EPISODE 90
How to Get Your First Job as a Pentester with Chris Horner


About this episode

In this episode, our host Jason Dion goes over the very exciting topic of how to get your first job as a pentester with Chris Horner, banking expert turned security engineer and penetration tester. Together, they go through Chris’s background, how he got into banking, and why he made the switch to cybersecurity.

Chris discusses his transition story and how it’s not the cliche zero to hero in 90 days, explaining that it took him a long time to transition to where he is today, and highlighting that his networking experience and soft skills were a huge aid on his job-hunting journey.

Jason then shares his opinion on Chris’s journey, highlighting many important parts, like how to deal with time limitations during your studies and how to choose the right path to start your cyber career.

Chris then shares his experience with the eJPT certification exam and how he was able to pass it, giving us examples of the training he used and how he prepared for it.

Then, Chris and Jason go over Chris’s job responsibilities and how he goes about every one of them, what he enjoys, what he finds tedious, and what parts of the job he finds challenging.

In the end, Jason and Chris discuss the hiring process from two different perspectives, the hiring manager perspective, and the applicant perspective, discussing the different challenges that both people go through.

What you’ll learn

  • How important are soft skills for someone in the cybersecurity industry?
  • How to choose the right certifications to start your pentesting career?
  • What is the eJPT test like?
  • What is it like working as a Pentester?
  • How long does it take to get your first job in pentesting?
  • How to fight self-doubt and continue your cyber career journey?


Episode Transcript

 

Jason Dion:                        
Hello and welcome to another episode of Your Cyber Path. I’m your host for today, Jason Dion. And joining me today is going to be my guest, Chris Horner. Now, today Kip is not going to be joining us because Kip’s actually out in California right now filming a couple of new courses for LinkedIn Learning, that are going to be coming out early in 2023.

These two new courses are going to be building and managing a cybersecurity program, which is really focused for the management and executive level to figure out how they should be doing cybersecurity in their organization, and be able to do all the governance, risk, and compliance associated with that.

And his second one is called measuring and managing cybersecurity risk. Now, this measuring and managing cybersecurity risk course is really, again, focused at that management level so they can start figuring out how do you track success or failure inside of your risk management programs, and how you can implement that in the real world.

When those come out, I’m sure Kip’s going to tell us all about it the next time he’s here on the podcast, over the next couple of weeks. And he’ll be able to share even more details about that. But if you’re in that management or executive space, definitely check out Kip’s courses over on LinkedIn Learning. He’s got lots of great stuff there.

But for today, what we’re going to be doing is talking with Chris Horner, who is a penetration tester. Now, I know when I work with students, a lot of times when I say, “What job do you want in the world of cybersecurity?” Probably the number one answer I get is, “I want to be a penetration tester.” And Chris has done that.

And what I think is really interesting about Chris’s story is that he didn’t come, necessarily, from an IT background, but he actually had a lot of experience in the banking industry, doing almost 20 years of banking. We’re going to talk about that as we go through the show of what was his experience like, how did he get into cybersecurity, what certifications or training he needed, what his role looks like now. And all that kind of wonderful stuff around the world of being a penetration tester here in this type of cybersecurity industry. That being said, welcome to the show, Chris. Thanks for joining me.

Chris Horner:                   
Absolutely. Thanks for having me today.

Jason Dion:                      
Yeah. As we get started, I mentioned in the intro that you are a penetration tester now, but that’s not where you started. Can you give us the background of where you started and how you got to where you are now?

Chris Horner:                    
Absolutely. Growing up, being young, I was always into computers and programming, and messing with things, so that interest was never a foreign interest. It’s not something I just woke up one day and thought, “Hey, you know what might be cool? If I do this.” [inaudible] I got recruited into the banking industry, and that was because I had a background in sales.

And that was the time that banks wanted those kinds of skills. And at the time, I was going to college, I was working a lot of retail jobs, which involved all kind of weird hours. And banking industry was like, “Hey, we can use those same skills and you can work a normal schedule.” And the money was good. And I was like, “Well, sold.”

