Break In Cyber Playbook
Mike Miller
English, 57 pages, 2022
Table of Contents
Table of Contents ... 2
Let’s Get Started ... 5
A Career in Cyber ... 7
Follow the Passion, Not the Money ... 7
The Future of Cyber Security ... 8
Gatekeeping ... 8
But Isn’t There a Career Blueprint? ... 8
No Tech Skills? It’s Ok. ... 9
Covid-19 Changed the Game ... 10
The Big 3 ... 10
Offense (Red) ... 10
Defense (Blue Team) ... 12
GRC ... 13
Choosing the Right Security Sector ... 16
Deep Dive or Stay Shallow ... 16
Choose YOUR Path, Not Someone Else’s ... 19
Got your Masters in Cyber Security? Well, You Don’t Need One ... 19
Let’s get Technical ... 22
Offensive Security ... 22
Defensive Security ... 24
How to Learn ... 26
Don’t Go to Jail ... 27
Wish Lists or Job Descriptions? ... 27
Cyber Security Titling Chaos ... 28
FAANG ... 29
Imposter Syndrome ... 31
Just Be You ... 32
Are You Listening? ... 33
What’s your End Goal? ... 34
Jump, Jump ... 35
Last Thoughts ... 37
Time to Get Hired ... 38
A True Story to Set the Stage ... 38
LinkedIn - Where the Cyber Security Community Resides ... 39
Your Personal Brand ... 41
Your LinkedIn Profile ... 42
A Smile is Contagious ... 42
Cover Photo ... 42
Headline ... 43
Creator Mode ... 43
Featured ... 44
About Section ... 44
Experience ... 45
Education ... 46
Skills ... 46
Recommendations ... 47
Summary ... 47
Open the Garage Door ... 48
Connections ... 48
Time to Request ... 49
Ring the Bell ... 50
Engagement Matters. Followers Don’t ... 51
Posting ... 51
Conversation Piece ... 52
Break Out Post ... 53
A Body in Motion Stays in Motion ... 53
Landing Opportunities to Your Inbox ... 53
Metrics ... 54
Insurance Policy ... 55
Create Your Own LinkedIn Story ... 56
Break In Cyber Playbook v1.0 / All rights reserved / Copyright 2022
First, I’d like to thank you for trusting my knowledge to purchase this playbook. There are three reasons why I wrote this book. One, it was written for those who are aspiring to break into cyber security. The second reason is to help those already in cyber security that feel like they are at a dead end in their position. Lastly, I wrote it to show both groups how to gain visibility and show your value within the cyber security industry. The end goal for me is to see you in a position in which you are highly valued and have a supportive professional community.
Let’s Get Started
Since I can remember, I’ve had a passion for building things out of nothing. To dive in a little deeper (pun intended), years back I was a scuba instructor. I started a business teaching scuba and eventually had two successful dive shops. I created my own brand of scuba gear and had dealers throughout the United States filling their stores with my products. I started this entire business with $300 in my pocket and a kiosk at a local mall to sell scuba lessons. Years later I recognized that building things from scratch was my passion and I wanted to do it again, so I sold that business.
Round 2
I started a technology company helping businesses stay secure by consulting with them to identify weaknesses in their technology infrastructure. I spent years growing that business from the ground up. By the time that business was sold, I was servicing clients both locally and globally.
Round 3
In the small town that I lived in, high speed internet was hard to come by. I decided to erect a tower at the top of a few mountains and figure out a wireless technology that would shoot across the air 20 miles and give those communities access to much needed high speed broadband. When that business was sold, entire communities were using my service.
Round 4
I built a news/media company for the surrounding area that I lived in. The goal was to provide up to date news and be “the place to go” when there was an emergency in the area. I built this by creating an online community. Today this online community still thrives with nearly 20,000 members.
What do all of these things really have to do with you leveling up in your career and growing on LinkedIn? Well, over the years I have been involved in many businesses. I have learned a mentality that works in nearly any industry, primarily the tech industry. My name is Mike Miller. I currently work as a vCISO in the cyber security industry. I have been in technology for nearly 25 years. My technology career has always helped me initially “seed” or fund the other businesses that I wanted to build. Specifically in technology, I have grown a passion for cyber security and everything that revolves around it. This industry is like no other. It has more opportunities than you can ever imagine, but at the same time, it offers its unique quirks, which I’ll talk about.
What you will learn in this playbook:
This guide focuses on two topics. First, I will lead you down the path of pursuing a career that is nearly recession proof and has the potential of feeding you for life. From this, I hope you gain knowledge on how to quickly level up your career in this industry, not only by climbing the ladder, but also by leveling up your position and salary. Secondly, my goal is to make sure that you are always in demand. You will be equipped with the knowledge and direction that it takes to ensure that you are always being sought after, giving you the ability to pick and choose between positions in cyber security. This playbook will teach you how to use your LinkedIn account to boost your career like you have never imagined.
A Career in Cyber
Follow the Passion, Not the Money
I can tell you firsthand that you must have a passion for your career. The cyber security industry is a very wide field. There is more knowledge than one person can ever learn, which can be frustrating. Truth is, you will never learn everything there is to know about this field. I am 25 years in and I’m still learning every single day. However, I have a passion for this. Every single day I set out to learn something new. I’m only able to do that because I love what I do. If you are doing something that you enjoy every single day, I don’t consider it work. However, if you are in a career that you don’t enjoy but you are doing it for the money, you will never be happy. You will never succeed. Follow the passion, not the money.
The Future of Cyber Security
The cyber security industry has been one of the fastest growing market segments. Just think about it for a second. Everything you do involves data. When there is data, security is required. Every single industry requires security. Farming, transportation, retail, medical, you name it. Every industry houses data which needs to be secured. Every business that has employees has data that needs to be protected. It goes on and on. In all the time I’ve been in this field, I have never been out of work. This is because this industry is near recession proof. Even when the economy is down, data still needs to be protected. In many cases the cyber security industry has spiked when the economy falls because there are more malicious attempts to steal digital assets. The demand now for security professionals, both entry level and senior level, is higher than it has ever been. The demand keeps growing, which is causing a huge gap in this industry. There are not enough cyber security professionals to fill the job vacancies.
Gatekeeping
One thing that I want you to understand is that nearly everything you read throughout this playbook can and will be contradicted by somebody. You will have people that say you need to do X, Y, and Z to succeed and by not doing all of those you will never succeed. In this industry, we call these kinds of statements gatekeeping. Gatekeeping is a huge issue that still ruins careers and stomps out dreams by presenting unrealistic expectations to get into this field.
But Isn’t There a Career Blueprint?
Blueprints are very clear in other industries. If you want to be an attorney, that requires years of schooling and eventually passing the bar. If you want to be a school teacher, you go to college and come out with a teaching degree. Careers like this have very simple blueprints. The cyber security industry, however, offers no blueprint. In fact, if a blueprint were required, there would be way too many versions. This field is meant for anyone, and I mean anyone, who is passionate about cyber security. Over the years I have worked with hundreds of people that are aspiring to break into the field. Some of these people had previous IT experience while others worked in completely different industries. Others that I have worked with have already been in this field for 10 years but have hit a ceiling and feel stuck. I work with them to reset their strategy so that they don’t get stagnant. There is no prerequisite besides passion.
No Tech Skills? It’s Ok.
One of the biggest questions that I get from people considering a career in cyber security is whether or not they need to be technical. Well, the answer is both yes and no. In the next section I’m going to walk you through three sectors within cyber security. Two of them require technical skills and one of them does not. The good news? Even for the sectors that require technical skills, I will talk about how to strengthen them. If you are passionate about this field and have the drive, there are platforms that will walk you through step by step on gaining technical skills. For those that aren’t so big on being techy, don’t fret. There are plenty of opportunities for non technical people in this field. Want even better news? All three sectors that I’m going to talk about are in extremely high demand. In the end, whether you are technical or non technical, there is a seat for you here in this field.
Covid-19 Changed the Game
Over the last couple years, the Covid-19 pandemic has taught us just how important internet connectivity is. Being isolated and stuck indoors caused us to rely more heavily than ever on our internet connection and online services. Ordering food, shopping, banking, and other activities got us through a very tough period. Post-Covid, we have a different mindset. We still do more things online than we did before. Many of us work from our home offices, but still have access to the same data that we did before. Without proper access to our work, we are not able to perform and get our daily tasks done. Covid produced a huge spike in the cyber security industry. With many people in permanent work from home positions, the need for proper security controls is greater than ever before.
The Big 3
When I mentor, I often talk about the “Big 3”. As I mentioned previously, there are three main sectors in Cyber Security that I’m going to talk about. Each one is different, but complements the others. There are no advantages to any of the three. There is no “wrong” one to choose. No matter which path you choose, you are never stuck. You can pivot in and out of any of them successfully. These are Offense, Defense, and GRC (Governance, Risk, and Compliance).
Offense (Red)
I’ll just say it. Even though there are no advantages to any of the Big 3, most of the buzz falls around Offensive Security. Why? Well, because it’s just pretty cool. Your job is to find vulnerabilities before the bad guys do. This means hacking… but ethically. By now you may have heard of the term ethical hacker. An ethical hacker does exactly this. They hack ethically. Typically an ethical hacker is hired by an organization to perform penetration testing assessments. These assessments are performed by professionals that are hired to “hack” a company’s technology infrastructure to find holes and weaknesses. Their job is then to create a report that contains details of each vulnerability found as well as mitigation tactics that need to be performed by the organization in order to remedy the issue. These reports also include an executive summary that, if presented to stakeholders, can provide a non technical description of how the vulnerabilities may impact the organization. This of course is not the only role within offensive security; however, this is where most of the demand is. The demand is driven by various reasons. These reasons include compliance/regulations that organizations have to meet. They can also be driven by businesses doing business with other businesses (yeah, that sounds weird). To explain, many times companies develop a software product that other companies may have a need for. These companies, before they agree to use the software, often require the software company to have a third party penetration test performed. The reason for the penetration test is to ensure that before the software is used, it has been tested thoroughly for vulnerabilities and is safe to use. The reason for a neutral third party is so that a non-biased penetration test is performed. If the penetration test were performed by the same company who developed the software, there would be potential for a conflict of interest. The demand for penetration testing has only increased over the years.
For many years I worked in offensive security. This was extremely rewarding. I found much joy in being able to find security vulnerabilities and report them to the organizations. To have the positive impact of finding vulnerabilities before the bad guys do and then advising them on how to fix the issues was something that I found very satisfying.
Offensive security requires:
● Good communication
● Research skills
● Understanding of industry standard tools such as
○ Nmap (recon tool)
○ OpenVAS/Nessus/Nexpose (vulnerability scanning tools)
○ Burp (web application testing tool)
○ Metasploit and other exploit tools
● The ability to think like an attacker
● The ability to communicate technical items in a way that an organization can understand
Defense (Blue Team)
Every organization has a demand for defense. A blue-teamer’s job is to take every effort possible to protect the digital assets of an organization. One example of a defensive position is a SOC analyst. A SOC analyst is considered to be the front line of defense for an organization when it comes to cyber security. Normally this position entails closely monitoring ingress and egress network traffic from an organization. Picture someone sitting in a room with big monitors watching graphs, data, and keeping an eye out for threats. Sounds almost as cool as it looks on TV? It is. Attempts are made to breach organizations every single day. A SOC analyst’s job is to defend the organization by detecting anomalies, doing proper threat research, and engaging with the organization’s IT team. To give an example: if an organization sees a huge spike in traffic at 3 A.M. when there should not be activity on the network, this would be something a SOC analyst would investigate. Blue teamers are in demand across the world. With the constant threat of malicious activity, it is imperative to have a defensive team. One of my first jobs in defensive security was working a contract with the FAA (Federal Aviation Administration) to defend its network. As part of my job I communicated with US-CERT (United States Emergency Response Team) to help communicate and resolve security issues.
Blue Team requires:
● Good communication
● Research skills
● Understanding TCP/IP packets
● Understanding of internet and network protocols
● Working knowledge of SIEM tools such as:
○ Splunk
○ AlienVault
○ LogRhythm
● Firm understanding of Wireshark (packet analysis tool)
● Core/Soft skills
GRC
Governance, Risk and Compliance (GRC) is a sector of cyber security that is surging in demand. It is important that every organization has a proper set of policies and procedures to ensure that the business is able to achieve objectives, address uncertainty, and act with integrity. GRC ensures good business practices. GRC has been around for many years, but with the complexity of digital assets and rising risk it is now more prevalent than ever. So what is it… really? Let me give you a quick example. Every business that you make purchases from with your credit card has to have proper security controls in place to protect your card data. Your card data needs protection because, in the wrong hands, your credit card or debit card can be used maliciously. For this reason the major credit card brands (Visa, Mastercard, American Express, and Discover) came together and formed an organization called the PCI Council. This council consisted of some of the world’s best security professionals. Collaboratively, a set of standards was introduced called the PCI-DSS (Payment Card Industry Data Security Standard). This means that any organization that processes more than a certain number of credit card transactions is held to PCI-DSS standards. Today, there are 300 to 400 security controls that these companies have to follow in order to remain compliant and continue processing credit cards. These requirements include items such as the following:
● Antivirus installed
● Firewall protection
● Encryption used if credit cards are stored in databases
● Intrusion Detection mechanisms to detect possible breaches
● Policies and Procedures to govern how the organization handles its CDE (Card Data Environment)
● Proper background checks on employees that have access to the CDE
● Core skills
This is only a very small example of some of the nearly 400 security controls that need to be put in place. Keep in mind PCI compliance is only applicable to companies that are processing credit cards. If a company is not processing credit cards they are not mandated to meet these requirements. However, there are other security frameworks that are in place to set a baseline for organizations to protect their intellectual property, PII (Personally Identifiable Information), client data, and to even protect digital assets from being used inappropriately. If a person is not extremely technical, GRC can be a great pivot into cyber security. One example of a career in GRC is a security auditor. A security auditor learns controls for various frameworks and works with organizations to ensure they are meeting compliance standards. Many companies do not have a full understanding of the security controls that need to be put in place for compliance. A security auditor’s job is to ensure that an organization has a full understanding of required security controls and to identify gaps where certain controls fall short. A security auditor’s job is also to gather evidence that proves proper security controls are in place.
For a successful career in GRC one must:
● Have excellent communication skills
● Be extremely organized
● Be detail oriented
● Gain knowledge of various frameworks (NIST, ISO, HITRUST, PCI, and more)
● Have report writing skills
● Have core/soft skills
Choosing the Right Security Sector
It can be difficult to choose a path from above. The best way to decide on a path is to do your own research. During your research, you will discover the path that intrigues you the most. Like I mentioned before, you have to be passionate about what you are doing. The demand in each sector is abundant. If you are technical or have the drive to become technical, I would lean toward offense or defense. If you are not technically inclined or do not intend to become super technical, GRC is a fantastic route.
Deep Dive or Stay Shallow
You’ve already read some of my story, but how did I land a vCISO role? Let me further explain my journey. When I first got into IT I started in helpdesk. Honestly I knew nothing about computers, but needed a job. I had an opportunity for this position so I took it. I spent my first 6 months reading answers out of a book. I worked for an internet provider in the dial-up internet days. People would subscribe to the company I was working for to gain access to the internet. They would dial up over the phone line, connect, and surf the web. My job entailed helping customers if they were having problems getting their computer online. I would often walk them through step by step on configuring their computer for the internet. Not knowing much, I mainly read answers from a step by step company written book. Over time I slowly started to memorize some of the answers and grew my knowledge. Later within that company I started assuming roles as a systems administrator and network administrator. I became responsible for maintaining the systems and network that allowed users to get online. I certainly never considered myself an expert, but I grew enough that I was able to troubleshoot issues and keep systems online. Later in my career I started consulting with other companies. I was not only teaching them how to set up servers and implement a network within their organization, I was actually helping them build their technology infrastructure. Over time I worked with small, medium, and even enterprise level businesses. Defensive security was the first sector that I worked in cyber security. As mentioned early on, I did intrusion detection. After a few years I rolled to offense. I grew an interest in penetration testing. Security auditing was always something that intrigued me as well, so I decided to get practical experience and learn as much as I could on the PCI framework. Over time, this led me to becoming a PCI-QSA (Qualified Security Assessor) and I traveled to various businesses across the country to help them secure their credit card environments. Over time, I started having companies reach out to me about assuming a vCISO role. Truth is, I really wasn’t sure what a vCISO was. I ignored most of the inquiries when they came in. A few months later I decided to start looking closely at the job descriptions from some of these vCISO roles that were coming to me. They were looking for someone that had a complete understanding of offensive and defensive security. They were looking for someone that had a firm understanding of compliance frameworks and various security controls. They were looking for someone that could assess an organization and understand what its risk was. They needed someone that could break down a technical conversation and put it into a non-technical format so that management and stakeholders could understand. They needed someone to help them completely align their overall security posture and strategy with their business. After I started to look at these, I realized it fit my experience. I took my first contract as a vCISO shortly after ransomware started hitting oil pipeline companies. I was able to successfully fill these roles because I had the knowledge and experience that they needed. I am always the first one to admit that I’m an expert at nothing. However, I know about many different things. Am I the best penetration tester the world’s ever seen? Absolutely not. Was I a world class SOC Analyst? Absolutely not. Are there many security auditors better than me? Absolutely. However, I can have very knowledgeable conversations about nearly any sector in cyber security because I spent time in all of them. So how did I obtain this knowledge? I decided to stay shallow but swim around the entire pond. In this industry you have two choices. You can deep dive into a sector and become the best there is. For example, you can deep dive into penetration testing and become the “go to” for an organization that wants the best penetration test that money can buy. You can be that security auditor that every company dreams of getting because you have the best name in town for auditing. Doing any of these will make you as valuable as you could possibly be. You should never be without work because demand for you will be extremely high. You can deep dive into your sector and explore everything within it. However, I chose another route. I stayed shallow and explored the entire pond. I learned as many aspects of the security industry as I could. I wanted to be someone that could have a conversation with any team about nearly any subject and be able to contribute valuable information. Because of this, I was able to leverage the knowledge gained to successfully fill various vCISO roles.
So do you deep dive or stay shallow? There is no wrong answer. If you want to be one of the best at something, pursue an individual sector and dive as deep as you can. You will become extremely valuable and known in this field for your abilities. If you choose to stay shallow, you will most likely assume upper management roles in cyber security or even vCISO. It is all dependent on your end goal.
Choose YOUR Path, Not Someone Else’s
There is no blueprint for getting into or leveling up in this field. You choose the path that is right for you. What worked for someone else may not work for you. It is all about passion. You will eat, sleep, and breathe Cyber Security if it is your passion. There is an abundance of knowledge. Once you find the knowledge that you want to consume, you will find yourself consuming as much as humanly possible. As long as you are learning and improving your skill set, there is no wrong path. You will find many people telling you how they think you should pursue this career, but only you know what works for you. People learn differently, so you have to choose what is right for you.
Got your Masters in Cyber Security? Well, You Don’t Need One
This is a statement that causes much debate. Many individuals think much differently, not just about having degrees in this field but also about having security certifications. They (gatekeepers) say that you absolutely cannot pursue a career in this field unless you have a degree or certifications. Well I’m here to tell you that they haven’t done their homework and are completely wrong.
Sure, there are always organizations that will absolutely require a certain degree or certification to fill a role. However, demand is high in this field. For every company that has prerequisites, there are even more that don’t. I could write 20 pages about this particular topic, but we’ll save that for another day. In this industry, knowledge is power. Most do not care how you obtained your knowledge. For example, if you are applying for an offensive position, most organizations only care that you have the skills needed. They are not concerned about where you learned them. If you understand penetration testing methodologies, understand the tool sets used, and you have the capability to perform, there is a great chance that you will land the job. I know though, you still want to know about certs, so I’ll talk about them briefly. Here are some highly recognized certifications that you can gain if you really want to add those notches to your belt.
● OSCP (Offensive Security Certified Professional)
○ This is an extremely hard certification to get, but if you are insistent on getting a certification that proves you have the “know how”, this is one to go after. Testing for this certification requires actual hacking during the exam.
● CEH (Certified Ethical Hacker)
○ This is also a highly recognized certification. Although it doesn’t require actual hacking to pass the test, it consists of 125 questions and is a four hour exam.
● CISSP (Certified Information Systems Security Professional)
○ Also a highly recognized certification, this cert requires more than others: cumulative years of experience in the field and knowledge of 8 different “domains”, which cover different areas of security.
● CySA+
○ This is a certification for one who is focusing more on defensive security. It focuses on knowledge for someone who wants to become a security analyst.
● Security+
○ This certification is a basic beginner certification, but definitely shows the willingness to learn and pursue this field.
There are of course many more certifications that you can obtain, but these are just a few to take a look at. If you want a more basic certification, I might suggest that you start with your Security+ certification. This is a basic certification, but a great place to start. As mentioned earlier, there are many companies that do not require certifications to fill a position. Many of these companies even have training budgets to help further develop the skill set of employees. Once hired at a company, especially for an entry level position, you can then “cert-up” if you want to. Most organizations are more than happy to assist financially with more training and certifications. Keep in mind, it normally isn’t certifications that get you the job. It is you that gets you the job. Don’t get caught up in “cert chasing” just to have as many as you can. In the end, it comes down to knowledge, know-how, attitude, drive, and willingness to learn.
I feel the need to point out once more that there certainly ARE companies that will require certifications for the positions they have listed. You will definitely see that in job descriptions while you are browsing. There are companies that DO require them. My point is that there are also many companies that do not. I will also point out that you will overhear people mentioning “auto-filters” that companies use to weed out resumes that don’t have particular certs. Yes, there are some companies that may filter, but I can tell you that it is a very small portion.
Let’s get Technical
Here we are. We’ve talked about three different paths into this field. Two of the three (Offensive security and Defensive security) are very technical. If you are getting into security auditing, you can certainly start without technical knowledge. If you are seeking offensive or defensive security, there are some basic skills / training that you will need.
Offensive Security
Like we talked about earlier in this playbook, offensive security is typically the art of performing penetration tests. A professional ethical hacker is hired to test for vulnerabilities that an organization may have. Basically, they are getting paid to hack and report the vulnerabilities so that the organization can remediate them. Anyone who has a passion for being technical can learn the art of offensive security. Of course you can sign up for college, technical school, or boot camps, but for the purpose of self-studying, I’m going to list tools that you need to have a good understanding of before you should start applying for jobs. The tools that I’m going to talk about are considered industry standard tools in the field of cyber security. These by far are not the only tools you should be learning, but these are considered standard tools that most penetration testers use.
Nmap - This is a recon tool. This tool is free and is used to find open ports and services that are being used on the systems that you are testing. Nmap has been around for a long time and is used by nearly every pentester at one time or another. Over the years Nmap has grown into a very complex tool that will let you learn many things about the systems that you are testing.
Scanners - Normally in a penetration testing engagement, after a recon tool such as Nmap is used, a penetration tester will use a vulnerability scanner. There are a few scanners out there, but two that I’ll mention are Nessus and OpenVAS. Nessus is a commercial product that you have to pay for, but is extremely powerful. If used correctly, it tests all of the active IP addresses in your scope for vulnerabilities. For instance, if an IP address that you are testing is an old server with antiquated network protocols, it will provide you with the details of the vulnerabilities after the scan. A penetration tester can then leverage these vulnerabilities that are listed and then try to exploit them to gain further access. Another scanner that is open source (free) is OpenVAS. OpenVAS is built into Kali, a specially made penetration testing Linux operating system. Most vulnerability scanners work the same way. They communicate with the ports and services on any IP address that is being tested.
Metasploit - This is a framework that allows you to exploit vulnerabilities when they are found. Metasploit is typically used within the Kali Linux operating system. Exploit modules are built into Metasploit that allow you to take advantage of vulnerabilities.
Break In Cyber Playbook v1.0 / All rights reserved / Copyright 2022
23
This is extremely powerful software. This software has the ability to allow you to take complete control of other systems. Burp Suite - This software, made by a company called Portswigger, is used for performing penetration testing against web applications. A company website, an online store, or even an internal corporate website is considered to be a web application. Burp is a very comprehensive piece of software that allows you to not only scan for vulnerabilities within a web application, but to also exploit them as well. Portswigger has done a fantastic job of walkthrough documentation that is posted on their website. This was initially how I learned this software. Kali Linux - I know I’ve already mentioned this a few times, but Kali is a custom built Linux operating system that is designed specifically for penetration testing. Kali can certainly be overwhelming because there are hundreds of penetration testing software packages built in, but what you will realize quickly is that there are many different brands of software built in that serve much of the same purpose. For the most part, you will most likely use 10-15 pieces of software that you will keep coming back to. To this day, I haven’t used every single software package that is built into Kali Linux.
Defensive Security

Organizations face digital threats every single day. It is non-stop. This is why defensive security is in such high demand. Every organization has a need to protect their assets. This is the first sector of security that I started in, early in my career. It is extremely rewarding. Defensive security can be broken into many things, but to start, here are a few things that you will need to learn about.

Phishing - We have all heard of this, but it is the art of tricking a user into clicking something that they shouldn’t, with malicious intent.

Studying recent threats - This is one of the biggest missions of defensive security: continuously researching threats. An important job is to be able to communicate proper mitigation techniques for threats that organizations are facing.

Vulnerability Management - Every organization has vulnerabilities. These can be technical vulnerabilities that can allow an attacker to exploit a network, or even an employee that hasn’t been properly trained on user awareness. Vulnerability management involves working with an organization to properly handle addressing vulnerabilities. This can even start with policies and procedures to get to the root of the problem of why systems are not being patched properly.

Security Monitoring - We have all seen those cool rooms where people are watching multiple screens and looking for suspicious activity. Security monitoring involves actively looking for anomalies (things that aren’t normal). Often a SOC (Security Operations Center) does 24/7 monitoring to help fight against malicious activity. They are the front line defense that responds when an incident is occurring.

Incident Response - When an incident occurs, an organization needs to know how to respond. How an incident is handled is extremely important. A proper playbook needs to be in place at every organization that gives direction on how to handle an incident. Being part of an incident response team is definitely something that is both exciting and rewarding.
How to Learn

As I mentioned earlier in this playbook, there is absolutely no blueprint for getting into the cyber security industry. There is no right path or wrong path. This field is about gaining knowledge. As long as the knowledge you are gaining is relevant to your goal, it does not matter how you gain it. One thing that you will find is that the number of training courses, boot camps, and certifications is endless. You have to make the choice that suits your learning style the best. If you learn better in a classroom environment, there are many technical schools available that offer training in this field. I do have to admit, when I was first starting in my career I really leaned toward boot camps. These can be anywhere from a few weeks of training to several months. Of course these are also offered in a classroom setting as well as online.

Hands-on experience is by far the best way to learn. When I was newer in cyber security I would build three or four computers and load different pieces of software on each so that I could learn. I would build a Kali Linux system and then load a vulnerable operating system to hack, such as Metasploitable. Metasploitable is a purposely vulnerable Linux OS that is built so that you can learn to hack. Loading systems like this, however, requires hardware that can be expensive. As of late, I think the best way to learn is by using a service called TryHackMe. TryHackMe.com at the time of writing has over 1 million subscribers and has become the de facto standard for getting hands-on practical experience. In my opinion, those that have gone through the entire TryHackMe program have an edge because these are very well written courses. TryHackMe can take you from a beginner level to becoming very knowledgeable on either defensive or offensive security. At the time of writing this, you can get started on their website for free. They have some premium benefits that you can subscribe to for a very low monthly cost. If you do the math, it is much easier to use their system than it is to build your own lab at home if you have no hardware. By far, for self-paced learning, TryHackMe is in my opinion your best option to learn. I have watched people change their entire career by using this site.
Don’t Go to Jail

When learning cyber security, it is often tempting to hack (non-maliciously) organizations just to see what their vulnerabilities are. You should NEVER attempt to hack an organization if you do not have written permission to. Penetration testing engagements involve legit documentation and paperwork before the ethical hacking can occur. By hacking an organization, even for fun, you can land yourself in jail pretty quickly. Do not even be tempted. If you insist on hacking, there are some great bug bounty programs that you can sign up for to have the appropriate permission to hack. Many organizations put bug bounty programs in place to allow professionals to ethically hack them and then advise them on the vulnerabilities found and how to remediate them. Unless you have signed up for an official bug bounty program, keep the hacking to the labs. Remember, if it feels like you shouldn’t be doing it, you probably shouldn’t. Always take the high road so that you don’t end up with black vehicles rolling into your driveway.
Wish Lists or Job Descriptions?

I have spoken about this to so many groups of people. It can be frustrating to search for cyber security jobs online only to find that many of them require a certain number of years of experience or even a list of certifications. As soon as you start your search you will find this. My experience has taught me that many of these job descriptions are actually wish lists. Keep in mind that many times when these listings are posted, they are posted by individuals that are not technical. You will find that job descriptions many times are just a cut and paste from other job listings from other companies. If you are new to the field and you run across your dream entry level job, don’t shy away just because it lists 4 years of experience and a Security+ requirement. If you feel that you have the knowledge that is called for in the job description, never hesitate to reply. Remember, demand for individuals in this field is much higher than the supply. You may be pleasantly surprised when you get a call from an employer because they see value in your profile and resume. This is something that I have been working hard on, to enable change in how job descriptions are listed. Job descriptions need to have more clarity and need to be written better. Too many people are walking away from applying for positions because of a requirement that is posted in a job description that in the end isn’t really a true requirement. The job ends up unfilled.
Cyber Security Titling Chaos

Security Analyst, Security Engineer, IT Security Principal, Security Risk Consultant, Security Consultant, Privacy Consultant... the list goes on and on and on. What do they all have in common? Everything and nothing. This industry has no standardization in job titles. I always ask all of my mentees what type of job they are seeking. Most of them, instead of telling me what "type" of job they are seeking, rattle off a title. Guess what... titles in this industry often don’t match the job description. To give you an example, if there are 100 job listings for a Security Analyst, nearly every one of them will have a completely different job description. This industry is still the wild west when it comes to defining job titles. So how does this affect you on your journey? You need to focus on the "type" of job you are seeking. For instance, stop searching for job titles. Instead, search for job descriptions that match what you have a passion for. For example, if you are strong in compliance, search for keywords such as PCI, NIST, CMMC, SOC 2, security auditing, and so on. If you are strong at defensive security, search for terms that match. Search for tools/phrases that you are familiar with. These could be things such as SIEM, Splunk, Wireshark, packet analysis, threat monitoring, and others. If you are interested in offensive security, search for keywords such as Nmap, Nessus, Metasploit, Burp, OWASP, vulnerability, exploit, penetration testing... and so on. These are just small examples of keywords to use when you are searching for opportunities. Don’t get stuck on titles. Focus on what you want to do.
FAANG

A weird acronym that I just became aware of not too long ago, FAANG, stands for Facebook, Amazon, Apple, Netflix, and Google. You will see and hear people making comments that they are striving for a FAANG, meaning they want to land a job at one of these companies. I thought it might do justice to talk about FAANG. Truth is, in the last 10 years, I’ve had recruiters reach out to me from every single one of these companies. These are companies that would make you look super cool to your friends as well as on your LinkedIn profile. However, I can tell you that if you are aspiring to pivot into this field, these can be some of the hardest companies to get hired at. They have some of the highest interview requirements and many times can go many, and I mean many, rounds of interviews. Getting hired by these companies would absolutely be great, but the issue that I see is that many people get stuck on only wanting to work for FAANG. If you are aspiring to break into this field, you have truly chosen some of the hardest companies to get into. Many pass by opportunities with smaller companies because of their pursuit of FAANG. This could possibly delay your journey into this field. I can tell you that I have never worked for FAANG, but I know hundreds that have. It is definitely a great achievement to have under your belt.

In my career I have worked for and/or contracted with companies that we have all eaten at or shopped at. What I can tell you is that bigger isn’t always better. Many times the bigger the company, the more sandboxed you end up. What I mean by this is that you often get stuck in a position where your knowledge can go very deep, but not very wide. You don’t have access to the company leaders, and the weight that you carry in your position possibly isn’t enough to be heard like you want to be. For this reason I have favored smaller companies. My niche over the years has been doing work for companies that are 20 to 80 person operations. Even further, it has typically been companies that offer full security services to their clients. For example, companies that I have worked for, including the one I owned for 10 years, offer a full suite of security services. These services include items such as penetration testing, SOC services, compliance, and a slew of others. Even though these are smaller companies, many times they work with global clients that we’ve all heard of. You often get more exposure to different things because in small companies you have the ability to wear more hats and get more involved. Smaller companies often have a better cultural feel. For example, if you were hired as a SOC Analyst for a FAANG company, you can nearly be certain that you won’t have exposure to offensive security. In a smaller company, you can cross over and help in multiple sectors easily. In one instance, I was helping with defensive security by helping develop an incident response plan as well as working on the offensive side. At this same company months later, I was helping with PCI compliance. The opportunity in small companies many times will far outweigh FAANG.
Imposter Syndrome

If you had asked me a year ago, I would have told you that I didn’t know what imposter syndrome was. It was a term that I kept seeing and hearing people talk about. One morning I took the time to do some research on it and it really hit me hard. When I looked it up and read about it I immediately had a huge weight lifted off of my shoulders. It was a self-diagnosing moment. For years, because of the way that I “climbed the ladder” in cyber security, I never felt confident that I was good enough. This is because I always considered myself a jack of all trades in this field, but a master of none. I really do feel that it is true. Maybe better yet, a jack of some trades but a master of none. There it is, imposter syndrome in full gear as I’m even typing this. By definition, imposter syndrome is “doubting your abilities and feeling like a fraud”. One struggle is that the more you learn about the field of cyber security, the more you find out you don’t know. This industry is ever changing. For that reason, it is easy to doubt your abilities. When you land your first job in cyber, you will most likely suffer from imposter syndrome. Even if you’ve been in this field for a while, there is a good chance you have experienced it.

Although I still struggle with it, I have learned to leverage imposter syndrome for my benefit. I do this by pushing myself harder to learn. If I’m up against a project where I’m facing something new, it forces me to dig in deep, research, and learn as much as I can about what I’m about to face. Imposter syndrome gives me the drive to work even harder. In my opinion, it should be a healthy balance. I feel that everyone suffers from it at one time or another. I think that when a person finally thinks they are good enough, their desire to learn decreases and they can easily fall behind. Once you learn to leverage imposter syndrome, it can really be used to your advantage.
Just Be You

I really felt like the last chapter would be a great segue into this chapter, Just Be You. If you only learn one thing from this playbook, I hope that this is the one that you take home with you. Simply put, it is the most important. If there is one thing that we have learned from the pandemic, it is that we are all human. We all have lives. We work so that we can live. We don’t live to work. Although that sounds very cliché, it is true now more than ever. Companies don’t hire people. People hire people. With that said, people want to hire humans that they can spend eight hours a day with, even if it’s just virtually. We all have the ability to put on our super professional cape, but at the end of the day that is not what gets you hired. Be proud of who you are. Be different. If you have been connected with me long enough on LinkedIn you have most likely learned that I talk about this a lot. We all have our own stories in life that got us to where we are. It’s ok to be proud of those stories, whether good or bad. If you are already employed at the job you want, just be you. If you are seeking a new company to be employed with, be you. One key to my success over the years is my ability to connect with people. I try to find the human side of everyone, even if they were interviewing me. Finding the perfect mix of being human while professional can have a huge impact. It is ok to talk about your flaws. We all have them. Honestly, I have more than most. I remember a day when life and work never crossed paths. To give an example, if I were in a video meeting ten years ago and a cat walked across my desk, it would have been considered very unprofessional. In many meetings now, you’ll see me holding my small Boston terrier in my lap. Even the dress has changed. Years back I wouldn’t be caught in a video conference without my button-up shirt. I find it rare now that people aren’t casually dressed in meetings. This of course does not speak for everyone, but there is definitely a change in culture surrounding this. In the end, be you. Any company that does not allow for you to be human does not deserve you.
Are You Listening?

We've all been in meetings with "that guy" who seems to be the smartest and most vocal person in the room. He's been in the field for years, made his mark and has a ton of experience. It's his way or no way. Morale is down within the IT team. The system administrators try to speak up about an application that the security team is making them turn off, but they are not heard. Morale is down in the web development team. They voice a concern about code that the security team is making them change, but security doesn't want to hear it. The end users are frustrated because of a new procedure that security is pushing on them which makes their job harder, but their concerns seem to go unheard. In this field, we must learn to listen to each and every concern. I'll repeat it again. In this field we must "listen" to each and every concern. Over the years I've learned to not be the loudest person in the room. I sit back and listen. Then I listen more. I try to process the information that is coming at me. I then speak up, but instead of directing, I'm asking questions. I'm asking questions so that I can understand all of the frustrations and push back. After asking questions, I listen more to their answers and possible alternate solutions. Finally, I speak up and make sure that they know that I'm not only listening, but hearing them. I care about their concerns. I care about morale. I care about doing things efficiently as a team, not on my own. Be the quietest person in the room. Morale stays high and things happen when people are heard and feel valued.
What’s your End Goal?

I've been in this field for 25 years. I worked from Helpdesk to Systems Admin, Network Admin, Consultant, Defensive Security, Offensive Security, Security Auditing (PCI-QSA and other frameworks), and vCISO, in that particular order. I never planned on becoming a vCISO. Companies started reaching out to me because they saw something they liked. Before I knew it, I was utilizing the skills learned through my career to serve in this capacity. My end goal was to have a fulfilling career. As long as I was growing, I found it fulfilling. I had no clue that I’d ever serve in a vCISO capacity. In fact, there was no such thing when I started this career. In this fast changing field of cyber, having an end goal isn’t always tangible. There is a good chance that it will change at least 5-8 times along your journey. So what really IS my niche? How have I been successful? Looking back, it has been my ability to adapt, connect to people, listen well to their needs, and then communicate well. In a nutshell, I'm a problem solver. I know how to solve problems in this industry. I know how to use my resources. I know how to make people work together as a team. I know how to achieve (sometimes exceed) goals. No matter what field you are in, if you have the ability to solve problems, you will be successful. Although I don't consider myself an expert at anything, what I do know is that I've been around the block. I love this industry and know aspects of it well. The fact that I love what I do tells me that I’ve met my goals. Follow your passion, not the money. If you follow a position because of the money you will never be happy. You will find yourself having to learn things that you don’t enjoy. If you follow the passion it will never seem like work. Money will also quickly follow because you will find yourself being the best at what you do, inevitably becoming extremely valuable.
Jump, Jump

This topic stirs much debate, although I hold pretty firm on it. Perhaps it is because this was my path to gain traction quickly in this field. While I have much respect for people that stay with one company for their entire career, it just wasn’t in the cards for me. The best way that I can think to explain this is to tell you a story in the form of Bob and Jane.

Bob is a great guy. He's a family man and an extremely hard worker. He joined the company 20 years ago as a waiter. He was young and ambitious. He quickly became a manager at the restaurant. He was always good to the people who worked for him. Technology, however, was always his passion. He applied internally within this large company of 1500 restaurants for his first IT Desktop Support position and landed it. After a few more years, he migrated into Systems Administration. A few years after that he developed an interest in Cyber Security. He applied again internally and landed his first Security Analyst role. Bob became the "go to guy". Everyone liked Bob. Later, upper management asked Bob to learn penetration testing and to help build out a vulnerability management program. Bob was always enthusiastic about his job and loved it. He was always praised by upper management. However, Bob could barely afford to pay his bills. He was always stressed out about being able to take care of his family and give them the things they need. Bob started his job 20 years ago and got the typical 3% raise each year. As he got promoted, he did get some small increases in pay, but nothing near what he was worth. Bob is one of the top security staff at his company, but barely getting by.

Then there is Jane. Bob works with Jane. Jane has the same title as Bob. She has the same education and skill set. Jane has only been at the company for 6 months, and has only been in security for 8 years. Previous to this role with Bob, she worked at 3 different places, averaging 2.6 years per job. Each time she got a new job, she negotiated by leveraging her experience and knowledge. She got an increase of about $15,000 per job hop. Currently, working the same title as Bob, she is making $45,000 more than Bob. Bob has no clue that Jane makes $45,000 more than he does.

