Hello! My name is Mike and I am an infosec engineer with 10+ years experience. I’ve worked in GRC, Vulnerability Management, PenTesting & AppSec. I have 17 SANS certs (I have a serious problem) and I’m also an infosec community enthusiast and creator/mod for /c/cybersecurity. AMA!
This is great! I should do one of these
I think that’d be frighteningly popular. You definitely should!
Do it!
Thank you for the AMA.
Do you regularly feel overwhelmed? - Keeping up with the sec news and patch accordingly, firewall/ips and endpoint alarms, logs, meetings, and more. It shouldn’t be the case, but it seems that everything in security is prio 1.
EDIT: and being the party pooper and saying no to everything, bc people do not think about security.
Honestly I don’t get overwhelmed by infosec. Though my personality is to take on more projects than I can chew and that can sort of overwhelm my time - I don’t get emotionally overwhelmed easily though. Some of that I credit to my personality but I also credit how organized I am, it helps me keep track of everything on my plate and daily prioritization. Inbox Zero, using a task manager, having a personal Wiki (i.e. Obsidian/Simplenote) all help with this.
In the early days of my career I heard that sec people were the “no”-sayers in the group. I have learned over time that we don’t need to be. Instead, we become the - “let us find a way to do that securely”-sayers. It’s about creating that we’re-a-team mentality.
Good points and thank you for your input. What kind of TaskManager do you use? Any system, or just simple list?
I mostly use Todoist
Hi Mike.
I am interested in roles that marry the Cloud, Networking and Cybersecurity together. What would such a role look like? Is there a demand for something like this? I’m not a programmer, and don’t think I’ll be a good fit for application/operating system security. But Networking security is easier for me to jump into, and I hear that roles in this industry are fairly well paid?
I’m looking to progress my career in a path related to the Cloud, and wanted to explore cybersecurity rather than just going for the Cloud architect role (or maybe they are somewhat connected the higher up you go? I’m so confused).
Thanks for your time. I’m very interested in some of the SANS courses you mentioned, I’ll take a look. Thanks!
I think this describes a lot of enterprise cloud security architect roles. I think there is enough delineation between cloud security folks who focus on infrastructure versus those who are more focused on the app/product side. I’d go take a look at the cloud certs from AWS/Azure and see if there is one that looks fun to you. Those certs are typically mapped to common job roles.
Thank you saved your comment! I’ll go take a look :)
Maybe also have a look at devsecops?
Thanks, it’s just that I’ve heard that a lot of roles related to DevOps involve programming + LeetCode grind which looks to be beyond me. But I’ll check thanks
I’m new to the field (I’ll start masters in Sept). What all topics should I focus on to improve my resume? My previous exposure to the field is 1 ctf competition that’s all.
Having a CTF on your resume and being able to speak to that experience is great imo. Early-career is always a bit difficult for resumes since you wanna beef it up but you don’t want to fill it with things that don’t matter. CTFs, trainings, content you’ve created (blog, podcast, write-ups, GitHub), etc… are all great things to put on there imo. If you have any coding projects or cloud experience (easy enough to get) you can put that on there too. Will you be looking to get a job while pursuing your masters?
I’ll go for something like a TA maybe. I have some job experience already (sde, not cybersec) so idk if it counts.
things that don’t matter
Can you give some examples so that I can avoid that
Mostly non-tech experience. This is subjective and will vary hiring team to hiring team but in this field I have always glossed over any non-tech things on a resume. There’s so much opportunity for people to learn and get involved with IT/security that there’s no excuse to not just focus on those competencies on the resume. Just my opinion.
Okay. So my experience as a software developer while not the main thing being judged will still be relevant?
Absolutely still relevant!
Thanks a lot! Also any certifications I should start doing rn?
Kinda depends what you want to get into. If you’ve let to land your first security job maybe something like Sec+ to help get your foot in the door. If you know what discipline you want to get into (appsec, endpoint-sec, etc…) this could help further filter down what cert/training might be best to shoot for. Do you know what you think you want to do?
