Cybersecurity is a lucrative career, but knowing which path to follow to break into the industry can be daunting for fresh graduates, enthusiasts, and those switching careers.
Not to mention, actually taking the plunge and getting into the industry, especially when coming from a non-traditional background, is a discussion in itself. Fortunately, many inspiring cybersecurity professionals break the illusion that you need to follow a specific path to have a career in this industry.
Phillip Wylie has one of the more interesting and inspiring stories of going into cybersecurity and becoming a valued professional, mentor, and teacher. He has been part of the industry since the late 1990s but, before then, he was actually a pro wrestler and even wrestled a bear! Today, Phillip wrestles with issues of accessibility of cybersecurity education by teaching ethical hacking and web app pentesting at Dallas College and running The Pwn School Project, in addition to working as a Senior Cloud Penetration Tester.
We jumped into the ring with Phillip to hear his backstory, which skills transferred from his pro wrestling career to cybersecurity, the importance of mentorship in the industry, and his advice to people that want to start on his path.
SecurityTrails: You've been in offensive security for over a decade now, but you had an interesting career prior to that. We need to ask about your wrestling career, especially bear wrestling! Can you tell us a little about that part of your life? What was it like to wrestle a bear?
Phillip Wylie: When I graduated high school, I did not know what I wanted to do for a career. As a powerlifter and a big muscular guy, my friends said I should be a professional wrestler. I liked the idea and pursued a wrestling career. I attended two different wrestling schools and wrestled for a couple of years. I got to wrestle some very well known wrestlers, including Mick Foley, who wrestled in Texas as Cactus Jack. I also wrestled two of the three Fabulous Freebirds tag team trio, The Road Warriors, The Rock n Roll Express, The Midnight Express, and the Samoan SWAT Team, who happened to be related to Dwayne "The Rock" Johnson.
I did not wrestle often enough to make a living, so my main job was working as a bouncer at a nightclub in my hometown of Denton, TX. The nightclub hosted special events on Sundays, and they decided to bring in a wrestling bear. The nightclub manager asked me to wrestle the bear to help boost attendance of the event since I was a pro wrestler and known by the nightclub patrons. Wrestling the bear was open to anyone that wanted to. The bear was named Sampson and was a 750-pound brown bear. People always ask me who won, and the answer is the bear.
ST: There is an interesting parallel between professional wrestling and offensive security. Are there any lessons you learned from wrestling and applied to your infosec career?
Phillip: The biggest parallel I can draw between pro wrestling and offensive security is the social engineering part of offensive security. Wrestling has become known as sports entertainment since wrestling federations shared that it was not real. With social engineering, you become who you portray during pretexting, much like acting in pro wrestling. Real wrestling and martial arts can also have parallels drawn between them and offensive security. Discovering an opponent's weaknesses and exploiting them is a great example, much like how you find vulnerabilities and exploit/hack them.
ST: How did you discover information security and what did your early days look like?
Phillip: My first experience with information security was working for Intrusion, Inc. in the early 2000s providing technical support for Linux-based firewall and VPN appliances and a vulnerability scanning software the company offered. The job only lasted 90 days before I was laid off, but it was long enough for me to decide that information security was the field that I wanted to work in. I went back to work for a former employer as a sysadmin but continued to study information security and got to move into the information security team in January 2004. In the early 2000s it was a lot different; there were not that many different roles in information security.
My first role was in network security and in August 2005 I was moved to a newly formed AppSec team. This was the role that put me on the track to where I am now. I was managing outsourced web application penetration tests and doing web app vulnerability scans. This experience made me want to be a penetration tester. In March 2012, I got laid off from my job and went to work consulting as a penetration tester. That was a great move for me and allowed me to work in a job that I never thought that I would. This taught me to follow my dreams and pursue things that I am passionate about and that lesson has served me well. I frequently share that advice.
ST: Your interesting road to security is all but usual. What have you learned from your progression, and what advice would you give people who want to go from completely different industries/professions to security and hacking?
