Robyn Lundin

Security Consultant

Career Hacking: Finding a Backdoor Into InfoSec

Looking at my resume prior to my time at NCC Group, it may be difficult to understand how I became a security engineer. How does someone with a job history that resembles a patchwork quilt join a well-respected consultancy without getting a degree in cybersecurity from a fancy university? The answer to that question lies in the time and effort I invested into my career development, and the investment NCC Group made in helping me turn my curiosity into expertise.

When I first became interested in working in tech, I decided to attend an all-women’s coding boot camp called Hackbright Academy where I learned Python and full stack web development. NCC Group, as a Hackbright partner company, presented an ‘intro to web security’ lecture to my class with a live demonstration, showing some of the most common attacks on web applications from the OWASP Top 10. My mind was blown. I had never seen anything like this before. Who were these hackers and how could I join their ranks?

After attending this lecture, I immediately followed the advice of the NCC Group presenters, and bought a copy of the Web Application Hacker’s Handbook, then submitted my application to work for NCC Group. I didn’t feel quite ready to tackle their interview process, so I studied security concepts for a few months and took a part-time job doing web development for a small startup. I realized after a while that even if I studied for years, I would not be able to learn everything there was to know about cybersecurity. So, I gathered my courage, completed 2 technical homework assignments, interviewed, and received an offer to join NCC Group’s Seattle team as an Associate Security Consultant.

When I first came on board, my new colleagues and I didn’t know what to expect because with my non-traditional background, no one knew what to assume about my current level of technical knowledge. Being surrounded by people with computer science degrees was daunting and I felt like I would never catch up. With time, however, it became apparent that my background gave me a unique perspective and was an asset, not a hindrance.

I didn’t have the deep technical knowledge that many of my co-workers possessed, but I did have years of other experience that helped me develop a strong work ethic, communication skills and a healthy sense of curiosity. That curiosity helped me catch security vulnerabilities that other consultants had missed, while absorbing knowledge from colleagues with more technical backgrounds.

When I started receiving praise from co-workers and customers about my performance, it started to sink in that I was not just OK at my job, I was great at my job. I started to think about the tech industry in general, cybersecurity in particular, and the so-called talent shortage in my chosen field. Maybe the talent shortage was actually a training shortage, and a trust shortage preventing tech companies from hiring talented people with loads of potential whose resumes scream “not technical enough”.

In addition to the talent shortage, I had read countless headlines and blog posts discussing the difficulty of finding women and under-represented minorities to hire who were qualified to fill technical roles. So, maybe to solve these two problems, the tech industry needed to re-think the necessary qualifications for entry-level technical positions. As a security consultant, the most important job skills that I brought to the table were strong verbal and written communication, and the desire to learn. Everything else was teachable.

During my post-boot camp job search, I found that most job postings listed rigorous requirements, even for entry-level technical roles. Frequently, recruiters would tell me that they could not hire engineers without computer science degrees or a minimum of 1 year’s technical experience. Career pages directed candidates with under a year of experience to apply for internships; internships that were only available to candidates attending university computer science programs.

Although plenty of tech companies claimed to have an engineering talent shortage and a desire to hire diverse applicants, they were unwilling to bring on candidates who didn’t fit the traditional mould because they lacked the ability to train people brand new to the industry. While job searching, I interviewed, a lot. I got rejected, a lot. When I started the interview process with NCC Group, I realized that their process and approach to hiring and training people was different.

NCC Group gave me the chance to demonstrate my ability to think through problems at my own pace. When I first applied to work for the company, the recruiter provided me with study materials, and told me to reach out whenever I felt ready to interview. After the initial interview, NCC Group assigned me some homework to complete on my own schedule, and to submit when I was ready. This was the only interview process I experienced that provided me with a roadmap to success, and the time I needed to show what I could accomplish.

After my first year working for NCC Group, I started to heavily question the skills that tech companies value the most when hiring new engineers. If I could learn enough about web security to be a strong contributor on projects within a few months without meeting most of the traditional requirements for my current role, it seemed fair to conclude that the industry was missing out on a large, diverse talent pool by disqualifying people based on overly strict requirements.

Overall, I came to realize that many tech companies overestimate the amount of hand-holding that career changers will need in order to be successful, and underestimate the abilities of driven, passionate interview candidates whose resumes may not shine as brightly as the resume of an Ivy League graduate. As a very green, but very motivated new security consultant, I only needed a few things from NCC Group in order to become a successful employee: a management team who wanted to see me succeed, a mentor who could point me toward helpful internal and external learning resources, co-workers who were willing to patiently work with me while I shadowed projects, and some time and space to grow my skills.

Now that I am nearly two years into my security career, I feel much more confident about my abilities, largely because of the support I received from my colleagues at NCC Group. With the skills I developed while working as a consultant for some of the most well-known tech companies in the world, I am now ready to tackle a new career challenge as an in-house product security engineer at Slack Technologies. I look forward to gaining a new perspective on cybersecurity while using my valuable past experiences to help secure people’s online safety and privacy.

One of my biggest takeaways from my first two years in cybersecurity is this: security threats come in many different forms, from the unsophisticated script kiddie, to the hacktivist, to the state-backed attacker with access to massive computing resources. The people tasked with battling these threats need to have backgrounds as diverse as the criminal entities the security industry is working to stop.