Hi Mike, I recently started working as programming intern for a company doing webapps. I’ve worked part-time gigs in a completely different field before, that means I got no certs, no job experience in IT to speak of, I’m not the young guy fresh out of school anymore. However, my interests have always been to break into cybersecurity and have slowly added some relevant knowledge as bare minimum… linux bash scripting, selfhosting, networking and etc. I’ve been checking out the certs usually recommended plus all the specializations out there and gotta say this is no easy commitment, but I do want to learn.
The thing is, what I’m currently seeing as intern is very different from what people in this field usually speak of online: For example, I was expecting the latest tools and whistles, but the company I’m at uses very old (10 years) frameworks for maintenance and support for corporate clients, windows only, proprietary stuff with very little documentation online. It gets… demotivating? It’s still a job and I have bills to pay, but I’m wondering how many years of experience do I need as a regular web developer (if my contract is renewed, even) to even attempt branching into infosec?
I know this gets asked a lot. Sorry for the long text. TL;DR: just started as intern programmer, company works with ancient dinosaurs instead of latest stuff, years of experience needed to become hackerman (or jumping from first one to others shown here)?
I don’t think there’s some minimum XP (in terms of YoE) bar to hit. You just need to be able to demonstrate your practical XP in some manner. Some people get this through work in IT/cyber, others through academics and others still through personal projects and doing things at home. There is a TON of self-teaching options these days through online trainings, CTFs, cons, meet-ups, etc… And lots of ways to document and market your experience and know-how (blogs, social media, podcast, etc…). Personally, I suggest learning a bit of coding, some cloud XP, start a small blog or post about what you’re learning on a micro-blogging platform and network network network.
As for your current place of employment, having a VERY legacy environment can actually be somewhat good for security as it may be “easier” in some respects to find misconfigurations and Vulns. Does your company have any security resources? If not, try to volunteer to help in that area, if they do, introduce yourself and ask to shadow/help/learn from them.
I see. I will have to document my progress and remind myself the company isn’t actually financing this. I should start by creating a blog.
Haven’t personally talked to the IT dep yet - I am in a small dev team for internal webapps and the last time we contacted them was because of printer problems, hah. Will try contacting them once I feel ready.
Thank you for the insights. Sorry I took too long to respond.
If anything that’s a great learning environment. Offensive security is a lot of reverse engineering, figuring out how stuff works based off (extremely) limited information and understanding how best to attack it.
Moreover, as these are old systems, they’re more likely to be outdated and vulnerable - not that you should try without permission or a clear understanding of what you are doing, particularly on production gear.
At any rate, no company will pay you to learn a completely different job to the one they hired you for. So you’re going to have to spend some of your own time learning about security. Where to start has been repeated ad nauseam online so I won’t attempt it.
Sorry for the late answer.
I haven’t thought of it that way - if I can convince my boss to test my skills on the legacy systems the company is running, it could be beneficial for both… assuming I get permission and enough actual skills to assess vulnerabilities.
Thank you for the perspective. I agree that intro posts are repeated ad nauseam, I will find my own way.
Hey there Mike. Thanks for doing this. With AI/ML changing the face of infosec, what do you predict infosec will look like in 5 years?
Also as a fellow SANS enjoyer, it’s great training. What are your top 5 SANS courses and why is GREM number 1?
Good Q, I’m no AI/ML expert by any means but I do think it’s effects on the infosec industry will be muted to some extent, at-least in the 5 year time scale. I can see companies toying with the idea of AI-based capabilities replacing junior staff but from what I’ve seen from these tools thus far I don’t think it would be particularly efficient to do so. Instead, I see AI being a force-multiplier / filling in existing gaps in the security workforce. Beyond 5 years who knows. The tech could progress to a point where it truly is capable of replacing human operators, even for cyber roles. The beauty of infosec though (as opposed to other tech disciplines like software engineering) is that too often we are thinking of ways to circumvent human thinking, and for AI models that were trained on how humans have traditionally thought, they are innately poor at this.
Top 5 SANS courses oh man… I’ll give it a shot.
