Why You Should Start a Career in Hacking
There are people in infosec who remember the old days before you could get paid to hack: think scrappy, DIY scenes of hackers driven purely by curiosity rather than a paycheck. The sort of stuff that the 80-90s movies are about, and that gets romanticized, especially when you’re walking past the multi-thousand dollar display booths at RSA and other big conferences.
This was, fortunately or not, before my time. Nostalgia for days gone by is not always a good thing (especially for underrepresented groups in tech, of which I am a part), but that’s a topic for another post.
Cybersecurity is now a serious business for a lot of people, and one that you can make a good living in. There aren’t a lot of jobs that pay you six figures to (legally) hack into other people’s software, break things, continually grow your skills, and stop the bad guys.
For people who love tinkering, taking things apart, those who are driven by curiosity, who want flexible (and oftentimes non-traditional) working arrangements, who get bored easily and love challenges… having a career in hacking can be a dream come true.
Not a bad lifestyle, but I had some doubts
My 9-5 job pays me to hack into websites, electronics, etc. (fun!); write up what I did and how to fix it (I love teaching so this part is pretty fulfilling too); sends me to conferences; continually puts me on different projects to learn new technologies (I love learning new things); and I get to do all of it from home with my dog next to me (dog cuddles ftw). And I get to see silly stock photos for the rest of my career? Sign me up.
I’ve been interested in security for a long time but didn’t take the jump for years. I wondered, do I have a place in infosec? Did I miss the boat, and the fun, glory days are over?
Am I even smart enough to get a job as a hacker?
Funny story: I had such strong doubts about myself and my abilities that I almost turned down the opportunity that got me into the field.
I don’t believe that there’s a single “correct” way to get into the industry, and I think that the more diversity and perspective we have, the better we all become. Enough with the gatekeeping, let’s pool our knowledge and level everyone up.
So if you’re interested in a “cyber” job and don’t know where to start, this site is for you.
So if you’re interested in a “cyber” job and don’t know where to start, this site is for you.
Obligatory Job Stats
No one wants to join a dying industry, even if you do get to hack things. I’m not one to tell you to prioritize financial stability above all else, but a job is trading time for money, so let’s pick something that has a decent return on your invested time.
The Bureau of Labor Statistics says that cybersecurity jobs are projected to grow 33% over the next decade (7x faster than other occupations) and that the median pay is $103,590 per year.
But you probably didn’t need a government website to tell you that. If you read the news, check Twitter, or browse Reddit, you’ve probably noticed that companies are getting hacked left and right.
That means that cybersecurity will only grow in relevancy and value, and a lot of these jobs were remote before the pandemic.
Don’t I need a degree or something?
Ehhh, maybe? It certainly helps to have a degree or background in a technology-related field such as programming, IT/helpdesk, or engineering, but there are many opportunities that don’t require it.
And this isn’t a “go back to school for four years and rack up more student loan debt” job change, either. Many employers will accept DIY learning or projects as proof of knowledge or interest in the field, in part because ‘official’ credentials are still pretty new. That means that motivated, curious people can make their own way into the field without having to go through official credentialed routes (although those are certainly becoming more of an option).
People’s paths into infosec vary wildly, which means there’s a place for your path too.
As for certifications: you will find no shortage of discussion online whether certs are required or not, useful or not. I’ve got two pieces of advice here:
1. certs are more useful if you are from a group that is (unfairly) expected to ‘prove’ themselves more, and
2. don’t prematurely optimize for certifications
If you are at the job hunting stage and all the job posts require a given cert, then yes, you need to get it. Doubly so for government jobs. But don’t rack up certs ahead of time (again, another post for another day).
Cool, but I still don’t know what a hacker actually does
The real answer is “it depends”, but let me give you some examples:
- Red team and pen testers: yes, I know I’m being spicy by grouping these together. These roles get to hack into websites and networks with the goal of demonstrating the most damage to a system (credit card numbers? taking over the network?), often times without getting caught. Then they write up a report detailing what they did so that the issues can be patched.
- Blue team: while being on attack might sound more fun, blue team, or defense, is what holds the (tech) world together. You need to be able to know all the red team tricks, automate systems to detect and defend against it, and keep your organization protected.
