From foodie to firewall: Kyser Clark's rise to senior penetration tester

 

Kyser Clark didn’t take the conventional route into cybersecurity but is now thriving as a penetration tester.

He worked hard to learn the basics, getting his first cyber-related role in the United States Air Force as a system administrator and earning certifications along the way. 

Kyser’s story is an inspirational one, and he reminds all aspiring hackers that:

“It's a marathon, not a sprint. Focus on getting 1% better every day.”

Fun facts about Kyser Favorite game: Mortal Kombat Series. Favorite tech: The internet. Hobbies: Gaming, traveling, reading. Education: B.S. Cybersecurity Management and Policy from UMGC, OSCP, CISSP, eJPT, OSWP, CEH, CCNA, CompTIA Pentest+, CySA+, Cloud+, Linux+, Security+, Network+. Currently pursuing M.S. Cybersecurity Management and Policy at UMGC.

How did you get into cybersecurity after working in different industries?

For my first job, I worked in a restaurant for three years. For my next job, I spent almost five years in industrial services. I worked in oil refineries and chemical plants painting, sandblasting, fireproofing, asbestos abatement, lead abatement, and scaffold building.

I wasn’t passionate about my work, and my full-time video game Twitch streamer career never took off, so I was forced to reexamine my career options at age 23. 

It didn’t take me long to realize that I wanted to work in tech because I found computer building very satisfying and was already a decent computer troubleshooter. 

The problem was I thought going to college was the only viable solution to get a tech or entry-level cybersecurity job. I had no idea how to break into the industry. 

I had the epiphany to join the United States Air Force one day. This was a viable option since they had a handful of tech and cyber jobs I could do without going to college. 

I didn’t want to go to college at the time because:

1. I very much disliked high school.

2. I didn’t want to pay for it. 

College is very expensive, and I didn’t think I had the time, mental capacity, or money to earn a degree. My thinking was simple: Why would I pay to learn a skill when I can get paid to learn the skill? 

The United States Air Force did that for me. They took me in with zero experience (all I had to do was get a good score on the ASVAB exam). After the annoying but essential basic military training (BMT), I went to my technical school, where the Air Force taught me the fundamentals of my job as a client systems technician (a system administrator).

I spent six years mastering my craft in the Air Force while simultaneously pursuing degrees and certifications in cybersecurity during my free time after work. After all that time, I landed my first job as a senior penetration tester in the civilian workforce.  

What challenges did you face when trying to break into the cybersecurity field? 

I had no idea how to start. In 2017, I don’t think there was much information about breaking into the field, or at least I had no idea how to find it. I thought college and the military were my only two options. 

Once I entered the Air Force, I started working with people like me. I learned a lot about the field through osmosis with my peers and started studying how the field works and how to get a civilian cybersecurity job post-military service.

At the time, I figured all I had to do was get a degree and a handful of certifications to be competitive in the cybersecurity job market. Due to the reported 0% unemployment rate and “cybersecurity skills gap,” I thought landing my first civilian job post-military would be a walk in the park as long as I put in the study hours and got the credentials employers were looking for.

When my military separation date approached, I started applying for penetration testing jobs and received many rejections.

I received many rejections because the resume I was submitting was pretty bad. I only listed my degree, certifications, and a job description of my work in the U.S. Air Force.

I had no idea I had to create impactful bullet points and tailor them to the job description, quantify my resume bullet points, or showcase my skills within those bullet points. My original thought was, “Why do I have to list Kali Linux, Nmap, Burp Suite, Metasploit, and Mimikatz on my resume when an OffSec Certified Professional (OSCP) clearly demonstrates these skills?”

It was frustrating, but having the same credentials and qualifications written better on my resume landed me many more interviews. Learning how to market and sell yourself is just as important as having the skills and qualifications. 

What do you think helped you get your first role in cybersecurity?

The most critical elements were the training, certifications, and degrees I completed. Without at least some of these, landing a cybersecurity job is next to impossible. Weekly Hack The Box machines also played a significant role. 

Employers like to see your passion and commitment to life-long learning. 

A minor part was my work as a content creator. Companies seemed more interested in my technical skills and experience thanks to videos of me demonstrating how to solve Hack The Box Machines on my YouTube channel.

Related read: The powerful perks of creating content as a security professional.

Another big part was learning how to write resumes and cover letters. It was a long process where trial and error triumphed. Once I figured out what employers cared about, the interviews started rolling in. 

 

You can have all the qualifications worldwide, but employers won't call you in for an interview if you can't effectively convey the value you bring to an organization on your resume. 

Lastly, my soft skills ultimately turned my interviews into a job offer. Knowing how to interview is a crucial skill. You can know everything about everything, but no one will hire you if you're not a likable person.

Tell us about your experience working with the United States Air Force. How did your career in cybersecurity develop working there?

After 3.5 years, my job title changed to “Cyber Defense Operations” from “Client Systems Technician,” but the job itself didn’t change. I was still a system administrator, so it was never a true cybersecurity position. 

However, it had elements of cybersecurity in it. For example, we must have the CompTIA Security+ certification before we can even graduate from our technical school. Security+ (or similar DoD 8570 certification) is a requirement for anyone working on a federal government network. 

