If I were creating an FAQ list of the most commonly asked questions from people trying to get into the field of cybersecurity, many of the questions would be about how to get started and how people who are now working in cybersecurity got started.
I spent a few years where I had a side gig as an SME / learning facilitator on an MIT course for adult students trying to switch into a career in cybersecurity, and I got asked often about how I got into this field. So here’s what my path looks like:
The biggest stepping stones on the way
A job that bored me to tears that I wanted to escape from
A whole lot of luck
Foundational knowledge of IT and networks
Working with great people
Personal knowledge bases (KBs) and note taking
The job that I needed to escape from
I was living in London and working as an account manager for a corporate design company. It wasn’t just boredom that led me away from it; I was also a terrible account manager. I didn’t have enough confidence for that role at the time and I also didn’t believe in what I was selling, and that’s fatal. I soon found that when I was up at 3am reading or trying to learn about a topic, that topic was computers and the operating system and applications that ran on them. Sometimes that ended up being all-nighters trying to get my PC to be able to recover from a crash, boot up successfully, and run the application that had crashed it and that I really needed to use.
The first big stroke of good luck
Right around the time that my boredom with a job I sucked at and my late nights monkeying around with my PC were both trending way up, I learned that a local company was looking to hire 70 tech support engineers and the job ad mentioned that even those with no experience - just “Computer enthusiasts” - were welcome to apply. They ran a tech support call center and had a roster of big name clients - a PC manufacturer called AST, an early word processing application (Wordstar), an Apple database product, and others.
The team they were hiring for was going to support Microsoft Windows and Office. Here’s how long ago that was - the Windows operating system that that team would be supporting was Windows 95, starting on its launch day. Microsoft paid to be able to use “Start Me Up” by the Rolling Stones in TV ads for it.
I was one of the 70 people who got hired to form that team. There were a few people on it who came in with Computer Science degrees and/or some prior tech support experience, but I think there were more of us who were in the “just computer enthusiasts” group.
My next even bigger stroke of luck was that I was one of just three or four of us out of the 70 who were chosen to go spend a month training with the Microsoft team at their European Support HQ a little ways outside of London. I shadowed a wonderful woman who ran the Microsoft Word support team and a very cool laid-back gentleman who was a lead on the Windows 95 team. I learned a ton of valuable technical things during that month, but I also learned an invaluable non-technical principle that has served me well ever since. That was simply that when you set an expectation, you have to meet it. On our team this meant, for example, if you couldn’t figure out a caller’s problem with a corrupt Word document on the initial call and promised them a call back within three hours, you always called back within the promised time frame - even if you still didn’t have a solution and were just providing an update. It’s a simple thing, but it still makes a world of difference in my current job role.
Anyone who has worked in tech support or IT will have lots of funny stories about the craziest calls, callers, and problems they had to do their best to deal with. I definitely have a whole bunch of those, but I’ll share just one here that still makes me laugh when I think about it:
I had a caller ask me if Excel could communicate with the radio tower on the roof of the building he worked in. My gut feeling was ‘no way’ but I was still a full-on rookie and I was scared that if I told the customer no and it turned out to be wrong, I’d get fired. I was very stressed. So I asked the customer to wait on hold for a few minutes and I hurried down to our break room, which luckily was full of veterans from other support teams. I told them what the caller had asked and my new hero, a gent called Clive, told me this:
Here’s what you need to ask him: how many moons does his planet have and is the atmosphere breathable?
And my stress vanished and I let the caller know the answer.
My second job in IT was a step up to onsite tech support at Hilton International’s headquarters - which owned all the Hilton hotels outside the US and the US Virgin Islands. We had several hundred users to support in the building and also provided many/most critical services to around 220 hotels around the world out of our comms/server rooms. During my time at Hilton I moved up to be a network sys admin. This was back when Novell Netware was by far and away the dominant network software - and while I was in that role we worked on a massive upgrade to NDS (Netware Directory Services) and I also worked a little with the earliest (terrible) versions of Windows NT Server.
After my years in London I came back to the US and worked for a few years with Unisys. Initially on another tech support team, and then on the network team that supported the TSA and Department of Homeland Security when they were first created. Next up was several years in two jobs in IT Services and Managed services, serving small and medium business clients. Those were lots of fun, and sometimes massively stressful, because you would “wear all the hats” in those jobs. At one client visit you had to deal with a multi-function printer that had everything working except the fax function (at a time where your first thought was “why on earth does anyone need to send or receive a fax?”), and the next visit might have you acting much more as a consultant to the business owner or CEO on potential server / workstation / network upgrades.
I made some of my own luck during the course of those years as well. I devoted a lot of time and effort to obtain Microsoft’s MCSE: Security certification - which was 6 quite tough exams on Microsoft Windows networks and the Security+ exam to add the security specialization. I also spent most of a tax return one year to take a bootcamp course and obtain the CEH (Certified Ethical Hacker) certification.
The CEH cemented me as the default ‘security guy’ at the IT and managed services companies I worked at. Which meant I started doing security assessments for many of our clients. Advising them on quick, easy ways to make their companies far more secure against data loss and disruption to their businesses caused by malware / viruses, and on some basic network security hardware - firewalls primarily.
In 2016 I got my first job with Information Security in my job title, at PayPal. I was ecstatic when I landed that job and I can honestly say I still absolutely enjoy working in cybersecurity.
As for the two other stepping stones, I am enormously thankful that I’ve worked with so many talented, knowledgeable, generous people over the years in IT and cyber. So many good people as human beings. I consider many of those people mentors and many others are good friends. And that’s still just as true and real today as it was in my first tech job.
The last stepping stone is one I made for myself. It’s in the ‘always be learning’ sort of area. Right from the start on that team supporting Microsoft, I decided I did not want to be a person who asked the same question twice. I had a table in Word that I added to every day - that listed product (Windows or Word, Excel etc), the issue, the solution, and notes on the problem/solution. My own personal knowledge base. At Hilton I learned just enough about Lotus Notes to create a knowledge base using it as the database. Since then it’s been all about capturing and keeping that data in notes apps - on mobile devices that were standalone for some years and now on my phones that sync to web apps or a local end-to-end encrypted vault.
A couple years ago I learned that there’s a fancy acronym for what I’ve been doing for all these years - PKM - and I’m on board with the idea that in our work lives and lives in general, our knowledge is one of our greatest assets as human beings.
That’s my story. I hope that might be helpful for any of you who come across it and are looking to find a way into a career in cybersecurity.
MCSE 🔥 I bet you have some stories! I remember configuring Check Point and PIX firewalls back in my Netware days. The first firewall I worked with might predate you - it was the Linux firewall toolkit or FWTK.