It’s rare for a young individual in high school to identify what they want to do for the rest of their life and then carry through with it without ever considering moving out of that field. Rewind to 2013—I’m in my 5th year of school, having passed my Scottish Highers and looking to University, alongside applying for some apprenticeships. I had my path laid out in my head, with an Arkwright scholarship with Heriot-Watt University. It seemed that my pursuit of an Engineering Degree with one of the top institutions in the country was a reasonable approach. Then a spanner got thrown in the works when I was offered an apprenticeship with BP. To me, this was the opportunity of a lifetime with a global company where I could develop professionally. I grabbed it without so much as a second thought or a look over my shoulder to contemplate full-time University. I was a bright student, and I felt that a global company such as BP, alongside a college qualification in Process Technology and work experience, was the right move for me.
Fast forward to Autumn of 2023. I’m now a full-time Cyber Security Consultant/Penetration Tester/Ethical Hacker specialising in web application security testing and currently holding the Cyber Scheme Team Member certification. So, what changed? And what would I do differently? To be honest—not much.
I sometimes wonder what would have happened if I had decided straight out of school that I wanted to study Cyber Security. The truth is, I’ve always had a passion for computers and a relentless curiosity to understand how things work—the recipe for someone who’d love hacking. I do think there’s an element of “not really missing what you never knew” here. Cyber Security was something I had never considered moving into out of school—not because I didn’t want to, but more because, for some reason, computing wasn’t “advertised” at my school. The push towards engineering was pretty strong, and I was good at it. When the offer came through from BP, it was something I couldn’t walk away from in my head, rightly or wrongly.
I left school and started studying Process Technology at college—understanding distillation processes and how fluids and gases travel through pipes, etc. I then spent three years on work placement, working shifts at BP’s oil and gas facilities in Scotland. As much as I learned during my time as an apprentice, and although I could probably cold-start a multi-stage gas compressor tomorrow, my clients will be glad to know it doesn’t feature in my web application testing methodology. Regardless, it was crucial in my next role when I moved on to working full time with Petroineos, following the graduation from my apprenticeship.
I enjoyed my time at Petroineos for the most part; however, it allowed me to properly re-evaluate what I wanted to do with my life and the kind of person I wanted to be. I started to develop a sense of perspective that sometimes only age and experience can define and shape.
I remember talking about all this to a close friend over a game of poker and some whisky. He was a pentester (still is), and his work fascinated me. I always explain this as being a pivotal point in my life—a Saturday night where I listened to a group of ethical hackers, developers, and others working in the tech space talk about their work so passionately and with excitement. This may sound standard to a lot of people, but back then, I had nothing exciting to say about my work, and my days off were an escape. I probably asked far too many questions about what it’s like to be an ethical hacker, but I always remember that friend telling me, “You’d make a great pentester. Let me know if you ever think about it.” We laugh about this to this day because I remember pretty much saying yes there and then and asking what I had to do, and he asked me a fundamental question that none of us can remember what it was, but it was trivial. Such as, “well, do you know what Linux is?” What I do know is, whatever it was, I had no clue. I realised very quickly the steepness of the curve.
I felt slightly deflated going back into work. A new world beyond the refinery gates had emerged, but it was a million miles away. How could I learn how to be an ethical hacker when I couldn’t code? How could I do that if I didn’t know what Linux is? Did I need to know how to use that black screen with the white writing on it? That’s pretty much alien to me!
I pushed it to the back of my mind and tried to throw myself back into my current job and ended up working in a secondment role, in which I had a budget to improve plant systems. I dived in headfirst, started contacting companies that develop ATEX-rated tablets for working in a hazardous environment, and looking at how to implement them into the refinery.
Having initially been told that what I was trying to achieve couldn’t be done, I ended up getting full support from the refinery manager, and the project got launched. Moving tech into a plant built in the 1940s! Well, that is until I got moved back on shift due to COVID in March 2020. The project got taken from me, and I lost all responsibility around it. My idea, my drive to develop change, disappeared, and I ended up working in my old role again, showing up and going home.
I phoned my friend and said, “Remember you said to give you a shout? How do you get into pentesting?” He said, “Download Kali Linux in a VM, send me a photo of you writing ‘Hello world!’ in the terminal.” I responded, “Kali what in a what?”
And I was hooked. I went straight over to the computer and researched it—for hours. Straight on to the Offensive Security website, on to Reddit, everything. “How do I even run this thing, what does it do?” A few hours later, I sent him the screenshot, and so began my journey into ethical hacking.
