From Hacker to Hero
I’m not sure why, but if you go on Twitter and look for the #cybersecurity hashtag, you get the impression that all cybersecurity is about bug bounties. And this cannot be further from the truth.
At a first glance, bug bounty is easy money, which is why it’s so attractive. Newbies and newcomers to the field get allured into this rabbit hole with the promise of getting rich fast, no certifications, no resumes needed.
Once you spend some time doing this as a newbie, you realize it’s more frustrating than you think. Bug bounty platforms never tell you from the start that companies that run bug bounty programs first run internal and external pentests. And all that’s left to you as a bug bounty hunter are missed low-hanging fruits or critical and very complex vulnerabilities.
And if you live in the west, with high standards and an expensive cost of living, it’s very unlikely you can make a career out of this, unless you’re very gifted, which at least 95% of people are not. It’s the harsh truth, but I’m not gonna blow sunshine up anyone’s bottom here.
That being said, bug bounties can be fun. I, for example, spend time on VDPs or private programs when I get bored after finishing my due diligence for my application security projects and pentesting contracts.
Now, there’s much more to cybersecurity than bug bounties. For example, if we break it down into attacking and defending, each of these camps has dozens of jobs and roles, for all tastes and flavors of cybersecurity person.
Let’s look at a few, and then I’ll give you a list to do your research further down the road.
Cybersecurity Analyst - responsible for analyzing and assessing security threats to an organization's network and implementing appropriate security measures. More specifically, this could be a SOC Analyst, working in a Security Operations Center, or SOC. As a SOC Analyst you’d be working with incident response teams to rapidly identify and remediate cybersecurity attacks.
Penetration Tester - specializes in simulating cyber attacks to test an organization's security measures and identify vulnerabilities. You could specialize in application security and test web and mobile applications. You could also be a Red Teamer, who is highly skilled in infiltrating networks and pivoting across them with the ultimate goal of owning the entire network. This is also where I fit in: I’m specialized in application security and now getting training in red teaming.
Cloud Security Analyst/Engineer - responsible for designing, integrating, and testing tools for a company’s cloud infrastructure. Here you’d be recommending and/or implementing cloud configuration improvements from a security standpoint. And much much more. You’ve got a big plus if you’re able to work in a multi-cloud environment. This role is highly sought after today when a lot of infrastructure is built and maintained in the cloud.
Malware Analyst/Reverse Engineer - responsible for diving deep into and cracking malicious software to understand its nature and often to disarm it.
Cybersecurity Consultant - responsible for providing expert advice and guidance to organizations on how to improve their security posture and prevent cyber attacks.
Cybersecurity Educator - teaches students and professionals about cybersecurity tactics, best practices, and techniques to discover and protect against threats, vulnerabilities, and cyber attacks. I’m an educator myself: I teach application security and penetration testing via my YouTube channel and my courses.
DevSecOps Engineer - as a DevSecOps engineer, you are responsible for integrating security into the DevOps pipeline using a variety of tools and processes. This involves overseeing key areas of DevSecOps, such as vulnerability management, security testing, security operations, and application security. You will play a leadership role in ensuring that security is seamlessly integrated into the development and operations processes.
Cybersecurity Architect - responsible for creating overall security plans and policies for an organization, including the implementation of technical controls and risk management strategies. You’d usually reach this position after spending a few years in other roles across cybersecurity.
CISO - also known as Information Security Manager - similar to the Cybersecurity Architect, I think you’d be very suited for this role after spending a significant number of years in the trenches, learning about all the threats, working to remediate them, implementing security countermeasures, and overcoming worst-case cyberattack scenarios. As a CISO, you’d be overseeing an organization's overall security strategy and ensuring compliance with industry standards and regulations. Moreover, you’d have a feel for global markets, legislation, and policy.
This being said, the list of jobs and roles could go on and on. In fact, the entire field of cybersecurity, with hundreds of roles and job titles, is in unprecedented demand for skilled professionals. And as I said at the beginning of this video, it’s often much better to go for a job that actually pays instead of becoming one of the hundreds of thousands of bug bounty hunters who work for free.
I’m going to leave a few resources below so that you can check out other cool jobs and roles you can work your way up to in cybersecurity (I suggest you look at the CyberSecurityEducation website because I think it’s very well put together).
In an upcoming video, I’ll be talking about salaries for all of these amazing jobs in cybersecurity. So, stay tuned.
If you want to get updates on stuff I’m doing: