Dr. Erdal Ozkaya

Head of Information and Cybersecuirty, Managing Director, Standard Chartered bank

Cybersecurity: The Beginner's Guide—a comprehensive guide to getting started in cybersecurity.

I am so used to hearing questions such as the following:

"How can I start my career in cybersecurity?"
"How can I switch to cyber?"
"What are your recommendations for us to be successful?"

If not every day, it must be at least a few times every week that, those questions are asked of me. Regardless of whether I am in Australia, Asia, Africa, America—you name it—I receive the same questions again and again. I wrote a few blog posts about the topic on LinkedIn and https://www.erdalozkaya.com/, but they are not detailed enough to help beginners or career-switchers as they don't provide in-depth help.

It's not a secret; everyone is talking about the huge talent gap in the cybersecurity industry: Forbes Magazine, Tech Republic, CSO Online, DarkReading, SC Magazine, and others, as well as, Fortune CEOs such as Satya Nadella, McAfee's CEO Chris Young, Cisco's CIO Colin Seward, and others.

Organizations such as ISSA and research firms such as Gartner are also discussing this. So, nearly everyone is talking about this topic.

Working closely with Microsoft's Cybersecurity Solution Group's Corporate Vice President Ann Johnson, knowing her passion for working closely with cybersecurity talent and closing the diversity gap has always encouraged me. With her tweets and her talks, in our one-to-ones and through her public speeches, she has influenced me to do more in this area.

And, finally, while I was delivering a cybersecurity workshop in India for a group of IT experts, when I received similar questions on how they could become experts specifically in cybersecurity and AI, I noticed it was time to do something; while chatting to Deepayan, who was also an instructor at the same workshop, he shared with me his experience on the same topic.

There are possibly endless resources and information already available on the internet today, which talk about how to start in a particular area of cybersecurity. Even so, if many people are reaching out to people in the industry with the same questions and seeking basic guidance to kickstart a career in security, then it must be a general problem and could be a very simple one to solve. After analyzing the case, I found out that the information available on the internet is either overwhelming for someone to process or is too fragmented, so individuals are unable to see the forest view of the cybersecurity world and then pick a tree for themselves.

With the final push being the course attendees and Deepayan, I decided to reach out to Heramb, the Acquisition Editor (AE) from Packt Publishing and shared my idea. And, of course, Packt was also aware of the same issue.

And finally, here is the book; after completing it, we reached out to some close friends who have spent years in cybersecurity, and we asked them to share their experience with you, our readers, as well.

I hope it will help many individuals and organizations.

References:

How did I become involved in information security?

My first hack (!) happened when I was 9 years old. My brother received a James Bond-style three-digit manual bag as a birthday gift. He used to hide his secret stuff inside the bag, and one day I realized he had something really interesting in his bag, and I wanted to get access to it. Of course, my brother was not that keen on me having access to his bag. So, to cut a long story short, after running a manual password attack, which, of course, took me a while since I had to write every single combination down, within weeks I was able to open his bag. My reward was his magazines; as a nine-year-old boy, having access to those kinds of magazines made me the most popular boy in my primary school.

Starting my career as a network administrator, then moving on to infrastructure engineering with every project I completed, the security gaps that I have found have always frustrated me, researching every single issue that I have faced, reading many staff comments on the net, and doing many hands-on exercises. Then, moving on to IT consulting and sharing my insight with my clients from all organizations showed me the biggest gaps in IT departments. So, I decided to move toward information security and build my skills and knowledge in the field to be able to pass them on to everyone else around me.

A very long time ago, when I was still a teenager in Germany, I used to work part-time in a small computer shop where I had to teach customers how to fix minor issues. Back in those days, computers were not in every house, and I used to teach friends how to operate them. Then, in university, I completed a teaching degree as my secondary degree.

When I moved to Australia, I started a part-time side-business from my garage, selling computers and providing networking, implementation, and security services. In the meantime, I was still studying network engineering and getting Microsoft certifications.

My MCT training career started in 2002; I got multiple MCP/MCSE certifications, and there was a huge IT boom. I became extremely busy, running between training centers as a part-time tutor, teaching many Microsoft and security courses. That led to me opening my own training company, where I had only one room, and at the same time I was still working somewhere else as a full-time IT professional. Finally, in 2006, I quit my full-time job and started to work for myself, where I grew the business into a multi-branch training company. Within a few years, the business grew from a one-room training center to a multi-million dollar business with branches all across Australia.

