Life lessons from senior pen tester, Andy Gill.
At this year’s SteelCon, which took place at the UK’s Sheffield Hallam University last week, Scottish pen tester Andy Gill offered some sage advice to those looking to establish a career in information security.
Now in its fifth year, SteelCon has become a fixed date in the UK’s infosec calendar, offering a packed schedule of workshops, technical deep dives, and social events for security enthusiasts of all ages and experience.
With its informal setting and retro theme (see floppy disk lanyards and Nerf gun swag), SteelCon is certainly a breath of fresh air – and one that stands out in defiance of an increasingly corporate security conference circuit.
Breaking the mold
Given its university backdrop, SteelCon holds particular appeal for those aspiring to break into the industry. And this year, Andy Gill, senior penetration tester at Pen Test Partners, was on hand to offer his advice to the next generation of white hats.
At the start of his presentation on Saturday morning, Gill – who became involved in security after studying at university, undertaking some internships, and participating in the government-led Cyber Security Challenge – said: “This isn’t a run-of-the-mill talk on how to get a job in the industry. It’s more a life lesson.”
Indeed, while Gill underlined the importance of certifications and technical knowledge, he pulled focus on some other, often overlooked, elements that can help aspiring penetration testers to gain a foothold in the industry.
“Come to security conferences, speak to sponsors, go to meetups, write a blog,” he urged. “Even if you think you have nothing interesting to talk about – it gets you out there and sets you apart from the crowd.”
Although Gill said technical skill is important, he noted that one of the best ways for prospective penetration testers to get their foot in the door is by meeting people already in the industry.
He added: “Bug bounties are also a good way of learning. They have gathered a lot of traction recently. This is a good thing because there are a lot of guides out there now.”
The Scot also provided some tips for those embarking on their first steps in infosec.
“Those who are already in the industry will know that it can be quite stressful,” he told the audience. “It can be quite closed, and you can work with some people who are quite rough around the edges, but it’s important to have an open mind.
“As well as that, with pen testing and a lot of security roles you tend to work from home a lot. So having an escape is really important. Get outside, do some sport, or anything else that’s non-technical. Take an hour a day to go out and do things that help you break out of the work cycle.”
In addition to his day job at Pen Test Partners, Gill has become well known in industry circles for his blog and accompanying book, Breaking Into Information Security, which brings together all the basic topics to get readers up to the level of a junior penetration tester.
“I published it at B-Sides London last year,” said Gill. “There have been nearly 4,500 copies downloaded of the eBook, and I’ve sold 500 physical copies so far.”
While Gill said his book is aimed at those who are looking to tap into the industry, he admitted that readers were assumed to hold some degree of technical understanding.
Now, with issues surrounding security and privacy well and truly a mainstream topic of discussion, Gill took SteelCon 2018 as an opportunity to launch his latest project – and one that goes right back to basics.
Citing the need to make technology more accessible, particularly for older users, Gill has published the first in a series of planned articles that aim to take readers from ‘Zero to Technical Hero’.
“This new project is going to explain internet safety and provide security advice,” he explained. “It will become increasingly technical with each post, and the plan is to collect these posts into a new book, which will become a precursor to Breaking Into Information Security.”
According to Gill, this latest project will help make technology more accessible for people who use the internet but don’t necessarily know how it works.
“This takes a step back and explains it all in a very relatable sense,” he said. “It’s important to take a step back to basics to bring as many people in the general public up to standard level to make the internet safer and make our job as security professionals easier.”