This is a story of how I end up as Cyber Security professional and the path that I walked to change my work domain at 26 years old. Things I learned, mistakes I made and more.
A bit of metadata on the sections if you want to skip ahead:
- College 📚: Education and Things I studied in the past
- Early Career 💼: Paid non-cybersecurity jobs that I started my career with and a trigger
- Higher Education 🎓: A break from industry for another degree
- A Jump to the dark side 🥷🏼: A start on Cyber Security job and How I am thriving till now
My country education system was adapted from ancient British Education System. Grade 0 to 10 and take exam that determine what you study. Higher scores at this matriculation exam (A-Levels for UK and Exit Exam for US) gives a chance to choose science subjects such as engineering, medicine and computer science. Lower score give you Art schools and subjects like Physics, Philosophy and Law.
You can’t retake exam if you pass but doesn’t reach to the accepted score by college/university. Your life is screwed at that point. I heard of students aiming for medicine school, failed intentionally at the last exam day to retake next year. Medicine is the hardest subject to get entry. I heard the news about reforming this silly rule at 2015 but I don’t know it happens or not.
As a typical working class family, my parents want me to be a doctor. I like to fall asleep at Biology class which gives a hint of my interest in it. I put OK effort in this exam and get into Computer school. My parents disappointed for a while and still insist on trying for maritime school. Ships and nautical stuffs pick an interest in me but in reality, I still don’t see myself ruling and navigating a ship in a ocean.
I ends up in a Computer Science subject and studied 4 years. Unlike today’s IT school, we barely touch computer during the whole 4 years of my bachelor degree. It’s mostly books and listening to lecturers making you confused about subjects from DBMS, Programming to Operating Systems. The good thing is the learning materials are at a good standard due to replication from a foreign university.
I decided to self-learn these tomb sized books out of class to understand the concepts and fundamentals. I owned a PC at my 2nd year to familiar with actual computer, try some practical programming and gaming of course. Friend introduced me to Web 1.0 and internet is shocking at that point. I took A+ course to learn components of computer and hardware, which is the only course I took outside college and learnt a practical understanding of computer.
After 4 confused years and get a honored bachelor degree with Computer Science, I kind of stuck in a year or two trying to get into Master degree in a foreign university. I polished my English language skill, meanwhile learning a bit of Computer Programming at a school. These are the downtime of my early adult life.
Early Career 💼
I ended up working in a local software house and stared some app development with ASP.Net, PHP, and ColdFusion. I barely make any money but developed a skill of logical thinking and understand more of web application development. It’s a combination of aesthetic and logic. However, I found out a bit boring and repetitive after 2 years in the role. The business requirements are similar with a lot of using internal code libraries with slight changes. I also found myself as average developer with average passion on it.
As this point in my life, Cyber Security is a blank slate. No interest at all. Until there is an odd-ball incident on the web application I developed for government is sql-injected by some hacktivists. I am like “ what is this sorcery!!”. How come these outsiders can do a damage like that while I am creating a SQL query to remove the js remote call script injected with these so-called hackers. This is the first moment I got some common web exploits and how unsecured websites can pwned by adversary. This is the moment that I initiated my interest and importance of security in Web 2.0 and beyond.
A chance has come to me to continue my higher education with a push by my mother to study at Thailand, where I’ve been living for the past 10 years.
Higher Education 🎓
I applied and a chance to study M.SC (Computer Science) program at a neighbor country. It is a traditional program with a sort of recap of subjects from bachelor degree. Additional learning is R&D and hand-on projects. My past experience in IT industry paid off and makes projects easier to cope.
For final thesis project, I have to narrow down to a topic that I am eager to create a new study and doesn’t have a bombarded number of researcher works on it. I spent a month or two on Cyber Security and Digital Forensic research topics and paper. At last, I landed onto a research area that I believe it will give me a learning path and an acceptable research outcome.
My thesis advisor suggests me to work on Forensic lab afterwards and I kind of glad that it fell apart. I am pretty sure I am not designed to work in a government facility. I landed a job as security engineer at a service provider company with a lot of questions and excitement.
A decision that I made to continue Master degree is one of the biggest dilemma that I made in my life. It is good that I learn to improve my R&D skill and expand my network into a new area. Working at a science lab as a IT admin/developer/research assistant opens my eye in understanding fundamental knowledge of small scaled infrastructure and data analytics. The downside is a gap in your career and kind of fall behind of peers for taking a break at university. In reality, Master degree is not help much for recruiter eyes and it should not be the reason to study it at first. However, I don’t have that much regret after 6 years and it leads me to a decent path in my work and life.
A Jump to the dark side 🥷🏼
My first job as a security professional comes with a lot of learning and applying to support the team and to fit in the role. A company I joined is a big IT service provider and the company is setting up a new security team to provide services for customers. Senior engineers/consultants have to partake in the business development and also sales process. It’s a learning path of a new domain and business aspect and again, this is my first paid job in a foreign company.
Learning about various security technology, market trend and providing consultant, security services gives me a solid foundation to the industry. I worked there for ~3 years before moving on to another opportunity that I am still working at.
I joined a security team at telecom company for internal security operations. The idea of joining this in-house position comes from the point to fill in the gap of “understanding more on customer obstacles and pain-points”. By switching from providing services to receiving end, the first adjustment is there is no 1 week,2 weeks projects. This is a short or long term improvement of process and technology to have a good maturity level of all-around security program. To achieve that, there is a need of management approval and funding, right personnel for each roles and security awareness of the organization.
The look back on my past working and study experience shows that experience gained from your past domain shows the dominance in your security expertise more or less. In my case, I lean more into application security and endpoint security before making a discussion about network tier. There will be a knowledge gap that we need to fill in to have a holistic understanding of Cyber Security.
This is not so long gist of where I am at now. I don’t believe anyone will read this dump of random thoughts but if you do, i am surprised and hope you pick it up something interesting from this. Come find me at twitter or anywhere on internet to chitchat with me for any topics.
Have a good time…