What it is Really Like to Work in Cyber Security: Q&A With Matt Twells

We could tell you that working in Cyber Security is amazing, rewarding and a great career choice, but these are just words. All the right words because it is, but still just words. So instead of us telling you what it’s like, we decided to ask someone. That someone was Matt Twells.

Matt is a Senior Technical Consultant at CYSIAM and has proven himself in the military, the government and the private sector. He has worked on a range of projects, from secure infrastructure to large-scale remediation and software rollouts. And on top of all this he also wrote the well-received Cybersecurity Field Manual, which you should definitely go and check out.

We sat down with Matt and asked him a few questions on starting a career in Cyber Security and what it takes…

Q: What made you want to start a career in Cyber Security?

Honestly, my introduction to the field came from my best friend Tom whilst I was in the Army. I was doing more general IT / operations-style work and was getting kind of bored of it. It didn’t really seem like the kind of work I wanted to be doing long term but didn’t know enough about the wider industry to know what else was out there.

He pointed me towards CompTIA Network+ to start off with, and I flew through it. Then it was Security+ and I really flew through that, and honestly, I credit him with helping me build the confidence to think that this field was something that I could actually do for a living one day. Cue about 6 other certifications I did off my own back and a whole lot of graft and here I am!

Q: Did you have any big eye-openers coming into the industry?

Yeah, I feel like there’s a big gap between people who have worked in any other industry before, and especially those that have worked in service sectors and have moved into this industry compared with people that are doing cyber security as their first job.

There is just a world of customer interaction practice, general business awareness, and little things – like when in your career you feel you can start picking your shots or how to deal with people who maybe aren’t as technical as you.
I always joke that the kids who spent their teens screaming at people over headsets on Call of Duty are all now in cyber security doing pentesting – which explains some of the phone calls I’ve heard so far, aha!

Q: What have been some of the biggest challenges for you and how have you overcome them?

Honestly, it’s been the HR barrier. Getting out of that experience > job loop to get my first job in the industry was the WORST. You realise very quickly that most job specs are just unicorn shopping lists and don’t bear much of a resemblance to the real people out there looking for work.

The rejections come thick and fast, and even the thickest skins will get a battering. You need to have some mental fortitude to get through it, and a little creativity. Sometimes considering strategic or lateral job moves (maybe doing helpdesk work to build IT experience and business awareness before moving to security work) can help you break that loop and get your first security job.

Q: What would you say are some of the key skills you must have coming into the industry?

Maybe I’m just old fashioned, but I always half-joke that I don’t really trust anyone who’s never worked in food service or hospitality before. Working a job where you directly serve others and learn how to deal with unfriendly/aggressive customers is massively advantageous, and you can instantly tell in the industry who has and who hasn’t done it.

I’d say as well that any kind of IT experience will pay huge dividends down the line too. Helpdesk/desktop support work is great building block experience for getting general awareness of how IT works in a commercial context, building your fault-finding and problem-solving process and generally just learning how businesses work/how to progress within the IT industry.

After that, everyone knows the rest – build a mix of certs and practical experience via bug bounty/HTB/TryHackMe and you’ll be in a good place to get an entry-level tester or analyst role.

You’re likely able to just cut the line and jump straight in out of university but getting in and being any good are two wildly different things.
This advice will get you closer to the second.

Q: Are there any certifications that you think can really help secure a job? Or are you more of a believer in mindset & the softer skills?

It’s a false binary.

You need both, both are equally important. Super-techy people that can’t talk to customers/consult properly and super-smooth talkers that don’t know jack about IT are both about as useful as an ashtray on a Harley-Davidson.

If you have no IT experience whatsoever and want to make a switch to this industry, then buckle up and get ready to put your time in. I’ve yet to see a better set of introductory qualifications in IT than CompTIA’s Network+ or Security+, and by the time you have both certifications, some aspect of the work will have jumped out at you as being pretty interesting.

After that, it starts getting job specific. You want to go blue and defensive, you can’t go wrong with Security Blue Team Level 1 (BTL1) or CompTIA Cybersecurity Analyst+ (CySA+).

You want to be a security consultant/pentester, go for CREST CPSA/CRT (CREST Practitioner Security Analyst / Registered Penetration Tester) or Offensive Security’s OSCP (Offensive Security Certified Professional).

You’ll want CISMP and probably your ISO27k Lead Implementer and Auditor to go do IT auditing work. Work back from a job spec and note down the ones that appear a lot.

However, if I have to stamp this on people’s foreheads to get people to understand it, I’ll get one made. But all the book learning in the world is useless if you can’t apply it, adapt to changing pressures and things not looking exactly as the book/course told you, or deal with customers who aren’t technical.

I will repeat. Work on hard AND soft skills, they are equal sides of the same coin – not a necessary evil to be tolerated. Work on your sales skills, your writing/spoken communication skills and negotiation tactics as well as your hard skills and you’ll do far better.

Q: What advice would you give to someone looking for their first job in Cyber Security?

Buckle up and get patient. You’re basically trying to become a pilot after Top Gun came out. Every man, woman and dog wants to work in cyber security so the competition has never been fiercer.

If you’re just scraping the line, remember the hiring manager will have 200 people applying that have been building coding projects in their spare time and have been sharpening their development skillset as well – applying for the SAME job. The more people that want to do the job, the harder the field gets to compete with.

That’s not an excuse for you to go “oh, I won’t bother then” – it’s to open your eyes that this is an advanced sliver (offensive or defensive security) of a sliver (IT security) of general IT work – you need to know your shit before you’re any use. This will take time, so put your time in and do the work. Don’t complain about the results you didn’t get with the work you didn’t do, there will be someone very happy to vault over you and take that job in your stead.

Also buckle in for a rough HR ride as I’ve explained in previous questions, but more importantly make sure you enjoy the process of learning and don’t just tolerate it. This industry moves by the week, not the year and you will constantly be studying – either for expiring or new certs or because some new tech has come out. If you can’t deal with that, this is the wrong job for you.

Q: Do you have any advice and tips for people interviewing for junior roles?

Junior refers to seniority, not level of skill.

It is virtually impossible to overprepare for an interview so go Sun Tzu on it and know your enemy. Do your research like you’re planning a hostile takeover and learn about their business in general. Are they doing well, are they growing?

Based on job adverts, what kind of tech stack are they using, and can you bring any advice with you on that potentially?

Have you gotten in touch with anyone at that company to gather intelligence before the interview – I’d highly recommend it and a considerate, concise message with a few specific questions on it will get a positive response.

Nervousness before interviews is due to lack of proper prior preparation – so combat that. Trust me, if you’re qualified and know your stuff AND come in with this level of preparation it will send a very clear message that you’re not here to screw around. It is also okay to be a little nervous, it’s a good sign you’re invested.

Lastly – bring some questions that will illustrate any red flags for a company for you. Interview your interviewer as it’s a two-way process! Have good, thoughtful questions prepared!

Q: How do you see the market growing over the next few years?

I see on-premises security starting to die off as a proportion of security work and cloud-based solutions becoming the norm for infrastructure work for security professionals. If you haven’t already, jump on the cloud train now.

I also see a lot of base-level security assessment work being automated potentially in years to come, so it’s not going to be good enough to just coast as a basic pentester or analyst – you’ll end up needing multiple strings to your career bow to stay competitive/relevant. This shouldn’t be scary, it’s just a good thing to do anyway.

I think remote work is here to stay and testing remote connectivity and remote working security will be a solid generator of security work for some time to come. But overall, cyber security has weathered the pandemic well, and will continue to grow at pace over the next few years before starting to plateau.