Jason Dion:                        
The traditional banker’s hours, right? 9:00 to 5:00, that kind of thing?

Chris Horner:                    
Yeah. Yeah. Which turns out not to be as true as you think, but anyway. But I never lost that interest in technology. And so, as a banker, because I could understand technology, I could land technology clients because I could speak their language. I was always still in that world. Had a lot of clients that way. And of course, those clients would refer me to other clients like, “Hey, a banker actually understands our business.” That was unusual. Carved my own little niche in that.

Jason Dion:                        
That’s awesome. Yeah, my sister’s actually a lawyer down in Orlando, and she works with a lot of technical clients as well for that reason. Because as a tech company myself, we use her and her law firm.

And her law firm has a lot of other tech clients because they understand our business and our business model, and the way that we work. And the way we operate, and the different challenges involved with that. And so, you’re right, even if you’re working in something like banking that’s not necessarily totally related to IT, if you can speak that language, you can help service those clients better.

Yeah. I’m looking through your history here on LinkedIn, and I see that your last couple of jobs, you were working as a branch manager for some pretty large banks. And then you switched over to your new job as a security engineer and penetration tester.

Can you tell me a little bit about how you prepared for that jump? And then how you chose either that company or that role? What excited you about that particular place?

Chris Horner:                    
I’ll make a very long story rather short. My dad was a software engineer and he gave me a hand me down Linux laptop one day. He said, “Hey, I’m done with this. Would you be interested in playing with it?” And like I said, I love to tinker with things, so why not?

And as I got into it, that’s what rekindled my whole interest in that. And then, started learning about cybersecurity and pen testing. And it’s like the stuff that I thought would be fun to do is actually a paying job. Now people will pay you to do stuff like that.

And again, tying it back into banking, especially the branch manager. Fraud and security are two major things that you’re responsible for. You have to sniff out fraud. And you have to make sure that the bank’s assets are all locked down, people’s accounts are locked down. You have to teach them how to be cyber safe online. There were those parallels too.

As I started looking into it, I started by taking an introductory course to pen testing to see if I liked it. It was a Udemy course, and I loved it. I thought it was really [inaudible] and at the system level, understanding what was done. How can you manipulate things to make things do. I like to break things. I think it’s funny to make things do things that they’re not supposed to do.

That’s for better or worse it is. But so after I completed that course, that was probably a 50-hour course or so, I thought, “Hey, I’m really hot stuff.” And I’d heard about OSCP, so I’m like, “Hey, I’m going to start the OSCP and I’m going to knock that thing out in 90 days.” And let’s just say that was quite humbling experience. I learned I knew absolutely nothing. That turned into overall three failures of the OSCP. And I still don’t have it to this day honestly. And it was extremely discouraging.

Now at the same time… Okay. I know a lot of LinkedIn posts will talk about zero to hero in six months and stuff like that. My story’s not like that. Mine’s more like zero to hero in 1,000 days. That’s what I like to call it. And reason being, I’m working full-time, I’m a single father with four kids. I have them full-time.

I’m trying to study while still producing up my job while raising children. In between all the time, I had some family events come up. This was a very long process of studying and grinding and doing things. But along the way too, because of my banking background, I’m good at networking so I could make connections. Started getting people in the cyber industry. Got invited to some really cool conferences, like the Edge Conference for Tenable, for example, as I was still studying for OSCP and learning about the eJPT.

And I decided to take a crack at it because it was a more entry level, much more so than the OSCP. Tried that, blew it out of the park. And that was good year and a half into this journey. And I thought, “Okay, okay, I’m starting to learn things now.” Then I started with applying for jobs and starting to get hiring managers and companies and they’ve had a lot of mixed results too.

But I finally landed on connecting with the company I currently work for, Triaxiom Security. And what they were looking for were engineers that also could speak the language of business. Because their business model is they want the engineers that start with the client, to continue all the way through. That’s own. That’s not common in the cybersecurity industry.

My understanding is a lot of times you’re going to have your business development person and the project manager and the tech guy is on the backyard, but that’s not how they wanted to do business. That’s a very specific skillset. In talking with them, they like the fact that my banking background, I’m used to talk big clients. I’ve also had a lot of exposure to a lot of different businesses and a lot of different industries.

