Career Navigator talk for IT Hub College

Last week I gave a “Career Navigator” talk for the students of the IT Hub College in Moscow. By the way, this college has a very interesting practical information security program. If it is relevant for you, check it out.

I’ve never talked so much about myself in public. It was like giving advice to yourself from the past. An interesting experience. It took about an hour and a half. And now I will try to mention the main points.

University

I talked about studying at the university. We go to university to gain knowledge and skills, but this is not the only reason. The university diploma makes it easier to find a job and participate in emigration programs if you ever want to. For example, this is a requirement for the European Blue Card. Networking at the university is also important.

My experience of studying at Bauman Moscow State Technical University was definitely positive. Although I believe that there could be more practical courses on operating systems, networking and programming. On the other hand, there could be much less mathematics. I have the best memories from the Theoretical Foundations of Information Security course and the course based on the CISSP exam.

The first job

The first job in the last years of study at the University is also important. It often shapes your career path. I am fortunate to have worked at the Radio Research and Development Institute. This gave me good practice in Linux and Solaris system administration, programming in C, Java, Bash and parallel computing. This is more important than money.

Security Vendor

My first full-time job after graduation was at Positive Technologies. This is where I learned about Vulnerability Management and specialized in this field. I started by developing Compliance Management checks based on CIS benchmarks and vulnerability detection checks for various Linux and Unix operating systems, mostly using Python and Bash. I was also conducting competitive analysis of Vulnerability Management solutions. Working at a vendor allows you to understand how technical solutions actually work under the hood and what limitations they have. This is a very valuable experience.

From theory to practice

When it came time to move on, I started working on implementing a Vulnerability Management process in large IT companies. I started at Mail.Ru Group, and now I continue to do this at Tinkoff. Perimeter scanning, internal infrastructure scanning, vulnerability prioritization, remediation tracking, host hardening, various infrastructure security metrics and custom automation. All this mostly in Python using the APIs of various security products. It seems to me that it is impossible to fully understand Vulnerability Management by working only at the vendor, without trying to implement it practically from the client’s side. Therefore, I advise you to specialize in the part of information security that you like and try to study it from all possible angles.

What else

What else can help a specialist to develop and get an interesting job?

Blogging

I can say that for me the decision to start a blog played a favorable role. A tech blog makes your work more visible, highlights your expertise, and is a good addition to your resume.

Activities

Participation in conferences, meetups, hackathons, CTFs, etc. is also important. Apart from the main task, it is a powerful recruiting tool. It is also helpful to have some open source projects on GitHub.

Job Interviews

I find it very beneficial to apply for vacancies abroad. This allows you to practice your English, understand knowledge gaps, find out what is really in demand and how much your services cost. As a rule, such communication is pleasant enough and expands your social graph. And if as a result you get an interesting job and relocation offer – why not. And it’s free.

Certifications

What about certifications? I admit that this may be useful to someone, especially for security consultants. In my opinion, the most useful certification is CISSP. However, I myself do not have certificates and for me it is a kind of cult. The exam is quite expensive, you have to pay annual membership fees, retake the exam regularly or collect CPEs. So far, it seems to me that it is wiser to spend time on a blog or your projects. But this is just my opinion.
