20 August 2019

Transitioning from Army to a career in Cybersecurity: Matthew’s Story

My personal journey

My journey from Soldier to Pentester over the last few years (much like the rest of my career, to be honest) is not the clean Cinderella story that most people on LinkedIn would have you believe. I haven’t been doing this since I was 12, haven’t had a visit from GCHQ for hitting the Pentagon, and wasn’t fluent in eleven programming languages before I even started.

I honestly fell backwards into IT after graduating University with a 2:1 pass from Reading University in BA Economics. I had the customary week off doing literally nothing and was then struck with a crippling case of “Now What?” syndrome.

As every finance/economics grad who’s seen Wolf of Wall Street can attest to, first stop was the City.

I did a few interviews with some fairly large financial services firms, even looked at potentially becoming one of those people you see on Instagram “finding themselves” abroad and doing some TEFL work, as I’d picked up the relevant qualification during one of the summer recesses.

It struck me walking down Canary Wharf’s tube station stairway and looking out at a few thousand people queueing to get inside one of the sardine cans that pass for Tube trains that I’d rather do absolutely anything else than do this every single day.

That’s how I found myself in Nottingham Armed Forces Careers Office a few weeks later genuinely asking “Who’s hiring at the moment?” to the Army representative there, a grizzled old sergeant who was clearly pretty tired of speaking to the ninth 17-year-old that day that’s played too much Call of Duty.

He replied that the Royal Signals were hiring for Communication System Engineers and that you got a promotion out of the end of it – fancy working with computers?

I had a fairly good command of computers as a user, but it seemed better than the other options of Musician and Chef, so decided why not – a stable paycheck and maybe some direction didn’t sound too bad at that point.

The road to cyber

Fast forward to Phase 2 training at Blandford Royal School of Signals (after getting my Full Metal Jacket on in basic getting screamed at for 3 months) and I ran into who was soon to become one of my closest friends in the camp cafeteria, who was working on the Cyber Protection Team.

I asked him what he did for a living and it sounded amazing – breaking into computers and seeing what he could find. I immediately bugged him to tell me what the roadmap was to get from where I was (basic IT knowledge) to where he was (Mr.Robot in camouflage) and he told me to start by getting a solid grounding in IT by doing Comptia Network+ and Security+.

Judging by him spitting his coffee out when I came back in a few months with both certificates saying “Awesome, what’s next?” – most people decide they don’t like doing it the hard (but necessary way) and drop their cyber dreams there.

The next few years passed in a whirlwind and I kept the momentum up with acquiring certifications (Comptia Cybersecurity Analyst+, ITIL Foundation etc) and trying to piece together some sort of security experience out of the work I was given in the Army.

Due to personal reasons, I left in late 2018 and managed to pick up a place on Crucial Academy’s Offensive Security Course, where I got my CREST Registered Penetration Tester and CREST Practitioner Security Analyst, alongside a pretty roaring caffeine problem / appetite for HobNobs.

I managed to land a job doing systems administration for a consultancy firm and looked for that first break into cybersecurity from there. In a nutshell, that is the story of how my life got flip-turned upside down and how I ended up at a company called IRM!

“So how do I do it, then?”

This is probably the question I get asked most often, form people inside the military looking to leave (and a fair few by people wanting to make the jump).

I can certainly see why – interesting work, great progression within a growing industry and excellent starting salaries – but your road and estimated timescales for breaking in depend entirely on where you’re starting from.

I’ll break down vaguely what the road looks like if you’re in the military and looking to get your first cybersecurity job:

Persona 1: No full-time IT experience / no technical profession (potentially SC cleared)

We’ll start here, as it’s the longest route in. You get told about a million times on your CTP sessions and by your welfare officer that you have a multitude of transferrable skills that any employer would kill to get hold of.

That is indeed true, but so do the vast majority of the thousands of veterans out there already, so you will need to start joining whatever CV you have right now (and writing one in the first place if you haven’t already!) to the job that you want to get hold of.

A job in “cyber” is a statement so vague as to mean very little now , so my first advice would be find a job you like the sound of and find about 9-10 job adverts for them on a few different sites. Circle the certifications that appear more than once and a picture of what you need to go get should appear fairly quickly.

But a lot of these will be hard-as-nails with no solid foundation in IT to work from.

So I personally would start with a foundational set of certifications like a CCNA Routing and Switching (Cisco) or Network + and Security + (Comptia). I did the latter, and the solid foundation you get from those will help you do the rest of the certs you need to get that first job you want.

Get some real-world IT experience in the meantime (helpdesk/technician work is great) and get on Hack the Box / Immersive Labs in the meantime and soon, the recruiters will come-a-calling!

Persona 2: Technical Trade Group (but not IT/SIGINT/Security-based)

This is for all the mechanics out there, along with the electricians, the radio operators, and engineers that have a fairly technical workload but just not directly IT-facing.

If you’re lucky, you’ll have picked up SC-level clearance from working with the radios. This will come in really handy later on in your job search.

Your skills are more transferrable than you would think, especially if you want to get more hands-on with fixing computers or building physical devices and my earlier advice to find a job you like the look of and work backwards from there applies twofold here.

But let’s say you still want to be a pentester and have a fairly solid command of IT already (if not, go get the foundation sorted first). I would start directly pointing your studies in a specifically cyber security/ penetration testing direction.  This is primarily going to come from home lab / Hack-The-Box style training in your own time.

The best part about this is all of it counts now. Nobody gets all elitist about whether you’ve done “the course” or not – they care about what you can actually sit down in front of them on a rig and do in an interview, not what provider you got your certs from or who taught you.

So in your evenings, start by downloading some vulnerable machines from Vulnhub, signing up for HackThe Box VIP  and looking at specific pentesting qualifications that interest you and working towards one. If you’re doing this for getting a job, I’d recommend Cyber Scheme Team Member (CSTM) and CREST’s double CRT/CPSA – which will qualify you for CHECK Team Member status and let you start doing government tests.

Time to get to work!

Persona 3: aka The Lucky Few (IT/EW/SIGINT/weird Intelligence guys, you know who you are…)

This one is for the guys who somehow (like me) fell backwards into a direct IT trade, whether security-focused or not. Your career has mostly been centred around being an engineer and you have a solid grasp of IT, networking and potentially systems administration also.

A higher-level (DV and above) is more likely, and this will make your job search much easier as you enter your resettlement period.

Pointing your experience and CV towards a security focus will be much easier for you than most, so I would pretty much bundle your SLCs/ELCs into doing a pentesting-specific course such as the CREST double CRT/CPSA or Cyber Scheme’s CSTM and get CHECK Team Member eligible. Your skills are both transferable and will directly assist you in your new career.