Because of my banking background, I mainly dealt with business clients. And they knew my tech skills were going to take a little bit of work to bring up to snuff. But some back-and-forth conversation, several months later, they offered me a position and I gladly accepted.

Jason Dion:                        
Awesome.

Chris Horner:                  
This is everything I’ve been going for. And then, they’ve also helped me level that up and recently just completed the PMPT certification as well.

Jason Dion:                      
Awesome. I’m going to dive into a couple of questions based on everything you just said. A couple things I heard that stuck out to me is, you came from this banking background. You didn’t really have a tech background, but you’re able to leverage this networking and soft skills.

And so, one of the things that Kip and I talk about a lot is you can have all the technical skills in the world, but if people don’t like you or want to work with you, you’re not going to get the job. And alternatively, if they like you and they want to work with you and they see something that’s really valuable, like your expertise with talking to other people and working from that business perspective instead of the technical perspective, they realize, “Hey, I can hire somebody in who has a basic pen testing skills but has really good business and networking and communication skills. And I can train that tech and bring you up.”

And I see that a lot in the industry, where not necessarily the most qualified person will get the job because they don’t have the soft skills to go with it. They just have the technical skills. And as you said, in some organizations that may work where you have a biz dev person who’s working with the client, a project manager who’s dealing with the client. And then they just push all the technical stuff to the guy in the basement who’s with the dark hoodie on, the traditional hacker that doesn’t talk to anybody.

And more and more these days, people are looking for more of the complete picture, especially because the clients want to talk to those engineers, they want to make sure they’re talking to the pen testers and know what’s going on and how that business operates. I thought that was really interesting.

The other thing I thought was interesting is I didn’t hear you say once college in there. I hear so many people who are like, “Hey, I want to make a switch into cybersecurity. I’m going to quit my job and go to college for four years and rack up $200,000 in student loans.” And that’s just not the way to do it. I like the way you did it, where you slowly chipped away at it over time. You figured out what worked, you started your networking, you made connections.

And then once you were ready and you had the tech behind you because you had now passed your eJPT, you were able to go and move into that type of a role. And then the third thing that I thought was really interesting is, you mentioned you were a single father with four kids, so your time was at a premium. And I have a lot of students that I teach all different certifications and some of them are very short certifications, like ITIL Foundation, that’s normally a two-day course.

Most people can find two days, but if you’re trying to go and become a pen tester, it’s generally going to take 3, 6, 9 months because there’s just so much to learn. And even if you’re doing something like the PenTest+ exam or CEH, that’s usually going to be 30 to 60 days. If you’re doing OSCP, it’s like a 90 day if you have nothing else in your life going on, but you have a full-time job, you have kids. You have probably other commitments and volunteering work in your area.

And it’s one of those things that if you want it enough, you found the time to do it, but it took you a little longer because you had to do it a little bit at a time as you were working towards those things. I thought that was really interesting as well.

The other thing I wanted to bring up is you mentioned OSCP and eJPT. Those usually are higher up in the pen testing world because they’re more hands-on certifications, as opposed to something like CEH or PenTest+. Is there a reason that you didn’t go for CEH or PenTest+ first and jumped right into one of those?

Chris Horner:                   
I had talked to people in the industry. And it seemed that the ones that were more technically focused were the certifications were more well regarded. Like you’ve alluded to, I’ve only got so much time to do this. I could go get the alphabet soup of everything, but what’s going to serve me best? And so, it seemed like the technical ones like the eJPT, OSCP, that I was seeing the most in job description and seemed to be most valued by people I talked to.

Jason Dion:                        
Yeah. Yeah, that’s a good point. And that’s one of the things I always tell the audience is when you’re thinking about what certification to get, it’s not about collecting the alphabet soup like he said. Yeah, you can go out and get your A+, your Network+, your Security+, your CySA+, your PenTest+, your CASP+, your CISSP, your CISM and all that stuff. And you can look up and you have 20, 30 certifications. But then, are you really answering the mail on what employers are looking for?