- Embedded systems hacking: this is a lot like pen testing except with embedded devices. Think cars, trucks, airplanes, critical infrastructure. It requires a lot of electronics and hands-on knowledge in addition to the type of skills that you’d use in pen testing.
- Social engineers: this is the “get paid to break into buildings” one. Phishing, account takeovers, sneaking into buildings by means of exploiting social expectations (if the person behind you has their arms full, you hold the door open for them, right?) to find the human weaknesses in security systems that people assume are mainly technical in nature.
- Digital forensics: whodunnit, computer edition. If a hack happens, whether it’s a ransomware group or a disgruntled ex-employee, you work with companies and law enforcement to determine what happened. This is probably the easiest one to explain, given the prevalence of detective TV shows that have a digital forensics element to them.
- Incident response: some people thrive under pressure, which is in no short supply in incident response. If a company gets ransomware’d or hacked in another way, these folks work against the clock to safely restore functionality and coordinate with digital forensics to determine the culprit. You might be flying from one city to another on a regular basis, but your help is sorely needed especially in this day and age.
How to get from here to there
You will need technical skills, connections, and a plan. You’ll also greatly benefit from sharing your learning path with others.
Making a plan
Let’s start with the plan first: Infosec is a wide field. If you wanted to be a teacher, you’d probably have an idea of what you wanted to teach, right? If you were an athlete, you know what type of sport you’d want to play.
So it’s not helpful to just want a “job in infosec”. You need to get specific about what you’re interested in.
From the examples above, did any jump out at you as interesting? Look up some jobs and companies in that space. Find experts in the community on twitter or personal blogs. What skills do they have? What requirements are listed in the job postings? Make a list. The more points of comparison, the better.
Next up, work through the list…
Growing your technical skills
For each thing on your list, find a book, video, or online resource to help you learn it. Better yet, find several. For example, if the job requirement says “firewall management”, it’s time to get some IT security books, read about firewalls, watch some Blue Team Village talks, and maybe even set a home lab to test out firewall configurations on your own.
If the job requirements say scripting skills, get a copy of Black Hat Python, go through the examples, then use it to solve some CTF challenges.
This part is going to require a lot of patience with yourself. Infosec is a field that builds on other fields, so you might need to “back up” and learn foundational networking, programming, or other concepts before you tackle the skills on your list.
Or, maybe you’ve already got some technical skills. If so, great. Keep building them!
For more abstract things, like “interfacing with customers”, time management, technical writing, and so on: you’ve got more flexibility on how to do this. You could find examples of this at your own job, in extracurricular things (volunteering, school/social groups, etc), or in managing your own learning path.
Write it all down
Or make videos, or shitpost on Twitter. Whatever works. But keep a record of what you’re doing to grow your skills, and if possible, turn it into a resource to help others.
Teaching and sharing helps you solidify your knowledge, other people benefit, and answering interview questions just got way easier. Win-win-win.
Connections
You probably thought this was going to be the sleazy part. I don’t mean connections in the gross, business-y sense. I mean meeting other people in the field, some of whom might be future coworkers, some of whom might be able to mentor and teach you, and some of whom can learn from you.
If you’re a curious, interested, and helpful person to be around, people in the community will want to help you.
So what does this actually look like? Joining Slack groups, participating (positively) on Twitter, going to local meetups, writing blog posts, and volunteering at conferences.
You will learn by osmosis, you’ll find great mentors, you’ll be the first to hear about new job postings, and you’ll make the community stronger.
Reality Check
I don’t mean to sound Pollyanna-ish. There are plenty of real obstacles keeping people from learning things, switching careers, and so on, especially in a global pandemic. There are real, systemic issues that shouldn’t be ignored.
But the ability to largely choose-your-own-adventure your way into a career is a pretty rare thing. I’ve worked in three different industries within tech and while it is not without its warts, infosec has been the most open by far.
One of infosec’s greatest strengths is its community and DIY mindset. There are dozens of platforms and websites (one more, now that this site is launched) dedicated to growing hackers’ skillsets and making the community better.
The gatekeeping is real, there are bad actors, but there are also plenty of helpful, curious, driven people in the community, and I hope you join us.