Despite a lack of exposure to issues in computer security during my undergraduate education, I now work as a senior threat researcher tracking advanced persistent threats as they relate to nation-state actors and cybercriminal organizations. I reverse-engineer mobile malware and analyze the infrastructure these threat actors use to both distribute and communicate with malicious applications. (For example, last month my team identified a new rooting malware, AbstractEmu, that was distributed on Google Play and prominent third-party stores, most likely for malicious financial gain.)
I love my job and I love having a hand in stopping the bad guys, but I took the scenic route to get here.
I started programming when I was 9 and began exploring the possibility of studying computer science while I was in high school. I was advised to avoid computer science as it was an impractical, theoretical degree that would never land me a job. As a result, I entered university as an English and political science major and planned to study international law. During my first year, I enrolled in a computer science class as an elective, and our class attended a lecture from a recent graduate who spoke of how useful her degree had been in her role as a video game developer. Inspired, I transferred to the computer science department the following semester.
It wasn't until five years after I graduated that I found my way to cybersecurity, however. To become a better software engineer, I enrolled in a security certification program and met a wonderful mentor who was working on a security engineering team at the time. He encouraged me to apply for an open position on his team and helped kick-start my career in cybersecurity.
All too often, the best things in life happen serendipitously, like my career in cybersecurity. Despite our interests in high school or even university, most people don't land their dream job immediately after they graduate; some may not even realize their dream jobs exist! In an informal Instagram poll of approximately 500 participants, 52% responded that they transitioned into cybersecurity either from another area of tech or an entirely unrelated industry.
How Do You Find Your Niche?
One of the biggest challenges with transitioning to a new role in cybersecurity is figuring out the area of security you're most interested in. Traditionally, roles have been broken down into two main "teams": red and blue. Red teams typically handle offensive security, "attacking" the corporation with pen testing or social engineering to find vulnerabilities. Blue teams are responsible for defensive security, which includes incident response, digital forensics, and threat intelligence. Recently, new team names have been created to represent overlaps in roles (for example, "purple" teams that handle both offensive and defensive security duties). You can further explore the cybersecurity "colour wheel" and what these roles entail through summaries online, like Hackernoon's breakdown.
One of the best ways to narrow down the exhaustive list of possibilities of a career in cyber is to explore the finer details of these roles through online job listings. Ask yourself questions such as "Does this look exciting and interesting to me?" or "Can I see myself working on this problem for a prolonged period of time?" or even "Would I enjoy the pressure or expectations set by this role?"
For example, in some roles, like incident response, you may be required to be "on call" and available to handle issues that arise — day or night — for a set time on a recurring schedule. If you're someone who struggles in high-pressure environments and can't see yourself performing well in that situation, then a role with those expectations may not be a great fit.
I often advise those interested in multiple areas of cybersecurity to participate in a "capture the flag" (CTF) event. These are available online (for example, https://ctftime.org) or in person at security conferences. Participants compete in teams, or individually, to solve challenges that span multiple areas of cybersecurity: network security, pen testing, reverse engineering, and social engineering, among others. This is a great way to gain exposure to other areas of cybersecurity with which you may not be familiar, and most of the challenges are real-world examples of problems you might face in a role within that area of cybersecurity. It was at a CTF event where I discovered my love for reverse engineering!
The cybersecurity industry offers so many opportunities for curious, eager problem solvers. Most importantly, it's a career path that will only continue to become more valued in the years to come. With a little patience and research, you can find your niche in this exciting industry and discover a role you love that also protects those around you.
First of two parts. The second part of this column is here.