How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
If global headlines have you interested in ethical hacking, you’ve come to the right place.
Experts like Ning Wang, the CEO of Offensive Security, are calling on aspiring pros to help address cybercrime, improve practices and promote better habits overall.
But, having a background in security doesn’t mean you’re cut out for the job.
Learn how you can break into the industry and impress employers with advice from this week’s Cyber Work Podcast guest, Ning Wang.
Tips to secure a job in your desired specialty
While there are many roles under the umbrella of ethical hacking (i.e., pentesting, red teaming, ethical hacking, etc.), the main goal is to determine what potential threats could compromise an organization. However, the exact tools and techniques depend on what you specialize in.
So, how do you know which route to go?
Wang, a former physicist and celebrated business leader, says to listen to your heart. “Figure out what your passion is,” she advises. “When you do things you’re passionate about, it doesn’t feel like a job.”
Taking courses, reading blogs and practicing on the job can help you determine what you want to do. Once you’ve narrowed your focus, Wang lays out three key steps to help you get a job offer.
1. Start somewhere
Landing your dream role right off the bat isn’t realistic, says Wang. No matter your level of foundational knowledge, some jobs require more hands-on experience than others. But don’t let that deter you.
Whether you’ve got a security background or come from a completely different field, Wang says anyone can succeed.
If you want to be a penetration tester, you might start as a system, network or security administrator. These roles offer you the opportunity to master systems, networking and security processes. That way, you’ll know exactly how things work when you get to pentesting.
For those new to cybersecurity, Wang encourages you to embrace the learning curve. “If you don’t know IT, learn the basic stuff,” she suggests. “Learn how coding works, how software development works, how to write code and how to write scripts. Learn what a network is. This basic stuff lays the foundation of the digital fabric in which we live and work.”
Regardless of your starting point, Wang reminds all cyber pros to be patient — and persistent. “Do any job and keep on learning. If penetration testing is what you want to do, you will get there in due time.”
2. Get involved in the community
While a resume highlights your professional skills, Wang says the best way to get noticed is by networking. “Either get involved to ask questions and learn from the other fellow ethical hackers on their journey or get involved as a way to share your learning.”
From writing blogs, presenting data, attending events, staying active and showing interest in relevant topics is how you get proactively recruited. After all, you never know who might be watching. “When you are involved in the community — you know what? A lot of the companies and a lot of the hiring managers are there, too,” says Wang. “They notice you.”
3. Study the methodology
Perseverance and personal investment show employers you’re dedicated, but to prove your technical prowess, you must be able to think like a hacker. “Don't just study for the exam,” Wang says. “You will rob yourself of the opportunity to really learn something that will set you up for success. Study because you want to learn the mindset.”
The truth is that most professionals will have the same baseline, theoretical knowledge. What will really set you apart, Wang explains, is proving that you can go off-script and solve problems yourself.
By adopting an adversarial approach, you’ll be able to offer new solutions — and confidently answer any curveball questions. “When you learn for the right reasons, it will show through in the interview,” Wang says. “That’s how you get the job.”
The importance of adopting the right mindset
When you land your first role, you should be prepared to think outside the box. Like the medical field, ethical hacking requires an in-depth understanding of how and why things work. That’s why memorizing test questions won’t help you excel.
Instead, Wang challenges aspiring pros to harness a “try harder mindset,” the baseline philosophy behind the courses at Offensive Security.
Because the real world doesn’t come with an answer book, this method trains you to experiment with different techniques and try new approaches. The goal, Wang says, is to get you comfortable with problem-solving. "In the beginning, you may not know,” Wang explains. “Go in with a hypothesis. If you disprove your hypothesis, then come up with another one.”
As you work through new scenarios, you will run into roadblocks. However, these moments of uncertainty shouldn’t be viewed as a failure — they should be used to learn and grow. “You have to know not everything you do will deliver instant gratification,” Wang explains. “You have to be able to say, ‘OK, I tried that. It didn’t work. What did I learn? Let me step back and let me see what else I can try.’”
Instead of stalling at perceived dead ends, you should also practice giving yourself space. "When you get stuck, take a break. Move away from the screen,” Wang advises. “By doing that, things can come to your mind in a very organic way, giving you a really good hint, idea or direction you haven’t thought about."
By training yourself that giving up is not an option, you’ll prove to employers (and yourself) that you can handle any challenge thrown your way.
Phishing simulations & training
Prove your proficiency with OSCP
Certifications won’t make up for lack of work experience, but they can help you prepare for on-the-job scenarios. After all, certs show that you’ve got an in-depth understanding of different attacks, practices and procedures. That’s why Wang encourages both attackers and defenders to become an Offensive Security Certified Professional (OSCP).
Created to help pentesters put theory into practice, this comprehensive course uses real-life exploits, systems and networks to help you learn the latest ethical hacking tools and techniques.
While the course load is rigorous, completing your OSCP shows employers two key things:
- You have the skillset to solve problems and successfully defend systems
- You have the persistence and determination to succeed in the role
To learn more about OSCP, listen to Becoming an ethical hacker with Offensive Security CEO Ning Wang, a Cyber Work Podcast.
In this Series
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization