All you need is... persistence

February 2012

James RougvieWith youth unemployment at a high and employers citing experience over qualification as their key criteria for employing newly qualified graduates, it’s never been harder for young people to break into the IT industry. James Rougvie tells his very personal story of how he went from just having an interest in technology to becoming a junior security consultant for a respected company.

As a young boy I was the curious type wanting to know how things worked and why my toys could not do the stuff I wanted them to. I always found time to take my toys apart then try and put them back together again, which didn’t go as well as I expected. There was always something about me that wanted to know everything about anything I could. At first this started with toys, but as I got older this moved onto computers.

When I was about nine we got our first computer, which came with games like Theme Hospital. I was never really good at the hardware side of things so I focused mainly on software, learning how to do most things from the keyboard.

As I went to secondary school I learned more and more about different software and this was where I performed my first hack with some friends; we noticed it was possible to use Excel macros to install software that we should not really be able to have, like Virtual Pool and Football Manager.

At the same time films like ‘Hackers’ were coming out and I remember watching that film and thinking ‘wow that is so cool, how does that work’ this was the turning point in my life where I just wanted to know about hacking and how I could learn more about it.

However, at this time, security and hacking was not the focal point that it is today so trying to learn hacking was near impossible. From this point on hacking became my hobby. I would read about stores in the news and try find out as much about hacking as I could in my own spare time.

I was still really unsure what I wanted to do with my life but knew I didn’t really enjoy school that much, I only really liked doing IT, which was really hands on, so I decide to leave school and, being young and naïve, I felt I would walk into an amazing job with great pay and my life would be complete.

During the years after I left school, I found myself doing many different jobs, some of which included working for a film company, being a courier and working at a printer shop. Whilst I was doing all these jobs I carried on trying to learn about security and hacking, buying items off eBay that were described as hacking courses to try and teach myself and learn more.

I finally came to the decision that the only way to go forward would be to do a computer course so I applied for a course at my local college.

I was still unsure what I wanted to do so I tried to pick a course that covered a wide range of subjects; maybe this would give me a better indication of what I really wanted to do? I ended up doing a HND in information technology and was given the chance to do a top up degree with the University of Kent to get a degree in information technology.

While doing my degree I started a part-time job as sales advisor at PC World and within a few months I had worked my way up to becoming a tech guy. It was also around this time that security became well known to people through the news.

I spent most of my student loan on computer security books, but was frustrated that I never had time to read them. I finally finished the degree and achieved a 2.2 grade. This was not the best outcome, but I had some personal problems during the last year which affected my grade.

So I left university and was still unsure of what I wanted to do. I was still following my hobby of security and was reading about recent hacks in the news and trying to find out what I needed to know in order to become a security professional. I carried on working part-time at PC World, whilst I figured out what my next move would be.

At first I started to apply for web development jobs, just to have full-time work, but didn’t feel like my heart was really in it. I found web development easy and I didn’t want that, I wanted it to be a challenge. I wanted a job that was exciting and was always demanding.

I finally got a bit of a break when browsing the BCS website. I saw an advert that went something like ‘Do you want a career in computer security, get in contact’. This caught my attention and I wanted to know more. I never really used the BCS at all before so I decided to send them an email and find out what the advert was all about.

I later got a reply from Mike Westmacott who had recently joined IRM (Information Risk Management) as a pen tester. He wanted to set up a group, which would help young professionals get into security as it was not that easy to break into the industry. This would be the start of my eight-month journey to land my dream job as a pen tester.

I joined the YPISG (Young Professional Information Security Group) as a committee member and started to get involved a lot more with security. I found online forums like ethicalhacker.net where I could get advice on courses and books, as I wanted to give myself the best chance of getting the job I wanted.

I already knew how hard this was going to be as most companies would see my 2.2 grade and usually decided that I was not capable of doing this job. However, I didn’t let that stop me. I knew I wanted this more than anything in the world, a job that was well paid, challenging and was always demanding, pushing me to being the best I could be.

I started to realise what a challenge it was going to be with so much information to learn, so many courses to do and realising how expensive it would be. I didn’t really know where to start. I thought the best thing would be to try and get some security experience, so I tried to find some courses and came across the HackingDojo run by Tom Whilem.

I knew of Tom, as I had read a few of his books, and this course was aimed at taking someone with no experience and building them up. This course was a pay per month course, so it was affordable on my part-time wages. The only problem I had was this course was run just once a week so I had a lot time on my hands, hence I tried looking for another course that I could afford, but also would give me something to add to my CV.

The only other course I could really afford was the OCWP (Offensive Security Wireless Professional). I knew about Offensive because of the wonderful work they did with Backtrack; also loads of people recommended it to me on ethicalhacker.net.

Once I passed the course I tried to get my name out into the industry as best I could. I attended security events, created a LinkedIn page, and added contacts, as well as security groups and created my own webpage to have something to show employers, as well as helping others who were like me and didn’t really know where to start. I also got cheap business cards printed with my website on that I could hand out at places like InfoSec.

After around five months of doing this, making contacts and working hard to try to improve my skills, as well as being involved with the ypisg.bcs.org and running events, I started to apply for junior penetration jobs. I was happy when I started to get requests to go for interviews. I felt that I was getting somewhere.

My hard work was starting to pay off and I thought it should have not been long before I was working for a company doing something I was really interested in and had a lot of passion for. How wrong I was. I was getting interviews, but was having problems with the questions they asked me. This was because the range of questions asked were so broad and so different from one company to another.

A lot of the time I would learn the basic stuff and then they would want me to explain advanced stuff that I could just not remember. I was trying to remember too much and remembering it inside out was even harder.

When I did learn the more advanced stuff I would get asked the really basic stuff; it was really frustrating. It felt like I was going backwards and not getting anywhere. Despite the fact I knew once I was given a chance I could learn anything and would be a good pen tester, getting a break was proving extremely difficult.

Just when I felt things could not get any worse, they did. I had the worst interview of my life where nothing went well and the person who interviewed me made me feel extremely stupid and, that no matter how much I tried, I would never get a job doing what I wanted. I left the interview feeling demoralised and really down and just felt like giving up. It took me a few days and some really good advice to pick myself up and get ready for another interview I had lined up.

In my next interview I picked myself up and took everything that went wrong in the other interviews and built on it spending the four days before the interview going over the CEH study guide and other notes as well as looking at the company website trying to take in as much information as I could.

This was ‘make or break’ time for me. I gave it everything I could. I turned up at the company not knowing what to expect. Were they going to ask me basic questions? Or were they going to ask me about WEP cracking?

I always turn up early for interviews and ended up sitting in the reception for around fifteen minutes before I had my interview and straight away I could tell I was going to like this company. The staff were friendly; they were working hard, but having a joke at the same time. I felt at home and felt really relaxed. I was then called for the interview where I got a mixture of questions.

Some were basic, but some were more advanced. I had question after question. Some I just didn’t know, and from experience knew it was best to be honest with the people who held the interviews as they knew their stuff inside out so it’s not worth trying to blag it. It felt like I was in the interview of a lifetime; two and a half hours to be precise.

Another thing I had found with interviews is you can never really tell how it went. There are some cases where you can tell, like the really bad experience I had, I knew that went badly and knew once I left I had more chance of winning the lottery than getting that job. But most you just cannot tell. I felt this interview went okay, but some questions I just didn’t know or, in some cases, didn’t answer and I felt that let me down.

What made it even worse was the interview was on a Thursday and I had to wait over the weekend to find out how it went. I finally got the good news that they wanted to take me on as a junior security consultant. I can’t really begin to describe how this felt. I was over the moon at the news and at a total loss for words. I just couldn’t wait to start my new job.

So what did I learn from all this? What was the point of this article? Well, I wanted to share my journey and give some advice to anyone who is trying to get into security, especially pen testing.

The first bit of advice is it’s not going to be easy so you need to want this so bad and never accept no as an answer. If you really want this it does not matter what background you have or what grades you got at university. If you want this you can get it, but be prepared to work hard and realise you may have bad interviews, but if you build on them you will finally reach your goal.

You should also do as much as you can to get involved within the security field. Going to events and making contacts could give you the vital break you need. I got some of my interviews from contacts I had met at places like InfoSec and through the BCS.

Try and pay for your own course, if you can, as this shows you are truly interested in the subject and are willing to spend your own money for something you’ll enjoy and believe in. If you can afford it doing something like Tiger scheme AST and the QSTM course, which will get your CV, noticed by companies or the CREST CRT course will improves your chances of landing a job.

I also recommend going through the Certified Ethical Hacker course (CEH) to understand the basics as well as learning stuff like common port numbers, how TCP/IP works, how Nmap uses TCP|UDP to determine whether a host is open, closed or filtered and knowing some web hacking basics like what is SQL injection and XSS.

Also know your CV inside out. You’ll usually be interviewed by technical directors so if you have it on your CV that you passed a Cisco course, be expected for them to ask you a Cisco question like ‘what is the default password for Cisco router?’

The last bit of advice from me is to just chase your dream and never give up. It will be hard to land a job, but once you do it will be worth it.

http://jamierougive.co.uk/