Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
Hello, Infosec Resources readers! I’m Chris Sienko, and if my name isn’t familiar, I’m the host of the Cyber Work Podcast. Since 2018, I’ve talked with guests from the spectrum of cybersecurity jobs and careers. I’ve talked to CISOs, pentesters, incident responders, red teamers, secure coders, cybersecurity startup founders, and cybersecurity professionals at all skill and experience levels.
In this new monthly column, I'll be highlighting key points and insider's expertise about — you guessed it — the work of cybersecurity! (Cyber … Work. Get it?) I hope this column will provide tips for your career, get you excited about exploring past episodes and maybe even entice you to check out a subject or a guest that you didn’t think was relevant to your work specialty or career aspirations.
Nearly every guest I’ve spoken to has said the same thing: knowing as much as possible about every facet of cybersecurity is vital to staying fresh and relevant in this industry. Time spent learning new things is never time wasted! Besides, you never know when someone’s inspiring words or example will set you on a new career path!
With that in mind, here are some insights I gleaned from my guests in December and January. I hope you’ll also find them interesting and actionable, or maybe they’ll help you see your own tasks from a new perspective!
What should you learn next?
Ameesh Divatia on the perfect triad of skills
In December, Baffle CEO Ameesh Divatia shared what he considers the perfect triad of skillsets to keep aspiring cybersecurity professionals relevant for the long haul. He says he sees “a big paradigm shift from bare metal to virtual machines.” With more companies requiring personal data collection, security practitioners will be ahead of the pack if they are fluid in three skills:
- Best practices for data collection and storage
- Methods of securely using data without making it a business liability
- Implementing security systems for cloud-based transmissions of data
In short, newcomers who want to deepen their skills simultaneously within cloud security, file security and data privacy will be front and center in building a safer future.
If you’d like to hear more about these skillsets and Divatia’s pro bono volunteer work on his city’s technology council, check out the full Cyber Work Podcast episode.
Ken Jenkins on the US Cyber Games and kicking Imposter Syndrome
December also saw Ken Jenkins return to the podcast to discuss his work as the head coach for Season II of the US Cyber Games.
The US Cyber Games bring together young adult cybersecurity students, ages 18 to 25, in a spirit of friendly competition as they work individually and collaboratively on a series of Capture the Flag (CTF) events and challenges ranging from forensics to web app pentesting to real-time exploitation/defense challenges.
Even though we talk about these as “Games,” Jenkins is quick to note that the skills learned will be vital to professionals entering the security space:
“Being able to continuously hone your skills through competition and through a team of events really helps overcome imposter syndrome,” says Jenkins. “You can come out and compete with like-minded folks, similar academic backgrounds, and try your hand against all these different specialties in capture-the-flag events or the more real-time Red Team vs. Blue Team challenges.
“Learning to write code in a computer science class, but never dealing with a determined adversary during incident response; that’s quite a gap to close from a classroom. Many of the athletes will go on to work at product companies, cybersecurity companies, or data science. They may develop behavioral analytics, machine learning or AI from what they’ve learned through capture-the-flag challenges. It just moves the whole profession forward, in my opinion.”
Whether you want to listen to some good stories of the US Cyber Games or learn how to take part yourself, check out the Cyber Work Podcast episode! If you’re short on time, jump to the 40-minute mark, where Jenkins explains how to get involved as a player or a coach, as well as strategies to build up your own problem-solving muscles around minute 48.
Matt Lorentzen on “intelligence-led pentesting”
In January, I learned a term that was new to me: “intelligence-led pentesting.” I asked Matt Lorentzen, principal consultant at Cyberis, to explain what it represents for the pentesting industry. Matt said it’s basically red teaming but with a twist. Rather than an all-out assault on an organization to simulate a full-scale internal and external attack on a network, intelligence-led pentesting narrows the focus to industry-specific and location-specific types of attacks to specifically strengthen the security posture in the places where it’s most likely to be hit.
I love hearing red team “battle stories” as much as the next career advice-focused cybersecurity podcast host, but Lorentzen’s description of using red team operations not simply as an indicator of where a threat actor could get in but what would happen if they were already there seemed like a more practical and less scattershot approach.
“That’s kind of where we as a company placed a lot of importance on that initial access factor,” says Lorentzen. “If an attacker is successful…then what? That’s always a good place to start: ‘then what?’ Because that’s going to be the starting point for whatever good or bad will happen.”
The rest of the Cyber Work Podcast episode moves into suggestions and recommendations for school districts that want to protect students using school accounts. We also discussed the right way to think about doing CTFs, and the uptick in your skills when you learn not just how to capture a flag but how to approach that same problem from many different directions.
Even more inspiring is Lorentzen’s passion for post-pentest reporting. He says, “In the last ten years or so, there’s been a huge influx of people open to sharing [their insights] and bringing other people along. That makes for a great time to be in here. I don’t have to be the smartest person in the room. Quite often, I’m not. But I love learning, and I’m always enthusiastic about learning and will learn from anybody. I think you need a very open mind when it comes to this industry as to how you’re going to build your skill set.”
FREE role-guided training plans
Capture the flag, capture the gold, or capture the perpetrator?
Whether you’re trying to future-proof your cybersecurity skills with advanced data privacy and cloud skills, solve the trickiest head-scratchers the US Cyber Games can concoct, or use your Red Team skills to document industry-specific exploitation strategies, I hope this month’s episodes of Cyber Work get you excited to start 2023 with a renewed determination.
If you don’t have an hour of listening time or you have a particular question, we’ve also launched a brand new series of shorter episodes aimed at answering your specific work and career questions. We call it Cyber Work Hacks! At the time of this writing, we’ve released three episodes focused on:
- Acing tricky cryptography exam questions
- Understanding recent ISACA CISM exam changes
- How to set up a digital forensics lab (featuring Paraben's Amber Schroader!)
Have a topic you’d like us to answer? Drop us a line at cyberwork@infosecinstitute.com and let us know how we can help.
Keep listening, keep watching, and keep learning! And please comment on our YouTube pages about other topics or guests you’d like on the show.
Talk to you next month!
In this Series
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
- I failed my CREST Certified Infrastructure Tester exam: Here’s my story
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity