CrankySec

Pigeons As Far As The Eye Can See

A couple of days ago I saw a post on LinkedIn made in response to another post I saw on LinkedIn made by some 10-ply influenza that went something like "Don't even try to break into infosec! We're full!" and went on to complain that the field is too crowded, no one is hiring, everyone is being laid off, and so on. Which, let's face it, is a a fair assessment of the current market conditions, if a tad too gatekeep-y. But we'll get back to this dude who I'd wage good money bought a few thousand followers on the dark web in a minute. First, let's talk about this gem of a rebuttal, lightly cropped:

linkedin

Look, I'm not posting the whole thing or naming names here because there's no need to do that just to illustrate a point. But! You can come over to our most excellent Discord to read the whole thing and figure out who wrote this nonsense if you're so inclined. Sorry. Back to the matter at hand. If you don't want to read the whole thing —and I honestly cannot fault you for having a self-preservation instinct—here's a play-by-play of what this career advice criminal has to say about what it takes for one to be successful in this field:

  1. Think through / leverage what you know.
  2. Dig deep on one tool or technology. Become an "expert".
  3. Write killer posts about the tool or technology. Write super useful stuff that you cannot find on the Internet/Twitter/Linkedln.

Let's break down this three-point dumbassery with some help from the author himself:

Step 1: Think through / leverage what you know. The path may seem pretty clear if you have mad technical skills. Just leverage those to get into a cybersecurity role. But what if you don't?

Well, super chief, if you don't, you're probably going to have to address this knowledge gap sooner rather than later. You see, this is a technical field. There's no way around it. Unless, of course, you're a big brain like our good buddy the author. If you're not technical, ask yourself:

Teaching people what? You don't know anything about the job, so what the fuck are you going to teach people?

How are you going to manage projects you know nothing about? Experienced project managers are a pain in the ass to work with as is precisely because they don't know the technical requirements to get shit done and end up creating more chaos than if they just left the people who do the work alone. So, your solution is to put out even worse PMs? Get out of here.

Again: you don't know what you're doing. You're an aspirant. Who are you going to persuade? What are you going to persuade people into doing? Are you going to argue for more budget? Are you going to try and convince people of the benefits of solution A vs solution B? What the hell do you think it'll happen if someone asks you a fucking question?

Now we're talking! Just learn to create some pie charts in Excel/PowerBI/Airtable and you'll be very successful in this field. That six-figure salary is one pivot table away, my guy!

Don't get too comfortable because you're not done yet! Step two is where things get real!

Step 2: Dig deep on one tool or technology. Become an "expert". If you are technical then learn how to use one of the many cybersecurity tools well. Really understand how the tool works and go deeper than most of the content on the Internet. Play with the tool until you are an expert.

Got it. One tool or technology because things in this industry exist in a vacuum and do not interact with or depend on other "tools or technologies." What tools are we even talking about, sir? Wireshark? Burp? Semgrep? Regular grep? It's like going online and stating that you can become a carpenter by learning how to use a hammer. But let's give our boy here the benefit of the doubt and imagine that he meant something like, let's say Kubernetes. There's no way in hell you can become an expert in Kubernetes security without learning pretty much every fucking thing under the sun. So that's a no go. What if they meant something like Splunk? There's a lot to learn that's not simply knowing how to navigate the interface. I honestly have no idea how one should dig deep here. Not to mention that learning "one tool or technology" is a very good recipe for limiting yourself to working exclusively with... one tool or technology. Let's put this one in the "stupid" column. But wait! There's more!

What if you are not technical? You can still pick a tool. Play with a free / demo Governance Risk Compliance (GRC) tool. Try out some of the open source policy content. Test some of the training material that is available. Play with one of the many cybersecurity frameworks (NIST, CIS, Cloud Security Alliance, etc.) Really understand the tool, technology or framework. Become an "expert".

I love it that expert is in quotes. Advice like this is the reason you're surrounded by morons. This gentlemen is out there charging people money for advice like this. Non-technical? Just learn how to bullshit with Archer or something! Just play with some free tier shit! EZ! GG! If cybersecurity was a serious field, this dude should have been barred from practicing cybersecurity a long time ago. Unfortunately, we have no standards.

There's one more thing we need to address before we embark on our successful cybersecurity professional journey:

Step 3: Start writing about it. Show people how to use it or how it can solve a problem. Do a bakeoff between two tools. Compare and contrast how they work. During this process you will learn A LOT.

So, learn nothing of real value, and start writing nonsense? I see the author really practices what he's preaching. Just start writing authoritatively about shit you know nothing about! Do that and you'll have so many job offers you won't even know what to do with it! Also, how the fuck can you do a bAkEoFf between two tools when you just told people to learn one tool? Checkmate, liberals!

Now with your newfound knowledge, write about it on your resume and Linkedin profile. Make sure to share links to your awesome content. You will get noticed. Now, the only problem will be to decide of the many job offers should you take?

Fucking blow me, dude. You should be banned from writing anything even tangentially related to cybersecurity. You're telling people who want to break into this industry that all it takes is three easy steps that are complete bullshit. Nothing about, I don't know, reading a fucking book. Learning the fundamentals. Finding a mentor. Interacting with people who know what they're doing. Of course not. You don't want to help people: you want to bullshit your way into being some sort or "tHoUgHt LeAdEr" because you don't know anything about what it takes to be a well-rounded cybersecurity professional. Or a well-rounder human being for that matter. You're a fucking parasite, and the only advice you can give is "be a bullshitter like me!" because that's all you know.

On the other side of this nonsense, you have the super CISO with 18k followers who started the whole thing by telling everyone to stay the fuck away because the market is bad. The market is bad right now, but you should know better than anyone—being a celebrated 10-ply and all—that this profession requires a lifelong commitment, and that telling impressionable people trying to break into this industry to give up now will turn into a problem later. You will fucking see a real talent gap when all you can offer is poverty salaries, insane job requirements, and discouragement.

And that, my friends, is what we're up against. That's why no one takes you seriously. That's why you get a data breach notification every other day: because hucksters like this guy are out there trying to produce even more hucksters. Next time you see something like that online, do us all a big favor and tell them bitches to shut the fuck up. Otherwise, they win. And we lose.

Want to know what it really takes to break into this field? Join us, learn something, and help us figure out a way out of this fucking mess.