As a Client Systems Technician (CST), I worked with public key infrastructure (PKI). As a help desk technician, I reported security incidents to our cybersecurity office and managed them with a higher-level Air Force. I also managed the privileges and permissions (access control) for all users in my unit on a handful of information systems. 

Overall, my main job was to fix problems users were having with their computers and government-issued mobile devices, but with security baked in at every step of the way. 

The network was built with security in mind, so oftentimes, making common in-secure configurations wasn’t possible. So, security was always a priority, not an afterthought, when working on trouble tickets. 

Is working in cybersecurity for the Air Force different from other industries?

As I said, my job wasn’t a pure cybersecurity role. It was a system administrator role with a lot of cybersecurity responsibilities. But I would say yes, absolutely!

A compromise of security can and will result in the deaths of people. Both innocent civilians and active military combatants.

A breach of national security is almost always fatal. We have enemies that would love to see us and our fellow service members dead. They are actively trying to kill us as well as the civilians we protect.

Except for the medical and industrial fields, most industries only lose money and reputation when there is a data breach. The medical, industrial, and defense industries are the only fields (that I can think of) where human life and limb are at stake every day.

Working in the government always has another huge difference. We don’t deal with profit and loss. We are funded automatically by the American taxpayers. 

That doesn’t mean we can waste government funds, but that means that quarterly and annual earnings are never discussed. This is one of the biggest challenges military veterans have coming out of the military. Civilian employers don’t think we understand profit and loss, and in many regards, they are correct.

How do you keep your skills sharp and updated on the latest vulnerabilities?

I love certifications. I have 11 of them right now and plan on getting dozens more throughout my career. Most certification bodies keep their courses updated (they get refreshed every three years on average), and constantly studying new topics and refreshing my memory on old topics go a long way for me. 

Many certifications are theory/knowledge-based, meaning they don't showcase practical "hands-on keyboard" skills. With many "theory-based certifications" under my belt, I've been working a lot on the more practical certifications too, which can only be passed with hands-on keyboard skills and a professionally written report. 

I also pwn a Hack The Box Machine or two every week, which ensures that my keyboard skills never get dull once I stop pursuing practical certifications in favor of knowledge-based certifications again.

I like listening to the CISO Series' "Cybersecurity Headlines" podcast daily to stay informed of the latest cybersecurity news. I also listen to the "Cybersecurity Today" podcast to hear the daily news differently. These podcasts usually share the same news, but there are minor differences in what they cover. 

As a CompTIA-certified professional, I was automatically enrolled in the CompTIA Smart Brief email newsletter. I like reading the headlines daily, and if one of the articles piques my interest, I'll read the full article, but most of the time, the headlines are all I read. I do the same thing with the SANS NewsBites newsletter. 

Lastly, I'm connected with and follow many cybersecurity professionals on LinkedIn. This is where you will see breaking news. I like to scroll through LinkedIn and see what others are discussing. This isn't the best place to get all the news, but it's the best place to see the big news immediately.

Do you have any advice for beginners looking to start a career in cybersecurity?

At first, getting the skills and knowledge necessary to become a cybersecurity professional is a complete mystery. But eventually, you'll discover a plethora of training options. You're not going to know what training types will resonate with you at first, so feel free to experiment with many kinds of learning methods when you're starting out. 

But eventually, with time, you'll find out the way you like to learn. 

Once that happens, you'll want to ignore most of the training options. Once you figure out what position you want to have in cybersecurity (security engineer, Governance Risk & Compliance, cybersecurity analyst, penetration tester, etc.), you'll have a clearer idea of the training you need to reach your goals. 

I wanted to become an ethical hacker (penetration tester). So I spent the first couple of years learning the core fundamentals of cybersecurity and information technology (IT). It wasn't until about three years after my decision to become an ethical hacker that I started doing cybersecurity courses. 

Spending a long time understating the fundamentals makes every advanced topic much more accessible. 

It's a marathon, not a sprint. Focus on getting 1% better every day. Each day may not seem like you learn a lot, but compound that 1% every day over the years, and you'll become an expert before you even know it.  

 

Cybersecurity is a more than 9-5 job. It's a career; it's a lifestyle. You have to be willing to work extra hours after work to improve your craft. 

 

I like to call this a "commitment to lifelong learning". Cybercriminals are constantly evolving, and you have to as well, or you will never stop them.

Upskill and get hired with Hack The Box

Beginners can learn the essential skills to become a successful red teamer with our Penetration Tester Job Role Path.

Team blue? Then you can build the foundations for a defensive career with our SOC Analyst Job Role Path.

This path covers core security assessment concepts and provides a deep understanding of the specialized tools, attack tactics, and methodology used during penetration testing.

Looking for your next or first job in cybersecurity? 

More than 150 open cybersecurity job opportunities are listed on HTB Talent Search. 

Aspiring hackers can apply directly to roles posted by companies worldwide such as Amazon Web Services, NTT, Verizon, Daimler, DAZN, Context Information Security, and more.

Author bio: Fiona Leake (fileake), Content Writer, Hack The Box Fiona Leake is a Content Writer at Hack The Box. Digging deep into how people think to create meaningful content that solves problems is what gets her out of bed in the morning. Fiona loves simplifying technical topics and enjoys occasionally trying her hand at only the most beginner-friendly HTB Machines. Feel free to connect with her on LinkedIn.