What does a cybersecurity beginner do?

[00:00:05] Chris Sienko: Welcome to the InfoSec’s Career Video Series. This series of short videos will provide a brief look inside cybersecurity careers and tell you about the experience needed to enter them. Today we'll be speaking with InfoSec skills author, Mike Meyers about the role of cybersecurity beginner. This is going to be a good one for all of you, who are just getting your toes dipped in the water. So, let's get into it.

[00:00:24] CS: Welcome, Mike.

[00:00:27] Mike Meyers: Glad to be here, Chris.

[00:00:28] CS: Always a pleasure to talk to you. So, Mike, let's start with the basics. InfoSec’s created the job role of cybersecurity beginner to show novices how to get started in the industry. Can you talk about the day-to-day task that a cybersecurity beginner might take on?

[00:00:44] MM: It's fascinating because that question can be so varying, Chris, probably one of the bigger things we're seeing these days is a lot of these managed security providers of different forms, managed service providers, but its security. A lot of people don't even know what I'm talking about when I say that. So, let me start by going – most of you talked about an MSP. Pretty much, if you own a server of any type anymore, that's plugged into the Internet, it's cloud based. The days of Rackspace of God bless, Rackspace, boy, I’m sure, you used them a lot over the years, that has been moved into more of a world where you just spin up a VM with Amazon or IBM or whoever you're using, and you go.

So, once you get this spun up, well, then they get to the next page, and the next page is, “Oh, so would you like real time security or anti malware or anti denials?” All these little things that you can choose to add on for $1.25 a month or something like that, and these are service security providers. The nice part is, is they're managed, which means they got somebody actually watching you, or at least, or have you watching a screen that's watching 100 different clients at once. That's the entry level gig right there.

You're talking about your first job is – in this one particular area, they're going to pop you down on a screen, you're going to get about a week's worth of training about our stuff, and they're not going to be asking you, if you know what ipv4 at this point. They just assume you know these things. Your job is to sit there, watch that. And if that little button there goes red, then you press this. If it goes yellow, then you call Bob, or whatever that is.

It's not the most exciting work, and if you're the new person, you're probably going to get the midnight eight in the morning shift. But it is the place from which a huge number of other security jobs are born. So, that would be one really serious example. The other example you run into, and equally not glorious, but that let's say, now you're working for Amazon. So, you're in one of the big Amazon, where the computers are. Remember, when you're on the cloud, you're just using somebody else's computer, right? So, Amazon hires tons of folks in there, and their security people stuff like that, tend to come from within, and you might be starting a job there, swapping out big racks of Dell servers, or something like that starting out, but you tend to move up fairly quickly from there.

I mean, that'd be a couple of examples. The thing you got to remember is that any entry level job you're going to get security, you're not going to be given any real authority, because you don't have any skills yet. You don't want it. No one's going to throw you in a van and say, “Go.” You're going to be heavily monitored, you're going to have direct supervision, and the job is usually going to be simplified to the point where after about six months, you're ready to try something new.

[00:04:03] CS: Now, obviously, I think what I was hearing, especially in what you were saying there, too, is I think, having this comprehensive breadth of foundational knowledge is also going to kind of evaporate some impostor syndrome that people might be bringing to a beginner role in the sense that you're not sitting there saying, I know pen testing stuff really well, but I hope they don't ask me about how to set up a network. If you know all these things, to some degree then they can throw anything they want at you realistically. Can you do this? Can you do this? Yeah, I can do that. I can do this. I think that really puts you on such a more confident footing into what is maybe a new industry for you.

[00:04:47] MM: Worse than that, is that we run into the exact opposite of imposter syndrome. What will happen is, so a new a new person gets a new entry level job, and they do have that impostor syndrome. “I'm not qualified to do this.” And then after about a week, they're like, “Oh my god, I'm the smartest person in the room.” That's just reflective of how fast IT security industry growth is.

We saw the same thing happened back in 1990 with the old Novell CNE. I saw the same thing happened back around 2001, 2002 with Microsoft MCSE. The demand was so huge we didn't care about impostor syndrome. We had so many people coming in, we have to make sure that good qualified people are coming through. That's actually a big part and I'm sure that you guys at InfoSec grind your teeth on that, what is the perfect type of courses? Nobody has a perfect one. But I'd say you guys are as close as I've seen.

[00:05:46] CS: Let's talk tools. I always like talking tools here. What are some common tools that cybersecurity beginners use? You mentioned, push this button, do that. You're going to be working with things and you're going to be working with them repetitively. But what are some examples of these kinds of basic level cybersecurity tools?

[00:06:04] MM: Well, there are no basic level cybersecurity tools. There are basic level cybersecurity employees who are then coming into some fairly inner – I mean, like Splunk, might be a good example. Any type of the same tool. Most of the time when you're going to be coming into a, in my experience, especially with the MSP type folks, is you're coming in empty handed, and you're using their tools that they have issued, that they have highly customized, and it's not so important that you know the tool, Chris. They're prepared to teach you that. What they don't want to do is that you have no idea what's on the screen. You know what I mean?

A lot of these tools almost look kind of spreadsheet like, and you see, well, here's a bunch of IP addresses. Here's a bunch of port numbers. You should be able to look at this thing, and kind of see what they're trying to do here. And then it's just your training is like, “Okay, how do I play with that?” You ever heard of Chuck Yeager?

[00:06:55] CS: Oh, yeah.

[00:06:56] MM: Alright, so Chuck Yeager was famous. Man, I got to tell you, certain people, when they passed away, I remember where I was, Yeager is one of them. Anyway, Chuck Yeager would walk up when he was at Edwards Air Force Base and this is like in the late ‘40s, early ‘50s. And back when America was making all these new fighters, and he just kept going up to every time there was a new fighter, he'd come up to go, “How do you start it?” Because there's a million different ways to start a jet fighter. And that was his way to indoctrinate himself into the new F101 or F104 or whatever. We kind of have to have that same attitude when it comes to tools.