I found TryHackMe and Hack The Box. Admittedly, the latter was slightly too advanced for someone who didn’t even know what a terminal was, but the lack of knowledge just made me want to learn more. I watched walkthroughs on YouTube for HTB labs and got a feeling for what things were, on a basic level. I just developed a love for being in the Linux shell; it felt like an escape. I still remember downloading my first VPN connection file for TryHackMe and not understanding what it was or what it did. I spent hours learning the basics of Linux and messing around in the shell—“cd”’ing into a directory just to move back out of it again. Creating a file just to change the permissions on it, then deleting it again. To someone not interested in computers, this would seem like hell, but to me, it was addictive. But there was one problem. Everywhere I looked, there was more information about something else, then more information about that thing. All these abbreviations for things, SSH this and FTP that, and how can there be 65535 ports; my MacBook only has 2 USB ports, am I missing something? What to learn next… Option paralysis, information overload. I got so hooked and invested in it that I started doing a part-time degree in Cyber Security at the Open University to provide a more structured approach to studying. I loved it; it was the first time I loved learning. My work ethic changed (thanks to Ali Abdaal on YouTube), and I shifted my mindset.
I worked my job and studied my course at university, but when I wasn’t doing that, I was doing labs or TryHackMe modules. The university course started from the ground up, teaching me networking basics and entry-level programming in Python. The combination of the IT fundamentals alongside the more niche “hacking” resources was becoming the perfect balance.
It was all going well until I looked at doing the OSCP to get me into the industry. Researching the exam and watching walkthroughs of similar OSCP-like boxes hit me like a train. I was nowhere near the level I needed to be at. This was the hardest thing I’d ever done, and everywhere I looked, it just kept getting harder. I was deflated again. How could I ever make the jump into being a pentester?
I kept studying. I was acing my exams at university too—getting a Distinction in my first year. But I still wasn’t a full-time pentester. I kept studying. The more I didn’t know, the more I wanted to know it. It was a vicious circle. I remember being on holiday with friends on the Isle of Skye, and I studied on the drive up and pretty much the whole time there. I was in Kali from 10 am until midnight, grinding away. I saw it differently from them. Even though it was my time off work, I saw it as an opportunity to study and hack with a change of scenery, in front of a fire with a coffee and a few beers in the evening.
Then one day, I saw a job advertised for a Junior/Trainee Cyber Security Consultant. I was excited, but the moment was fleeting. I couldn’t do this, could I? I work in oil & gas; why would they consider me? What about graduates? I don’t even have 2 years under my belt part-time! But I went for it anyway. What was there to lose?
I ended up getting that job. I’m still there, now moved to a Consultant role, following the graduation from their Academy program. I felt like the underdog, like the new kid on the block. The imposter syndrome was real. However, their training was fantastic, and the support I’ve received since joining the company has done nothing but cement in my head that the best decision I ever made was taking the leap into cyber. Furthermore, as a result of the support and training, alongside some late-night study sessions, I passed the Cyber Scheme Team Member exam on my first attempt, 8 months after starting in the industry, with no prior IT experience. Trying to navigate the material I had to know within the niche of offensive cyber security, whilst building on the fundamentals as I went along, was the biggest challenge. However, the hard work paid off, as I now get to do what I love alongside a great group of people who share my passion for it.
The last two and a bit years have been a rollercoaster, but the turning point for me was that poker night. Seeing so many people passionate about what they do, even when they’re off, was inspiring. If you can love what you do for work, then that’s half the battle—considering how much of our lives are spent working.
It’s worth noting some important things that I’ve learned along the way though. I wouldn’t change anything about my journey into cyber. I used to feel like I would be leaps and bounds ahead of where I am now had I started earlier, i.e., straight out of school into a degree in cyber security. But I don’t think I believe that now. Simply put, the lessons learned in my previous roles and being able to define to myself what I DON’T want in a job gave me the driving force to move forward. Sometimes seeing something being done badly is the catalyst to inspire change. Being a security consultant allows me to help others become more aware and protect them against threats, and that’s a good feeling to have when you turn your laptop off at the end of the day.
I don’t doubt that I would probably be more technically knowledgeable if I had studied straight out of school. However, the perspective that I’ve gained both in my previous roles and through the jump into cyber has been invaluable in allowing myself to appreciate what I get to do for a living, and as a result, pushing me to develop, both as a person and as a pentester.
It’s never too late to start. The knowledge that the grass is becoming much greener than where you came from might just keep you running forward faster.
Ross is a finalist in the Rising Star category at the 2023 Security Serious Unsung Heroes Awards.