That is the question.

I’ve come across many thoughts and opinions on social media and blogs and everywhere else on how someone should start their cybersecurity journey. Here are some of the questions I see a lot:

  1. Do I need a cybersecurity degree?
  2. Should I join a bootcamp?
  3. Which certifications should I get?
  4. Do I need to know programming?
  5. Should I start with a help desk job?

I think the answer to all of those questions is… “Maybe?” I didn’t realize until much later in my career that I wanted to get into cybersecurity, but I wanted to write a bit about my journey and what got me to where I am now. Hold onto your hats because this will probably be a long one.

In 2003, I joined the military because I had no idea what I wanted to do, and they said they would pay for college. Score. I already had an interest in computers, having messed around and building websites with Geocities and Homestead (remember Homestead?) way back in the day, and convincing my friends over IRC to download my Sub7 executable, so I could have some fun with them. But that was the extent of it. I really didn’t know much about computers at all. My recruiter convinced me that I should get into commo (short for communications), because I would learn about computer networking and operating systems and satellite and radio communications. Seemed interesting enough, so I went for it.

And I hated it.

I promise you, there is nothing like sitting in a classroom installing and uninstalling Windows 98 over and over again from a CD-ROM, just to learn how to create users and groups. I remember taking a small handful of caffeine pills right before class just to stay awake to avoid having to do push-ups if the drill instructor caught you dozing off. Granted, there was much more to it (we did eventually mess around with hardware and COMSEC, which was a little bit more fun), but the point I’m trying to make is that this didn’t really work for me.

After I got out of training, I figured I’d take advantage of that college tuition assistance, so I enrolled in an Associate’s in Information Technology program. I still wasn’t quite sure what I wanted to do, and I thought this was generic enough that I could explore many different sides of IT and find out what I liked the most. The only thing I remember about that course is building Windows applications using Visual Basic and wanting to slam my head against a brick wall.

I hated this too.

Eventually, I graduated and got a job working at a call center for a large domain registration and hosting provider. I was taking inbound calls for customers who were looking to renew their products or needed some basic support. If you’ve never tried walking someone through setting up their Outlook client email settings over the phone before (there was no remote support at the time), I encourage you to try it. You’ll learn a lot about how much patience you actually have.

Anyway, I actually learned quite a bit working there. I learned how domains and DNS records work. I learned how web hosting and FTP and SSL certificates work. While I did learn a lot, the role was heavily sales-based, and I was required to try and upsell customers at every opportunity I could. Someone calls in to renew their domain name? “I see you don’t have a website! We should set you up with a hosting package, and you can work with our designers to build your brand! Let’s get you up and running!” I wasn’t all about that.

At this point, I still wasn’t sure what I wanted to do, but I was chugging along and learning what I could along the way. I decided I wanted to go back and get my Bachelor’s degree.

Computer Forensics sounded like a blast, so I enrolled and had some of my credits transfer over. I made it one or two semesters in, and quickly discovered something.

I hated it.

I remember sitting in the first computer forensics class and having to manually convert hexadecimal to ASCII to read filenames and created and modified dates out of deleted files on a 3 1/2” floppy disk. While this was a bit better than installing Windows over and over again, I wasn’t convinced this was going to get any better, so I dropped out. I needed a break.

At this point, I needed a job and couldn’t worry about going back to school or anything like that, and I ended up getting a job working retail. I was looking forward to dealing with customers again like I did when I worked at the call center, but this time it would be face-to-face (sarcasm)! Believe it or not, I stayed at this job for almost 6 years. If I didn’t have such a great boss, I likely would not have stayed that long. But one great thing did come out of working retail, and that is learning how to work with people. I learned a lot about how to talk to and read people and effectively communicate with them, and this has been invaluable to this day.

Let’s make video games.

During my time at the retail job (a few years into working there), I enrolled in a computer science course at the local university. I knew a bit of HTML (from my Geocities days) and a little bit of PHP (from messing around with web application stuff in my free time) but I really wanted to get into game development. I had been tinkering with Unity engine and wanted to take it to the next level. This school offered a computer science track that focused on game development, which sounded great (and they transferred a decent handful of my credits too, which was an added bonus). I studied many of the typical computer science topics you see in any CS course, such as programming languages, data structures, algorithms, etc., and I learned about some game dev concepts as well. While the game dev stuff was fun, much of the research I did on the game industry was a major turn-off. While I’m sure this is not always the case, working contract after contract did not sound appealing to me. I really wanted something more stable than that.

