The Case Study: Me
I served in the military for the best part of a decade and left in 2013. I didn't do cyber. I was a communications specialist for the Royal Navy and then a Military Intelligence operator. Like practically everyone in the military, I gained a very broad and unusual skillset.
- How to shoot.
- How to conceal yourself.
- How to do hospital corners.
- How to fight fires inside a warship.
- How to fast rope out of a helicopter.
- How to shine shoes to a mirror finish.
- How to administer Windows networks.
- How to communicate using Morse code.
- How to go to the toilet in a chemical weapons suit.
- How to climb on a ship’s mast to change the antenna.
- How to find bad people who are meant to be unfindable.
- How to clean your weapon in the dark, in winter, in a forest.
- and a whole bunch more.
It’s a weird and wonderful marriage of so many things.
Not many of those skills transfer nicely into high-paying civilian jobs. But 7 & 11 stand out:
- Network Administration.
- Intelligence Collection.
When I was in the military, I knew I wanted to do something in cyber-security afterwards. I also knew I would benefit from a good understanding of the business landscape. So, I spent 4 years after the military working in Enterprise Risk Management for the world’s biggest building society, trained in cyber-security whilst doing that, and then got my start in cyber.
If you are on a similar journey and want to be in cyber, what follows will be of use to you.
This guide has five sections:
- The Cyber Landscape
- Cyber Education
- Finding a Role
1. The Cyber Landscape
The cyber-security industry is absolutely massive. There are companies building hardware and software. There are companies consulting about how to do cyber-security well. There are companies that run their own cyber-security teams. It’s big. And it needs to be even bigger if we stand any chance of defending the world from cyber-attacks.
But before you start learning about cyber-security you need to know what part you want to play. Or at least a few different parts you think you’d like to play.
What do you want?
There are a lot of different roles within cyber. Some are highly specialised and are quite hard to get into as an outsider. Others are relatively easy to get into. I’d pick three roles that you know you’re interested in and forget about the rest for the time being. This website from the UK Cyber Security Council will give you an idea about what common cyber roles do. Sometimes roles get bundled together too. Some companies will have Cyber Threat Intelligence teams, yet others will just have Threat Intelligence listed as a skill within their Incident Response Analyst job description. Here’s a list of common roles that you’ll come across:
- Identity & Access Management
- Security Operations Centre
- Vulnerability Management
- Attack Surface Reduction
- Cyber Threat Intelligence
- Awareness & Education
- Security Architecture
- Security Engineering
- Penetration Testing
- Incident Response
- Red Teaming
- Cyber Audit
Market Research Challenge
Pick a company that you’re interested in. Maybe you’d like to work for them or maybe you’re just a fan of the brand. Spend some time on LinkedIn trying to figure their cyber operations out.
- Who’s in charge?
- Who are the people doing the work?
- How big are the teams?
- What skills and certifications do they have?
- Where do they operate?
Maybe you can have a go using something like Maltego to help map it all out. Maltego is a tool you’ll come across in your future cyber-security career. It’s free too. Get it here.
2. Cyber-Security Education
There are many different ways to get a job in cyber-security.
Talk to one person: “you need a degree.”
Talk to another: “you haven’t got your OSCP cert!? Noob!”
And another: “show me your GitHub projects.”
There’s no perfect answer.
That gives you an opportunity to experiment and chance your arm. You can’t do that with a career in brain surgery or law. There are hard rules to follow to be allowed to do that sort of work. Cyber, not so much. There are people out there, highly talented people, that can hack into almost anything you throw at them, that have never done a single certification or exam. And there are people out there who’ve done every exam, and no one wants to work with them because they’re difficult to work with or they have a bad reputation. Cyber is a great place to be.
Here are some cyber-learning fundamentals:
Always learn the basics
Networking, the Internet, how computers work, etc. If you don’t do this and go straight to hacking, you’ll be missing some fundamental knowledge that will catch you out later down the line.
Cyber information is free
I’m going to go out on a limb here and say that all cyber-security knowledge is freely available online in some form. There are blog posts, YouTube videos, online conferences, vendor handouts, and a load more. Once you’re happy that you’ve learned enough in a particular space, consider proving and consolidating your knowledge with a certification.
Want to learn to hack?
If you’re interested in getting your hands-on-keyboard and doing some hacking or defending: Join HackTheBox or TryHackMe. Technical skills are hard earned and prove commitment and willingness to learn. These are fantastic platforms that make learning to hack about as easy as it can be, through gamification. Then go back to point 2 and nail a certification.
Take notes like a ninja
Sign up for a free GitBook account and start getting organised. You will never be able to remember everything that you learn. Cyber-security is just too big to do that. GitBook is a free and easy way to make very good notes that will last throughout your new career.
Don’t stop learning
Learn something new as often as you can. In time you will start to feel like you know the world of cyber-security. You’ll be well-read on the latest breaches and bugs and you’ll start to know the players. The cyber landscape is always evolving, and you must evolve with it.
Nail the basics, then specialise
Let’s look at some of my courses as an example.
I did CompTIA Security+ → eJPT → OSCP.
- Security+ is a foundational course that proves you know the basics of security and its place in the modern world.