And so what I always like to do is say, “Hey, I’m in this region. Let me see what other employers in this region are asking for.” And I know that you’re in the Charlotte metro area, which is apt because that’s one of those big banking and tech centers. And so I think having your bank background and there’s a lot of banks and tech in that area probably helped as well. But if you were looking there versus looking in, I don’t know, Tokyo, they’re going to ask for different things.

And so, depending on where you live in the country or in the world, it’s important to look at what’s important. And just because eJPT worked for Chris doesn’t mean it’s going to work for you, the listening audience, depending on where you are. Always pull those job postings and say, “What am I seeing as the recommended or required certifications?” And generally what I see for pen testing is they usually want CEH or PenTest+ for an entry level role. And then they want eJPT for mid-level roles and OSCP as you go higher up for the higher level roles.

But that’s just where I’ve seen things. And so, depending on where you’re trying to go and where you’re trying to break in, picking the right certification is going to matter. And then the other thing is we talked about OSCP a little bit there, Offensive Security Certified Professional. Is really based, it’s made by the people who made Kali Linux. And they made that as a very hands-on exam.

I think it’s a 24-hour exam. And you go through and you try to find all the things you can attack. And then you write up your report at the end, you submit it. And then based on that they count up how many points you get and how many things you found. Basically, it’s a capture the flag in real time and you only have 24 hours to find as much as you can. If you find enough, you pass. And if you didn’t find enough you don’t pass.

And I’m guessing that probably was part of your issue with doing OSCP, may not have been that you technically hit a hurdle, but you may have also hit a time issue because you have other things in your life going on too. You probably didn’t have a full 24 hours to just sit in front of a computer and do it. You probably had a couple hours here and a couple hours there. And that can break up your workflow in pen testing too. Is that what happened with you?

Chris Horner:                    
Yeah, it wasn’t so much the technical. It’s also very much a mental test. And I’ll be honest, I freak out and melt down in test environments. I just do. Some people are good taking tests, I’m not. I panic. Things start to go wrong, I panic more. I know calm down, try harder, all that stuff. But that’s what my biggest challenge was on that, on OSCP. But in a few months I’ll follow back up with you because I’m going to be sitting for it again here, 2023. Now that I’ve got a little more experience under my belt, understand a little more, not going to freak out as that in test environments right now.

Jason Dion:                      
Yeah. Can we talk a little bit more about eJPT? Because personally, I’ve never taken that one. What is that test like? And for those in the listening audience, I know it’s one of the more niche certifications in the industry as opposed to something like CEH or PenTest+, where those are very A, B, C, D multiple choice. Which is 100% that way for CEH. And then for PenTest+ there’s usually four or five simulation type questions, but they’re very small simulations. eJPT, is that more of a hands-on or more of A, B, C, D type questions?

Chris Horner:                    
It’s a hybrid. Now, I will also say I took version one of that test. And they just released version two, literally a couple weeks ago. Well, my understanding is it’s fundamentally the same. It is A, B, C, D, but in order to find the answers, you can’t guess it. And you have to hack your way through the system in order to find the answers. There’s no way you’re going to be able to just, “Oh, okay it’s this one,” because it’s usually a flag.

Jason Dion:                      
Okay. The A, B, C, D questions aren’t something like which of the following is part of the CIA triad? It’s more like, which of the following is the flag on box one? A, monkey, B, dog, C, kitty, D, dolphin. And you wouldn’t know until you actually went in there and found the right word. And then you can pick the right one. Something more like that?

Chris Horner:                    
Exactly. What is the flag?

Jason Dion:                        
Cool.

Chris Horner:                   
What is the password discovered on this service? It is set up a little mini network, so you do work your way through it and discover. At the time, it was 20 questions. I think it’s 35 now though.

Jason Dion:                        
Okay. And if somebody wanted to study for that, what did you use? What did you find to be effective when studying for the eJPT as somebody who is new to pen testing?

Chris Horner:                   
Honestly, because back then, it was INE, I just used the course that they provided for it. Everything that was in the course… No, let me say that. Everything you needed to pass the test was in the course. There were no curve balls, no gotchas, like some other certifications maybe. But if you understood that course material and you could execute on it, you could pass the test.