Why is this? Let's face it. Many companies look at the bottom line. Even though Bob is a true asset, they know that Bob is loyal. They aren't going to walk up to Bob and give him $45,000 more "just because". They don't have a reason to. They know that he won't leave because he believes in the company and plans to retire there. Whose fault is it that Bob is underpaid? Is it Bob's fault or the company's fault? I blame both. I blame Bob for not knowing what he's worth. He should have negotiated as he moved up with the company or even explored options with other companies that would pay what he's worth. I also blame the company for taking advantage of Bob's loyalty. Are you Bob or Jane?
Last Thoughts

The field of cyber security can be overwhelming. By doing your own research, you will find that there are so many sectors of cyber security to dive into. As I mentioned earlier in this playbook, passion is the most important thing to follow. If you are passionate about something, learning it will never seem like work. If you try to learn too many topics at one time, it will be difficult to grasp any of the concepts. Start with one of the three topics that I talked about in the beginning of this guide. These topics are offensive security, defensive security, or GRC. Trying to learn all three of them at the same time will be too difficult. Lean toward the one that intrigues you the most. Dive in, and you will be amazed at what you can learn. Remember to not get frustrated if things are not easily understood right off the bat. This was one of my frustrations in the beginning. I found myself wanting to learn everything at one time and I would find myself feeling overwhelmed. It can be easy to spend hours, days, weeks and months learning this field. The biggest thing to be aware of is burnout. Go at a pace that you can handle. Remember to step away often and give yourself a break. It can often make the difference of whether or not you achieve success in this field.
Time to Get Hired

Here we are. You have put the time in. You have studied hard. You have gotten hands-on practical experience. You feel ready to get hired. The entire rest of this playbook is built to direct you on landing your next job in cyber security. I have moved around a lot in this field. I have worked in offensive security, defensive security, and GRC (Governance, Risk, and Compliance). I have been successful working as an employee, as a contractor, and running my own company until it was acquired in February of 2022. Whether you are looking to work as an independent contractor, a loyal employee, or even found your own company, the information that you are about to read can apply to you.
A True Story to Set the Stage

About 5 years ago, I, along with 4 really good friends, started a singing group. Five men with varying pitches of tone working hard to blend together and create a harmony of unique sound. When we started, we sang mostly oldies, some country, rock, and even some gospel music. We did this for nothing more than fun. So here we were, a self-made group, with half decent talent. The problem was that nobody was hearing us. We really had no clue how good we actually were. There was a moment when we decided to volunteer to sing at a charity event that was raising money for veterans. I like to use the phrase “putting the garage door up” so that people can finally hear us. Even though we were extremely nervous about our first singing appearance, we were also very excited. I remember starting with a Beach Boys song that resonated very well with the crowd. By the second verse of the song, people were tapping, nodding, and some even stood up and danced. Before the end of the first song the five of us had looked at each other and you could just tell that we knew we had something. At the end of that event, we had several people walk up to us and ask if we could sing at their event. Before we knew it, we had been booked up for the next couple of years. This was one of the best times in my life. The feeling of having the ability to perform at a level that people really enjoyed was something that was indescribable. We sang for five years, before I moved to the Midwest. The group is still singing today.

The reason I'm telling you this story is because I believe it directly relates to gaining employment in the cyber security industry. It does not matter how hard you work. It does not matter how much knowledge you have. It does not matter how much desire you have to get into this field. If no one knows about you, you will be unemployed. My goal for the rest of this book is to help you put the garage door up so that people can find out who you are. People need to know how passionate you are. People need to know how much driving ambition you have. People need to know what value you bring to their organization. Together, let's put the garage door up and get you discovered. No turning back.
LinkedIn - Where the Cyber Security Community Resides

It seems crazy that we are talking about social media in regards to landing a job in cyber security. The fact of the matter is, most of the cyber security community resides right here on LinkedIn. Yes, it certainly is a social media platform, but a platform of professionals. Almost every organization, business, and the majority of cyber security professionals are here. When I was younger, the only way to get a job was word of mouth and slinging resumes. You dropped your resume off, crossed your fingers and hoped that someone liked what they saw and called you. Yes, you can still certainly get a job in cyber security by doing that, however those days are ending rapidly. Recruiters, hiring managers, and those looking for qualified candidates are looking to LinkedIn to find the next person to fill their vacant role. My end goal is to help you put the garage door up and get discovered. I want you to be discovered for who you are and what you have to offer to an organization that is filling a role. I want them to discover you because you are unique. From here on out, I want you to think of your LinkedIn profile as your resume. When I was hiring for my company, I looked at two things. I looked at resumes and I looked at online profiles. When I was handed a resume, I spent about 60 seconds on it. Online profiles such as LinkedIn are typically where I spent most of my time. I want to generally know who you are, what you are about, how you benefit the cyber security community, and how you could be beneficial to my company. A resume does not tell that story. Most of the time online profiles do. In the past few years, I can tell you that 100% of my work has come from LinkedIn. Yes, 100%. Not “some” of my work, but all of it has come from this platform of professionals. The combination of a field of work that is in extreme demand and a platform that allows you to interact with nearly anybody in this profession allows for unbelievable growth in this career.
Your Personal Brand

