In this episode, our host Jason interviews Ayub Yusuf (@WhiteCyberDuck) about how he got into the cybersecurity industry.
This time, we go over a very common case where people tend to study something in college that does not relate to cybersecurity and then shift over to the Cyber world after graduation.
Ayub mentions that you are going to have to deal with a lot of silence and rejections when applying for your first job and that it took him 134 applications to get only 5 interviews.
A CTF or Capture the Flag is a special kind of information security competition. There are three common types of CTFs: Jeopardy, Attack-Defence, and mixed. Those can be useful to hone your practical skills as well as your teamwork abilities and can show your future employer that you are able of working alone as well as in a team.
Jason and Ayub go over resumes and how you should go about creating a master resume and then tailoring this template to suit each job application.
You should always make sure to do a lot of networking and show interest in the community to be able to build a network of people who could be future employers or simply just help you throughout your cybersecurity careers.
Ayub also mentions that a lot of people make the mistake of paying lots of money for very expensive bootcamps when they could easily learn these skills on YouTube or other free platforms.
In the end, you should always remember not to get frustrated especially when trying to get your first job, because it always gets easier as you progress your experience.
Jason Dion:
Hi and welcome to another episode of Your Cyber Path. Today I’m your host, Jason Dion. Kip’s actually out of the office today, so he is on travel for some of his consulting work with Cyber Risk Opportunities. So today it’s just going to be myself with a special guest, Ayub, who is White Cyberduck, and we’re going to be talking all about how he got into the cybersecurity industry as a student coming straight out of college and trying to break his way in. Because I know that’s an area that really a lot of people struggle with is, how do I get a job if I don’t already have the experience or I don’t have the certifications or I’ve never been in the cybersecurity world before? And that first job is always just so hard to get, and so I wanted to give you a little encouragement today by bringing on Ayub with us to share his experience and how he got into the job that he’s in now. So thank you for joining us today. Ayub, welcome to the show.
Ayub Yusuf:
Hey, thanks for having me. My name is Ayub. I started my cybersecurity journey in January 2021. From that I graduated college and the pandemic started. So it was quite the transition.
Jason Dion:
Great job to graduate college, right? Right in the middle of a pandemic.
Ayub Yusuf:
Yeah, absolutely. But that period gave me a lot of time to reflect and I was happy enough to… I was lucky enough to find this field and it was such an honor, because I’ve had so many great opportunities. I’ve made so many great friends, and I’m just happy how everything played out.
Jason Dion:
Awesome. Yeah. So I know talking to you before we started recording, you had mentioned that this was your first job coming out of college and going into the cybersecurity world. So in college, what were you studying? What was your plan in life to be? Because I know a lot of us, we go to college thinking we’re going to be one thing and then we end up another. For instance, for me, my undergraduate degree is in human resources and I’m a cybersecurity guy. I don’t do human resources on a daily basis anymore. And I see a lot of people like that where we come with not a computer science degree or a cybersecurity degree, but something else. So what was yours?
Ayub Yusuf:
I majored in political science with a concentration in international affairs. I wanted to be a lawyer. I wanted to be engaged with our politics and civic society and such. But it’s kind of more difficult to get into in a lot of ways than cyber. There isn’t any way to prove yourself in a CTF or in other competitions that you have the talent to succeed.
Jason Dion:
Yeah, you’re right. When it comes to being a lawyer, so I actually come from a family of lawyers. My sister owns her own law firm and my father was a lawyer for many years as well, before he retired. And it is one of those things that has that traditional path. You got to go to get your bachelor’s, you go get your master’s/juris doctorate, you go pass the bar, you go get a job either as a public defender or a prosecutor, usually with the government or a low-level firm. And then you work your way up until you’re hopefully someday either owning your own firm or you’re a managing partner or something like that. And so it is a very, very straight, linear line and if you get off that path, it’s hard to get back on. And you’re right, it is getting that first job can be really, really challenging. I guess, what brought you over to cyber instead of… So you finished your bachelor’s, you could have gone into law school and continued that journey, but instead you decided to take a turn. Why did you take a turn?
Ayub Yusuf:
I actually found a YouTube video from Neal Bridges and David Bombal and he talked about ethical hacking and that was the first time I’ve ever heard about that. And it really frankly was from that moment on, I was like, I’m in cyber, I’m going to do this.
Jason Dion:
That’s awesome. Yeah, David Bombal is an excellent instructor. He does a lot of stuff, especially around networking and penetration testing. He’s got some great stuff out there. And so your dream job in cybersecurity sounds like would be going and being an ethical hacker, white-hat penetration tester type person. What is the current job that you have now?
Ayub Yusuf:
So I’m a cyber associate for Aon, so we do a little bit of everything. It’s a really great program because there aren’t many entry-level programs, but this one is, and you spend three months rotating between our different practice, our testing practice and our advisory practice. I have a huge interest in cybersecurity, not just ethical hacking, but detection engineering, threat hunting. I’m not really sure where I fit in at this point. I’m still trying to learn everything.
Jason Dion:
How long have you been with the company?
Ayub Yusuf:
Since April.
Jason Dion:
Okay, awesome. So at this point it’s been about eight, nine months, so you’re almost finishing up that first year in cyber. So I know talking with you previously, you had mentioned to get that first job, it took a lot of time and a lot of effort and to be frank, a lot of rejection. Can you tell me a little bit about that history?
Ayub Yusuf:
So it took me… I kept a Google spreadsheet just keeping every single job I applied to and it took 134 job applications. And the interesting thing you said is you got a lot of rejections. The answer is no. The most common answer I got was silence. So I think-
Jason Dion:
That’s very true.
Ayub Yusuf:
For about 60% of the jobs I sent an application to, I never heard anything back and I eventually got an interview with five and out of those I ended up where I am now.
Jason Dion:
That’s awesome. Yeah, I mean, you’re right. That is one of the most common things is because so much of this is automated these days, especially with Monster and Indeed and Glassdoor and all these other websites out there where you can go and look for jobs, it makes it so easy to apply for jobs that everyone does, and the companies just don’t have enough time to go through all the applications and they don’t necessarily want to say no to you because they may decide in six months, “Oh hey, you fit our profile.” And what I see a lot is they’re taking your applications in and they’re using that in their own internal database of people. And so later on when they have a new job that pops up and they go, “Hey, we’re looking for a security engineer who has Security+ and PenTest+ and two years of experience.”
And it’ll come back with a list of people. And so in your case, you’re in their database and you may hear from them six months from now, 12 months from now, a year from now, two years from now, whatever it happens to be. Or you may just hear nothing, which is what you’re hearing a lot of. And that’s very common, especially when you’re brand new into the industry. When you were applying, what did you have on your record? So at this point you had your bachelor’s degree in political science with a specialization in international relations. Did you have any certifications or courses, or how’d you try to beef up your resume to help stand out? Because having a political science degree doesn’t scream I’m going to be a cybersecurity person.
Ayub Yusuf:
So yeah, I tried to focus on the training I could afford. So I got the eJPT from eLearnSecurity, so the eLearnSecurity Junior Penetration Tester. And then I eventually got accepted to the SANS Diversity Academy scholarship and I ended up getting the GIAC Security Essentials Certification, the GIAC Incident Handler Certification and the GIAC Intrusion Analyst Certification. So I thought, in my opinion, I had a really good resume, but in a weird way it actually hurt me a lot of times, because I would be applying to these SOC roles and I think they would look at my resume and decide he’s going to be here for about two months and then move on just because he doesn’t fit what we need right now.