ATBC in Australia sharing my profile with their members

In 2012, the success of my company gained the attention of another company, who offered me a deal to buy the business, which I could not resist. The handover of the business took a year; in that time, I continued to deliver security assessments and security/ethical hacking classes:

PenTest Magazine Issue 1 (2012) interview with me

In the meantime, I was still working toward my goals and dreams of "making cyberspace more secure;" my contributions caught the attention of Microsoft and I was given the Microsoft Most Valuable Professional award (I was awarded an MVP from 2008 until I joined Microsoft in January 2016):

Microsoft Most Valuable Award letter from the Corporate Vice President

In the meantime, I have also finished a Bachelor of IT degree at the University of Western Sydney, and have spoken at many conferences as a Subject Matter Expert. In 2008, I was selected as Speaker of the Year at Microsoft TechEd (now, it's called Microsoft Ignite). I was also selected as Best Microsoft Certified Trainer in Australia, and I received the Global Instructor of the Year award by EC-Council for getting excellent feedback from my ethical hacking, forensics, and penetrating testing classes:

Microsoft Tech Ed 2008, Gold Coast Australia, Speaker of the Year

This award helped me to speak at even bigger conferences with a few thousand attendees. The more time I invested in developing myself and sharing my experience with communities helped me meet many people, which gave me a lot of international exposure. This is what I tried to explain to you in Chapter 7, Networking, Mentoring, and Shadowing. Networking, mentoring, and finding the right coach can help you excel in your career:

Hacker Halted Miami 2011, Global Instructor of the year, together with the CEO of EC-Council Jay Bavisi

Microsoft Ignite North America, more then 2,000 attendees are listening

In 2012, while I was handing over my business at one of those conferences, I met Martin Hale, the CEO of IT Masters (as you read in the Experts' advice section). Let's read the rest of the story from Martin:

"I first met Erdal back in 2012 when he was Chief Technology Officer for an IT infrastructure design company called Fastlane. Erdal's enthusiasm and vitality was infectious, and I couldn't help but suggest he channel it into postgraduate study. Erdal soon went on to enrol on one of our cybersecurity master's degrees, later taught some of the subjects, published several best-selling books on cybersecurity and just last year graduated from our Doctor of IT. Today, Erdal travels the world, helping companies that have been hacked and companies who are about to be hacked."

This example is also a good reference for what we mentioned in Chapter 7, Networking, Mentoring, and Shadowing, so make sure to network well, again, as was mentioned in Chapter 4, Skills We Need for a Cybersecurity Career; once you choose your path, make sure to gain the right skills and, again, as mentioned in Chapter 9, Knowledge Check and Certifications, knowing what you are doing, getting the right certification, and always trying to do your best will always get you moving forward:

When I started to do my master's, I also got an offer from IT Masters and Charles Sturt University to share my experiences with their students. Since then, I have been lecturing at Charles Sturt University:

In 2013, I joined Kemp Technologies as a regional director for 2 years. I helped Kemp to grow its business in Australia and Asia. While at Kemp, I was still part of the community, and any free time that I could find I invested in building cyber-aware campaigns to raise the security bar against hackers:

Kemp Technologies' web site, announcing my award (2013)

My full-time work never held me back from working toward my dreams. My hard work also grabbed the attention of newspapers. The following are some screenshots from those news articles:

Entrepreneur Magazine, Philippines 2012

The following is a photo of me making a thank-you speech for my Professional of the Year award in 2014, in Sydney, Australia:

Then, I had a great offer from EMT Holdings. The company offered me the Regional CISO position for the Middle East and Africa and a Vice President status, based in Dubai:

Dubai, United Arab Emirates was a brand new market for me; yes, I was born in Germany, and I have also lived in Turkey, then Australia, traveling around Asia, but none of those places can be compared to the Middle East. I had to start from the beginning, as I didn't know too many people, so I followed all the recommendations that I have made to you.

Me and my family moved to Dubai in December 2014, and within a year I came second in the Top 50 Security Professionals by Channel MEA magazine for my contribution to helping the community to be cyber-aware:

Channel Middle East Magazine, Channel Champions (2015) in Security

2015: Modern Trader Magazine, USA

I started from scratch and just repeated what I knew was going to work, and it did. Events started to catch the attention of the journalists all across that region. The following is an example from a newspaper in Bahrain:

This caught the attention of Microsoft, and I found myself joining Microsoft as a cybersecurity architect responsible for Europe, the Middle East, and Africa. For 3 and a half years, I reached out to customers all around the world.

Not just with our customers, but internally I was also volunteering to deliver advanced cybersecurity classes, as well as cyber classes for CxP levels. I was awarded membership of the Platinum Club, which is the highest level of achievement in Microsoft that an employee can achieve:

2017 Microsoft Circle of Excellence Platinum Club award, Microsoft CEO Satya Nadella, Microsoft Executives, and other award winners.

Some newspaper examples from South Africa, Nigeria, Turkey, and the Gulf

All of this never killed my desire to learn; in 2018, I was able to finish my doctorate degree remotely from the Charles Sturt University in Australia:

I loved my work at Microsoft, but I was traveling way too much, and at the beginning of 2019, I decided to move to another great global company, the Standard Chartered bank, as Head of Information and Cybersecurity (Managing Director).

What advice would you give to someone who is considering a career in IT? How can they get started?

As I've explained throughout this book, anybody who sees themselves in IT has to keep one thing in mind: the learning curve will never, ever end, so you have to love learning, researching, and being up to date. The IT industry will not appreciate the past; being current and being ready for tomorrow with the experience from the past is the best piece of advice I can give you.

Technology is moving so quickly, and it is it difficult to stay up to date, so if you don't like to read and learn, your knowledge will become outdated very quickly. We are in an era where knowledge can be gained much easier than 20 years ago; back then, for us to be able to learn, we had to go to libraries, borrow books (if we were lucky, as not too many IT books are in libraries), but, today, blogs, computer-based training, YouTube, and classroom-based training is much easier to reach and much more affordable. So, to keep it short, even if you cannot attend conferences, today, most of them are broadcast live, so watch them; follow technology leaders on Twitter; subscribe to a couple of valuable email lists; and read, learn, and, of course, practice.

Looking back at my career, from a small business owner to a multi-million dollar company, then moving to Kemp Technologies, Secunia (EMT Holdings), and Microsoft, I have worked with many governments and Fortune 100 companies in the financial and medical sectors:

An award from NATO, Center of Excellence Fight Against Terrorism

Selling hardware and implementing services can be repetitive, but being a Trusted Security Advisor working with Tier-1 Security issues can be unique. You might visit an organization that has 30,000 computers wiped out. Being able to work with customers in bad times is very special. Being able to help them resume services as soon as possible is indescribable for me.

At the same time, when I teach workshops or when I speak at conferences, sharing the real-life experience that have I gained in the field, helping students/attendees to be better makes me happy, and seeing my customers being able to fight sophisticated attacks makes me proud. Reading feedback via email—or you name it—makes me feel the best; mission accomplished—until the next challenge, which could be in the next hour.

Get feedback, listen to feedback, and keep improving yourself

Being awarded a doctorate in your career after two master's and two university degrees might sound like the pinnacle, but it isn't. I know I am still as I was on the first day of my career. My biggest mission is to make cyberspace more secure for everyone. Having a doctorate or working in a C-level job has no direct impact on my mission. I will probably still take the time to write books, speak at free events and webinars, as well as Tier-1 conferences, in order to share my experiences, findings, and recommendations with as many people as I can. Knowing humans, and how vulnerable we are, having the mission of helping to make every person and every organization more aware of cyber threats is not an easy task.

As my final word, I would like to share my speech from my doctorate graduation with you. If I can do it, so can you, and please don't forget that the highlight of my career happened in my late 20s, when I was married and had children:

"I had a dream, a dream that was not easy to reach; I planned.
I had to take the necessary steps to achieve my goal; I acted.
There were times when I felt alone, when I thought I would never go through with it; I had some negative feedback that I needed to address; there were times when I fell.
I learned from all those to move forward, learned from my mistakes.
Finally, in the end, I am a doctor; I made it.
Today, when I look back, I know nothing happens without dreaming, without taking the first step, without checking your progress and learning from your mistakes."

Today, from my speech, if you wanted to walk away with one thought, I would say "never give up," regardless of how tired you are or how many times you fail. Stick to your ambition, to your goals, and ACHIEVE them. I know you can, because I just did it, and I just shared my "secret recipe."

Good luck!

Dr. Erdal Ozkaya