After graduation, I had taken advantage of the career counseling services offered at the university and found a job as a Help Desk Technician, so I applied. I sent in my resume and a few days later they asked me to come in for an interview. But here’s where things got interesting. They didn’t want me to interview for the Help Desk job. They had a web development position opening up soon and thought I would be perfect for it. So I interviewed and got the job. I was a developer!

I worked there for almost a year doing PHP development before my wife accepted a job that would move us out of state. My employer did allow me to work remotely for a while until I found a new job, but working remotely permanently was not an option at the time. Eventually, I did find another position doing PHP web development, but to make a long story short, that didn’t work out very long.

Don’t burn bridges!

Fast-forward a few years and my wife and I are moving back to our home state after the birth of our first child. I sent my old boss a message letting him know we were moving back and asked if he had any positions open. While the web development position had been filled years earlier when I left, he did have a need for another help desk technician (full circle, right?). Because of my programming background, he believed I could take on a bit of a hybrid role where I would be doing some automation via PowerShell scripting and other tools (this was an MSP, to put it into perspective). While working help desk, I quickly learned a lot about basic computer configuration and troubleshooting, domain controllers and file servers, antivirus, and Active Directory, including on-boarding new users, creating OUs, and reviewing Group Policy settings, just to name a few. I would eventually become the Microsoft 365 subject-matter expert and begin learning about other cloud solutions as well. I had also been given opportunities to learn and configure our MDR/EDR and managed AV offerings.

This is where I really started to gain an interest in the security side of IT and wanted to shift gears. I discovered Neal Bridges and his Cyber Insecurity streams, where he talked about what it takes to get into cybersecurity. I also began watching videos by John Hammond on the regular. Both of these guys are incredible, and I highly recommend checking them both out. I am so incredibly grateful for these two and all the content they put out. If it wasn’t for John, I don’t think I would have discovered TryHackMe, which has been invaluable to my learning. And if it wasn’t for Neal, I would not have discovered the INE Penetration Testing Student course, which would eventually become my first cybersecurity certification.

I read a lot about how to break into cybersecurity at this point, and I knew I wanted to become a penetration tester. I also knew it wasn’t going to be easy. Much of the advice and suggestions I found recommended starting in an entry-level blue teaming role, such as a SOC analyst, and pivoting from there, so I began searching for jobs. I had my eJPT certification at this point, experience in web development and PowerShell scripting, experience working with all things help desk, and strong communication skills developed through customer service jobs. I had built a pretty solid foundation that I hoped would be sufficient to progress me forward.

I submitted my resume, but I also needed to manually fill out the application? /facepalm

Many tailored resumes and job applications later, I would apply to an organization looking to fill an entry-level pentesting position, and they were willing to give me a shot, even with my lack of pentesting experience (aside from TryHackMe and eJPT certification). I couldn’t have been more ecstatic and accepted their offer.

That was almost a year ago. I’ve been a professional pentester for nearly a year now, and I have learned so much along the way. My employer has supported my ongoing learning by putting me through Offensive Security’s PEN-200 course to get my OSCP, which I received just a few weeks ago. I’ll be enrolling in Zero-Point Security’s Red Team Ops course next year, and I’m looking forward to expanding my knowledge and becoming a greater asset to the organization.

So, to answer the questions:

  1. Probably not. I didn’t get a cybersecurity degree, but I’m confident my CS degree helped push my career in a direction that would eventually land me the job.
  2. Maybe? I didn’t join a bootcamp, but one of my co-workers in the same entry-level pentester position as me did, and it helped him gain the skills to land the job.
  3. I went with the eJPT certification because I wanted the hands-on experience of the certification and already knew a bit about networking and security from prior experience. Otherwise, I would suggest building a solid networking and security foundation and checking out CompTIA’s Network+ and Security+ certifications.
  4. At some point. Learning the basics of Python is a good start since many exploits are written in Python and you may need to modify the code to suit your needs. Any web development language like PHP or JavaScript would also be good to grasp since you will likely be doing web application testing at some point and it helps to understand the technology behind it.
  5. I did, I’m glad I did, and I highly recommend it. Find an employer that will allow you to explore a bit outside just responding to tickets, and you will learn a lot.

I hope this was insightful, and if you have any questions, please feel free to reach out to me on social media! I’m happy to connect!