I was a risk, but in the end it’s all worked out.
I handed in my notice and spent the Christmas and New Year period applying for security related positions which was what I wanted to move into. I know most people would think it’s crazy to leave one job without having another lined up, but I don’t see it as being clear cut. I knew I had funds for a few months and I’d sorted out a motorbike and laptop in advance for commuting and potential self employment. Note for anyone that tries this – the Christmas period sucks for job hunting, a lot of companies don’t advertise until January but for my situation I was happier making a start. It was the right time.
For non IT people – previously I’d worked in generalist positions, related to network and system administration, with some web programming thrown in. Although both my previous position and security IT work are in the IT industry, it’s not the case that different branches of the IT industry are similar enough that you can walk from one to another without preparation. My recent self study and qualifications were designed to be this assisting preparation.
Finding the right place
I approached a local penetration testing company – I’d found them by search engine, using certain security related keywords and the local area names. From their website I could see they weren’t advertising for a position but I thought they might be of the right size and specialist enough to be recruiting in future. I used LinkedIn to see what the various staff specialised in, and to look up previous staff members and used this to tailor what aspects of my training I emphasised in the approach letter. I was careful with the wording as you can’t come across as the sort of person that assumes you know another person’s profession just from reading a book or studying (or you could think that, but I’d hope everyone recognises it’s a troubling and flawed reasoning). I stated I wasn’t a penetration tester, but emphasised that I had transferable skills. I’ve spent years on the other side of things – trying to secure things to negate the type of attacks they’re carrying out – but didn’t know the deeper technicalities or have the experience of performing the attacks.
I was invited in for a technical interview. I took a taxi as I thought it would look more professional than turning up for an interview carrying a motorbike helmet and clothing. The taxi driver took my map (with the marked destination), spotted the company telephone number and then, before I realised what he was doing, he rang the company direct to get directions – I cringed slightly at the lengthy confused conversation on the phone as I thought if the rest of the workplace was within earshot of the person speaking they would think it was myself when I walked in.
I was asked verbal questions from a senior member’s experience – there were no written questions, the questions weren’t pre-planned and didn’t seem hard for the interviewer to come up with which I think made it better for both parties. I won’t give specifics, but in general I was asked about things such as certain common programming issues and the security problems inherent with them, and how an attacker might approach or detect certain issues in websites or networks. I wasn’t asked any cliché interview questions. There were no awkward silences from when you’ve answered an interview question incorrectly or attempts at belittlement. When I said I didn’t know an answer, I explained the limits of my knowledge on that subject, which the interviewer appeared fine with.
In the application I’d suggested perhaps I could do a couple of days work as a trial. In the interview this was discussed and I was sent a Non Disclosure Agreement (NDA) covering client names, details of work done and similar.
I’d had a disastrous interview somewhere else where I’d turned up in an expensive suit which matched the interview panel, but then had been introduced to the team, whereupon a scruffy member of the team spent about 5-10 minutes openly sneering at my suit. I didn’t want that to happen at this company so I dressed down for the trial day to match the smart/casual attire I’d noticed the testers wearing in-office on my first visit.
I shadowed one team member first, who turned out to be an ex-marine. He showed me some physical penetration testing equipment he’d built (disguised tools you might leave in a target building) which I thought were fantastic and seemed well executed and then went through the network based attack he was currently performing.
As some background to the industry: A long time ago at a trade stand I’d spoken to a member of a branch of GCHQ (I don’t recall the specifics but in hindsight it might have been a member of CESG as the discussion topic matches the role) who had spoken of the difficulties they had when identifying useful penetration testing companies – the problem with the trade is the presence of companies who can only perform automated sweeps with no greater knowledge than the output reported by their automated tools (I have some horror stories on this for a future blog post). This wasn’t the case with the company I visited, where the penetration testers were hands on, with any tools simply being used as an alternative to speed up certain attacks that they happily demonstrated by hand to explain the theory and execution.
