What Young CyberSecurity Students Must Do In Their 20s

As a young person living in the Internet Age I found myself spending too much time building my technical skills and too little talking to people with more experience than me in the industry.

Its a bad habit we pick up in school. Think about it.

We are forced to let someone decide what we will be learning without question on whether it helps (trust me most of it does not).

We are forced to spend most of our time learning these questionably practical subjects.

We are told hard work pays off.

We are promised rewards on paper. Have you spent years grinding all for grades, degrees, certifications, recognition at work, promotions, or yes--even money.

And then--even after getting those hard-to-get credentials--we are just told we have to work even harder to get the next set of credentials in life.

How Rewards Blind Us

At some point--all of us hit a brick in the road. We realize getting recognition or reward from others is not good enough to make up for the time we burnt with others getting there.

If you have not you probably have not left the school system just yet. If so, please watch until the end--especially if you are known to be a hardworker. I am trying to save you several years of confusion and wasted time. Usually this happens even shortly after the overachieving student hits college. There, they receive mass disillusionment.

Their hard work in school did not prepare them for the challenging coursework. Many of them later realize that they don't even want to pursue the career they wanted to pursue as little kids after all. Those young people realize that the profession they were working on would just lead out to nothing but burnout, misery, and regret.

There is a reason for that.

Schools and workplaces are designed to measure tasks done. Not measure what is worth it.

You need to stop thinking about what things you can get out of pursuing a profession. It is a bad habit to do work just for the outcome. People who do not grow out of that are the ones who run into career dead-ends. These are the people that don't believe what they are doing matters, that never do more than required, and are the ones that miss out on the satisfaction of having done something great in life.

Instead, you need to be mindful of whether what you are doing benefits others in reality. Focus on doing things because its worth spending your time with people completing a task--aspire for the best outcome you can imagine--but don't worry about it if it does not happen. Over half of the time it will not.

How to Choose Your Career

If you a cybersecurity student it should not surprise you when I say not everything you are learning in school is up-to-date or relevant. You should have noticed this by now after researching what people in your intended profession do on a daily basis on their job duties. But what you may not know is whether you want to be that person doing those things for the rest of your life.

If you are struggling with deciding if a career choice is right for you I encourage you to find someone that has the exact profession. Once you do meet them in person discuss your career interests and why you want to have the profession they have. Ask them questions like this:

1. If you could redo your life would you choose your profession?

2. Would you recommend your profession to your own children?

3. What things related to your profession do you do outside of work?

   1. There is an important purpose in asking this question. It tests if the person has genuine interest in their field. A person that does engage with their profession in any way outside of work is most likely a work "zombie"--a person that gains little more out of their work aside from the pay. And such people can be pitied.

   2. There are so many simple ways to do this: mentoring others (its fun--you should even do this for free you will be less lonely), working on projects to solve a real life problem to benefit others, or even attending meetups to discuss their cybersecurity concerns with others in the profession (you should already be doing this at least once a week!).

4. What do you most like about working with others in your profession?

5. What do you dislike the most when working with others in your profession?

6. What are the most important lessons you learned from your mistakes working in your profession and what would you advise young people like myself to do avoid these mistakes?

   
   

   Try the above questions to more than one and as many as five people in the profession you are considering. Be suspicious of the jobs that are "glamorous" in the eyes of your peers. Usually the people behind the perks and benefits of the job are just trying to enslave you.

   
   

   By asking these questions you are testing if you will enjoy the rest of your career. Everyday, people walk into jobs without any idea what happens to the average person that does the same. Many jobs suffer from a lack of care for the workperson--leading to burnout and regrets. By asking these questions you can save yourself a lot of unnecessary trouble. For more ideas on questions I encourage you to read the chapter on choosing a career from a great book I read called "How to Stop Worrying and Start Living" in the most difficult years in my 20s. The lessons in that book are over half of the reason why I decided to speak to you today about your struggles being who you want to be.

   
   

Get a Mentor!

If you really enjoy speaking with said person and the profession they have chosen--see if you can convince them to remain in contact with you. This could start a lifelong relationship called a mentorship. Your mentor can pass down critical life lessons they have learned the hard way at work--saving you years of mistakes. This is also how you can begin building a professional network that helps you make an impact in your field--something all of you should be aspiring to do.

These are the lessons that can make up for all the faults in the school system and at work that I know you are frustrated with. Do your best to meet with your mentor at least once a week. It can be as simple as a phone call or ideally an in-person meeting.

You should be comfortable letting your mentor know what difficulties you are facing in preparing for your profession and even life. They have dealt with the real world longer than you have and can assess what the best course of action would be given your situation.

