Using the CEH to create an ethical hacker career path

Chris Sienko: 1:10

InfoSec and CyberWork Hacks are helping to train the red teamers and blue teamers of tomorrow with our boot camps and study materials for the CEH exam. Now, how does ethical hacking proficiency translate into a satisfying career? Well, infosec CEH boot camp instructor, akil Phillips, has plenty of strategies to help you get focused and stay focused in your studies, excellent tips for keeping on top of latest security changes and innovations, and how you're going to push past uncertainty and into the work of putting one foot in front of the other in your quest to become a bona fide in-demand ethical hacker. Keep the enthusiasm up when you check out today's episode of CyberWork Hacks. Hey, welcome to another episode of Cyber Work Hacks. The purpose of this spinoff of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear and actionable solution or a new insight into how to utilize InfoSec products and training to achieve your work and career goals.

Chris Sienko: 2:14

Today, I am very excited to be talking to InfoSec's bootcamp instructor for the Certified Ethical Hacking or CEH bootcamp. His name is Akil Phillips and if you haven't seen his previous episodes yet, go check out the previous three that we've released. We discussed the mechanics of the CEH exam questions. Akil gave us his best tips and tricks for taking the exam and also walked us through the day-to-day work that he does in our CEH certification bootcamp, so you'll definitely want to check those out as well. But today we're going to be talking about career paths, so the Certified Ethical Hacker exam and the very idea of an ethical hacker are good starting points that can sort of move in several different types of a security career. There's roles that are related but not quite the same, so I'm hoping that together we'll give you a look at how you can use your CEH certification to put together a career path in the field of ethical hacking. So, akil, welcome back to Cyborg Hacks.

Akyl Phillips: 3:06

As always, thank you for having me.

Chris Sienko: 3:07

My pleasure. So, to get us started in this topic, what are some of the key goals that students of your CEH bootcamp are trying to achieve in testing for the CEH certification? Like what? Where are they tend? Do they tend to be in their career?

Akyl Phillips: 3:23

Usually you have someone who's been in IT for several years and now they're trying to advance their career, maybe break into the cybersecurity side of the house, and when you look at pen testing specifically, there's a lot of you know side hustle opportunities or open opportunities on the side for talented pen testers as well.

Chris Sienko: 3:45

Oh, can you, can you talk about some of these, these sort of side quests, side hustles?

Akyl Phillips: 3:49

Yeah, they're so-called bug bounties. They can be pretty hard, but if you do take the time and you get the automation in place, they do get pretty rewarding, and I think that can be a motivator for a lot of people that are breaking into the industry as well.

Chris Sienko: 4:05

OK, well, yeah, I'm definitely going to want to talk to you some other time about getting started in bug bounty programs, because that's something that people ask us about all the time. But let's, let's, let's stay on target here. I want to talk about some of the key career paths that can branch off from the Solid Foundation that can be found in the EC Council's CEH certification. So I know that you said there's a lot of people who learn ethical hacking to be pen testers, which makes sense, but are there other related career paths or specialties that would benefit from someone who's CEH certified?

Akyl Phillips: 4:37

Certainly, I think, if you are running a security operations center, it far be it from you to be the defenders if you don't understand the way that the offenders are actually attacking. If you are a security architect, your role is to go ahead and proactively find issues within your architecture, within your network architecture, and I do think that this cert definitely helps. It keeps you on the edge of what's new within the ethical hacking space. There's a lot of what blue teamers do that I do believe is very closely related to understanding the pen tester, and I think that's a huge gap that we can find within the average person. The average person is usually not trying to think like a criminal, so having this type of exam, I think, is a great thought exercise for someone who just doesn't understand that perspective.

Chris Sienko: 5:37

I think it's interesting.

Chris Sienko: 5:39

You know, I follow the numbers on our, on our YouTube page of our most popular videos, number of popular articles, and it is very funny that a lot of our best, best visited things are things like how to crack a password or how to you know carding for noobs, you know, and things like that.

Chris Sienko: 5:56

So there's, there's stuff that you know to anyone going out there say, ooh, you know, I can do some nefarious stuff with this, but it's ultimately like you have to be thinking like that all the time, like you have to know how this is done so that you can, you know, prepare it, prepare against it, because obviously the work of strengthening it is to understand where your weak spots are, and that's what red teamers do.

Chris Sienko: 6:18

So, yeah, the most common comment we hear on cyber work is from people who are just trying to get started in cybersecurity. We've really fine-tuned the program to sort of get people who are nervous about getting into cybersecurity or overwhelmed with a number of possible directions, to sort of lower the bar and get them in the door in whatever way we can. So can we break down a few of the first steps that people who are interested in pen testing or ethical hacking and related careers should be considering when mapping out their career and study plans Like what are some questions they need to ask themselves about their skill sets and what actions should they be taking as a result of the answers that they get?

Akyl Phillips: 6:56

I think the first question is do I have the ability to create a small habit and I say small habit as in 30 minutes a day or an hour a day, not three to four hours a day, because you can start out hot and heavy in this field and burn out really fast, right? So do you have the ability to create a small habit and do you have the space in your life for a small habit? If you can make a habit out of studying, a habit out of these ethical hacking activities, then you know that you can make it into a career. So that's the first question I would tell someone to ask themselves, and the answer to that question is always going to be a yes, right, everyone has a spare 10 to 15, maybe 30 minutes in a day, right? Um, if you can make it a small habit, then I think the follow-up question is do you actually like what you're doing? Yeah, right, do you actually like what you're doing? Um, and the reason I say you have to like it is, again, this burnout aspect. Right, you don't want to be frustrated and have to work on technical things. Right?

Akyl Phillips: 8:07

Tech rage is real. People tech rage is real. There's a ton of broken computers out there because of tech rage, right? Wow, yeah, so you know, do you? Do you actually like it? You know, do you do you actually like it? And then three uh is do you see uh the benefit that it brings to other people? Right? I think a lot of times we can get lost in our field, uh as in, it's just about the tech. But ethical hacking, I think, is something that has a great deal of uh benefit for the uh entirety of society, right? If we can't provide a secure network, then all of the convenience of communication and transportation and transfer of money, all of that goes away, right? So those are the three things I would really ask, tell people to ask themselves in terms of preparing um, just because, as we've been saying so far, it's a marathon, not a sprint.

Chris Sienko: 9:05

Yeah, can you be a little granular in terms of, like, what some of these things are, that you have to be happy to do a lot? Because, yeah, I think that's a really good point. I think people, um, might imagine a career based on, like the highlight reel of what they imagine the fun parts are. You know, I made it to the flag, I, I've, I've, I found a way in, I got to root, I got, you know, I I captured the criminal, I brought him to justice. But, like, what are the? What are some of the tasks that are that are just going to sort of be on your plate every day that aren't quite as sexy and glamorous?

Akyl Phillips: 9:37

I think one of the ones that's less spoken about is just keeping up with cyber security news and how often things change within technology. Um, so after one class, you should be able to fully understand all of the cyber security news that's being released. But within one week you're going to start hearing about different types of attacks and there's going to be a myriad of different types of attacks. There's not one type of rat. There's thousands of different types of remote access Trojans. There's not one type of malware. There's thousands of malware variants, just like what we've been seeing with everything else.

Akyl Phillips: 10:14

So that's something that I think, as you get into it, just keeping up with the news can be pretty difficult. And then also, who is interested in the industry at the time? This is an industry that gets a lot of a lot, a lot of what I would call bipartisan political attention, where it's not about whatever side you want, it's about the entirety of society. So understanding those things can be a little bit heavy. Um, and then understanding where cyber security crosses with the sub-industry of a lot of your other uh companies as well, because in 2024, every company is a tech company.

Chris Sienko: 10:59

They just don't care Manufacturing infrastructure, it's all. You can plug yourself in anywhere. This is sort of off the question set here, but do you? What is your particular routine in terms of keeping up with new tech information? Do you have like a set of publications that you read every day? Do you go and check out latest vulnerabilities on? You know a DOD or things like that? Like what, what is? What is your sort of diet in this regard?

Akyl Phillips: 11:29

Um, so I'm typically I'm on the hacking news or the hacker news or dark reading. Um, microsoft defender three 65 is really good as well. I like those three because they give you visual representations of the actual attacks and you want to find something that breaks down the attacks as detailed as possible. So uh also like if, uh, if anything new pops up on exploit dbcom that's just a repository fora lot of new exploits, uh, and overall, yeah, I, I think you're spot on. I just have a feed full of different rss feeds. Yes, um, that just kind of feed into this news report that I do.

Chris Sienko: 12:14

Yeah, um, yeah, I think, especially if you're in the house, I think if you're, if you're just starting in the industry, the idea of, like, well, go out and find out what's happening, you know, in in the news is going to be a little intimidating. But yeah, it is worth noting that, like, once you have your sort of go-to sources, then all you have to do every day is just is just look in and see what they're telling you, because they they're happy to tell you.

Akyl Phillips: 12:36

No, that's very true, right. And if you have discord, there's a that can be created as well, right? So join some discord servers that are around cybersecurity. They're bound to keep you updated.

Chris Sienko: 12:49

Yeah, absolutely so. Akil. Do you have any advice for people who are coming to ethical hacking, maybe from a completely different career, maybe related tech, or maybe even not that, because a lot of our new listeners tell us that they're? They're making a big jump from a job or industry where they felt they got stagnant and we're looking for a big change and might just be like starting again from the beginning. You have any thoughts on how to broker skills from a current role that might not be security based or even tech based at all into a networking career?

Akyl Phillips: 13:23

Genuinely. Bring all of your skills, because skills are transferable, right? If you were doing retail and you were stocking shelves at, you know a retailer, well then you could still help me on asset management and we can find a way to really make that shine within your understanding of inventories and how they're updated. Maybe that can connect with how the technology integrates with inventories and that could help you create race conditions in the future, right? So transferable skills are always going to be there, so don't leave anything behind. Bring that experience with you.

Chris Sienko: 13:55

Yeah, yeah, and let anyone you're interviewing with know that you have all these things, and, and, and I think it's probably worth saying that you should. You should know these things before you start getting into the job search game, right? You, you need to be able to imagine in your mind like this is where I could imagine, like you said, my inventory skills would, would be used, and then it's a lot easier to bring it up in the in the moment.

Akyl Phillips: 14:16

No, I agree with that. I think, um, and for that sense, if you are coming over from another field, consider getting a mentor, because sometimes someone who has a little bit more experience might be able to help you. Uh, understand that some of those skills are really important and you do need to bring them with you.

Chris Sienko: 14:33

Yeah yeah, the number of people we've talked to that said that their their best pen tester or their best digital forensics person came from like child psychology or, you know, bookkeeping or any number of other things is is astonishing. So again, like you know, we're always beating this drum here, but if you, you know, if you weren't a tech prodigy at age six, it really doesn't matter. Like you can, you can get caught up. So one of the reasons we talk about career mapping so early in one's professional journey here is because we frequently hear from students who feel that if they take the wrong career path early on, they either won't be able to make the pivot into the career that does actually interest them or they'll fear that they've wasted too much time on unimportant things, which, you know, folks who have a little longer time on this earth know that that's not true. But so what advice do you have here for listeners who paralyze themselves into inaction out of fear of making the wrong career move?

Akyl Phillips: 15:26

If you do nothing, you'll get nothing right. That's really the only thing I can say. I think that I'm really grateful for the career that I've had, and I think that the time that I spent in the military just kind of taught me to keep putting one foot in front of the other. But the thing that kept getting told to me while I was putting one foot in front of the other is, hey, if you go back and you check some of your friends out that weren't taking action, they'll be right where they are 10, 20 years from now. And now. Now I'm in my thirties and I'm seeing how true that is and it's kind of scary. I was like, well, that's kind of prophetic, right? So if you don't take action, you'll get exactly that in return. Inaction breeds nothingness. Yeah, amazing, yeah, that's that.

Chris Sienko: 16:13

You know that might sound grim, but I think that's actually a very positive note to endness. Yeah, amazing, yeah, that's a that. You know that that might sound grim, but I think that's actually a very positive note to end on. Yeah, we all have that friend who's still talking about their big plans from 20 years ago. So don't, don't do that. So, yeah, this is a. This is all great advice and, as always, akil Phillips, thank you for helping us to create this new generation of ethical hackers. Thank you, thank you and, as always, thank you for watching this episode.

Chris Sienko: 16:42

If you enjoyed this video and felt it helped you, please do share it out with your colleagues, any forums or discords that you're on in your social media accounts, and definitely subscribe to our podcast feed and our YouTube page. We're everywhere you want to be. You can just type in CyberWorks InfoSec we pop right up at the top. There. We're everywhere you want to be. You can just type in CyberWorks InfoSec we pop right up at the top there. We've got plenty more CyberWorks hacks to come, including several more certs. So if you have any other topics you want us to cover, drop them in the comments below. Otherwise, you can just see us here every week on Monday and Thursday with new episodes. So until then, see you next time and happy learning. Hey, if you're worried about choosing the right cybersecurity career, click here to see the 12 most in-demand cybersecurity roles. I asked experts working in the field how to get hired and how to do the work of these security roles so you can choose your study with confidence. I'll see you there.