- SEC503 / GCIA (Intrusion Detection)
- FOR610 / GREM (Reverse Engineering)
- SEC564 (Red Team Ops)
- SEC460 / GEVA (T&VM)
- SEC450 / GSOC (Sec Ops)
I think 503 is the most valuable SANS course and I had a great instructor during my run. GREM was super technical and really fun. Not something I get to do with my day job. SANS Red Team course was really cool to learn the distinction between Red Teaming and Pen Testing, though it was only a 2-day course at the time. Both 460/450 were actually really amazing curriculums both with top notch instructors/course authors. Can’t recommend them enough despite the fact they are 400 level courses.
Did you pay for all those SANS certs yourself, or company foot the bill?
What’s been most memorable incident or PenTest finding?
I’d be either very broke or have to be very rich to have paid for all of those haha. Fortunately, I worked for a company that had a very generous training allotment. I’ve also managed to take quite a few entirely free by being part of their vTA (virtual TA) community, whereby I help instructors throughout the week of the course with student questions, lab setup, etc…
I can’t go into too much detail on vulns specifically but I’ve found a number of high impact vulns in public-facing websites for companies I have worked for as well as one vuln in a popular proxy appliance that I should have submitted a CVE for but never did at the time.
We may have crossed paths if you TA for SANS… Pretty sure I know some other details for that proxy appliance vuln, or maybe it’s just a real common vector.
Hey Mike, I am currently an SRE (total 3 years of experience), how easy/difficult will it be for me to pivot into cybersecurity?
I guess it depends what skills/experience you’ve picked up in your time as an SRE. I suspect you have some really transferrable skills though and really just need to get some foundational knowledge for infosec. Sec+ is a good place to start, and if you couple that with some coding, cloud and OS-knowledge, I think you’d be a really appealing candidate for a lot of teams.
Thanks Mike! Appreciate your input!
Hi Mike, I’m a big fan of your blog and know you’re a SCA (SANS Cert Addict) haha. Thanks for doing this AMA!
For someone who’s been on the offensive security side of the house for a few years and now getting into more Application Security Engineer focused roles, what would be some recommendations in terms of a skills roadmap? (certs/study/training etc.). Thanks!
Roadmaps are such a double-edged sword imo. I’m as guilty of trying to come up with roadmaps as anyone but have often round it get’s me too focused on future activities when I really need to focus on the task at hand. It’s of course important to have a destination in mind, and often that destination involves having multiple steps to get there (hence the roadmap), but you have to be cautious in biting off more than you can chew (as I have done a lot).
AppSec is, imo, the most interesting security discipline to be in right now. It’s sort of all-encompassing and exposes you to a lot of things, coding, cloud, devops, modern frameworks, etc… Given your proximity to devs, learning as much as you can about coding is/will always be super valuable. Plus, if you can code you can automate which is a skill many in infosec don’t have which can set you apart. There’s so many specific directions to go in in terms of languages to learn, frameworks to master or sub-disciplines to focus on that it’s hard to recommend any specific next step or path though. With coding chops, you have a lot of translatable and easily applicable skills for any job though.
Where do your interests lie? Building, breaking or defending?
Thank you! Yeah, I see myself in that deathtrap of trying to build out roadmaps and taking on way too many things a little too often haha. I definitely agree with you that AppSec is one of the most interesting security disciplines out there atm.
Given my background, I tend to gravitate towards breaking and a fair bit of defending but I’m fairly green when it comes to building. That said, I’m trying to improve my dev skills to be able to understand a developers mindset and be able to design and build an AppSec program from that PoV. On the same note, I’ve been looking into the CSSLP cert as a reference to help me along this journey, any thoughts on the cert or the material?
Appreciate the response and I look forward to your new content.
Haven’t taken the CSSLP nor have I seen it asked for very much on job reqs. It wouldn’t hurt to have but ISC^2 doesn’t exactly have the reputation for practical learning.
How do you get your work to pay for certs? 17 certs would be like 100k for me. And I don’t mean salary.
My old work place had a relatively progressive training policy and a decently healthy budget. The real beauty of it was that the budget was a departmental pool. The IT department did NOT take a lot of training so those few of us who did want to take advantage of it had access to a huge pool of money. Think, 10 people accessing money meant for 100 people kinda thing…