Jason Dion:                      
Okay. And then when you were doing the OSCP, did you also do where they… I know they have, you can buy just a test or you can buy the training plus three months of their lab environment and their test. Which of those were you using?

Chris Horner:                    
I bought the lab environment initially and I kept extending it. I did that for, I don’t even remember how many months after my 90 days. And around that time, TryHackMe came out. Look, the OSCP labs are expensive.

Jason Dion:                        
Yes.

Chris Horner:                    
But I found that like TryHackMe, Hack The Box, it’s not hard to find lists online that will tell you which of those labs and courses are comparable to OSCP boxes. During that time too, Heath Adams, Cyber Mentor, he started coming out with his courses, which I find excellent and are very easy to understand and very easy to follow. And that kind of concepts click. I used that to prep. And then the other thing I found very effective was Offensive Security’s Proving Grounds, which at the time might still be. It was $20 a month. And OffSecs were comparable to OSCP level boxes. That was a little more cost effective way to prepare too.

Jason Dion:                        
Awesome. Yeah. And then another great free resource, it doesn’t link directly to OSCP, but as you’re playing and trying to learn more about either being a cybersecurity analyst or a penetration tester is VulnHub and you can go to V-U-L-N-H-U-B.O-R-G. They have a bunch of different virtual machines. Most of them are Linux-based. But they’ll have them with different configurations and different flags hidden.

And so you can take these, put them into a little virtual network and start doing discovery against them to find out what vulnerabilities they have. Then try to exploit those vulnerabilities and try to find the flags and work your way through these little systems that people have made as a free open source way. And there’s probably three, 400 different boxes there that can keep you busy.

Another great thing that I mentioned in one of the previous episodes was ctftime.org, which is a CTF site that has a bunch of free and paid CTFs capture the flags that you can participate in. Which again, gives you a chance to practice your skills, upgrade your skills, learn from your mistakes. And then when you go to an interview you can also talk about the fact that you were doing these different CTFs and that can help you in that process.

Now that we covered a little bit about the certifications, I want to talk a little bit more about your role as a penetration tester. Especially as somebody who’s been basically about a year, you’ve been in this role as a penetration tester, so you’re fairly new to it. What has that experience been like? What kind of work are you doing? Are you working as part of a team or are you working solo? What does that look like on a daily basis for you?

Chris Horner:                    
Still work as a team. The two things I’m primarily responsible for are social engineering campaigns and external pen tests. The social engineering I find is fun. Setting up the campaigns, setting up fake websites, training. I find that really interesting work that might be fun. I work quite independently, but I also have people I can ask if I run into questions. And for next year they want to start training me on internal pen test as well.

Jason Dion:                        
Right now, you’re doing a lot of social engineering and a lot of external pen tests. Chris, so you mentioned you do a lot of social engineering in your current job. When you’re doing that social engineering, is that mostly phishing and spear phishing campaigns and you’re doing it remotely? Or are you also doing things in person where you’re doing deceptive practices and trying to go through and test their physical security for piggybacking and tailgating and stuff like that?

Chris Horner:                    
So far it’s all been phishing, vishing and spear phishing, so it’s all been remote. Our company does do some physicals but not a whole lot. Most of it is setting up campaigns, trying to capture user credentials through fake websites, sending out phish emails, calling them on the phone, trying to get people to do things, bypass their security procedures that way.

Jason Dion:                        
I’m curious, what kind of tools are you using to do that? Are you guys using open source things like the social engineering toolkit or are you using something custom inside your own organization?

Chris Horner:                    
No, we’re doing off-the-shelf open source tools. We use social engineering toolkit primarily. We have used Gophish if it’s a larger engagement. And the app SpoofCard to spoof phone numbers when we’re doing the phishing calls.

Jason Dion:                      
Awesome. Yeah, I’ve used a lot of social engineering toolkit. I haven’t used Gophish myself. The one I used to use a lot was Phish Insights when I did engagements, which is made by TrendMicro. It’s another great system, where it allows you to basically do all of that.

