
In this blog post, I will try to shed light on some of the questions that a new candidate in this industry might stumble upon. I will build my points on my own experience being fairly new, therefore this might not apply to you. However, I’m sure that you can relate to at least some of the upcoming points. This post is inspired by a talk that @David Thejl-Clayton gave at an internal FDCA webinar.

I hope you enjoy this post. Feel free to reach out to me by either of the provided links on the left side panel.

:pencil2: Why even write about this?

So, why do I even care about writing this blog post? It’s simple… I could have used some of these points when I was about to pursue a career in this industry. The industry is very complex, and there are tons of ways into this, which can make it hard for new people to join the spaceship.

These new candidates might have a fancy bachelor’s degree from a university, a vocational education, or be 100% autodidact - my point is that they (to some degree) have the same fundamental way into this field.

:space_invader: My way onto the cybership

If you don’t want to read about my journey into Cyberspace, you can skip this part.

My way into this field has (maybe) been quite different, compared to what others might have done in the past, but nevertheless - I’m here now.

Let’s start with my education.

I graduated from Aalborg University with a BSc degree in Information Technology in 2020. The degree was focused a lot on business continuity and evolvement within the IT industry. This gave me a lot of theoretical knowledge about “how it should be done”, but no opportunity to build practical experience, which might be valuable for a company. However, as a side hustle, I worked as a Software Developer for a small start-up - where I filled in some of the missing knowledge.

After I graduated, I was unsure whether to pursue a Master’s degree, or go straight for an entry-level position. Two things I was sure about, however: I knew that I wanted to work with security, and I knew that I had to get some more knowledge within this field.

So I had two options:

  1. Spend two further years at the University, to pursue a Master’s degree in something “conventional”.
  2. Apply for an entry-level position within a security company.

And while surfing the internet for open job listings and degrees, I stumbled upon a new conscription programme the Danish Military is offering - Cyberværnepligten (The Cyber Conscript).

I quickly read through the material, and immediately applied for it. Here in Denmark, you usually have to go through 4 months of conscription, but this education had an additional 6 months of cyber education on top - which for me sounded super interesting and fun. At that point, I hadn’t served my conscription yet, and I found this opportunity a great way for me to take a year off, and think about my future - which turned out to be a great decision.

I got accepted to The Cyber Conscript, and for the first time had to experience what it was to be in the military - I had to get fit. :muscle:

After serving 4 months in the Royal Danish Navy as the initial conscription, I moved to the Army to get my intensive cyber education. In the six months I served, I got educated in:

  • Networking (CCNA)
  • Server administration (Win & Linux)
  • Microsoft Active Directory Services
  • PowerShell Scripting
  • Backup Solutions
  • Governance, Risk & Compliance (GRC)
  • Red teaming techniques and tactics
  • Incident Response

There is probably something else to add to the list, but this was just what I had in mind.

All these skills were used at the end of the conscription, in a week-long exercise. In this exercise, we had to act as system administrators for a whole battalion of actors, which exposed us to a lot of different cases. At the end of the exercise, we had to act as incident responders, as our infrastructure got infected with widespread malware, which we later found out was ransomware.

All of these skills touched upon a lot of different subjects that are widely used within this industry - at least this was a good way for me to get more practical experience and knowledge about the more technical aspects.

Even before my conscription was over, I applied for an entry-level position as a First Responder within the Danish Healthcare, at a huge organisation with over 35,000 employees to manage. I got the job based upon my understanding of people, processes and technology, but primarily my drive to learn.

Now I have worked for this organization for 11 months, and really developed some valuable skills, because one thing is to get an understanding of the technical skills, but there are also soft skills to be added to your resume.

For example, something as simple as just working for a big organization, where everything is tied to processes, guidelines, and policies - was something new for me. Or the experience that I’ve gotten from the military, where you had to work in different environments with people with different backgrounds and cultures.

Based upon these skills I got a new job as a Cyber Security Consultant in a private corporation.

:stars: Enough about my way into cyberspace - let’s talk about your opportunities.

:question: Endless opportunities

Image from Henry Jiang

One of the questions that I hear a lot in this field is what path to take if you want to work in this industry. It’s a legitimate question, and I had it myself. This industry has so many different areas, and the important part is for you to do your research, and test something out. Do you think vulnerability management is interesting? - Spin up a VM with OpenVAS and try it out. What about penetration testing? It’s easy for you to create an account on HackTheBox and try to see if you can get access to some of the boxes. The only limit is you - there are tons of free resources in cyberspace.

Of course, you won’t become an expert with these techniques, but you develop some fundamental skills to do further research and explore your interest. That’s usually a valuable skill for the company you want to work for.

