognition and, over time, may mean they remember you when they’re looking for a new analyst. Second, it fixes legitimate issues that would endanger your company and its assets... which is the whole point!

Looking back to when getting into security was my only goal, I can’t help but think about how much time I spent working. And not only for my employer, but also for myself in the lab. Anything I wasn’t allowed to do at work, I would just do at home. (Don’t have domain admin privileges at work? No problem, just spin up a domain controller and attach some workstations to it... but it’s a long-term lab, so I should have redundant DCs, right? Now just multiply that attitude by a thousand.) I had a full dev environment of my company running in my basement on a couple of old Dell servers. Which is fantastic. Do it. You will learn a ton from stuff like that. However, there is a catch.

I was spending 8+ work hours a day patching, automating, and watching for security issues in the SIEM. And then I would go home and do the same in my lab for another few hours. The way I saw it, my company wasn’t giving me the opportunities I wanted, so I made them for myself... and yes, there are some issues with this. For one, do put your lab experience on your resume, but don’t be surprised when companies don’t even glance at it. If you are going to do it, then you do it for your own betterment, not for your employers’. On that same note, don’t give away time to your workplace. If you are supposed to be working a 40-hour week, stick to it. Those late nights finishing up a project because you “don’t have anything better to do” will contribute to burnout all the same. Stop eating your dinner at the keyboard. Or your lunch, for that matter. How can you do your best if you don’t set aside time for yourself?

You may ask, “Well, if I do that, how will my work get done?” To which I would have to ask why you are the only one on your team who knows how to do that work. If you are not the only one, then congratulations, there’s your answer. However, if you are the only person in your team who knows how to do specific things, I would strongly encourage you to reach out about cross-training. Pretty much any IT course, training, or consultant will tell you how important it is to have redundant systems. Why is it any less relevant that there be redundant personnel? To some, it may be a matter of job security. If that’s the case for you, you’re only accomplishing one thing: ensuring that no junior members can fill your role and you will always be in that position, limiting everyone from moving up within your company. Long story short: if you have a team, use them. Share your knowledge with each other and I promise you will learn and accomplish more than you ever could on your own.

I came to BHIS from the Discord, serving as a Nerd Herder (which is hands down one of the best roles I have had the pleasure to hold). If you don’t know, the Discord server is filled with tons of people sharing information with each other while expecting nothing more than you are willing to give in return. The Nerd Herders are a group of community members who donate their time to help make our community better. That includes providing support during training classes, helping new members understand what we are all about, and even showing up on “the news” from time to time. Several do not hold official security jobs but, in my mind, every single one of them is a cybersecurity professional, shaping the industry into a better place. If you are not part of the Discord, I recommend you check out what it has to offer.

So, what happens when you finally make it? You are in a new security role at a new company. It’s smooth sailing from here, right? All that imposter syndrome you have been holding inside you is now validated and gone, yeah? In my experience, that’s not the way it goes. It wasn’t until I realized that I was holding a spot that more qualified individuals wanted, that I realized what true imposter syndrome was. But despite the inner voices telling me that I was just “taking up space” and “preventing better employees from getting stuff done,” I concluded that I needed to use that to drive myself. The fact is, I genuinely love my work and what I do. And the other fact is that I do prevent someone else from having this job. If for any reason I decide to perform my duties with anything less than my very best, then I owe it to those who would to take over my position. The moral is: Don’t let imposter syndrome get you down. Let it drive you to be the best that you can be.

If you take nothing else from my account, hear this: It may be hard now, but remember this time. At some point when you make it, turn your attention behind you and offer someone below you a hand. Remember the gatekeepers, the bad managers, and the close-minded interviewers that you ran into along the way and make a point to not be like them. Because for some of you, there will be a day when you are a hiring manager, and you can make the choice to either give someone a chance or to keep perpetuating the same issues you are currently facing now.

Remember this time.

To join the Black Hills Information Security Discord (aka BHIS Discord), go to discord.gg/bhis.

BEHIND THE ZINES

This is only our third zine, and we’re all still learning! This article found its balance a bit more weighted to the “words” side of the scale, rather than the “design” side. We’re not too proud to admit when we’re faced with a challenge we can learn more from. This article, and ones like it, opened a conversation about “word walls” and how much can fit on just one zine page, when to expand the article to an additional page, and even how to build in “overflow” pages early on in the process.

The illustration for our discord was an experimental re-brand of the BHIS discord, with a name change to “Infosec Knowledge Sharing Discord.” Although most of us agreed the little robot dude is pretty cool, the community ultimately won the BHIS name back, and the BHIS branding with it.