And then, the nice thing about that system is, if they do fall victim to it, you can use it as part of your security awareness training by saying, “Hey, now that you’ve messed up, here’s a video you need to watch to make sure you’re remediated before we unlock your account again,” and things like that. Again, just depends on how you guys are doing it in your organization.

And then you had mentioned you’re doing a lot of external engagements for pen test, not a lot of internal. In that case, are you doing things like more of the reconnaissance and the enumeration trying to find the ways in. And then do you hand that off to somebody else or do you also do the engagement of trying to break in once you’ve identified those holes?

Chris Horner:                   
I do do the trying to break in once I find the holes. These days with external, it could be a little tougher. I do a lot of password spray. It’s on 365, for example, looking for passwords, looking for default credentials, trying to brute force my way into things sometimes. Or just trying to find enough weaknesses that I can chain together to create a kill chain attack and use that part of my brain. How do I break it? How do I make it do something it’s not supposed to do? And then, from the standpoint of going back to, “Hey, here’s something we’ve found. You think about it and here’s how you close it up.”

Jason Dion:                        
Awesome. And then just going back to the career side of things. I know this is going to be your first job in the world of penetration testing and really in IT security. I know a lot of people, they really struggle to get that first job. And once you get the first one, it becomes really easy.

Right now, you’ve got a year of experience at this point. If you start applying for jobs, you probably have a pretty easy time going to another company if you wanted to. How hard was it for you to get that first job? Did you have to put 100 resumes out there, or 200, 1,000? How quickly were you able to do that? Or were you able to bypass that process through some of that networking that you’ve done?

Chris Horner:                   
I was not able to bypass the process. It was not simple, it was not quick. It was a grind. It was a literal grind. It wasn’t so much that I didn’t know how to talk to companies or how to present myself. Bypassing HR filters was almost impossible. Because who in God’s green earth is going to talk to a bank manager that wants to be a pen tester? Let’s just be real. Unless I have a personal referral, that makes no sense. And when you have the competition that you have for in the roles, it’s very easy to see a resume out of the pile.

I’m just being realistic. That was work against me. It was networking, you’re trying to find personal connection, that where I have the opportunity to get in front of somebody to talk. Sometimes it was companies don’t even know what they’re talking about or what they want.

I was told I was going to come in for a technical interview. My understanding of a technical interview, especially for pen test role is can you break into this? How would you evaluate this? But it’s eight and a half by 11 sheet of paper. Circle the right answers with things like what is the file format of Windows 7? That was, “Okay. Here, take this quiz and we’ll come back to you.”

And I know I didn’t do good on it. And when I said, “Well, I thought we were going to talk about vulnerability analysis, how do we remediate things? How do we prioritize. Wait. I thought that’s what we were going to talk about, but I don’t know what this is.” Well, I never got invited back to that interview either because of my mouth. But it took a good year and a half from the time I got through submitting to where I thought I could to landing the job.

Jason Dion:                        
Yeah. It can be a really long process, especially when you are trying to get that first role, as we said. And I think it’s interesting you mentioned the technical interview that was on paper. I’ve seen that done several times. I’ve seen it also done where they’ll do it as a pre-interview quiz.

And so we’ll say, “Hey, based on our resume reviews, we went from 1,000 people who applied to the 100 we think we’re interested in. We’re going to send out this quiz that maybe takes 10 minutes for everybody to fill out.” And that way we can at least see, “Okay, based on this, do you have the technical knowledge and background that would be applicable to this position.” And maybe out of those 100 people, we get down to 10 people and we call them in for an interview. And then out of those 10, we might get a follow-up for five. And then out of those five we’ll make an offer to one or two of them.

And so, we get this big stack to the little stack to the little stack. And anything they can do in an automated method, which includes those quizzes, can be useful. In fact, one of the organizations I work with here in Puerto Rico, they are a security operation center. And I helped them build out their initial evaluation pipeline.

And one of the things we did there was, as people were coming in, they had different roles and different levels. And they wanted to be able to quickly assess if some brand-new person like Chris comes in as nobody who knows him. He can go in, take this 30 or 40 question quiz. And then at the end we say, “Okay, based on your responses we think you fit an entry level role, a medium role or an advanced role.” And then we would put you into the right bucket. If we have a job for that, then we would interview you for that job. And so, that became part of that automation process.

I wouldn’t be surprised out there if people are seeing that because it is being used more and more. I’ve also seen a lot of virtualized interviews where AI is doing the interview, not a real person. In fact, when we were running our hired program with Your Cyber Path, we used that in our program as well, where we gave people 10 questions and they had to answer each one in one to two minutes. And then we would go back and be able to review those.

And then based on that, if we were hiring somebody, we’d say, “Okay, now that we’ve looked at these 10 people who gave us prerecorded messages, I can then decide who I want to call in for a real interview. And do face-to-face and really probe them a little bit harder.”

And so I see a lot of that in the industry being used. And it’s something that is changing over time because again, there are so many people trying to fight for these jobs, especially at the entry level. And as you said, if you’re coming from being a bank manager or being a marketing person or being a salesperson, you’re just in some completely different industry, it can be hard to get in.

But that being said, you’re not the first person we’ve talked to on this podcast that came in from a non-IT background. We had another person recently who was working at a bike shop. And he had a degree in music. And he got hired to be a vulnerability analyst because of persistence. And in his case, he actually met somebody, he had a help desk job. And then when he got that help desk job, he was able to meet somebody in the cybersecurity side, made friends through networking. And then they were able to refer him. And they said, “Oh, even though he doesn’t have the perfect background, we know he’s a good worker and we’ll bring him in anyway.” And they were able to train him up with the skills needed.

It is one of those things that kind of happens. I think what you’ll find is the next time when you’re looking for another position. And I’m looking at your past generally, it seems like you stay at a place for quite a bit a long time. Most of the places you’ve been at have been five or 10 years.

When you’re ready to leave after 1, 2, 3, 5 years, there’s going to be a lot more companies fighting over you. And you won’t have this, “I have to put out 1,000 resumes to try to get one person interested in me.” It becomes more of you’re going to put out 10 resumes and have five people interested in you because you’re now at the medium level or the advanced level. And there’s so much less competition once you get up to those areas.

Chris Horner:                   
Very true.

Jason Dion:                      
Yeah. And then the last thing I wanted to ask you is where do you see your career going from here? As you’ve now moved into the cybersecurity industry, I’m looking at you on the screen, those on the podcasts can’t see you. But you and I look like we’re probably about the same age, somewhere in our 40s. You’re mid-life, mid-career. And so, you’ve probably got another 10, 20, 30 years of working life ahead of you. What’s your plan for your career?

Chris Horner:                  
And I’m not just saying this because I know my company will probably see this interview. But…

Jason Dion:                        
I love you guys. I swear.

Chris Horner:                    
I really feel fortunate to land where I landed. And the company that I work for, they take awesome care of their employees and they’re growing. I mean right now they’re booked out months in advance of work. And they’ve been around five, six years roughly, maybe seven. But there’s growth opportunity there.

For where I want to go now, I want to learn the internal pens. I want to continue becoming just a solid tester because I love that. And the way that where I’m at, because it’s a different project every week, it’s a different industry, it’s always different. The challenge is always there.

It’s here, for right now, just want to keep growing, get a couple more certifications. I am going to go back and beat that OSCP because I don’t let things beat me. And certified red team operator, that’s something I want to learn more of too. More of the full-on red team environment because that just is fun.

Jason Dion:                      
It sounds like your path is you want to stay technical hands-on keyboard. And that was really my question was are you planning on staying technical hands-on keyboard and going from being a junior pen tester to a mid-level pen tester to a high level pen tester and that’s your career path? Or are you looking at, “Hey, I’m going to get to a certain point and then I want to move over to and be more of the manager of the team. Or I want to be a CIO or CSO one day?”