- eJPT is a junior penetration testing course that culminates in a practical hacking exam.
- OSCP is a brutal 48-hour exam that really tests your determination in the penetration testing world.
If you’re massively into penetration testing, I’d implore you not to go straight to OSCP. Build the foundations first, especially if you don’t have experience in the world of cyber-security. Building a strong foundation will set you up for success as you progress throughout your career.
If you’re still reading this article, your CV probably doesn’t read well as a cyber-security CV. Why would it? You might be a baker, a salesperson, a sailor or something else.
You’ll need to figure out how to translate your existing roles and responsibilities into something meaningful for cyber-security jobs. This is not an easy task.
You can use tools like JobScan.io but I’d recommend zooming out and thinking about making your CV more generic. It’s a good way to look at the hard facts about your work.
Let’s say you’re a baker.
You made some changes to a recipe and now sales have gone up.
You added a new mixer, so now you can make more bread each day.
Don’t write this: “We sell way more bread now because I tweaked the recipe and I also added a new mixer to our bakery, so we are now able to make more bread each day.” You’re not going to be able to put this on your cyber-focused CV.
Instead, write this: “In my current role, I analysed our workflow and made two key changes. I’ve brought a new piece of equipment into our environment and made adjustments to how our product is made. These two changes have increased sales by 25% and efficiency by 10%.”
- Use Canva for free to make a beautiful CV.
- Get someone to check your CV before you send it.
- Use Grammarly to check your spelling and grammar.
- Don’t include a photo of yourself or list your address. Discrimination is real.
- Keep it focused. You might have had a great career in something else, but only focus on what matters. Feel free to leave certain experiences out and float the most relevant points to the top.
- Focus on numbers. “Reduced alerts by 300%” is better than “I was responsible for tuning our alert system.”
- Tailor your CV to the job you’re applying for but do not copy and paste content from the job advertisement.
- Do not lie. You will be caught out.
Without a brand, you’re just another face in the crowd. In fact, worse than that, you look like you don’t care. So complete your LinkedIn profile as much as you possibly can. Check out my LinkedIn 101 workshop if you'd like to go deep on your LinkedIn strategy with me.
Use portrait mode on an overcast day - bright sunlight and photography don’t go well together.
Take a load of headshots. I repeat. HEAD. SHOTS. Just above your head to the top of your chest.
Make sure you shoot a range of expressions: serious, smiling, grinning, looking to the side.
Ask a friend to choose their three favourites. Send those three to all your close friends and family and get everyone to choose their favourite. Say hello to your new profile photo.
Use Canva to remove the background if you want.
Don’t leave this blank.
Don’t throw in some meaningless stock photo.
Use this space to draw the reader’s attention and tell them more about you.
Maybe you want to talk about your mission or the jobs you are looking for.
Spend some time scouring LinkedIn and researching banners.
Make it interesting.
Do not simply write what your job title is 🥱
Use this formula: who you are, who you serve and how you serve them.
Example (mine): “A veteran helping build secure businesses.”
Example: “A photographer helping fitness models showcase their achievements.”
Example: “An investor helping graduates get out of debt.”
Because mine is so short and to the point, it will be seen in full, everywhere I comment on LinkedIn. People don’t have to click to read it all. If your headline is longer, it might get clipped. So design it wisely.
Write a nice ‘about’ section. You should be able to use the same content from your CV to help make an about section. On my CV I have an opening paragraph that gives people an overview of me. You could simply paste that into your LinkedIn about section.
Use this section to showcase your best work or links to your other accounts that matter. GitHub, Medium, YouTube, personal website, etc.
Or maybe you’ve been creating content for LinkedIn that teaches people about cyber-security incident response techniques you learned in a course. You can put those in this section.
5. Finding a Role
Before you even start looking for a role, make sure you know your wants and needs: salary, remote working, train ticket loan, etc. If you don’t know this…you won’t know what to look for and what to exclude.
Connect with cyber-security recruiters & hiring managers on LinkedIn.
Message them and ask them to do an introductory call. If you don’t ask you don’t get.
Sign up for job alerts on LinkedIn. Search for a job such as “SOC Analyst, Edinburgh” and then toggle the alerts feature. You’ll be instantly notified when new jobs pop up.
Connect with desired industry peers i.e. people with the same job title you want to have. So if you want to be a Cyber Threat Intelligence practitioner, you might want to connect with me, for example.
Lastly, be active on LinkedIn. It is how you will find a job. Make so much noise that your profile rises to the top above all the trash. Make it so that when your profile turns up in hiring managers' searches, they call you first over anyone else.
It’s completely doable to switch from being a baker to being a hacker. It might take a little longer than say “being an IT admin to being a hacker” but if you want to do it, you can. I did it.
Don't let anyone tell you otherwise.
If you learned a few things from this short guide, you might benefit from my online course, SWITCHFIRE. It uses a few examples from my military background but is relevant to anyone trying to get into cyber from another profession.
Alternatively, if you need something a little bit more personal, I do private 1:1 coaching sessions that you can book here.
I also run a YouTube channel where I create all sorts of cyber content.
See you online!