Phillip: Based on my own experience and the experiences of those I have taught and mentored, here is the advice I would give:
- Take your time learning, so you better retain what you are learning. If you don't, you will have to relearn it later.
- Be patient with yourself. Security and hacking are complex topics to learn, and many industry professionals will tell you that it is a constant learning experience and not an easy one. It is possible, and you can do it. If you realize that, you will have a better experience.
- Avoid negative people. Negative people will say you cannot do it and put self-doubt in your head. I had someone I had to remove from my LinkedIn Network because he was constantly negative and saying things like you can't get a security job without experience. He was having a hard time finding a job in security, probably because of his negative attitude.
- Try to be optimistic. I got my first pentesting job without infosec certifications or pentesting experience because of my attitude, passion, and self-study efforts. The manager took a chance on me because of those traits.
- Find a mentor and form a study group. You can make more progress faster with experienced advice and a team of study partners working towards similar goals.
- Network on LinkedIn, Twitter, cybersecurity meetups, and conferences. Networking made it easier for me to find a job. It is easier to get your resume into the hands of a hiring manager if you know people in the company or people that know the manager outside of the company.
ST: A large part of your career now revolves around teaching and mentoring newcomers to the industry, and you teach at a university. What changes have you noticed in the availability and variety of resources for those just starting, from the time you got into the industry to today?
Phillip: There are many more free and low-cost learning resources available now. When I was studying for the OSCP certification exam, there were not many blogs available to help prepare for the exam. Now there are plenty of blogs, articles, and YouTube videos available to help prepare for the OSCP or learn pentesting in general. There are some great offensive security and cybersecurity content creators out there, and a lot of them actually work in the industry, so you are getting useful information. There are many great resources to build and improve your hacking skills, such as HackTheBox, TryHackMe, Proving Grounds, OverTheWire CTF, and UnderTheWire CTF, which save learners the time of building labs for learning. Home labs are still a great option, but the many options save time and computing resources and allow you to spend more time learning and hacking.
ST: You also founded The Pwn School Project which offers free pentesting/ethical hacking education to the public. What are the origins of The Pwn School Project?
Phillip: The motivation behind The Pwn School Project, or Pwn School for short, was to give my students from the college a way to further their education. Secondarily, it was to help a couple of members of the local cybersecurity community who were not allowed to register for my summer class unless they transferred to the college from their current college. I wanted to be able to offer an educational resource open to anyone, eliminating any possible restrictions. It started locally but I started streaming the Pwn School presentations in February 2019.
ST: With so many available resources today for people outside of official education, do you think people are skipping the basics when getting into some cybersecurity roles? How important are the basics when it comes to technical skills needed for a security field job?
Phillip: Some people miss the basics, like operating systems, networking, and other IT or computer science-related skills. It is easy to want to skip past the basics and dive into the hacking part. Learning the basics will make learning the hacking part easier and makes you a more effective offensive security professional.
ST: You hold many certifications in the field and teach at a college. If you had to choose one, which would you say is better for beginners in cybersecurity: certs or college?
Phillip: There is not a one-size-fits-all solution when it comes to cybersecurity education or education in general. If you do well learning on your own with self-study, then certifications may be a better and quicker learning path. If you need structure and more traditional learning methods, then college is probably the best option. The best thing I learned in college was communications. My English composition class was the best class for me, hands down. It did a lot for my writing. I worked in IT as a sysadmin while getting my Associate's Degree in Computer Networking. Other classes that are valuable for IT or cybersecurity professionals are business classes. My former coworkers with business degrees were very helpful in building business cases for new technologies. The people that control the company checkbook understand business, and if you can speak their language, it can go a long way in helping you and your organization.
I would also like to share this bit of advice: focus on the learning. If you don't learn the subject, the certification or degree is not as useful. The degree or cert is nice to have, but if you don't know what you are doing, you will have a more difficult time.
ST: What are some non-technical skills that are important for people getting into security and hacking?