Jason Dion:
Yeah, that’s a good point because you know mentioned the GIAC certifications and, in general, SANS is really expensive and really hard to do for most people. So a lot of times when a company sees that you have SANS courses on your resume or SANS certifications, they think, “Oh, this person probably already had… Were working for a company that paid for this and that maybe you’re furthering your career,” right? Because generally when I see people take SANS, they’ve been in the industry for two to five years, they’re mid-level at that point and their company’s investing in them because those courses cost, they were from five to $8,000 to take the course and the certification. Because you were in the diversity program with SANS, you were able to get in and not have to pay for those, they paid for it for you. And I’m familiar with that program because we actually had a guest on probably five or 10 episodes ago, as well as the director who runs that program for SANS talking about that diversity and inclusion equity program.
It’s really cool three-month program where they really fire hose you with information and build you up to speed very quickly. But that does bring up the point that sometimes when people look at your resume alone, they’re only looking at it for six to 60 seconds. And for me as a hiring manager, when I see GIAC or SANS on there, I start thinking this person already had a career somewhere. And so if I’m hiring for an entry-level position, you’re kind of overqualified for the entry level. But then I look at your resume and I see that there’s no experience and I’m like, well, those two things don’t go together. So that can be one of those challenges is how do you get the experience to match up with those certifications when you’re brand new coming straight out of college. Sometimes in college you have the opportunity to do a lot of that because you already have CTFs or capture the flags or you’ve done a lot of hands-on lab work because you have a cybersecurity degree.
In your case, you didn’t because you came from a political science background, there was no cyber labs to play with. So how did you bridge that gap and finally get over that hump? What other things were you doing besides the SANS program to help build up that experience so that when you did get those five interviews, you could talk intelligently about the things they were asking you. Say, “Hey, have you ever used Nmap? Like, “Oh yeah, I’ve done that because of X, Y, and Z.” What are some of those things you did to get that hands-on experience?
Ayub Yusuf:
So I love CTFs. I try to do at least one a month. Sometimes I end up doing more, but I think they’re probably the best way to learn because it’s a gamified experience. And in my mind, it’s easier to learn after doing something how an attack works than it is to go back and try to just explain it just from a different explanation. So it really helps me get that foundational skill, you can talk about Nmap all day, but if I run a couple of Nmap scans and I understand how the program works, it becomes really easy for me to apply that to an interview question. It’s like, hey, what if you don’t have Nmap? Oh well, there are plenty of other scanners that you can use, like Masscan.
Jason Dion:
Yeah. Yeah, that’s a great point. So when you’re finding these CTFs, where are you finding them? Because I know I love doing CTFs as well, and you’re right, it is an excellent experience, especially if you’re doing some of the ones where they are team-based CTFs because if you’re getting stuck, you can then go, “Oh hey, I’m having problems. Ayub, can you help me with that too?” Right? “Or Kip, can you help me with that?” And you guys can work together on things. Where are you finding these different CTFs and are they more individualized, one-person online or are you doing it as a team?
Ayub Yusuf:
I’ve done a mix. Sometimes I think it’s important to work with a team because you could just see, learn that cooperation, but it’s also important to work by yourself because sometimes you end up with a really great teammate who flies through all the challenges and then you’re just stuck with the really difficult ones and you don’t get as much learning. So there’s a mix on my part, like it’s more 50/50 team versus individual. There’s a website called CTFtime, they have a ton. But oftentimes just being around people and just hearing about what’s coming up that’s usually what motivates me. Anything ran by John Hammond is excellent. So I would recommend doing any CTF that he’s associated With.
Jason Dion:
Awesome. Yeah, I actually just pulled up CTFtime. It’s ctftime.org, and if you go there you can find all of the upcoming CTFs for the year. And so for instance, I’m looking right now and there’s literally, between now and the end of December, which is basically three weeks as the time of this recording, there’s about 15 or 20 that are up, ready to go. And there’s some that are attack and defense, some of them are Jeopardy style where it’s you basically you go and pick… With Jeopardy style basically there’s a board and there’s different categories and they may have difficulties from one to five. And so if you pick five, you get 500 points, you pick one, you get 100 points, and it’s all about who gets the most points in that given time. And most of these CTFs run for one to two days at a time, and you can do them over the weekend or whenever they happen to be.
