>15 years in infosec, currently a hacker; in the past been an infosec policy consultant and ran my own business.

About me

Kevin S.
Computer Science
Computer Systems and Software Engineering
MEng
Langwith
1997
United Kingdom

About this profile

Penetration Tester
BT
United Kingdom
Digital and IT services
Large business (250+ employees)
2013

About the job

What I do

I'm an embedded penetration tester for BT. I attempt to break the security of products and devices that BT uses and sells.

Skills I use and how I developed them

Hacking, reverse engineering, *nix systems administration, C, Python, assembler (inc. MIPS and ARM), hardware attacks, cryptography.
Most skills were developed through own research via the Internet.

What I like most

I like having the time to develop a deep understanding of how an embedded device was put together, in order to break it.

What I like least

Admin.

What surprised me most

It's a relaxed atmosphere that supports the development of new skills.

Finding and applying for the job

How I looked for work

Originally I was sponsored at Uni so I took my first job with my sponsoring company. When I was looking to leave there (after 3 years), I found the recruitment agencies weren't very helpful. My IET mentor got me an interview at the company he had recently joined and they took me on as an information security consultant.
I left that job after another 3 years and started my own consultancy, supplying infosec advice and penetration testing services to the Ministry of Defence and its contractors.
After selling up 6 years later I worked full time as a hypnotist (having started Head Hacking many years before) and then sought a job at BT through friends who I had known for many years.

How I found out about the job

Personal contacts

The recruitment process

I approached a friend who had previously worked for me, who was now working at BT, and asked him what they were looking for. I then spoke to some other friends who worked at BT and submitted a CV. I was interviewed by the head of the penetration testing team and the head of BT Protect. They quickly told me that I would be offered a job but warned me that it would take a few months to materialise.

My career

My career goals when I graduated

I really just wanted to write computer games but my industrial placements indicated that there was fun to be had in systems integration in the defence sector.

My career history

Sponsored by Siemens Plessey Systems (2 summer placements).
Employed by Siemens Plessey Systems as a software engineer. Business unit was sold to British Aerospace which later became BAE SYSTEMS. Progressed to systems engineer and designer running a prototyping team. (3 years).
Employed by VEGA Group as an information security consultant. I spent two years working within the Defence Procurement Agency advising on security policy and then qualified as a penetration tester (CHECK Team Leader). (3 years).
Started and ran my own consultancy, supplying infosec policy and penetration testing services to the defence sector. (6 years).
In tandem, started and ran the leading street hypnosis training company, Head Hacking, with my friend Anthony Jacquin.
Sold my consultancy and joined BT as a penetration tester. I specialise in embedded device hacking.

What has helped my career to progress

Dedication to completing tasks and attention to detail are the two things that provided the opportunities for progression. Knowing what I wanted and actively seeking them out provided the momentum for progression.

Courses taken since graduation

Coursera Stanford Uni Cryptography 1.
Coursera Maryland Uni Cryptography.
Coursera Maryland Uni Hardware Security.
Cryptography (often in the form of TLS) is appearing everywhere and there are many ways of getting it wrong, while still making it look right. These courses teach strong principles that are useful in multiple levels of crypto analyses.

How my studies have helped my career

Hacking is relatively unique within the IT industry as it is dependent on a mindset rather than a set of skills or qualifications. As such, this career requires continual learning and study, but not in the form of formal courses or reading recommended books.
Sometimes it is simply to keep abreast of developments, but often it is because we have to learn how something new works in a relatively short period of time, in order to find ways to break it. We refer to this as 'becoming an expert in an afternoon.'
It's fun because it is challenging.

What surprised me about my career so far

'Business' is just a more complex system with fewer controlled variables.

Where I hope to be in 5 years

I'd happily still be breaking things for BT. Maybe I would move into management again. Ideally I'll be building cool art installations, directing films or writing for famous magicians and hypnotists, but I guess I'll just continue with that in my own time.

My advice to students

My advice to students considering work

Work out what you'd ideally like to do and do that, even if it isn't in this field. It's far more important to enjoy your work than it is to get paid well or be respected by your peers.
Life is about having fun and work is such a huge part of that, that it has to be fun for it all to work.

My advice about working in my industry

If you want to be a professional hacker then either a) you're already an amateur hacker and you know your way around gdb and NOP-sleds; b) you've just got interested in security and you're not afraid of learning assembly and giving up your social life in favour of research; or c) you're probably not going to make it, sorry.
Security and hacking qualifications are worth less than hours in a darkened room reading the right bits of the Internet and trying things out.

Other advice

You don't have to grow up to exist in the grown-up world. You don't even need to grow up to get a reasonably well-paid job that offers progression and development. You just need to be dedicated and competent. Happy people always get promoted first.

Contacting me

I'll happily mentor students wanting to get into information security, particularly hacking. I'll also answer questions on anything to do with work.
For those interested, I present at Cyber Security Challenge occasionally and I presented at Securi-Tay at Abertay Uni in Feb 2015.