Don’t get overwhelmed by the tons of options, I suggest you do the following:

  1. Write down your passion. What type of work can you get lost in? What type of work could you do every day, and not get sick of? What interests you? Do you like solving puzzles and breaking into stuff - Penetration testing might be something for you. Do you like keeping yourself up to date with the latest breach reports - Threat intelligence might be something you fancy.
  2. Write down your strengths & weaknesses. What are you good at? Do you want to work with that, or do you want to evolve your skills in what you are not good at? These are questions that you need to address. And it can be very beneficial to work on your strengths, but occasionally it can be healthy to go out of your comfort zone.

If you can enable yourself to go from just going to work because you have to, to going to work because it interests you - then you have found your right place.

:running: Certification Race

In cyberspace it’s common to go for certifications to learn about new techniques and tactics to either hunt, attack or explore other fields in this domain. My own certification path has just started, so I can’t give any detailed explanations or share experiences from OSCP, CISSP etc., as I haven’t completed them.

However, I won’t recommend taking a certification from EC-Council, as these courses are focused a lot around tool showcasing, rather than actually getting something useful out. I took Certified Incident Handler from their course catalog, and I have to admit that I surely regret taking this course!

If you want entry-level certifications, you should go for something like eJPT from eLearnSecurity, or something else they have to offer. Unfortunately I haven’t had the opportunity to take it myself, but will definitely pursue it. SANS is also a huge player, if not the biggest, in this industry. They offer tons of top-notch courses, and they actually have a roadmap, where you can see the different tracks to evolve in this industry.

Due to the high price range of the courses, I’d advise trying to cooperate with your firm to have them fund the courses for you, seeing as it would both profit you and your talents as well as the employee development for the firm. A win-win for both the employee and employer.

There is also a good overview here detailing the different domains, and what certifications to pursue.

:sunglasses: Imposter syndrome

This is a subject that I had been dealing a lot with. It’s the sense of self-doubt related to work capability and accomplishment. And I know that a lot of new candidates are struggling with this feeling, and this will definitely become a hindrance to your career development.

Down below, I have a couple of guidelines that I try to follow, to overcome this stupid syndrome:

  1. Stop comparing yourself to others. This is probably one of the most important facts that I use to fight this syndrome - you won’t get anything out of comparing yourself with others.
  2. Write your accomplishments down in a document - review it often. This can be feedback from your boss, friend, professor, or just some achievement you noticed on your own. Did you just pwn a box on HackTheBox in 25 minutes? Did you receive an e-mail from your boss, endorsing and praising the work you did? Good job, screenshot it and save it for later. It’s the small accomplishments that count in the long run.
  3. Accept that perfectionism is impossible. When you have addressed your strengths and weaknesses, you find that you can’t be good at everything and that nobody is perfect. You need to learn to accept that failing will every so often increase your resilience, and make it easier to learn from your mistakes.
  4. Approach feedback. Have you created or written something you are unsure whether it is good or inadequate? I suggest you seek feedback from somebody in your network, your parents or someone else, as this will clarify the state of the work you did. You no longer live in uncertainty, but convert it to something you can act upon. This blog report I actually sent to a couple of people in my network.

:bulb: The good argument always wins the battle.

:collision: Tips & tricks

  • Ask questions. This is probably my number one tip that has gotten me where I am now. I always have a curiosity to understand why things are the way they are. Whether you are at a job interview, meeting or just networking - throw a few questions at the recipient, as this will indicate that you are interested in the conversation, and you dare to express what’s on your mind. It will also be very valuable for the company - maybe they are having a process that should be reviewed and changed, based on your question.
  • Don’t be afraid of doing something out of your comfort zone. I discussed this earlier.
  • Be self-aware. As described earlier, describe your blind spots and work on them.
  • Celebrate your small victories. Described earlier, but this is also a very important point. I keep a folder on my desktop with all my victories. :sunglasses:
  • Keep a motivation to keep learning. In this industry, things are changing constantly, and you need to keep yourself up-to-date with the latest trends and education to challenge others.
  • Network. This tip is also a major part of where I am today. I attend a lot of community events (OWASP, BSides, Vsec, CitySec here in Denmark), where I get the opportunity to talk to people from the industry, and this broadens my network of people that are like-minded. I actually heard about the job that I’m currently working at, as I was attending one of these events and had a conversation with one of the employees at this company. He told his boss about me, and I got an interview with them.
  • Keep your LinkedIn up-to-date. Another tip is to connect with the people you meet, on LinkedIn. I use LinkedIn as a way of organizing the people I met and had some great conversations with, as well as follow their journey. LinkedIn is also a good resource for finding great articles and posts.

Wrapping up

Wow, that was a long speech from me. :grimacing:

I sincerely hope you liked the post and could use some of the points addressed. I know that my experience in this industry is not broad yet, but I feel that I, nevertheless, have something to share with the community.

If you’re just here to read the conclusion, I suggest that you read the section “:collision: Tips & tricks”, as this outlines the most important points that are addressed in this article.

The next post will be about how to write a Curriculum Vitae, or CV - as this can be unfamiliar for a lot of people, and I will try to address what you should write in a CV, templates to use among other things.

Useful resources