Hello! My name is Mike and I am an infosec engineer with 10+ years experience. I’ve worked in GRC, Vulnerability Management, PenTesting & AppSec. I have 17 SANS certs (I have a serious problem) and I’m also an infosec community enthusiast and creator/mod for /c/cybersecurity. AMA!

3 points

I’m new to the field (I’ll start masters in Sept). What all topics should I focus on to improve my resume? My previous exposure to the field is 1 ctf competition that’s all.

4 points

Having a CTF on your resume and being able to speak to that experience is great imo. Early-career is always a bit difficult for resumes since you wanna beef it up but you don’t want to fill it with things that don’t matter. CTFs, trainings, content you’ve created (blog, podcast, write-ups, GitHub), etc… are all great things to put on there imo. If you have any coding projects or cloud experience (easy enough to get) you can put that on there too. Will you be looking to get a job while pursuing your masters?

2 points

I’ll go for something like a TA maybe. I have some job experience already (sde, not cybersec) so idk if it counts.

> things that don’t matter

Can you give some examples so that I can avoid that

3 points

Mostly non-tech experience. This is subjective and will vary hiring team to hiring team but in this field I have always glossed over any non-tech things on a resume. There’s so much opportunity for people to learn and get involved with IT/security that there’s no excuse to not just focus on those competencies on the resume. Just my opinion.

2 points

Hey there Mike. Thanks for doing this. With AI/ML changing the face of infosec, what do you predict infosec will look like in 5 years?

Also as a fellow SANS enjoyer, it’s great training. What are your top 5 SANS courses and why is GREM number 1?

5 points

Good Q, I’m no AI/ML expert by any means but I do think its effects on the infosec industry will be muted to some extent, at least in the 5 year time scale. I can see companies toying with the idea of AI-based capabilities replacing junior staff but from what I’ve seen from these tools thus far I don’t think it would be particularly efficient to do so. Instead, I see AI being a force-multiplier / filling in existing gaps in the security workforce. Beyond 5 years who knows. The tech could progress to a point where it truly is capable of replacing human operators, even for cyber roles. The beauty of infosec though (as opposed to other tech disciplines like software engineering) is that too often we are thinking of ways to circumvent human thinking, and for AI models that were trained on how humans have traditionally thought, they are innately poor at this.

Top 5 SANS courses oh man… I’ll give it a shot.

  1. SEC503 / GCIA (Intrusion Detection)
  2. FOR610 / GREM (Reverse Engineering)
  3. SEC564 (Red Team Ops)
  4. SEC460 / GEVA (T&VM)
  5. SEC450 / GSOC (Sec Ops)

I think 503 is the most valuable SANS course and I had a great instructor during my run. GREM was super technical and really fun. Not something I get to do with my day job. SANS Red Team course was really cool to learn the distinction between Red Teaming and Pen Testing, though it was only a 2-day course at the time. Both 460/450 were actually really amazing curriculums both with top notch instructors/course authors. Can’t recommend them enough despite the fact they are 400 level courses.

2 points

Did you pay for all those SANS certs yourself, or company foot the bill?

What’s been the most memorable incident or PenTest finding?

4 points

I’d be either very broke or have to be very rich to have paid for all of those haha. Fortunately, I worked for a company that had a very generous training allotment. I’ve also managed to take quite a few entirely free by being part of their vTA (virtual TA) community, whereby I help instructors throughout the week of the course with student questions, lab setup, etc…

I can’t go into too much detail on vulns specifically but I’ve found a number of high impact vulns in public-facing websites for companies I have worked for as well as one vuln in a popular proxy appliance that I should have submitted a CVE for but never did at the time.

2 points

We may have crossed paths if you TA for SANS… Pretty sure I know some other details for that proxy appliance vuln, or maybe it’s just a real common vector.

1 point

Hi Mike, I’m a big fan of your blog and know you’re a SCA (SANS Cert Addict) haha. Thanks for doing this AMA!

For someone who’s been on the offensive security side of the house for a few years and now getting into more Application Security Engineer focused roles, what would be some recommendations in terms of a skills roadmap? (certs/study/training etc.). Thanks!

2 points

Roadmaps are such a double-edged sword imo. I’m as guilty of trying to come up with roadmaps as anyone but have often found it gets me too focused on future activities when I really need to focus on the task at hand. It’s of course important to have a destination in mind, and often that destination involves having multiple steps to get there (hence the roadmap), but you have to be cautious in biting off more than you can chew (as I have done a lot).

AppSec is, imo, the most interesting security discipline to be in right now. It’s sort of all-encompassing and exposes you to a lot of things, coding, cloud, devops, modern frameworks, etc… Given your proximity to devs, learning as much as you can about coding is/will always be super valuable. Plus, if you can code you can automate which is a skill many in infosec don’t have which can set you apart. There’s so many specific directions to go in in terms of languages to learn, frameworks to master or sub-disciplines to focus on that it’s hard to recommend any specific next step or path though. With coding chops, you have a lot of translatable and easily applicable skills for any job though.

Where do your interests lie? Building, breaking or defending?

1 point

Thank you! Yeah, I see myself in that deathtrap of trying to build out roadmaps and taking on way too many things a little too often haha. I definitely agree with you that AppSec is one of the most interesting security disciplines out there atm.

Given my background, I tend to gravitate towards breaking and a fair bit of defending but I’m fairly green when it comes to building. That said, I’m trying to improve my dev skills to be able to understand a developer’s mindset and be able to design and build an AppSec program from that PoV. On the same note, I’ve been looking into the CSSLP cert as a reference to help me along this journey, any thoughts on the cert or the material?

Appreciate the response and I look forward to your new content.

2 points

Haven’t taken the CSSLP nor have I seen it asked for very much on job reqs. It wouldn’t hurt to have but ISC^2 doesn’t exactly have the reputation for practical learning.

1 point

Hey Mike, I am currently an SRE (total 3 years of experience), how easy/difficult will it be for me to pivot into cybersecurity?

2 points

I guess it depends what skills/experience you’ve picked up in your time as an SRE. I suspect you have some really transferrable skills though and really just need to get some foundational knowledge for infosec. Sec+ is a good place to start, and if you couple that with some coding, cloud and OS-knowledge, I think you’d be a really appealing candidate for a lot of teams.

2 points

Thanks Mike! Appreciate your input!
