My Journey into Cyber Security

Now, this is a story all about how my life got flipped-turned upside down and I’d like to take a minute, just sit right there I’ll tell you how I became convinced to work in security software.

Sorry I could not resist this introduction but last year working at various conferences I met a lot of young people who were eager to break into cyber security and asking me for advice to get into the industry. I normally start off with asking a few questions such as:

• What area of cyber security are you interested in?
• What have you done previously in cyber security?
• Have you ever built a system or service and tested it?

I normally adapt my questions after this but essentially I’m trying to ascertain whether they have done anything outside of curriculum and understand how things work practically. If not, I begin to list several free resources that helped me learn more about cyber security whilst making sure the fundamentals are covered. After a dizzying amount of websites and material, the excited individual moves on and I feel like I’ve done what I could in the 10 minutes I have with them.

But recently I’ve been looking at things a little differently. At the end of the year I attended a conference where a graduate was demonstrating how attackers can poison AI systems by manipulating open source data and then use a backdoored prompt to access unauthorised systems. There have been similar techniques used in the past but I realised the domain, specifically opportunities into cyber security, are changing. The landscape is evolving rapidly and what is true today may not be true tomorrow.

So I’m going to focus on experiences that have made me the person I am today and helped me on my journey into a subject I love.

tl;dr

For those who don’t want to persevere through my ramblings, in short:

• All the things you do, even when it feels insignificant or unimportant, add up to valuable experiences and knowledge.
• Don’t let limitations stop you, learn to work around them and innovate.
• Don’t underestimate how much time you have when you are young.
• Be open to any opportunities that are presented to you.
• Listen and respect the opinion of your elders but adapt the advice to your situation.
• Never underestimate the importance of building connections and socialising with people.

“Naturally Gifted”

I know the exact day I got into cyber security. I was working at a research and development facility when we had a visitor come to the lab. They were a senior fellow within the company, specialising in cyber intelligence and the visit had taken the business by surprise. For one reason or another there was a mix up of dates and the place they were supposed to visit wasn’t ready so a colleague and I were to take the senior fellow around the facility and demonstrate the technology there.

When we finished, we sat down and the senior fellow started to discuss cyber security with us. We both had plenty of questions but based on our knowledge of systems, he could see that we could move into the field but wanted to see our desire to do that. So we were given an overnight assignment to gather information from various open sources and produce a report on two different topics. My colleague and I completed the work and the senior fellow was suitably impressed, and suggested we had the aptitude for cyber security. But it got me thinking, what made me good at cyber security?

Growing up I’ve heard the term “naturally gifted” batted around a lot. I used to be pretty quick and there weren’t many people who could catch me. Sure there is a physiological element to it but honestly, I use to run…a lot. In fact, I never stopped when I was little. I had boundless energy which my mum used to take me down the park and burn off. My belief is that all that running at a young age shaped and conditioned my body to run. So when I got older, it would seem that I was “naturally gifted” but actually it was hard work.

The same can be said about computers. For as long as I remember there was always a computer in my life and for that I was very fortunate. The first computer my brother and I had was an Amstrad CPC 6128.

It was the first experience of the command line, trying to figure out what cd actually meant whilst selecting the disc drive. But it was at university I got my first exposure to programming. At the time I remember thinking how fun it was and then I heard that expression again from my peers “wow…you’ve never done programming before, you must be natural”. At the time, I did think it strange that I picked it up so easily. But is it really that surprising? I had spent so much of my childhood in front of computers, with different operating systems and interfaces, messed around with system settings and even got local networking working with a friend using coaxial cabling.

What I found is that all the things you do, even when it feels insignificant or unimportant, add up to valuable experiences and knowledge.

You can always debate the usefulness of that knowledge, but even working as an admin assistant in a store gave me skills in time management and social skills dealing with difficult customers wanting refunds. This was crucial in landing my first graduate role where it wasn’t just assessing my technical skills but my soft skills in producing a customer proposal with a team in 15 minutes.

Limitations Breed Innovation

Growing up, I was fortunate to have a lot of things to stimulate my mind and keep me busy. Not to say we could have whatever we want, far from it. I remember times I had to use my imagination to find new and interesting ways to play with what I had. It was instilled into me at a young age that you only need a little to have a lot.

I was massively into PC gaming in the early 90’s, playing on our shared PC which lived in my brother’s room. As you can imagine, I always thought it was my brothers and desperately wanted one on my own. So I remember saving all my money up and with the help of my parents, I bought my first computer. It was amazing but back then you had to do a lot to keep the thing running.

At the time we did not have the internet and so there wasn’t an easy way of updating firmware and software on the computer. In fact, you were limited to distributed CDs by the manufacturer which were distributed in magazines or with the hardware. The PC I bought was very basic so It would not be long before I wanted it to do something beyond its capabilities. This is when I started to mess around in the operating system which for me was Windows 95, 98 and then 2000. I was already aware of MS-DOS due to earlier versions of Windows so I found myself, unknowingly, tweaking registry settings and trying to change text files to get the games running more smoothly or bypassing licensing (yes, yes, we all used to do it).

After several years of making do with what I had, I had saved enough money for an upgrade. This was not a wholesale change with a brand new PC but changing the parts inside. I bought a new graphics card, sound card (that was a thing back then) and more memory. To do this I had to learn about the motherboard I had, whether it had the required ports and understand whether the power supply was sufficient for everything.

Although we had the internet at this point, information was limited and it was into physical manuals, figuring out how it all worked. So when I ordered the components and fitted them, I was devastated to find on boot up, there was an intermittent issue with the sound and graphics card. It turned out that the firmware on both components wanted to have a specific port number and during boot there was a race condition of who would be allocated it. I could not send the parts back and nor did I want a different one, so I had to modify the firmware of the sound card to another port.

The point of all of this is, I would never have learned anything if I just simply threw away what I had and bought something else. Limited resources, breeds innovation. When I didn’t have something, I had to make do with what I had. If I can make do with a technical manual at the age of 14, there is no excuse. The majority of people I speak to today have the internet and it’s a treasure trove of information and even better, most of the time someone else has already solved the problem you are trying to solve.

All you need is persistence (fed by an end goal) and time. Which brings me to my next point.

Space-Time

Don’t worry this is not going to be a physics lecture about how space and time are intrinsically linked, it is to discuss how much time you have when you are young. It is difficult to see when you are younger, how much others do for you. I would wake up in the morning, fresh clean clothes were ready to put on, breakfast was made as was my packed lunch and I didn’t even have to worry about getting to school. It was only when I reached a legal age that I began to earn money, even then I didn’t need to worry about the mortgage, utility bills, clothing and food. My responsibilities were primarily on school work with a few others such as cleaning all of my football gear and walking the dog at the weekends. All of this frees up so much time.

Don’t underestimate how much time you have.

When I was at university, one of my professors gave me this nugget of knowledge. It is amazing what you can achieve in 5 minutes. This has stuck with me due to several reasons.

1. When you have limited time to do something, it is best not to focus on the time you have remaining but the task at hand.
2. The limitation of time focuses the mind solely on that task and allows significant progress to be made.
3. If you can achieve this much in 5 minutes, what can you really achieve if you had more time?

Putting aside 45 minutes a day to work on something new or expanding your knowledge is hugely beneficial. I know it can feel like more work, especially when you are studying for exams or other curricular activities but here is the important part, focus on something that benefits you. It could be automatically scrapping different websites for the best deal on clothing, collating all the data related to your game you like or processing social media content with the filters and transitions you like. Whatever it is, consider how to make your life better and tackle that problem.

Mastery of anything takes time and trust me when I say, it gets harder and harder as you get older. Not because you aren’t smart enough to do it, more the time you have dedicated to a single area reduces based on all the responsibilities you end up having. Please enjoy your time whilst you are young but if there is something you really enjoy, dedicate some of your time to it to unravel how it really works. If anything it’ll give you something to talk about during an interview.

Adapting to Opportunities

I’ll admit it, my dream was to be an astronaut. It became my objective when my mum saved her spare money to send me to a space summer camp in the UK. It was the reason I ended up doing Physics with Satellite Technology. It was the reason I did an industry placement year in Darmstadt writing tests for a satellite simulator. And it was the reason I ended up performing end to end testing for a new satellite network during my graduate job.