Phillip: Soft skills, such as communication skills, are majorly important. Being able to write and speak in front of a group or large group is very important. When I improved my public speaking skills and started speaking at conferences, it helped my career tremendously. I attended Toastmasters to improve my speaking, and it was more helpful than my college public speaking class. Networking with other professionals is also very helpful.
ST: What made you decide to invest so much of your time and knowledge into mentoring and teaching? How did you start, and what's the most rewarding part of it?
Phillip: Prior to teaching, I would share resources and help people trying to get into pentesting. I took it a step further by teaching at Dallas College. When I started teaching, it gave me more opportunities to mentor and help people. I have come to the realization, in recent years, that one of my greatest strengths is mentoring and helping others. Before mentoring and teaching, I felt like my life had no real purpose. But since teaching and mentoring, I am a happier and more fulfilled person. Pwn School, conference speaking, and workshops helped me expand this even more and helped me reach more people.
ST: What were your biggest challenges when you started teaching? Do you have some advice for people that also want to start sharing their knowledge in that way?
Phillip: Imposter syndrome was one of the first challenges, but teaching helped me overcome it. I would think after some lectures, "I hope it wasn't too bad or boring," and students would come up after or during class and say this was great and how much they enjoyed the lecture or hacking demo. We take for granted what we know. Not everyone is at your level on a particular subject and can learn from you. We can learn from anyone; I learn things from my students all the time.
My advice is, be sincere in your efforts to teach and care about the students and the education you are giving them. Be a good listener and be patient.
ST: You recently published a book, The Pentester BluePrint: Starting a Career as an Ethical Hacker, inspired by your popular conference talk by the same name. Was this your first time in the writer's shoes, and how did the process look for you?
Phillip: It was my first attempt at writing outside of articles or blog posts. I had a co-author, Kim Crawley, an experienced writer with a tech and cybersecurity background. My writing style is short and to the point without a lot of fluff, and I was having a hard time filling the almost 200 pages of the book. I learned it is okay to ask for help, and when you work with others, you can produce even better results. Kim helped me finish the book quickly from the time she started helping. I was running behind, and Kim was a big help. Writing a book can be time-consuming, and making revisions requested by the editors also takes time. It was a great experience, and I am glad that I did it.
Based on the response I got from my conference talk, I saw the need for a book on the subject. Many good books teach pentesting, but there were no books on where to start before you even started learning to pentest. The book is based on my experiences and others that I have mentored and helped over the years. The book was a way to reach more people and share what I have been sharing over the years.
ST: You work as a pentester and have for some time. What are your favorite accomplishments as a pentester?
Phillip: My favorite, all-time hack on a pentest was exploiting a SQL injection vulnerability on an Internet-facing web application. I was able to get command-line access to the Windows Server that was using MSSQL and had XP_CMDShell enabled. I was able to dump and crack the password hash for an admin account running the MS IIS HTTP service.
Passing the OSCP exam was another favorite moment of mine. I passed the exam a little over a year after I started my first pentesting job. It was very difficult for me and was a huge accomplishment.
ST: What do Phillip's plans for the future look like? What future projects and maybe even books can we look forward to?
Phillip: I plan to continue working as an offensive security professional, and I plan to continue educating others through conferences, free training, and paid training. I would like to offer more structured introductory pentest training through Pwn School and develop paid training content. I am still in the planning stages of my training offerings and course development. Doing this independently gives me more control over what I create.
Others have asked if I would write more books and encouraged me to do so. I have had other publishers contact me about writing books. I have an idea for the next book, but I can't share the details. It was worthwhile writing the book, and I would like to write more.
We want to thank Phillip for joining us for this interview and sharing with us his story — hearing stories of people who had unusual journeys to cybersecurity can help motivate those looking into switching careers or just having doubts about jumping into the industry.
There are certainly more than a few ways to become a cybersecurity professional, and Phillip shows us that all backgrounds are welcome — and especially those that involve wrestling a bear.