What I’ve learned during my Rookie Year in Cyber Security

My Starting Point

One year ago I finally decided to make a dream come true for myself and to get into the field of cyber security. At this point I was 36, happily married, father of two kids and had a good job working as a product owner for a large German-based e-commerce company.

I already had some practical experience with hacking tools like nmap, John the Ripper and the like, and also had a solid foundation in IT concepts like networks, system architecture, programming languages, APIs and so on from former jobs.

But ever since I wrote my first lines of code in QBasic and Turbo Pascal, I always wanted to become something like a “Hacker”. So, because I already knew that I was unhappy with my job at this point and that it was time for a change, I decided to give my old dream a chance to come true.

At this time I had a somewhat romantic idea of what it would be like to work in IT security. I had hoped to hack all kinds of things and to become something like a cyber ninja warrior or black magic cyber wizard who could hack into any system and do all kinds of crazy things.

And it took me a while to get rid of this idea…

Where to start?

I played around with Hack The Box and OverTheWire Wargames to make sure that I was really interested in learning more about information security and whether I was even able to learn stuff like this. Both are great options to play around with for a while without investing any money. All I needed was time and willpower. (I didn’t know about Web Security Academy at this moment.) After two weeks I decided to continue on this path and to take my initial idea more seriously.

From Noob to OSCP

I’ve read tons of blog posts about the Offensive Security OSCP certification and decided to take this cert for three reasons:

  1. OSCP has a very good reputation and is valued among experts.

Since I have a family, a job and a real life, I decided on the biggest package with 90 days of virtual lab time. — And during the next months I learned so many things about the insecurity of computer systems, about other people and also about myself and how my brain works.

But I’ve learned even more from it:

  1. Getting the mindset of a hacker.
    “Trying harder” is only one small part of it. — Changing your perspective over and over, escaping from rabbit holes, googling everything you don’t know and documenting your progress is the bigger part.
    I watched this video so many times during those days and it still makes me smile today.

Becoming a Certified Ethical Hacker

I actually wanted to do the Certified Ethical Hacker course before the OSCP, but at that point the certification course was too expensive for me. The price was around 4,000 Euro for five days of on-site training and an exam attempt. Then, after the OSCP, I caught an offer to do the training online over a period of 12 months for only half of the original price.

I wanted to get this certification for two main reasons:

  1. At least in Germany, this cert helps you get recognized by HR people.

Lessons learned from doing the CEH:

  1. It’s good to show potential employers that you have a very good understanding of IT security basics, networking and general tools like nmap. But for me it was very boring after doing the OSCP, because of its heavily theoretical approach.

Where to go from here? — Focus Daniel-san, focus!

A friend of mine works at Google, and in his early days at this small search-engine company one of his colleagues told him that if you want to be successful, you just need to focus on one thing and be dedicated to it.

That’s easy to say but hard to do, especially if you work in IT and even more so in the field of IT security. For me as a creatively minded person who always strives to learn something new, working in IT security is like being a little child in toy paradise. There are so many options and cool things to play with, so many things to learn and so many ways to become better. — But my time is limited and I’m not paid for playing around with all this cool stuff, so I need to focus on at least certain areas.

I’ve created this (not comprehensive!) overview of possible areas I could pick a topic from to become something like a master, or at least an experienced practitioner, if I focus on it long enough.

I personally decided to focus on Web Application Security and AWS Cloud Security until the end of 2021. That’s why I’ve chosen to pursue the eLearnSecurity Web Application Penetration Tester and Offensive Security Web Expert certifications in 2021.

One lesson along the road is not to get crazy about certifications. There are many companies whose business model is based on trust in IT certifications and on the belief in a growing need for cyber security experts, and I see a lot of promotional campaigns offering big discounts on security trainings. — Don’t freak out and avoid becoming a cert hunter! Spend your hard-earned money, your time and your health only on those trainings you really need to become an expert in the field you have chosen.

Benefit from the Boom

I’ve already mentioned the growing demand for IT security experts above. And with a more and more connected world, the Internet of Everything, hacked elections, industrial espionage and events like the SolarWinds hack happening, this industry has been growing strongly for years.

That’s why I personally, besides other ETFs, invest monthly in the L&G Cyber Security UCITS ETF.

It has had a growth rate of 118% over the last 5 years and almost 33% over the last 12 months, and it offers a good chance to participate in the cyber security boom.

Difference between Hackers and Managers

There is a big difference between the management perspective on IT security and the hacker’s perspective on it. If you want to get paid for doing the things you love and if you want to be successful, you need to learn to switch between both perspectives.

The ability to communicate what you know to different audiences, to explain sophisticated topics in simple words and, especially, to point out why they matter to management and their organization is crucial if you want to succeed in your job of securing the systems.

Yes, there is not much glory in prevention. But there is absolutely no glory in not being able to get the resources you need to secure the company that pays your salary.

Some general Learnings

  1. Don’t get obsessed by tools, learn fundamentals instead.

I hope this article was helpful and you could learn something from my experiences.

Well known secret superhero - Cybersecurity enthusiast #OSCP #CEH 🧙‍♂️