Some of them are free, some of them have some money associated with them, depending on what you’re doing. And for those, usually there’s like an entry fee and then they divvy out the prize to whoever wins. But a lot of them are just free and easy to do. A lot of them are online and a lot of them are local as well. So it’s a great thing to look at, ctftime.org, we’ll put that in the show notes as well, so people can take a look at that and get an idea of that. And then the other thing you had mentioned previously to me was that as you were applying for all these jobs, as you said, 134 jobs, one of the things I’m curious about is when you were applying for those jobs, were you using the same resume? Were you modifying it for each job? What was your technique and tactic there?
Ayub Yusuf:
So usually since I’ve taken so many courses and done so many different CTFs, I would remove certain things that are more relevant to the job posting. So for example, if it was more of a blue team role, I would include some malware reverse engineering courses I’ve taken. But if it was more of a red team role, I would include some web app courses I’ve taken. So it was the same template, but there were just a few points changed. I think one of my biggest problems were probably my resume, looking back in hindsight, I think I should have gotten more revisions. I had one person say it was great, which was great, but if you’re applying 10 places and you haven’t heard anything back and you qualify for those roles, I think you need to go back and get someone else’s opinion, have them weigh in on it and then make changes until you start getting some feedback back.
Jason Dion:
Yeah, I think that’s a great point because when you’re looking at your resume, if you’re using the same one each time, it’s not going to land with that particular hiring manager. They want to feel like you’re the only person in the world for them. They want to feel like you wrote this specifically for them. Now does that mean you have to write 134 different resumes? Well, no. What I usually recommend is you kind of create one master resume and then based on that, like you said, you delete things that don’t matter. So my master resume might be five or 10 pages, but the resume I’m going to submit is only going to be one, maybe two pages. And so I do want to make sure I’m highlighting things that are relevant to that particular position. So if I look at the job description, it says, must be familiar with Fortinet firewalls and must understand Juniper routing and blah blah blah.
I’d want to make sure I have those keyword based on my experience, highlighted and showing. Whereas if they’re talking more about this is a reconnaissance-based penetration testing role, must know open-source intelligence, I would want to talk more about things like Maltego and Shodan maybe even Nmap if I’m going to do a little bit of active reconnaissance and all my reconnaissance stuff as opposed to my attack stuff. But having that long list of everything makes it very quick to be able to do 134 resumes just by deleting out the things that aren’t relevant and then applying. So I think that’s a good strategy. And then another thing you know mentioned is if you don’t have a lot of experience, how do you make a name for yourself to be a thought leader? So people start hearing your name and they know who you are. What are some good examples of things that you’ve done in the past to do that?
Ayub Yusuf:
So the best example of this I did was at the end of last year, I posted a year in review and I just included… It was kind of a graphic of all the things I did. So I included certifications, I included the CTFs, and I think that post had over 100,000 impressions on Twitter. So I essentially got 100,000 people to look at my resume by making it into a little graphic. So I would encourage people to do that. Something else I saw other people do, they were like hundred days of InfoSec and they included like, “Hey, here’s what I’m working on every single day.” And I feel like that makes a great story for you, and you’ll have people in the community rooting for you. So I would encourage that.
Jason Dion:
.Yeah, I’m looking through your Twitter and anybody wants to follow his Twitter, it’s @whitecyberduck, all one word, whitecyberduck. And we’ll put that in the notes as well. But you’ve got several hundred tweets in there where you’re basically adding value to the InfoSec community. And so people are starting to know you and what you’re doing and following you and all that kind of stuff. So that helps. I think another thing you could do is blogs, YouTube channels, being at events and industry events. I know for instance, you met my partner Kip over at Deadwood in South Dakota at the InfoSec conference up there. And as you guys were there learning more from other people, you’re also meeting other people in the industry and they start to know you and get to know you and like you and trust you and all that stuff, which that will give you benefits.