Your mentor can even help you meet the next person that will help you tackle the problem you are facing. People that the rest of the public cannot so easily access. You usually have to convince such people you have some potential that will warrant their attention.

Finally, a mentor can also help you become more socially aware of problems in the industry relevant to your field. They can help you tell if a job or an industry would be a good fit for you. Your mentor should be someone with more than twice as much as experience as you do--and therefore has seen what work in your field is satisfying and which are the ones you should avoid--even if its counterintuitive. You can't learn that just by building your technical skills. Get someone to care about you enough to pass it down to you.

Go to Meetups!

Another great way to be aware of what is happening in your industry--other than watching the news--is by meeting people in person at a gathering known as a Meetup. Meetups are public gatherings where people meet up in-person discuss a certain topic. You can find a meetup where discuss major events, work experiences, or projects in cybersecurity at Meetups. Unlike online gatherings people are much more likely to be direct and straightforward with none of the pretense and less of the nonsense you see plague social media and Discord. You should ask other security personnel what were the biggest lessons they learned about working the industry and what they wished they knew before working in their field. You will find some of the best advice on picking up a new technology you are struggling with learning at Meetups.

How to Get An Internship

It seems impossible to get an internship these days. Part of the reason for that is that the software engineering interview process is broken. If you are a person reading this and are interested in getting a job in cybersecurity I have some grim news--the hiring process in the cybersecurity industry is even more broken than the software engineering industry. It is much harder to predict what the hiring team will grill you with for a job than in software engineering. Sometimes hiring teams ask questions unrelated to the role--just because others do the same in the industry.

This is why it is crucial that you apply to jobs that demand skills that you are truly interested in building on your own free time--not just for the cash. I am not saying you should be okay with working overtime for free! What I am saying is that it is important that you continue to build your technical skills relevant to your field both at work and even outside of work. Yes--it is not good enough to just do what you are told! You have to build your technical skills outside of work. All the technical skills you now have need to be upgraded in the next 10 years. Some of your technical skills may even become outdated by the end of the next decade.

Why would you spend your free time building technical skills in something all for pay? Because you actually care about improving people's lives with those technical skills--not just so you earn a living. Remember money was invented to allow us to outsource tasks to others that were willing to spend their time completing them--giving you the time you would want to complete the tasks you want to spend time on others. Therefore you should choose the industry, career, and technical skills you are more than happy to benefit others with on your spare time! This will separate you from the candidates that treat building those skills as an afterthought. Employers must deal with that mediocrity all the time.

The best way to build your technical skills is not by preparing for an interview! A surprising number of cybersecurity interviews make you do things you won't even use on the job!!! The best way to build your skills is by actually working on projects on your spare time that you intend to benefit others with in some way. That's worth working on your spare time! What is pay but a means to outsource the tasks less important to you. You want to use money to maximize the time and resources to solve the issues you personally care about--both for you and the people you care about.

This very blog is about training young security engineers to solve difficult problems in software security. You can teach others. Make software that helps catch security bugs in your codebase. Write your own binary analysis tools. The list of possibilities are endless! Its up to you to decide what problems are worth solving on your spare time. You should discuss your project ideas and progress with your peers, mentors, and people you trust at Meetups. Having a trusted circle of people that care about your core values and interests will help you tell if your work is meaningful and will keep you motivated. You should be practicing doing projects with other people--this builds your skills in working with others before you get your first job or internship. If you have a resume that shows off how you solved real problems for other people using the technology you built for others you will be a very tempting candidate for a relevant roles that is difficult to pass up!

I got my first full-time internship since I was doing projects in cryptography near the end of my college stay. That full-time internship evolved into my first full-time job. And the story continues from there. I still work on small projects on my spare time outside of work to this day. Right now I am building my skills in developing cryptographic software by studying the BearSSL library--a TLS library I strongly recommend you study if you are interested in professional cryptographic software development. What makes this library so unique is that it provides exceptional high-quality documentation on how the programs are implemented. The code for this TLS library is also easy to understand and simple in nature. Young people can read the library code, practice developing their own cryptosystems, and comparing their implementation's accuracy, security, and performance versus that of this library.

Finally, doing projects will help you tell if you want to pursue a career. I remember working on a hackathon project where I implemented a cipher as a GNU/Linux Kernel module. I learned I was interested in implementing cryptography as software for the rest of my career. I also learned I was not interested in GNU/Linux Kernel development in itself--though I am capable of doing it.

Attend Hackathons

A great place to do projects is by attending college hackathons. These are competitions where students attempt to solve a problem in a short period of time--usually <24 hours. You can also just complete a project in a semester. You should plan your hackathon project beforehand (and sleep ~4 hours during the hackathon -- you need it -- trust me!). You can't start working on the project before the hackathon, though--and don't break the rules!