The entire rest of this playbook is dedicated to helping you create and find your own personal brand. Whether you know it or not, we are all in business. We are in the business of developing a skill set that becomes valuable to an organization so we may have a great career. In nearly every job we’ve ever had, at some point we had to be able to sell ourselves to our employer. Without being able to market and sell our skills, we face the risk of being undervalued, underpaid, or even unemployed. We truly are in the business of selling who we are, our personal brand. So what is a personal brand? It is you. Your personal brand is what you are about. It is an effort to communicate and present your value to the world. It is not only the experience that you have, but also your personality. Truth is, many of us have the same kind of experience. The only thing that sets us apart is who we are, meaning our personal brand. Think of your top three favorite people that you have worked with over the years at any of your jobs. Why are they your favorite? Why do they stand out? What is it about them that is different from everybody else? Whatever those reasons are, that is their personal brand. Let's think of it the other way. How are you unique? How do you stand out? How would someone that works with you describe you? Are you funny? Are you more serious? Both of course are great aspects that help define you. While reading the rest of this playbook, I want you to be constantly thinking about your personal brand and who you are. It will help greatly. Keep in mind, you do not have to have your personal brand figured out entirely. I am still figuring mine out. I try to craft it every day, but in the meantime I enjoy learning who I am and what I represent.
Break In Cyber Playbook v1.0 / All rights reserved / Copyright 2022
41
Your LinkedIn Profile
As I mentioned earlier, start considering your LinkedIn profile as your online resume. This resume represents your technical skills and who you are, which is your personal brand. Your LinkedIn profile is your billboard that represents you. It is extremely important that you use this billboard from top to bottom. Not using your LinkedIn profile to the fullest is like purchasing a billboard beside the highway and only using half of it. The goal is to get as many cars driving by your billboard as possible. As part of doing that, we also want people to spend time looking at it. Let’s break it down.
A Smile is Contagious
It really is true. A smile is contagious. It is important that you have a great picture that represents you. This does not mean that you have to put a suit on for a picture. This should be a casual picture of you. I highly recommend NOT using a picture of you sitting at the bar. I recommend a quality picture with good lighting. People make connections with pictures. Not having a picture on your profile makes it hard for people to make that connection. Do you know how many Mike Millers there are in the world? My photo helps people realize that it’s me.
Cover Photo
This is important. LinkedIn tends to favor profiles that it sees as “complete”. By not having a cover photo, your profile is considered incomplete. Don’t make this too “busy”. I advise something that is very clean and professional looking. Take a look around at other cover photos from people who have been successful on this platform. You will see some great examples.
Headline
Your headline says it all. It is the first piece of text that is read on your profile. This piece of LinkedIn real estate is one of the most important. A big mistake I often see is people not representing themselves well with a headline. The headline is the text that is displayed directly under your name. This space allows for many characters. Typically your title is put there. However, you can use this to elaborate on what you are skilled in, or even your passions. Another mistake I see is people, specifically in the cyber security industry, just listing themselves as a “Cyber Security Professional”. I often describe this as someone who says they are good at “sports”. What sport are you good at? This field is very wide. For example, if you are aspiring to get into defensive security, you might put “Blue Team / Defensive Security / Cyber Security Analyst”. This would better describe what you are really passionate about. A person looking at your profile would immediately know that you are interested in defensive security. Whether you are interested in offense, defense, or auditing, try to be more specific so that your interest / skill set is quickly visible. LinkedIn gives a lot of space for a headline. Don’t be afraid to add something personal. If there is room, use this space to give a few words about yourself or your mission.
Creator Mode
Creator mode is a great LinkedIn feature. You may have already noticed that some LinkedIn profiles have “connections” and “followers”. A connection is a two-way handshake between two people. If you are connected to another LinkedIn member, you will see their content and they will see yours. Creator mode allows you to also have followers. This means that although you may not want to connect to another member, they still have the option to follow you. This allows them to see your content, but you won’t see theirs. LinkedIn currently gives each member 30,000 connections. This means that you can have a two-way connection with 30,000 people. As far as I know, there are no limits on followers. You will notice that some members may have only 1,000 connections, but 10,000 followers. Creator mode also gives you the ability to use other features such as LinkedIn Live, Audio Events, and Newsletters. Even further, creator mode allows you to list up to 5 hashtags on your profile that are relevant to your interests. For example, if you were to look at my profile, I have 5 hashtags in use. They are #ciso #hacking #infosec #cybersecurity and #informationsecurity. These play a role in helping your account gain visibility. When creator mode is turned on, that is essentially telling LinkedIn that you are a content creator. You will most likely gain more traffic from it when you post.
Featured
LinkedIn gives you the ability to have a featured section. Normally I have some of my own favorite posts in this section. I would recommend picking a few posts that you have made that represent who you are and what you are about. If you haven’t posted much and don’t have anything yet to feature, it gives you the option to add other items instead.
About Section
The About section is very important. This is a section that allows you to enter a large amount of content to describe yourself the best you can. I see this section both underused and overused. Underused: many profiles only have a sentence or two. This area is too important to let go to waste. Overused: I also see profiles that type what seems to be a book in the About section. Remember, our LinkedIn profile is our online resume, so this section should not be too lengthy of a read. I recommend two paragraphs. In the first paragraph, tell us about you. Help people make that personal connection by being a bit personable. What are your interests outside of your career? Do you have hobbies or pets? Tell us about them. You have an entire paragraph to do this. The second paragraph is where you are going to dig in to show your skill set. This paragraph should really define who you are professionally. If you are aspiring to get into cyber, talk about what you have gone through and what your training/experience is. Tell us about the labs you have completed and some of your successes. If you are a veteran of this field, tell us about your experiences. At the end of the second paragraph, make an easy-to-read bulleted list of some of the skill sets, tools/software, and security frameworks that you are strongest in.
Experience
In this section, break down the experience that you have with your current or past employers. If you are already in IT or cyber security, be descriptive. List the accomplishments that you have had in the job. Talk about your skill set as well as some of the projects that you have worked on. The more descriptive you are here, the better. If you are still aspiring to get into cyber, that’s ok. If you are taking time to learn and you are getting your own practical experience with labs, frameworks, or other areas, talk about it. I would suggest creating a job entry with your own name as the company. When filling in the “from” and “to”, put the time you started learning until present. Talk at length about your journey and what you are doing to pursue this field. Talk about every single thing you’ve learned, tools you’ve used, and other things that you want others to know. This is a very debatable topic. Some will tell you not to do this. My recommendation is to always be transparent. Never say you are an expert at something if you are not. In your description of this “job” of teaching yourself, mention that you are self-learning. By putting your own name as the company and being transparent, it will show that you have initiative and that you are taking time out of every day to pursue this field. Even though you are not getting paid to learn, you are still doing the work. Be proud of that. LinkedIn allows you to have several positions at one time. This means that if you have a job outside of the field of cyber, you can list that as well as your own listing for your at-home work/labs.
Education
Be proud of this section. This section isn’t just for college degrees. Include any boot camps, online classes, webinars, or anything else that has helped you gain knowledge. There really isn’t much to talk about in this section; however, make sure that it is filled out completely.
Skills
I talk about this a lot when I’m mentoring. This section is really important. LinkedIn allows up to 50 skills to be listed. Use these the best you can. Keep in mind that just because you may not be a complete expert in a certain skill doesn’t mean that you can’t list it. Remember, be honest and transparent. If it is a topic that you are very enthused about and you are advancing your knowledge, feel free to list it. Just be prepared to be asked about it if/when you are in an interview. If asked, just be honest about your level of skill. Never list a skill that you are completely uncomfortable having a conversation about. Look at other profiles from people in the industry, and look closely at the skills that they have listed. My suggestion would be to use as many skills as you can. These will help when recruiters are searching for candidates with certain skill sets. You don’t have to use all 50 skills, but only using a few of them will be to your disadvantage.
Recommendations
Recommendations do a great job of telling who you are as a person. Recommendations certainly aren’t mandatory, but they help. Even if you have recommendations from friends or other people that you have worked with, they help show the type of person that you are. Don’t be afraid to ask for recommendations from coworkers. These do not have to come from your manager. Of course, recommendations from your managers are always welcome. Any type of recommendation that you can get that talks about who you are as a person and what it’s like to work with you will really help.
Summary
The information that we walked through above is important for your personal branding. Without having a complete profile, your chances of gaining visibility are decreased. I can tell you that after reviewing thousands of profiles, only 90% of them are completely filled out. The good news about this is that if you use your LinkedIn profile to its fullest capability, it clearly gives you an advantage. LinkedIn will be more likely to show your profile to more people. Recruiters have a better chance of running across your profile. Just doing the steps above will greatly increase traffic to your profile. Having a full and complete profile is certainly more attractive than one that is not complete. If you were to stop reading here and never finish the rest of this playbook, you would still stand a much better chance of being found than if your profile were incomplete. This is what I call passive LinkedIn traffic. Once you put the work in to get your profile complete, it will pay off for a very long time.
Open the Garage Door
Your profile (aka, online resume) is now complete. Now we have to go to a networking event and pass it out to as many people as possible. The LinkedIn platform is our networking event that never ends. If you follow the rest of this playbook step by step, you will see your LinkedIn profile take off like a rocket ship.
Connections
Simply put, connections matter. The good news is that they are easy to obtain. You are already at an advantage because you have a complete profile. Now it’s time to shake hands. The cyber security community is large, but small at the same time. If you get yourself out there and keep showing up, people will remember you. LinkedIn allows you to have up to 30,000 connections on their platform. Why not use them? So where do you start? A huge mistake that I see over and over is people only wanting to connect to people that are above them in their position. For instance, people think they can’t gain anything by connecting to people in a lower rank than they are. They are wrong. For me, when I’m trying to build my profile and connections, I look for people that are passionate about the cyber security industry. It doesn’t matter to me whether they are aspiring to get into the field or if they are at a CISO level. I also look for those that have a ton of engagement. These normally go hand in hand, because if someone is passionate, others tend to flock to them and engage. Let me give you an example of why.
