Little My



I've been working as an information security specialist for a year now (doing SOC work, pentests and developing tools to improve the first two) at a major energy producer in Europe. I've been a hacker and following what's going on in this field for some time longer.

I haven't done consulting but what I've heard from colleagues about some consulting companies (even internationally recognized ones) we've hired in the past matches what you've highlighted - utter disappointment. 

Even though I haven't approached the field from a consulting direction, I'd also recommend instead to start hacking yourself and applying the recommendations highlighted by Hans.

I would like to push back on a couple of things - certification and norms.

There are some certificates that really take a no-bullshit stance and completing them does require extensive knowledge and abilities, so seeing that someone has an OSCE certificate shows me that they are capable of doing penetration tests. I've heard other experts in the field expressing that certificates aren't that important for getting a job and what matters more is what you can do and what you are enthusiastic about doing.

Your wording on the usage of norms, I feel, is too broad. I agree that some norms, especially if they are thrown around without specifications or are implemented without background knowledge, are stupid (well explained by LiveOverFlow: https://youtu.be/fKuqYQdqRIs).

But as you said, they can be a good source of inspiration and ideas. For example, going through the MITRE ATT&CK framework recommendations does force you to think about all the ways a system can fail, and the things highlighted there and in other standards are most often based on lessons learned from experiences where things have gone wrong.

I would also like to add to the Dos list:

  • Getting a good understanding of the fundamentals of IT, software development and networking