The Passion of the Newb
What's love got to do with it?
While scrolling through LinkedIn, I came across a mildly condescending post about how not to demonstrate a passion for cybersecurity. The post came from the perspective of a genuinely passionate cybersecurity professional.
Obviously, he doesn't expect everyone to match his vigor for late-night hacking, but this made me think: how should a newcomer to the field quantify a 'passion' for cybersecurity?
I'll take "Passion" for $500, Alex
The Merriam-Webster Dictionary defines passion as:
"The sufferings of Christ between the night of the Last Supper and his death."
I think we can all agree that a passion for cybersecurity on the level of Jesus Christ's torture and crucifixion is a significant red flag. I don't believe self-flagellation with a CAT-5 o'nine tails is a requirement for passionate cybersecurity practitioners. Let's go with another definition:
"A strong liking or desire for or devotion to some activity, object, or concept."
That's better. Merriam-Webster even provided examples synonymous with our topic (e.g., a passion for chess or opera). Note that a 'strong liking' is sufficient to describe it as a passion.
The answer is "An often unrealistic expectation placed on newcomers to the world of cybersecurity."
Cybersecurity is enjoyable to many people for many different reasons. I find it interesting because it involves a lot of problem-solving, and it's something you can practice at home. However, a common belief amongst seasoned cybersecurity professionals is that cybersecurity isn't an entry-level role. Period. You will often come across comments on social media describing a recommended career path that starts in IT (preferably help desk and network administrator roles), working 5-10 years in the trenches, and then making the leap into cybersecurity. Also, be sure to do all of this:
- Learn 133+ acronyms, not including acronyms for networking, computing, and quantum cryptography concepts.
- Memorize the protocols associated with all 65,535 ports and identify the secure variants.
- Understand security concepts like zero trust, least privilege, the CIA triad, etc. Write a thesis on their application to geopolitical events.
- Know all 237,725 CVEs (preferably identify a few new ones yourself).
- Memorize all 235 techniques of the MITRE ATT&CK framework. Demonstrate any of them on demand using only a Nokia cellphone, electrical tape, and a paper clip.
- Name 37 different APTs, their country of origin, aliases, common attacks, and three closest relatives.
- Code in Python, Ruby, C, C#, and JavaScript. Develop a payload to a zero-day vulnerability you discovered and automate every aspect of your digital life.
- Establish an enterprise-level server rack in your home lab. All family members must access the home Wi-Fi using an account you control with your on-premise Microsoft Active Directory server.
Many believe that unless you do all of the above (or close to it), you have not demonstrated enough skills or passion to enter the cybersecurity world.
Understandably, if you want a job in cybersecurity, you should have more than some basic skills under your belt. Many roles within the field require a certain degree of knowledge, particularly of the underlying technologies. However, those requirements will vary based on roles; not everyone needs to build an OS from scratch or collect bug bounties like Pokemon. For some jobs, a deep knowledge of laws and regulations is more important than cracking VMs. So, for someone just starting, what are some realistic ways to demonstrate a passion for cybersecurity?
Kama Sutra for Infosec Semi-Pros
Breaking into cybersecurity is challenging enough without the high expectations of random social media personalities. Especially when pivoting to a new field, you probably don't have coworkers or work-related tasks that can keep you engaged on the subject. There's a good chance that very few of your friends share your interest in cybersecurity, so comparing notes on home labs is probably not an option. And sometimes life gets in the way when you're trying to do the 'cybers.' Are you saying I have to feed my daughter even though I just fed her yesterday? Sheesh.
In my opinion, there are other ways to show a genuine desire to learn and curiosity about cybersecurity:
- Read blogs by experts in the field. Not this blog, of course. Seriously, how did you even find this website?
- Listen to podcasts. Tons are out there. My favorites are Smashing Security, Hacking Humans, Risky Business, Darknet Diaries, and The CISO Series.
- Read news articles on recent breaches, vulnerabilities, and technology developments. I like to read feeds from The Hacker News, The Internet Storm Center, Dark Reading, and The Cyber Wire, amongst others.
- Read a book. They still exist and can provide a lot of good information on whatever you need.
- Watch YouTube videos about cybersecurity instead of Fortnite. Check out John Hammond, Professor Messer, or Black Hills Infosec for videos covering a variety of cybersecurity subjects.
- Reach out and ask questions to cybersecurity professionals via social media or group chats. You'll be pleasantly surprised to see how many people are willing to chat with you.
- Participate in a CTF competition or use THM/HTB.
- Attend local cybersecurity meetups (e.g., DEFCON, OWASP, ISC2).
Any combination of the above works fine; there's no quantifiable metric for doing things you enjoy. Missed last week's meetup? Catch the next one. Don't have much time in the evening to read a book? Watch a Black Hills Infosec video on your lunch break. The real challenge for newcomers is having a place to apply those newly learned concepts and skills. It is all the more difficult if your current job is not tech-adjacent, which is why home labs are so important. However, not everyone needs an on-premise server stack sitting in their office waiting to C2 a botnet targeting the NSA. All you got is an old laptop? Great. Using a free AWS account to run a single VM? Sounds good to me. Getting hands-on experience is great when you can do it, but don't feel disheartened if a day passes without having developed a new payload.
It takes a little bit of grit (preferably with cheese)
Understanding foundational concepts is critical, but what matters more is a desire to solve problems, a drive to learn new things, and a genuine interest in technology. Applying your critical thinking is arguably a better indicator of your future potential in the field. When faced with a problem, are you asking the right questions? For example:
- What is the exact issue I'm experiencing? Are there error codes or specific symptoms I should note?
- Can I reach other hosts? The switch? The firewall?
- Who is my father? Where can I find him?
- What is this alert telling me? What are some potential causes?
- Is my SSH connection microseconds slower than usual? It might be an indicator of a significant problem.
- Is it my fault my parents divorced?
Sometimes, aspirations change once you've learned more about a particular career path. For example, my initial aspirations for cybersecurity were pen-testing; I, too, downloaded Kali Linux in 2018 to toy around with the tools and see what I could break. The siren song of hacking lured me in, and Darknet Diaries regaled me with the exciting exploits of pentesters from around the world. However, that aspiration has shifted after several years of learning about the field, talking with mentors, and gaining a better understanding of a pentester's job. I still want a career in cybersecurity, no doubt about it, but I recognize that my particular set of skills is better suited for other roles. Don't feel bad about filing that divorce if your passion for a specific role or the whole cybersecurity field is starting to feel more like a loveless marriage. You deserve better, so follow your dreams and do improv instead.
The bottom line is there's no wrong way to show how much you enjoy cybersecurity because, if it's a genuine interest, it'll become apparent the moment you share your story.