Ah, the ol’ security through obscurity trick… (not recommended) 😁

Let me first say. I don’t really know. I haven’t been looking for jobs (thankfully) and I’m not entry-level. That said, I’ve heard it’s pretty rough 🤷‍♂️. That said here’s some stuff I’ve written about in the past that could be useful/interesting for you…

• My take on the current infosec job market
• Thoughts on a career in infosec
• How to get into infosec
• Some commentary on how breaking into infosec can be hard
• On the subject of gatekeeping in this field
• A big resource on my path into infosec and reviews of certs/trainings I’ve taken.
• My caution on those who would give you stale career advice. To be clear, this means from me too.

Good luck out there!

Be comfortable not knowing things and delegating, don’t report to the CIO (bcuz usual conflict of interest stuff), invest in people (training, career progression stuff), don’t follow the industry herd (i.e. salivate over AI just because every other E-level type is). I’m an IC, always have been, so there’s a lot im sure I don’t know in terms of effective management among managers but from my perspective this is what I would perceive as efficacy and proficiency at that level. That and Ill throw in that traditional ways of measuring “success” or output rarely applies to infosec teams. It’s hard to measure “how secure are we” or “how many things did we block this month”.

Not really actively doin’ any certs or training. But have been learning a bit more about threat modeling recently 🤷‍♂️

These days, sometimes it’s just enough to survive. Stay sane out there folks.

Sorry to hear it! Hope you get back into the gym soon. I know what that’s like. It also sucks to just feel like you’re losing whatever progress or gains you had made before getting sick. Feel for ya!

I know how. I just don’t. 😬

😆

Was / am still trying to work on the WEB-300 course. I’ve also dumped personal money to it at one point or another =/

Oooph I know the feeling. I have been for months and months trying to get the sustained energy to work on OffSec training. Hasn’t happened yet.

• Been reviewing Flipboard’s “Surf” app (social web browser)
• Working on some other write-ups for my blog… such as, overcoming my own burnout to write a piece ABOUT said burnout
• Assessing some (un-named) endpoint security software at work
• Testing out some other Fediverse client software, specifically, been using the Mona app more recently
• Going to start thinking about getting back into some training of some kind… not sure what though (yet)

Hello! 👋

There’s no one path in to be sure. But there’s lots of ways to educate yourself and build a “hireable” portfolio from home and without getting a typical 4-year degree. Learn to code, get some applicable certifications, start a website (as your digital portfolio), contribute to open source or spin up your own project(s), etc… The IT/software/cyber market is not at its peak (in terms of opportunity), but we’re definitely still here and there are openings. It’s still a great field with a lot of perks if you can weather the challenges of “breaking in”. It’s also not going anywhere, despite what some may lead you to believe given the advent of “AI”. For those of us in tech, we’ll be the first to tell you that our jobs are pretty safe.

If it’s infosec you might be interested in, you may find this guide I put together and typically share interesting - https://shellsharks.com/getting-into-information-security.

Good luck!

I’ve tried a bit. But not really day-to-day just yet

Overall, yes. Day to day y’know it varies. Pure “security work” is, for me, genuinely interesting and I spend legit personal time learning and working on projects, for no other reason than they are kinda fun. What I do as a security engineer for a corporation day-to-day and week-to-week doesn’t always translate to the “fun stuff”. So my answer is somewhat nuanced. Yes, I do like cybersecurity. But no, I don’t always like the work in terms of how it manifests in corporate life.

🦀

Got a bunch of house projects coming up myself… What kinda renos you up to?

I just use an Osprey Comet daypack (https://www.amazon.com/gp/product/B072N2WY6S/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1), though if I had just random money to burn I might go for the “Technonaut” https://www.tombihn.com/products/techonaut-30?variant=40265614753981

I wouldn’t worry about certs to start, especially not OSCP. Since you are in the software/dev space, I would consider security roles in the AppSec or CloudSec space as places to jump first. For that, consider going through PortSwigger’s web security academy (free) training online to learn more about web vulns, their impact, how to mitigate, etc… If you want a cert, consider one from a cloud vendor and apply to jobs that use that vendor. If you can do even basic scripting, understand app-related vulns and use a few appsec tools then you should be an easy hire for a lot of places. (That said, I’ve been hearing the market for infosec is atrocious right now).

Never been in the QA world myself, but as someone who has spent a fair bit of time in AppSec, I’ve encountered Selenium the most. 🤷‍♂️