And there is no right answer. Everybody’s got to have their own opinion. Personally, I love hands-on keyboard stuff. I regret that I moved into the management side of the business as early as I did because I didn’t get to do as much hands-on fun stuff as I used to love. And so even as a manager, I was running a lot of pen tests, but I wasn’t really getting to do a lot of the hands-on stuff like I used to. And that can happen.

It’s important to know where you are and where you want to be. And right now, it sounds like you’re loving what you’re doing. And you want to stay in that path of very hands-on, very technical, which is awesome because we need good people doing.

And there’s not going to be any shortage of jobs and roles available because, as we continue to expand in the cybersecurity industry and the bad guys are getting better at what they do, we as defenders have to get better at what we do. And there’s a lot more money and investment going into this cybersecurity and the world of pen testing and vulnerability analysis and all of that kind of stuff because of the rise in data breaches.

Chris Horner:                   
Absolutely.

Jason Dion:                      
Awesome. Yeah. I’ll kick it over to you for any last comments you may have for the audience. Any last minute advice, things you wish you knew, things you wish you did to make your life easier. Anything, any words of wisdom you want to share?

Chris Horner:                     
Honestly, the only one, and this is so cliché, but it’s so true. You just got to grind it out. If you want it bad enough, there’s always a way. And I’m not saying that because oh, I went through it and I made it. I went through a lot of self-doubt. And a lot of times from, “Why am I doing this and worth it? I’m no good at this. I suck.” All the negative that is going to creep in. But if you truly enjoy it and you find passion in it, just grind through it.

And don’t be afraid to ask for help. Form a little group, even a study group for the certifications. And don’t be afraid to pick up the phone or to meet somebody in person. Say, “Hey, I’m really interested in your job. Can I learn more about it?” You’re going to learn something from everybody.

Jason Dion:                    
Awesome advice. And if people want to connect with you, what’s the best way to reach out and find you, Chris?

Chris Horner:                      
Oh, LinkedIn, for sure.

Jason Dion:                      
Awesome.

Chris Horner:                     
Yeah, [inaudible].

Jason Dion:                      
Awesome. I’ll put a link in the show notes, Chris’s LinkedIn profile. It’s linkedin.com/in/chrismhorner, H-O-R-N-E-R. And we’ll put that in the show notes as well. If anybody wants to connect with him, you’ll be able to do that on LinkedIn as well.

Chris Horner:                     
Yep. I’m very open. I very rarely refuse connections, except fake people that try to sell certifications, that we tend to get a lot of.

Jason Dion:                      
Oh, yeah. I love those. The hey, 100% pass guarantee. No work required. Just send me money and I’ll give you your certification because I’ll pretend to be you. Yeah, those guys are a horrible plague on the certification industry.

Chris Horner:                     
They are. But otherwise, I basically accept all connections that come my way.

Jason Dion:                        
Awesome. Yeah, same with me. If you want to reach out to me, I’m linkedin.com/in/jasondion. You should be able to find me there as well. Yeah, I want to thank you all for joining us for yet another episode of Your Cyber Path podcast.

If you’re interested in becoming a pen tester like Chris, my recommendation to you would be learn the basics. Start out with Security+. Even if you’re not going to get the certification for it, the stuff you learn in there is just so darn valuable to giving you that good, wide breadth and depth across the industry. And then you can go into more specialized areas like cybersecurity analyst if you want to do CySA+ and that role as the defense side. Or if you want to be red team side, something like PenTest+ is a great place to start because you’re going to learn all these attacks and hacks and what they look like and how to actually do them in a lab environment. And once you have that, that’s your basic line. Then you can move up to something like eJPT, where it’s a lot more hands-on. Or ultimately OSCP, which really is probably the hardest certification out there for pen testing right now on the market. Those are the way I see things. And again, if you need any help with the plus certifications, the CompTIA ones, obviously you can get that over at diontraining.com.

At diontraining.com, we have all of the CompTIA stuff from A+, all the way up through CASP+, so we got you fully covered there. We don’t currently have eJPT or OSCP, but it is something we may add in the future, so always check back with us there. Until next time, thanks for joining us again for Your Cyber Path and we’ll see you next week.

YOUR HOST:

    Kip Boyle
      Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

    Jason Dion
      Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.