I understand basically, a tool like Splunk is going to be divine designed to bring it. But how do you get to it? How did you structure it like this? We're basically – you're asking the base tools, that A it shows your interest, big time, and then B, the person who's teaching you becomes more motivated, because they get to ask – you're going off the script a little bit. A lot of times people like that. Trust me, as an instructor, I always like that.

[00:08:06] CS: Yeah. I was just going to say, I was thinking about that and if you come to a job to me, you need to know how to install software on computers, because you’re a helpdesk person. It helps if you've installed Malwarebytes on your own computer or whatever. They don't want you to feel like, “Oh, I've never done that before.” Some of it is just feeling comfortable with the idea of this, even if –

[00:08:29] MM: You're not going to walk into a new entry level security job. You're not going to be running Wireshark. You know what I mean? They're not going to let you. I would be more tempted to tell a learner to concentrate on understanding the basics of TCP/IP, than jumping ahead and trying to grab a tool like Splunk on your own. Because I'll tell you right now, what you look at as a default Splunk installation, compared to what you'll see on your first day job, you may not even recognize them as the same app. There's that much customization.

[00:08:59] CS: Now, speaking of the sort of dandelion metaphor, whatever of like limitless possibilities. Can we talk about different types of job options available to cybersecurity beginners? You mentioned, sort of like the Amazon computer bank and some of these other sorts of hypothetical situations, but can we sort of talk a little more about the breadth and depth of this without it turning into a four-hour list?

[00:09:21] MM: No, we can't. But I can at least get you started. Most of the entry level IT security stuff, outside of a few very nifty things that I've already described. Most of the bread and butter gigs come from administration. We have more first entry level it texts than we ever had before. Not talking to security, okay. In today's world, you're expected to replace your own mouse, okay. But you're not expected to be able to set up system backup methodologies and stuff like that. So, we're seeing more and more texts. A lot of these guys are remote. A lot of them work out of their house, which I'm not a big fan of personally, but I know for some people, it's good. Here's me working on my house, as I say that. You can tell it's a sunny day here in Houston. I'm flashing to everything behind me here.

They're going to be administrative type jobs. The kind of people who pick up the phone and say, “Have you tried turning it off and turn it back on again?” Which is honorable work. The problem is, it's still a little challenging to get those because what title. A lot of companies have entry-level gigs, but they don't actually say entry level in them and stuff like that. That's where I leaned very heavily on tools like LinkedIn. Some of the super powerful search features that helped me zero in on those jobs.

There's everything, Chris. I know here, the FBI, here in the US, you can tell I've been talking to overseas folks all week. The FBI is a great organization, if you're interested in law enforcement, federal law enforcement, I would tell anybody, they should consider a career in the Federal Bureau of Investigation. They're very technology friendly folks. They have internships. It's collegiate level, but they have internships. We have a regional computer forensics laboratory all over the country, which bring people in. The nice part about the FBI is that they have a dictate to talk to their community. So, every FBI agent in the country is required to spend X amount of time per year, I don't remember what is in outreach. So, you actually call a local FBI field office and say, “Can we have a tour or something like that?” Pending Corona and things like that, and every office is different. I'm not trying to say this is a good thing. But you'll often be surprised how open the bureau is about their job, and they're kind of proud of what they do and there's lots of federal agencies that do that. I've been working with the Bureau since the 20th century, in one way or another.

[00:12:10] CS: Great. Since this is the ultimate beginner job role, and we've already talked about possible law enforcement aspects of it, but I want to talk about some of the different career tracks you can move into, from a cybersecurity beginner and I know this is again, literally like, you’re the queen in chess. You can move literally any direction, but what are some of the sort of common, sort of jumping off points from this type of role?

[00:12:35] MM: What I will tell you is that once you got your toe in the door, anywhere, you better be using that three-foot rule hard. Okay. You know what it is. The three-foot rule means anybody within three feet, you're selling them? And what you're selling is you. Especially when you're the new person. This is your time to ask questions to the point of irritability as I tell people. This is your opportunity to be, “What's happening here?” This is where you start going to conferences, even if they're virtual, you start going. This is where you start looking into –

[00:13:08] CS: Take your boss to lunch and ask what they do?

[00:13:10] MM: Yeah, because even if I start saying things like, I don't know, let's talk about audit, which is an area near and dear to my heart. It's not a good place for entry level to go because it tends to require higher level certs. But they're the people who you end up dealing with administratively when they're checking the levels of what your patches, those irritating things that audit people do. So, by my easiest answer, Chris is always be selling yourself. Don't forget the three-foot rule and see where the next steps are within that company.

[00:13:44] CS: Yeah. Alright, so we're wrapping it up here. For our listeners who are ready to get started, giving you another big open-ended question to wrap it up. What's the first step in becoming a security beginner? What learning study experience you recommend that they do the moment they turn this video off?

[00:13:59] MM: So, I guess I better put InfoSec’s 800 number down at the bottom of the screen.

[00:14:05] CS: You can.

[00:14:06] MM: You guys have a wonderful program. I come in here and it’s always a pleasure to talk to you, Chris. Start with the InfoSec, you'll be doing just fine.

[00:14:17] CS: Alright. Well, Mike Meyers, thank you for your time and insights, like you said, it's always a pleasure to talk to you. So, thank you.

[00:14:21] MM: Thank you, Chris.

[00:14:23] CS: Thank you all for watching this episode. If you'd like to know more about other cybersecurity job roles, please check out the rest of InfoSec’s Career Video Series. I'll see you next time.