“How do I become a hacker?” This is a recurring theme/question that's cropping up more and more. I will be frank and honest: I get a bit bored seeing this. And, if that's your first and initial focus as a path into InfoSec, then it's a bit narrow.

I will say hats off to KnightsCode for their articles “Learn to be a Hacker with Cybrary” and “How to be an Ethical Hacker in the U.K.” I like the latter best, as it lays bare that pentesting is not easy and requires a lot of hard work.

It's excellent, to the point, concise and reinforces what you need to do. Don't run off and get a certification and think you're an expert. You aren’t. If you pass your driving test, does this mean you can be F1 World Champion? No, you learn to walk before you can run.

I recently met two pentesters who were conducting work for my organization, and they eat and sleep pentesting. Their spare time is used for research and more pentesting. Any hobbies, let me guess? “More pen testing.” They love their job, but don’t have much time to do anything else.

They were very busy. As well as the travel, and staying in hotels, it's a lot of work and a lot of report writing. Being a pentester at a company that has a reputation to maintain, those reports not only have to be done on time, but also have to be written well.

So, if you think being a hacker is glamorous and something anyone can do – think again.

So do I want to be a hacker/pentester? Well, not exactly.

I don’t want to be just a hacker or pentester. I want to become a better InfoSec Professional. Studying and learning pentesting will help me on my journey, but I will not necessarily become a pentester full-time.

Funnily enough, in my line of work, this will involve vulnerability assessing systems (in short, this is pentesting), but my job will involve other tasks as well. Immediately, if I'm exposed to pentesting in my current role, could this be something I could pursue and develop further? I can still be a hacker/pentester, but not too involved.
This is something I will be working at, building my skills over time.

If you're new to the game, I'd suggest that you don’t just ask “How do I become a hacker?” Ask “How do I become a better InfoSec professional?” If you can become a good InfoSec professional, then you're on a path towards being a pentester (also InfoSec professionals) or something else. You have to start somewhere, right?

I would ask people to be a bit more realistic about their goals and wants. Explore and look for opportunities.

How to become a better InfoSec professional has already been covered by others, but I'll give my take and offer a few suggestions.

Two vids I recommend people watch: BreakPoint Labs “How to Start Your Cyber Security Career” and StevenE's excellent S3SS1ONS Wednesday vid “Breaking into Information Security.”

StevenE reiterates what others have said. Get a Twitter presence, engage with the industry, get involved and share knowledge. Don’t just follow people - research and pass things on. We thrive on kudos and acknowledgement. Go get some. Add value to the community. Write articles. But, if you have some oddball questions – ask them in the forums – that’s what they're for!

If you already work in IT, and want to move sideways, find a sponsor. There are ways and means of doing this. Being genuine and pragmatic will win you more respect. Desperation and wanting to be “a pentester” with no proven track record will not open those doors. You need to explore opportunities and sell your skills – but in the right ways.

You need to do the legwork. Getting your knowledge and understanding up is key. It demonstrates to your current or future boss that you're serious about your aspirations. Also, understand your business. What are the company goals; how can you help with them? Cybrary will certainly help you with this.

The next element of progressing to what you want to do is to first understand yourself. Do a SWOT analysis. What are your strengths, where can you improve, what can you contribute?

If you can sculpt your skills into a role, and understand what those roles do and how they can help develop a career path, you're on your way and it's a lot easier to achieve. Don't forget: you don't necessarily have to look outside your organization for opportunities. Look at creating those opportunities internally.

If you have the skills and see the need, sell those skills, and more importantly, identify with your organization. Where is it going and where can you add value? I cannot stress enough how underrated that word is.
Value. C-level management loves value. If you can add value to something, you are onto being a winner. Get your skills up, make your skills valuable, become valued and you'll go far.

Okay, it might not be a "hacker" job or your ultimate dream job, but like everything, things are earned - not given. Work hard, do your best and you may get there. If you can give yourself a good self-assessment and do your “legwork,” guess what? This actually helps prepare you in a job interview situation.

There are some good resources on the internet about career paths, etc. Perhaps the best one I have come across is by Gary Hayslip (check him out on LinkedIn/Twitter). He has written some excellent resources on Cyber Security career paths, and they can be found here: https://app.box.com/v/path-to-cyber-slides

Best of luck in your chosen career path.