A good friend of mine, David Meece, holds an entry level cyber security position. He has only truly been in the field for about two months. He is so passionate about cyber security that he has journaled his entire process of gaining entry into the field. While he was struggling to get into the field, he was posting about his journey. Even though this field is very competitive, he’s teaching others how to get into the field at the same time. His transparency and honesty have landed him a huge following with authentic engagement. David currently has tons of followers at all levels of the game, from others who are aspiring to VPs, CEOs, and company founders. He has many recruiters that follow him as well. David is also the type that answers nearly every comment that people make on his posts. Because of this, anyone who engages with his content stands a great chance of gaining visibility simply by others seeing the comments/engagement. By connecting with David and engaging with his posts, your account will gain visibility. To take it a step further, when you engage with someone like him, engage with a CTA (call to action). This means when you comment on one of his posts, make it thoughtful and engaging for genuine conversation. Asking a question in the comments will almost always gain return engagement. When you first start connecting with people, concentrate on profiles with many connections and high engagement to get your foot into the cyber security community.
Time to Request
Research has shown that LinkedIn gives you the ability to make approximately 100 connection requests per week. You have to be very careful with this, because if you try to send too many at one time too fast, LinkedIn will make you wait before you can send more. My advice is to start by sending 30-50 per week, stretched out evenly over the week. LinkedIn will warn you if it thinks you are sending too many out at one time. Connect to people that have their profile completely filled out and active. When you send a request, feel free to add a personal note on why you want to connect. Let them know that you are passionate about this field and that you are looking forward to learning from them.
Ring the Bell
I have talked about this a lot in my LinkedIn posts. LinkedIn profiles that have creator mode turned on have bells at the top right of their profile. When you ring their bell, you are turning on notifications to let you know when they post. You certainly don’t want to ring everyone’s bell, because it would be counterproductive. However, if used correctly, you can gain a lot of visibility for your profile. Pick roughly 10 to 20 of your favorite connections, primarily connections that attract a ton of engagement when they post. Ring their bells. When you see a notification that someone posted, be one of the first ones to get to their post and comment. If you take the time to make a thoughtful comment that includes a CTA (call to action), like a question or a reason for them to comment back to you, LinkedIn often keeps your comment at the top. If your comment remains at the top of a post that attracts thousands of views, most of them will see your profile. This will cause an influx of traffic to your profile. The more posts that you are able to engage with first, the more traffic your account will receive. Don’t click too many bells. Pick just enough that you can keep up with. Normally that number comes in at 10-20. If you choose too many, it will be too overwhelming and your notifications will be too noisy. Try to engage with at least 5-10 posts a day consistently.
Engagement Matters. Followers Don’t
I see way too many people get caught up in the number of followers that people have. The number of followers isn’t nearly as important as engagement. For example, there are many accounts out there that have over 100,000 followers. However, if you look at the engagement on their posts, it can be nearly nonexistent. I would rather connect with someone who has 500 followers but great engagement than with someone who has many followers but no engagement. A high number of followers without engagement is a sign that their posts are not targeted for their audience. This does no good. Always choose engagement over followers.
Posting
Of all the things I have discussed to this point, posting seems to be where most struggle. That’s ok. Truth is, I still struggle too, but I learn with each and every post. Let me start with this. The biggest fear that people have (including myself at one point) is posting the right thing. I used to ask myself the following questions:
● What if my post isn’t “expert” enough?
● Am I smart enough to post?
● Do I have anything of value to post?
The best advice I can give here is to just be you. This is where you get to take charge of your personal brand. What you post is an extension of who you are. You never need to come off as an expert. I just use my life and career experiences (both good and bad) to guide people through their journey. When I post, I’m just me. People love authenticity. Be you. So what does that mean? Being you means posting things that come to your mind. At this stage you might be full of questions about the industry, certs, career paths, or even technical questions. Good questions can be great and engaging content. As I have mentioned previously, the cyber security industry is a very supportive community. If you post a good question and your account has visibility from the work that you have already put into it, your posts will eventually gain traffic. Remember, just be you.
Conversation Piece
This is one that I’ve completely learned and taught myself. My goal in every single post is to be a positive light to someone as well as to educate them in some fashion that they can use toward their career goal. What you will also find in nearly every one of my posts is a conversation piece. I have used multiple examples of this. One example that I’ve used in some of my posts is a Jeep door sitting in the background. I bought a new Jeep this past year, took the doors off over the summer for a couple of weeks, and set them behind where I sit. In some of my pictures, you will see the Jeep door. I make no mention of it in my post, but the door sits there. Even though it has absolutely nothing to do with my post, it causes conversation. People will constantly ask about it. It just isn’t something you see in an office every day. You may have also noticed that I collect socks and enjoy using them in my posts. These just give people something to converse about. I always put my priority on making sure my posts have educational value, but I tend to have fun with these conversation pieces. I have used things such as goofy shirts, watches, or my pets. By doing this, even if a person doesn’t connect with my content, they can still be part of the conversation.
Break Out Post
When I mentor others, I often talk about making a breakout post. What I mean by this is to put much thought into a post that has CTAs (Call to Action) in it. As mentioned, this could be a question that triggers engagement to answer. This could even be a story of your personal journey. What I will tell you is that the more personable this post is, the better it will do. Make a post that allows people to feel a personal connection. This will trigger engagement. Plan this post ahead of time and reach out to some of your favorite connections that have been engaging with your comments, and ask them to engage with yours. Many of them will. When these people engage with your content, many of their connections will see their engagement on your post. This is what can make your post really break out, meaning that it will be seen by many.
A Body in Motion Stays in Motion
Doing everything we talked about above, including a good breakout post, will put your LinkedIn account in motion. Once it stays in motion, it will gain traction. Your job is to keep it in motion. Staying consistent with engaging with connections, connecting, and posting will keep your profile growing. If you are not consistent, the profile will go back to rest. It is certainly work, but as you know, it is career changing.
Landing Opportunities to Your Inbox
It still seems crazy that we are trying to use a social media platform to help our career. The times have surely changed over the years. Who would have thought that followers, engagement, connections, and posting would have anything to do with our career? Even though it seems crazy, it has the ability to directly affect our career. We have the choice of not using this platform and slinging resumes in the hope that we get hired, or we can leverage this platform to be discovered and land opportunities in our inboxes. Isn’t that the goal? My end goal for you is that you use this platform successfully so that your personal brand takes off. When that happens, it is very likely that you will start seeing opportunities from recruiters and hiring managers. At the time of writing this, 1.6 million talent professionals (people seeking candidates for jobs) are using this platform to fill positions. Remembering that only 10% of people are using LinkedIn to its fullest capability, if you use yours to its fullest it puts you in the top 10%. The old saying that word of mouth is the best advertising is still true. Word travels quickly on this platform. If you show up on LinkedIn consistently and people know who you are, you will certainly stand a much higher chance of someone mentioning you to a recruiter or hiring manager because of your talents. Recruiters and hiring managers are on this platform every single day scouting for good people. It’s only a matter of time before they start landing in your inbox.
Metrics
Metrics are how you measure your account and how you are doing. I use three metrics. If creator mode is on, you will find these metrics by looking at your profile.
● Profile Views
○ By default it shows you profile views over a 90 day period. Do not be discouraged even if your number is 0. By following the directions in this playbook, it will grow rapidly. Remember, every profile view is a person that runs across your online resume/portfolio. The more the merrier.
● Impressions
○ Impressions are how many times people have come across your posts. By default it shows you the past 7 days, but if you dig deeper you will find that you’re able to view up to 1 year. I use this as my personal goal to beat each week. Each week I strive to have more impressions than the week before. Don’t worry, you will have ups and downs. I still have them. However, the goal is to keep growing consistently.
● Search Appearances
○ This is just what it says. It is how many times you have appeared in searches in the past 7 days.
By following this playbook, you will be able to watch all of these metrics grow rapidly. I advise doing a weekly check-in with yourself on these metrics. Write down the numbers you are at before you do a single thing. It will be very rewarding from the time you start.
Insurance Policy
Even if you have been in cyber security for years and have the perfect job, LinkedIn is your insurance policy to ensure that you always have opportunity. The pandemic has shown all of us that we can’t take anything for granted. Unfortunately, we are always at risk of losing our jobs. I can tell you that it is much easier to find a job when you have used your LinkedIn account to its full capability. Even when you are satisfied with your current employer, it is a great feeling to have your inbox filled up with recruiters and hiring managers. I never recommend waiting until a job is lost to start putting yourself out there and working on your personal brand. By then it is too late. You are at too much risk. Use your LinkedIn profile as an insurance policy so you will always have work.
Create Your Own LinkedIn Story
With the career advice in the first section and leveraging LinkedIn, your journey is limitless. I can tell you that most of my opportunities have come from the visibility that it has given me. The great thing is that anyone can do it. I’m not special. I just dove in and decided to make the commitment to my personal brand. I try to leverage my creativity and enjoy this platform to its fullest. Using this playbook and taking it seriously can do the same for you. It is life changing. You have the ability to write your own story. The demand in cyber security grows every single day. The LinkedIn platform grows every single day. The latest stat is 2 new members every two seconds. These are mostly professionals on this platform. Remember, not using LinkedIn is like going to a networking event and standing in the corner. In parallel, you should be working every day to tune your technical skills while you are building your personal brand. Don’t wait until one is done to do the other. I truly wish you success on your endeavor. See you on LinkedIn!
-Mike Miller