Working in cybersecurity takes not only the right skills and training, but also a mindset that focuses on persevering and finding opportunities to learn and grow. In previous student spotlights, Mihai spoke to us about starting a career in information security as a high school student, and Suhyun highlighted the importance of mindset and community along the path to certification.
In this student spotlight, OSCP holder Rana Khalil outlines the importance of perseverance and growth in pursuing a cybersecurity career – and how even those who have studied computer science need to keep working to develop information security experience.
Becoming a Cybersecurity Assessment Analyst
There are many different paths into information security. For Rana, the journey started for practical reasons. Her natural inclination toward problem solving led her to double major in math and computer science. From there, she started out as a programmer in a quality assurance team.
Rana decided to take Penetration Testing with Kali Linux after consultants were brought in to evaluate the security of the applications she was testing. She says, “Security should be part of QA. Quality assurance and security testing are not two completely separate processes; instead, they are really two sides of the same coin. The quality assurance team should work closely with the organization’s security team.” Building apps to be secure by design is a key step in empowering businesses to protect themselves and defend their web applications against malicious actors.
Many businesses will try automated tools and leave it at that. Rana’s curiosity pushed her to ask questions: how do the tools work – and can they find the same logic flaws that a knowledgeable human tester could find? What does the big picture look like when pentesting an app? Answering these questions required more training.
“I wanted to improve my skill set. I had experience in web apps, but I didn’t have network experience. I needed general experience. I didn’t know how to chain vulnerabilities. I was missing the holistic picture of penetration testing. I looked online for training courses and from what I got from the infosec community, the most respected one is the OSCP.”
Given her work on web apps, attaining the OSCP was just the beginning for Rana. After earning the foundational pentesting certification, she went on to Advanced Web Attacks and Exploitation to learn web application security.
The Right Mindset
Throughout her work and study, Rana maintained a mindset that prioritized perseverance and problem solving.
“I’ve always had a problem solving background. It’s a skill that you need. With the OSCP you’re really gonna need to want it…there’s no cookie-cutter method. Even if there is, it’s not useful to you during your job. You need to put in the effort, put in the time. It’s a skill set you need for your job.”
That perseverance is a key part of the Try Harder mindset taught at OffSec, and a hallmark of our most successful students. Those who want to become infosec professionals also need to cultivate the problem-solving mindset Rana describes.
“That’s something I gained from OSCP – no problem is too big or unsolvable. There’s always a solution. That was the most valuable thing I learned…the evolution in mindset came directly from the journey of a full year of working on this material.”
Both critical and creative thinking are necessary to break down the expected functions of a target, see how they could be exploited, and craft an appropriate response, whether that means demonstrating the weakness in an assessment or remediating it. When there’s no step-by-step guide available, a strong cybersecurity specialist is able to research, evaluate, and implement their own unique solutions. Those considering this path should be prepared to continually train, hone, and practice their thinking and problem-solving skills.
For those considering a career in information security, Rana has this advice:
“You need to be flexible in terms of the knowledge you gain, because things are constantly changing and you can’t have the same mentality that you had a year or a couple of months ago. New vectors come along. You need to be very flexible in terms of your thinking, because an attacker is creative in their thinking. They’re always changing their attack vector.”
Rana also acknowledged her employer’s support in earning her certifications, and highlighted the need for businesses and organizations to expand investment in training to address the cybersecurity skills gap. She also pointed out that many university degrees – even those focusing on computer science – don’t approach technical topics from a security perspective.
She says, “As a CS student, I didn’t learn about secure coding. I didn’t learn it until I forced it into my thesis on computer science.” If you’re a student interested in pursuing a career path in information security, don’t wait to see if the curriculum will introduce it. Instead, find ways to be proactive about bringing security topics into your studies. A practice of curious, engaged thinking is required to enter and succeed in the cybersecurity industry.
Personal and Community Growth
In addition to flexible thinking and proactive learning, Rana adds that infosec professionals should be prepared to put in a lot of personal time to keep up and need to love what they do. That personal investment can also be paid forward – that is, support those coming up in the field so that everyone can grow and be enriched by fresh ideas and new talent.
Rana, whose popular blog grew out of her desire to understand infosec concepts for herself, says, “I realized that I’d benefited from other blogs and free resources, so I wanted to give back to the community with something I wished I’d had just starting out.”
In the end, this growth and giving back benefits everyone, empowering and strengthening the industry.
Ready to do more learning of your own? Learn how to select the best cybersecurity training in our downloadable guide or review the paths you can take with OffSec courses.
Rana is a senior cybersecurity assessment analyst currently working in the banking sector. She has a diverse professional background with experience in software development, web application vulnerability assessment, malware analysis, and teaching. She has had the opportunity to speak at several conferences/chapters including BSides, ISSA, OWASP Ottawa and Hackfest. Rana recently received the Offensive Security Certified Professional (OSCP) certification and is currently pursuing the Offensive Security Web Expert (OSWE) certification. In her non-existent free time, you can find her posting HTB writeups on Medium, organizing study groups for the next certs she wants to pursue, and getting involved in the local cybersecurity community in Ottawa. Connect with her on Twitter or read her OSCP review.