We asked a number of people working in different roles at Sophos how they made their way into cybersecurity.
1. Music making to malware fighting
Sales Engineer, Benedict Jones
I graduated from university with a first class BSc honours degree in Sound Technology and Digital Music. I have always pertained a profound interest in music and technology, but during my degree it dawned on me that I wasn’t quite “musically creative” enough to be a Music Producer. That’s when logic kicked in, and I decided to tailor my degree more towards my skillset and passion… technology.
I chose to create my own Android application for my dissertation so bought an O’Reilly book on Java and read all 726 pages by the poolside when on holiday in Spain. While creating my application, I managed to cause the device to overheat and/or crash – sometimes intentionally, and others not! This inspired my interest in mobile application malware, which was very much an emerging threat at the time. A year on from this, my dissertation was complete and my very own mobile application was published.
After graduating, I pursued a career in IT and my first job was as a Graduate Network Support Engineer. After 3 years in technical support, I had worked my way up to the top tier as a Senior Technical Support Consultant. I’d received plenty of first-hand insight into the devastating effect that malware can have on an organisation, having spent many an evening dealing with the aftermath of an outbreak. My research into various threats led me to understand how best to remediate security, which was to fix the flaws that had been exploited by the attackers in the first place.
Protecting organisations against cyberthreats left me with a sense of heroic satisfaction that ultimately inspired me to change my career path into cybersecurity. Which takes me to today – I am a Channel Sales Engineer at Sophos and continue to help organisations to protect themselves against cyberthreats.
2. Romancing malware analysis
Threat Researcher, Luca Nagy
The first time I came across programming languages was during high school and it was love at first sight. Our romance continued at university and I decided to dedicate myself to programming. While there, I also developed an interest in IT security and it was a huge dilemma to choose which direction to take my studies in.
For this reason, I started a CEH (Certified Ethical Hacker) course where we studied several techniques and tools to find and exploit weaknesses in various systems. This required prior experience but also creativity to solve new problems. The combination was really appealing, and it helped me to reach the decision to take the IT security route in my career.
During an internship at Telekom, I was working with intrusion detection/prevention systems (IDS/IPS) and became acquainted with malware. I decided to dig deeper, and in my thesis I introduced a malware analysis procedure through a ransomware analysis. I became passionate about malware analysis and have been ever since.
Now at Sophos, I spend my time reverse engineering emerging threats and creating detections against them.
3. Keeping on top of moving targets
Senior Threat Researcher, Rowland Yu
After majoring in Computer and Telecommunication Engineering at Tongji University, I graduated and got my first ‘proper’ job at Siemens Shanghai Mobile Communications Co. I was a Shift Leader and Technical Specialist and was responsibile for a production team working on a rotating schedule, who diagnosed, troubleshot, and repaired mobile equipment.
Two years later I started my postgraduate degree at the University of Wollongong, Australia, and was really attracted to the magic of computer and network security. I dedicated myself to research projects, including the design and analysis of secure systems with an emphasis on network and communication security, under the direction of Professor Reihaneh Safavi-Naini – the first-ever Australian winner of a security funding research grant.
I started as a spam analyst for SophosLabs in 2006, before moving into the role of Virus Threat Researcher for advanced threat research, reverse engineering and remediation. I then led anti-spam and DLP (data loss prevention) research in the Australian SophosLabs. When the first Android malware was discovered in 2012, I believed Android would become ‘the new Windows’ for malware and dedicated most of my time to Android security. Today I am a Senior Threat Researcher L2 at Sophos and the primary researcher leading the Android team for malware analysis and emerging threats.
Cybersecurity is a constantly moving target. Over the past decade, there have been so many different major cyberattacks targeting many different platforms. At the same time, we’ve seen advanced threat prevention techniques introduced too, such as generic detection, behavior monitoring (HIPS), memory scanning, sandbox, EDR (Endpoint Detection and Response), and deep learning.
I’ve had many interesting and unforgettable moments throughout my career. I read a great book called ‘Network Security: Private Communication in a Public World’, and attended an excellent lecture, ‘Advanced Network Security’, and have used both as a learning stepping stone in my career. Ultimately, I’d like to give credit to Sean McDonald (one of SophosLab Directors), who contributed to my career success. It’s great that I have worked with so many truly talented people in Sophos.
4. Discovering a love of cybersecurity
Software Engineer, Bogdana Avadanei
I recently graduated with a degree in Computer Science and, like many students, I didn’t initially know what particular area I wanted to specialise in. Unfortunately, my undergraduate degree didn’t offer a cybersecurity module, and the only reason I discovered how fascinated I was by the topic was because I had to write an essay in my first year that I left until the night before the deadline.
The essay topic was anything computer science related, so I decided the early methods of encryption would be a good idea, as I had just heard about a security breach. I spent all night in the library reading all the interesting books I could find on the subject. I knew then what path I wanted to follow, and my placement year at Sophos was an excellent opportunity to find out more about the industry. I enjoyed it and learned so much that I came back after I graduated as a software engineer.
Tim Boddington
I can see some great careers developing there. I sympathise with all the study and gaining of qualifications you guys have to go through these days. I started out programming, without any quals in any relevant subject, in 1967, progressed through business applications, middleware, operating systems. Then in the late 1970s we recognised the looming problem of security and I got into mainframe security, security education (within the company), leading to standards development (BS7799), and contribution to the first Data Protection Act, the Computer Misuse Act, and information security education. In those days it wasn’t a question of what have you learnt, rather it was ‘can someone please work out how we can do this – and do it!’ In my retirement (I program almost every day) my greatest disappointment is that over the past 30-40 years I constantly see the same weaknesses in security being missed or ignored day after day with predictable results. So if I were to offer a little advice it would be, no matter how amazing the latest technical ideas, never forget to pay attention to the basics of good security – it’s largely down to people.
Ozy Lee
My path is pretty much rife with study and gaining qualifications. I always had a love interest with IT but never got to study Computer Science, however I worked with Risk Management at a financial institution which got me thinking about Security. Researching a way to combine IT & Security led me to a graduate degree in Cyber Security and I’m so loving it!
I sure wish there was something I could do to get you out of retirement lol… There’s a lot of people who could benefit from your wealth of knowledge & experience
mplserin
It’s too bad that this article only relates to college grads–it fails to represent anyone who’s self taught. Security as a career is wide open to grads and non-grads alike.
Remember. many successful people never finished college, such as Bill Gates, Steve Jobs, Larry Ellison , Jack Dorsey, Tom Anderson (Myspace founder) Larry Page (co-founder Google), Mark Zuckerberg, Michael Dell, Jan Koum (What’s App founder), Travis Kalanick (Uber founder), Byung-chul Lee (Samsung founder), Richard Branson (Virgin Mobile founder & high school dropout) and more!
Non-tech drop-outs include Oprah Winfrey, George Washington, Abraham Lincoln, Henry Ford, Albert Einstein and many more.
There are still those by-the-book hiring managers who FAIL to include people from diverse cultural, economic and educational backgrounds. This is a huge mistake for any company that wants independent problem-solvers. While anyone can say they do that, only the self-taught person can prove their ability to think outside the box, afterall, they managed to figure out HOW to become educated when they were still uneducated! I don’t know any better way to prove a job candidates worth than to look at the sheer level of motivation that it takes to learn independently. Ponder that!