We call that in-person networking, but you could do the same thing online with virtual events and CTFs and working on different teams and things like that. But I think as you are starting to build up your own personality and name, you want to be recognized as this thought leader. So having a blog, having a YouTube channel, using a Twitter feed, using LinkedIn posts, whatever it is, pick a channel and kind of build yourself up on that. Because even if you don’t have the experience, if you’re talking about this stuff and you’re doing it in a lab environment, you’re doing CTFs, all of that transfers over. It tells an employer that you care about this industry and you want to be a part of it and not just for a J-O-B or a salary or a paycheck, but you actually care about advancing the community as well.
So I think that’s really, really useful and good things to think about as you’re… Especially as a new person coming out of college, if I was talking to a sophomore, junior or senior in college, I would say right now, start a blog, start a YouTube channel, start using LinkedIn, start using Twitter, whatever it is, pick one of those and go with it. Because by the time you get out after two, three years of college and you have this wealth of buildup, employers do look at you online. And when I get a job application from you, I would go and type your name into Google and see what pops up. And in your case, there’ll be a lot of stuff that pops up because you have this footprint that you’ve been building over the last 6, 12, 18 months. So I think those things are really useful as well. And then-
Ayub Yusuf:
Yeah.
Jason Dion:
Oh sorry, go ahead.
Ayub Yusuf:
Yeah, you don’t have to go all the way to South Dakota to network.
Jason Dion:
Yeah, yeah.
Ayub Yusuf:
I highly recommend finding a local BSides or DefCon chapter. I understand, I was in that position. I didn’t have any money when I was trying to break into this field, so I wish I would’ve went to my BSides, I wish I would’ve went to my BSides Augusta. I went this year. They were awesome. But just trying to find local people is super helpful because there could be people you hang out with on a regular basis.
Jason Dion:
And that brings up a good point depending on where you’re located. So you’re located down in the Atlanta, Georgia area, and I know that there is BSides, two or three of them that happen in Atlanta and the surrounding areas like Augusta, like you had mentioned. I used to live in the Baltimore, DC area, and we had BSides Baltimore. There’s also BSides New York, which is about a two-hour drive. So you could drive up for the day, go to the conference and come back. And it’s not super expensive to drive up and drive back. I think Augusta from Atlanta is probably what, a couple hour drive. So it’s not a horrible investment. Going to South Dakota is a little bit harder. They also do some outposts as well. So they have San Diego, I know they’ve done one of those last year.
I plan on going out to BSides… Not BSides, Deadwood next time next year. I missed it this year because I was already on travel when I found out the dates. But I do plan on going. And I’ve done the Black Hat for instance, and Black Hat is kind of stupid expensive. So if you’re a brand new person trying to go into Black Hat for $3,500 for a couple of days, Vegas, that can be a challenge. But if you are in one of the major metro areas in the US either East Coast or West Coast, there are BSides all over the place that you should be able to get to. And another great place you can look is Meetup. Meetup is an app and website that has a lot of different meetings. I know in Annapolis there was weekly cybersecurity meetings when I lived in that area and I could go and meet other people and network and that in-person networking, really you’d be surprised at how much it can lead to your first job, your second job or even your third, fourth and fifth job.
I get a lot of job offers because of the people I’ve met over the years and they go, “Oh, I have a new position, Jason, you’d be perfect for that. Let me give you a call.” I’m not looking for new jobs, so please don’t reach out to me. But there are lots of people who are looking for jobs and being in those places will help put you in the right place. And then the other thing I wanted to talk to you about was as you started building up your skills, you had mentioned low-cost training that you could afford. What are some good examples of that?
Ayub Yusuf:
So the best example is the training from Antisyphon. So John Strand teaches three courses, Intro to SOC, Active Defense and Cyber Deception and SOC Core Skills or Intro to Security. So I would highly recommend checking those out because they’re pay what you can up to $0. And whether you want to become a SOC analyst or not, what you learn is the fundamental skills you’ll be using throughout your career. So you learn networking, you learn Linux, you’ll learn Windows. And from that foundation you can start looking into paid training. So I feel like some people, unfortunately, they start this industry and they start out, they’re like, “Oh, I need to go to these bootcamps.” And they spend $10,000 on a bootcamp where they could have learned a lot of that material on YouTube for free or cheap. So I would encourage you to start with the free stuff and then move to the paid stuff.
Jason Dion:
And I would echo that comment, definitely free is great, paid is okay. And then there’s different levels of pay. So for instance, you mentioned John Strand’s stuff, he was actually a guest back on Episode 61. So if anybody wants to go back and listen to that, it’s yourcyberpath.com/61 and that will take you to our episode on skills-based certification and training with John Strand. He actually came from the SANS world where they were charging five to $8,000 per course. And he is like, “It’s great training, but not everybody can afford it. What can we do to change that?” And that’s where he came up with the Antisyphon model, which is where they do this pay what you can model that you went through. And it’s an awesome model and some people pay $0, some people pay $50, some people pay $500, really just what can you afford to do it.
And because they’re doing it at scale where they might have a thousand, 5,000 people in a course or even a couple hundred people in a course, if everybody paid $5, that easily covers the instructor salary that they can have that training. Some other free things that are out there. As you mentioned, YouTube is a great one. The only challenge with YouTube that you have is finding quality content. There are lots of channels out there that do awesome, great jobs, but there’s also a lot of junk on YouTube. And a lot of it’s just filled with trying to upsell you to something else and things like that. So just keep that in mind as well. And then the other problem that I have with YouTube is that it’s not a curated or linear progression. And what I mean by that is let’s say you want to go get your Security+, you could find all the information you need to pass Security+ on YouTube, 100% for free.
But it’s going to be really hard to find a single playlist or a single course, for lack of a better term, that covers everything from A to Z throughout the certification. So I find YouTube is great too. If you’re looking for something specific, how do I do Nmap scans, or how do I do an SQL inject against an Apache server? Not an Apache server, what am I talking about? It’s a MySQL server or a Microsoft SQL server or something like that. You can find that kind of stuff on YouTube very well. Where I find a lot of… We mentioned cheap options, YouTube is good, but when you go to a paid version, you may look at something like LinkedIn Learning. They have great courses, Pluralsight has good courses, Udemy’s got great courses. Obviously people who listen to this podcast know I love Udemy, I teach on Udemy, I teach all the cybersecurity stuff from A+ all the way up through CASP+ on Udemy.
And those courses are 10, 15, $20 usually. And that’s going to give you really good videos, really good practice, really good study guides that you know is going to get you to passing your certification. So from a certification perspective, I really like Udemy, LinkedIn, Pluralsight, things like that. But when it comes to hands-on SOC skills, I think nothing really compares to what I’ve seen from Antisyphon and John Strand’s folks, especially at that low, cheap model, low price, cheap model or pay-what-you-can model.
And then there’s also a lot of other stuff you can do out there, like these CTFs that are really a really great way to learn. Because as you’re getting this challenge and it says, “Hey, here’s a disk image I want you to use Foremost and carve out the file that’s from this old deleted file of this disk image.” If you don’t know how to do that, you can go on YouTube real quick and say, how do I carve a disk file, and it will show you and then you can do that and then find out if you got it right because you got the secret key that you were looking for in that CTF. So I really like doing things like that. I think it’s a great way to do it. And then one other place I think is really good is Discord. Do you use Discord a lot?
Ayub Yusuf:
Yes, I love Discord.
Jason Dion:
So what is your favorite place to hang out on Discord? Is there a certain group or server that you like?
Ayub Yusuf:
I bounce around but one that stands out as really excellent is the Black Hills one. I think they call it… They changed the name of it. I forget the name right now, but the one, the BHIS one. Yeah, there’s so many. I think if you take a course from anybody, they’ll probably have a Discord channel that you can hop into.
