Tips for an Information Security Analyst/Pentester Career - Ep. 98 - 5 Unpopular Infosec Truths

Nowadays, on social media, on news channels and all over the place we are bombarded with "experts" and marketers complaining about a huge cyber security skills shortage.

All these guys keep re-sharing and re-circulating the same pile of crap over and over through copy/paste without understanding a thing.

This industry needs to face unpopular but necessary truths once and for all, like a sick man needing to chug down a bad medicine. Enough is enough.


1. No certification guarantees a cyber security job, even though someone has the audacity to charge $5,000 for an OSCP bootcamp these days, based on nothing but this assumption. Please cut this crap! If I were asked to hire somebody and had to choose between a candidate with an OSCP and zero experience and another with a long background on a help desk, I'd always pick the more experienced candidate.
2. Infosec isn't only pentesting/hacking. There's a whole world out there beyond that, including blue teaming, IoT, ICS, DevOps, you name it. Don't narrow your focus unnecessarily. I started out as a SOC Analyst, and experiencing the other side of the house made me a better hacker than I'd have been otherwise.
3. Pentesting, and especially consulting, isn't for everyone. It's a matter of hacking mindset and soft skills. Without those, sorry, but it might not be for you. People who don't know how this work is done think we discover stuff by magic. There's only one secret in this industry: never give up. Giving up is easy but gets you nowhere. Most people rely too heavily on automated tools and believe that, if the vulnerability scanner didn't find anything, there's nothing else to do, or that, if a page is protected by a WAF, there's nothing one can do to hack it. A hacking mindset implies the firm belief that anything can get hacked and that there's always something left to discover. Tools like firewalls are implemented by humans, and humans sometimes mess up and make mistakes. A hacker needs to think of what a non-security-aware user might do, because this often sets them up for the win. Remember, humans are lazy and will always choose convenience over security. Especially for consulting roles, soft skills are also important and much harder to teach than technical skills. Knowing how to deal with clients and communicate with them professionally is paramount to keeping clients happy and coming back. For this reason, IMHO, people with a help desk/sysadmin background can thrive in infosec compared with people from other backgrounds, because they already know how to deal with difficult clients and make them happy.
4. The industry isn't as thriving as they'd have people believe. I often see professionals at a level comparable to mine announcing on LinkedIn that they got laid off. Not so infrequently, I see the same people still unemployed 6-8 months later. I don't know exactly what is going on, but I've heard of situations where they were asked by potential employers to take a pay cut, which is a huge red flag. Also, the harsh truth is that companies don't want to hire people with zero experience; they want a superstar for an intern's pay, which is called being a user where I come from. Clearly, these job postings go unfilled; people aren't as dumb as they'd like them to be.
5. If you want to stand out, create experience from nothing: volunteer at hacking conferences, create a local hacking group, start a technical blog, play around in your own lab, but at all costs avoid sitting on your hands waiting for something to happen. Doing what 99% of people do will get you what 99% of people get, i.e. failure.
 
It's time to say exactly where things stand in infosec, and they're not what they want people to believe. This deception will lead us nowhere and will hurt both security practitioners and their clients, so we're in for a lot of pain.
 
Are you ready?