So how did I end up in cyber security? Honestly, I always had an open mind to work. My first job was working as a barista in a department store to help pay my way through university. It was only 2 months into the job when the admin manager approached me based on recommendation from an admin assistant I did training with. It meant longer hours, answering telephone calls, making store announcements and I was responsible for counting the takings from the previous day. But it sounded more interesting and as I previously discussed, these skills helped me during my graduate interview.

I’ve already discussed my random encounter with a senior fellow whilst working at a research and development facility which sent me on my cyber security path. When I jumped back into consultancy, I was asked whether I would take on a role designing a security solution to UK government standards. I could have simply said “I don’t have the experience to do that” or “no, I feel a little uncomfortable doing that” but instead I took the opportunity, believing in my ability. I stayed late, studied the UK government standards, reviewed the requirements and spent time over the weekend considering how I would approach the work.

In the end, the customer was very happy with the solution and I moved onto another contract. Low and behold, that contract was looking for someone with experience with a similar security solution that needed to be designed, developed and tested to UK Government standards. It was on this project where I learned about DevOps, CI/CD and Kubernetes, all of which has had a profound impact on my career and opened up even more opportunities.

The lesson here is to be open minded to new opportunities. It takes a strong person to follow their dreams unwavering from the path they have set themselves on. Remember there could be a different path to achieving an end goal and what you think is irrelevant experience actually is a great opportunity to do something else you’ll love.

Listen, Respect and Analyse

I was brought up to respect my elders. As a teenager, I found it hard to listen to older people as they had such a different perspective to me. I only knew a handful of adults who knew how to use a computer which was baffling to me as it was such an amazing tool. How can these people offer me any advice that would be useful when they typed with a single finger? Well I hope by getting this far you can see that there is a lot of wisdom to be learned and the majority of it isn’t my advice!

My approach is simple, if someone wants to offer advice, I listen, try to respect their opinion and say “Thank you, I’ll think about it”. This can seem quite dismissive, I do return to the advice later on and analyse it. I consider the point of view of the advisor, is it relevant to my situation (as they may not understand everything that is going on) and see if there is anything to glean. Then I let it settle in my brain. I’ve been told that my brain works like a coffee percolator, ideas simmer away and a tasty drop of knowledge comes up. At this point, if the advice was useful it gets saved otherwise it will get thrown out with the used beans.

The last thing I’ll discuss is who you take advice from. To me, trust is the foundation of advice. Be careful of who you take advice from, don’t mistake success for situational knowledge. Not to say there aren’t some gurus out there but take your time to learn more about them and whether what they are saying is applicable to you. I find the best advice comes from friends and family but there are obviously exceptions.

Get Lucky

So here is the bad news. I found that luck has a big part to play in my career. Several times I’ve felt that I’ve been at the right place, at the right time or had a chance encounter which has led to a new opportunity. I’ve even had my physique play a factor in landing a new job which is a shame but it was a different time. Although I’ve found this to be the case, you can definitely increase your chances.

Never underestimate the importance of building connections and socialising with people.

I’ve already talked about chance encounters leading to opportunities but the primary reason why it did was that I spent the time getting to know people. This can be as simple as going to lunch with colleagues or, if you are feeling more brave, talking to someone in a queue at a conference. They may not come to anything but they might.

For me, lunch with colleagues built up a rapport with them and they discovered the depth of my security experience. When one of my colleagues decided to create their own security business, guess who they came to for a potential role. For a friend, they spoke to another person in a queue at DEFCON and that person went on to found a security company. Again guess who they turned to for a potential role in their business. For sure, there are more examples where meeting someone led to nothing but you only need it to happen once.

I recognise that the new generation prefer to do their social interaction online, whilst there is nothing wrong with that, in my opinion nothing beats face to face contact. It is how we build trust, how we can read the subtle cues of someone’s true intention and create lasting connections. Potentially I’m a little old school with my thinking but I’ve noticed since COVID and working fully remote, that I’ve struggled to make meaningful connections. The relationships that have stuck involved an in-person meeting or activity so keep it in mind next time you have the opportunity to network or meet new people.