Jason Dion:
Yeah, so our company Dion Training, we do have a Discord server as well. So if you want to jump in there and play in there, it is diontraining.com/discord and that’ll redirect you over to our Discord server. We’ve currently got about 2,600 members in there. We also have a big group on Facebook which has about 35,000 members. So we just started our Discord probably about six months ago, and at any given time, we’ve got several hundred people online. So if you’re studying for a certification and you’re like, “Hey, I’m working on my Security+ and I don’t understand this SQL inject thing,” you can go in there and ask questions. Somebody will probably do a video and send it back to you or answer your questions and that kind of stuff. So lots of great stuff and lots of great places that you can go and get this information without having to spend a ton of money.
Because again, Discord is completely free and it’s a great place to meet other people and chat with them, either voice or chat, text chat, and get some additional information. So in summary, I think that when we look at your story, right? Don’t get discouraged, don’t be worried if you don’t hear back from employers, because 134 applications and 60% of them he heard nothing. Nothing came back from the employer, but the other 40% he was able to hear back either “No, we’re not interested,” or he did get five interviews out of those 134 jobs.
And then from those five interviews, he picked the one that he liked the best and got the job with that company, and that’s where he is working now. And then the other thing is, as you’re working through, you’re kind of getting up to that point where you’re almost at the year point, what you’ll see is one to two years kind of is the sweet spot where once you get a year to two years of experience in cyber, you combine that with a couple of key certifications, and you’re just going to be so in demand that you’re going to be getting lots and lots of calls.
And next time you apply, it won’t take you 134 to get five interviews. It’ll be more like here’s 50 to get 10 interviews. And the more experience you have, the more valuable you are to an employer because you know more and you’re better off. But that first job is just it’s hard. And so for those of you who are trying to break into cybersecurity, just remember, even if you had to put in a hundred applications to get five interviews or 150 applications to get five interviews, that’s not bad if you are a brand new person and you have no experience and you’re trying to break in. But once you get that first job and you have 12, 18, 24 months under your belt, the job market just wide opens to you because that’s that sweet spot of where everybody’s trying to fight over is those people with one to two years of experience up to about five years of experience.
And so you’re definitely on the right track and in the right industry. And then the other thing I thought that was really important that you said was get that hands-on skill, whether that’s CTFs or Antisyphon training or something like that. Practice what you’re doing. Don’t just read a textbook, open up a VM, open up a cloud server and start hacking those things and making sure you understand what you’re doing. And then the final thing, I think, is just always be continuing to learn because our industry is constantly changing and so you have to keep up with the stuff and keep being engaged.
And you can do that in places like Discord, Twitter, LinkedIn, you’ll find great people out there putting out great content that you can follow along with, things like Darknet Diaries, things like Krebs on Security is another great blog. Lots of things out there that you can get information. And of course, this show every two weeks we put out information and try to help you in this cybersecurity industry and how to break in this hiring, firing, resumes, interviews, negotiations, all that kind of stuff. So that being said, I’m going to pass it back over to you for any final thoughts or comments.
Ayub Yusuf:
So if anyone wants to connect with me or ask me any questions, I’m available on Twitter and LinkedIn and Discord and Mastodon. So just feel free to look me up and shoot me a message, love to help in any way I can.
Jason Dion:
Awesome. Thank you again for joining us today and sharing your story. I know it’s one of those ones that we get a lot of questions about. It’s like, how do you get that first job? And really it comes down to persistence and then tailoring those resumes for the job to make sure you’re hitting those right keywords so you’re not getting blocked by ATS and then just going through and killing it and persevering until you get that first job. And once you go for that second job, it’s going to be so much easier. So that said, I want to thank you for being a guest today. And again, he’s at @whitecyberduck on Twitter, so you can find him there. And we’ll put links in the show notes to CTFtime, his Twitter account, the episode with John Strand that we mentioned, as well as our Discord server and any other great links that we’ve mentioned during this episode. Until next time, I will see you on the next episode of Your Cyber Path. Thanks.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
Don’t forget to sign up for our weekly Mentor Notes so you can break into the cybersecurity industry faster!