We’re into the third week of National Cybersecurity Awareness Month (NCSAM). In the last two weeks, we have covered How to Manage Your Digital Shadow and Lesser Known Phishing Tactics. Changing the tempo a bit this week, Chris and Xue bring to the fore their experiences working in the cybersecurity industry. Both come from a public service background (Chris was an intelligence analyst in the British Military and Xue held the terrorism portfolio with a government ministry in Singapore). They’ll share their rollercoaster of a journey and give you a look at what it takes to be a cyber threat intelligence practitioner and what it means to work at Digital Shadows.
Taking the plunge
Perhaps the question we get asked most often is: why cyber-security? Here, we try to explain the factors – both push and pull – that made us venture into the industry.
Chris: My background was originally as an intelligence analyst in the British military. While I could have continued my career down that path, I always felt that there would be a point where I’d want to make a change and move into a job within the public or private sectors. The notice period in the UK military is notoriously quite long (12 months), and as a result I had a considerable period to prepare myself for the big change I would be embarking upon. Until that point, a huge amount of my life had been managed on my behalf; accommodation, food, paying utility bills and council tax! Those little things sound insignificant but I was under no illusion that my life would be significantly different from that point forward.
In terms of my choice to move into cybersecurity, I had known a few people who’d made the switch into the industry and been successful. Leading up to and during my notice period I conducted a Bachelor’s Degree in Intelligence and Security, which featured heavily with several topics in cybersecurity, like penetration testing, network security, and digital forensics. This gave me a really good starting point and base knowledge of a number of different disciplines. I’m working in cyber threat intelligence at present, but there’s no reason in the future I couldn’t move into working in vulnerability, incident management, risk, or several other areas. This diversity of roles was one of the big appeals in pursuing a career in cybersecurity.
The industry is also notoriously understaffed, and if you show initiative and dedication, there’s a great chance to be rewarded for your endeavours and get ahead. The nature of technology also leads to continual change; the cyber threat landscape I first encountered back in 2016 is hugely different to what we’re seeing today. It’s certainly enough to keep you busy and on your toes!
Xue: Like Chris, I also had my roots in the public service, but in Singapore. Having done summer internships and also part-time stints at local cafes serving up sandwiches to a tough lunch crowd (read: hangry faces), straight from the start a 9-to-5 desk job pushing papers is not my style. Fortunately, with my background in Political Science, I was hired as an intelligence analyst, covering terrorism and the threats it posed to the country and globally. With the evolving threat of terrorism, my role was dynamic and fast-paced. That job was as exciting and fulfilling as it sounds, and I never had a dull day at work.
Alas, as it is with being in any government agency, the bureaucracy will tend to weigh you down. And so, it did for me. As a fresh-faced, wide-eyed twenty-something graduate, I was often caught in the middle between wanting to do more and going through the appropriate but lengthy channels just to bring about new ideas or operating procedures. The public service is also unfortunately not often a conducive environment for bringing about change.
Transiting to the private sector was a natural move. I knew I had to take that energy and channel it somewhere else where my output would be better appreciated. With the skills I had garnered during my time as an intelligence analyst (first covering the threats associated with terrorism and then cyber), I took up a CTI role in the private sector in Singapore. Even though CTI only constitutes one aspect of cyber-security, the ever-changing needs in this industry, and being in the vendor-space, mean that you are always welcome to contribute elsewhere, be it supporting incident response or threat hunting endeavors.
Transferring relevant skills and learning new ones
Hold up! How do you make sure the skills you’ve picked up from your previous roles are still relevant in a new environment? And surely, learning new ones isn’t as arduous as it sounds?
Chris: We all have soft and hard skills we can bring to the table. Hard skills are teachable and measurable, while soft skills are traits that make you a good employee, like communication, discipline and organization. You might not realise it, but those skills absolutely are transferable and can be used in a variety of roles within this industry.
With regards to hard skills, despite what some job advertisements might suggest, you don’t need 20 years of coding experience or three master’s degrees to find a place and prosper within this industry. A lot of skills you can learn on the job, or alternatively in your own time. I highly recommend using services like Immersive Labs or Udemy, with courses available for free or a modest fee.
Xue: A lot of the skills I harnessed during my role as an intelligence analyst are actually very applicable in my CTI roles. In previous roles, investigative skills and language capability came into play. With our lives becoming increasingly digital, a lot of our communications and transactions are now conducted online. It was on online platforms where I looked for the proliferation of radical and extremist content; it is the same today except that I now focus on cyber threat actors. Analytic frameworks I applied when examining terrorist groups and threat scenarios are equally relevant when studying APT groups and their TTPs: more recently, the Photon Research Team used the SWOT analysis to generate hypotheses into whatever is up with AlphaBay 2.0.