I’m not giving specific technical details due to the NDA but can say it was exciting to see an attack underway, the thought going on, the tool selection, usage and experience based testing. I understood the concepts and the flaws being explored, so I could follow what was being done, but the penetration testers clearly had a lot of experience – problems I’d always thought of as being theoretical or pedantic were actively being turned into exploits.
The team automatically went for lunch together, walking down to the local shop which you could tell from mannerisms was a routine social behaviour which I took to be a good sign.
After lunch I then shadowed another member of staff who was performing a social engineering attack on a client. While deploying the attack he was encountering issues with the company’s defences and I understood from my own work what the company had done and was able to assist. I was really excited and wanted to help but didn’t want to be obnoxious and interfering so I tried to tone it down as much as possible. I helped with a Linux command line syntax problem and suggested a minor improvement to the social engineering attack, which the tester decided to implement as a valid idea.
The day went really well, but the company hadn’t been advertising for a penetration tester and couldn’t offer me a position at the time as they didn’t know in January how much work there would be next month (a lot of large companies take a little while to wind up again after the new year and so take time to place orders for new networks or websites to be tested). They asked what salary I was seeking, and I stated I was motivated by the position, so was simply looking for one they felt was fair.
A week later I got an email, saying they’d let me know, and that the tester I’d shadowed for the social engineering attack wanted to pass on that it had been successful.
I’d applied for more positions at other companies and as time went on I was fearing not just the career damage of an unemployment gap on the resume but also, due to financial liabilities, of potentially having to accept a position being employed somewhere where my heart wasn’t in it. One friend really stuck his neck out, first to suggest a temporary employment possibility and then to continually persuade me to apply for another company he knew to be a good employer despite my accidental best efforts at being unemployable – a public thanks to Dan.
I was a bit conflicted and about to finish arrangements to attend a second interview as a sysadmin with a local company when the phone rang and I was asked if/when I could start as a penetration tester at the company where I’d wanted to work – work had picked up again after the New Year break and there was now lots of work to support an additional position.
I don’t claim to be an expert on job seeking, but it might be that my experience is useful to others.
- Don’t be afraid to approach companies directly if they aren’t advertising.
- Talk to your friends about local employers they’ve heard of. I had no idea how many local companies there were tucked away nearby. Some quite famous ones I’d never realised were within a stone’s throw.
- Do your research to find what they offer to clients and then demonstrate in your cover letter you have at least some knowledge of these areas.
- Make sure you can financially afford to job hunt – know how long you can survive
- Suggest something unorthodox like a trial/test day. It’s a chance for you to discover and run like heck if the place is dysfunctional (hopefully that’s rare but it’s a real career threat if you accidentally accept a job at such a place), and a chance for them to answer two of the main questions they need to know the answer to: will you enjoy it here, and will they enjoy working with you?
- Work on your LinkedIn profile, interview presentation materials, portfolio and resume
What didn’t work
I attended about 4-5 interviews over December-February, it’s important to learn from things that went wrong.
- Don’t expect anyone to read your portfolio, LinkedIn profile, interview materials and resume (despite the advice in the previous section). If they do it’s a bonus, so you should work hard on it, and there’s personal benefits from self development as you work on them, but don’t assume a link on the resume will ever be followed.
- Don’t assume the interview is just to flesh out more details about the things in your resume. You have to repeat your experience in the interview. It’s a nightmare to realise towards the end of an interview that they haven’t read your resume and you’ve just assumed they know you have knowledge of the areas you’ve mentioned in it.
- Don’t let it get you down. If an interviewer fixates on your A level results from 18 years ago, if they hate your suit, if they have some slightly crazy view of the world – it’s going to happen in an interview eventually. Do your best not to burn the bridge and afterwards just learn from the experience as character development.
This is almost 2k words – there’s bound to be some errors so drop me a message for corrections. Related: I’m currently offering £2 to charity per correction on my portfolio site.