I won’t deny that picking up new skills will invariably become more challenging as we become older. Our brains are less nimble and agile. But it doesn’t have to be that way. Even if you may not be consciously aware of this, you learn a lot on the job. Besides, learning new skills doesn’t have to be dull. If the classroom sit-and-absorb setting isn’t for you, there are lots of programs out there that gamify learning. (Psst – we share what we read each month so you can deepen your knowledge and understanding of a topic too!)
Does it matter which company you join?
Turning away from skills and experience, in this section we look at whether company and team culture play a big part when it comes to working in the industry and choosing the right environment.
Chris: I’ve worked for three companies in the private sector now, with my other two previous employers being in telecommunications and financial services. I’ve taken something from all three—and without making the readers reach for the sick bucket—I genuinely do feel very lucky for the position I’ve managed to find myself in. I think choosing the right company is so important and I can’t stress enough how company ethos and culture do contribute towards employee satisfaction. Your first impressions and conversations during your interview process will go a long way in this.
You’re going to be doing everything to paint a favourable picture of yourself, but it also works the other way. What is the attitude towards flexible working where necessary? Will you be able to influence change? Does the company typically promote internally or look externally? These are the types of questions you could look for indications of in the job advertisement or enquire about during the interview process. Be as inquisitive as you can; if you leave this until your first day, it’s too late! Trust your intuition: if something doesn’t feel right, then it’s probably for a reason.
Xue: It absolutely does. Companies often brandish their values and beliefs all over their website, undertaking corporate social responsibility programs to prove they’re at the core a good company. But, do they walk the talk? I won’t deny that in the grand scheme of things, we’re all dispensable and just a cog in the wheel. Ultimately, you gotta ask yourself if this company is worth working for? Do they make you feel valued? Do they at least make you feel like a human being?
Cyber-security is without a doubt an exciting space to be in. But it is also not all rainbows and butterflies. Chris mentioned the lack of manpower and expertise in this industry; this also means that we all work at superhuman levels. The last thing you’ll need is a company that takes your superhuman contribution for granted. With the pandemic, I’ve also found that a flexible working policy does wonders for your productivity and mental health. But, not many employers are advocates of working from home, especially public service organizations. Compared to the public sector, it is a lot easier to cut through needless bureaucracy and red tape. Working in a small but mighty company like Digital Shadows, conversations on a flexible working arrangement are also a lot easier to facilitate. Ultimately, I am fortunately able to work for employers who are open to the idea of me managing my own time, and with colleagues who don’t mind me setting my own schedule.
What about the team you’ll be joining?
Bosses, colleagues, hiring and firing – do these things matter?
Chris: I sat on a panel discussion regarding cyber threats recently, and one of the questions that was posed asked about the biggest problem facing CISOs today. Now, I haven’t achieved those dizzy heights yet, but my answer was hiring and retaining talent. ‘You don’t hire people in this industry, you just rent them for a short period’.
Unfortunately, this appears to be true, and the time in post for individuals within cybersecurity is demonstrably lower than the majority of other jobs. The company culture and keeping your employees happy probably have a huge impact on this, particularly when combined with a talent pool that can often be shallow but with a huge requirement for filling jobs. Work ethic and putting in the hours needed is a given for this industry, but if you don’t treat your employees right and burn them out, they will have their heads turned and go elsewhere.
Xue: Team dynamics is another absolutely important point for me. Toxic workplaces are more common than we think. And having been through one before, the effects of a toxic workplace on me are detrimental on multiple fronts – it has not only impacted the quality of work, it also caused a huge strain on my mental health. In this fast-paced industry, we already have heaps of deadlines and urgent requests to meet. The last thing we need is to worry about workplaces that don’t make us feel like we are contributing or are welcomed. We’re only humans after all – even cybercriminals look for the right talent to fill their ranks.
A word to the ladies out there: pay attention to details such as the gender gap within a team. The cyber-security industry tends to be male-dominated, which at times means we have to work extra hard to be taken seriously or at the same level as our male counterparts. Of course, this is not to say that male-dominated teams are bad and must be avoided at all costs. The converse also holds true: in the previous workplaces I’ve been in that had a proportionate number of male and female colleagues, I’ve been put up to undertake gendered roles, like buying bosses’ lunches and being delegated to administrative tasks. With the gender gap being pretty narrow in the Photon Research Team, this fear is now mitigated!
There is no better time than now
Having ventured into the cybersecurity industry, there is no turning back for Chris and Xue. Besides exciting career trajectories, there is also seldom a sluggish day in their lives: dark web monitoring, generating threat intelligence reports, studying attacker TTPs and being knowledgeable on the MITRE ATT&CK framework are just some of their responsibilities.
Chris and Xue’s contributions as part of the Photon Research Team go towards enhancing intelligence collection and monitoring at Digital Shadows. If you’re curious about what Digital Shadows can do for you, take a seven-day test drive or sign up for a demo.