Introduction
Now that I feel I’ve got a few years under my belt and miles on my soul, I want to break the cycle I’ve found of people not sharing their story. It’s nobody’s fault because even the initial write-up has been something that I’ve spent months chipping away at but I hope doing this inspires others to do the same. I want to update this on a regular basis, so if you’re interested, check back on this from time to time as you may see something new! With that said, let’s jump right in.
The overall experience (How I feel today)
This section has been rewritten more times than I’d like so ultimately, I’ll say this… I’m not sure if my overall experience has been good or bad. Every industry has its ups and downs and trust me, I’ve had my fair share of both. Do I regret my choices when joining this industry? Absolutely not. But, does that mean that the industry is perfect? Again, absolutely not… I think the main thing that I would say is that it’s important to realise how much you cannot control and to know that you can’t let the idea of being out of control consume you. Additionally, the best piece of advice I ever received was to make sure you invest in your hobbies. Having things to do outside of work is really important as it’s important to not let your work consume you like it does for many.
2025 – Year 6
Being a young professional and a minority in the tech industry presents unique challenges and opportunities. It often involves demonstrating the value of your experience despite your age. Additionally, the tech sector lacks significant ethnic diversity, particularly outside major cities, where finding peers with similar backgrounds can be difficult.
However, it’s essential to consider different perspectives. In this context, standing out can be a powerful asset. While you may be labelled as “early career” due to your youth and may sometimes feel like an outsider, it’s important to remember that people notice what is different rather than what is typical. Embrace your uniqueness; while skills can be taught, individuality cannot.
2024 – Year 5
Reflecting on my journey by 2024, I’d been in the tech industry for over five years, and I believe I became someone my younger self would admire and be proud of. It was an exciting time to be part of this field, especially with the AI boom on the horizon and the increasing sophistication of security threats. There’s still so much to learn, and many reasons for individuals to be interested in joining the industry. If you’re one of those people, I hope my story can help guide you through your first five years.
2024 was a pivotal year for my personal growth. I realised the importance of finding a balance between being nonchalant and taking oneself too seriously. If you stop caring completely, you risk losing yourself in an illusion. Conversely, if you care too much, everything can become overwhelming, making it harder to progress. The key lesson I took from 2024 is that setbacks are inevitable, and there will be times when you feel out of control. However, if you understand your core values, you’ll always find a way to land on your feet.
Additionally, you will find that some people seem to have it easier and progress faster than you, regardless of how hard you work. Being upset about this will only slow you down. Whether you like it or not, you must work through these feelings to ensure that you keep moving forward instead of getting stuck in your emotions.
With that, let’s talk about how I even got to the position to be nearly 6 years strong working in tech…
Getting started (Before my first tech job)
My pre-work story is pretty simple. I’ve always been interested in technology. For as long as I can remember, I’ve loved tech, video games and playing on whatever tech I had (My first laptop was a white Sony VAIO with Windows XP). I spent a lot of my time playing games like Minecraft, Team Fortress 2, GTA, and such. But I also knew from a young age that I wanted to make something of myself.
I wanted to make money and I knew I wanted to make a lot of it, where I had absolutely no clue where to start. This is why from year 10 onwards, I spent almost every day in the career advisor’s office talking about where I could take my career/what options I could actually do with my life (if you’re school age and reading this and have a careers advisor, use them).
By spending so much time with my careers advisor, I was able to get myself some work experience as a first-line IT support engineer at a local housing association. I was absolutely in love. Fixing printers, running surveys, re-imaging systems etc was really good, but I knew that this wasn’t where I needed to be if I wanted to get paid as much as I dreamed. Though, I wasn’t too fussed because I loved it so much I asked and went for another week’s work experience that summer.

And then during this time we had the early beginnings of CyberFirst which really is where the cyber learning side really began. Back in the day (currently about 6 and a half years ago), the NCSC introduced the world to a banger called “Cyber Discovery” (I’ll call it CD). This gamified learning platform had the following sections:
“Assess”- A 13 challenge CTF where you had to solve “Complex” (at the time it was to me) challenges revolving around cyber (finding text in the code of the website, hiding messages in images, catching expiring tokens etc). And let’s just say this stuff got me HOOKED!
“Game” – This was where the real fun began. In game there were different sections all containing around at least 20 levels of varying difficulty. This is where it introduced you into virtual machines, command-line interface elements like ssh, sftp and the Linux terminal. I would spend every moment of the days that I could beating these levels (spoiler, I didn’t get to beat all of them) and I didn’t know that at the same time I’d be learning the technical fundamentals of cyber (sneaky GCHQ).
“Learn?” – This is the section where I always got stuck because this section was where it moved from a game to mainly theory. Think of if cyber had a Duolingo platform where you learned about it, and you get a funky little test at the end of the sections. At this time, I was in year 10 with my first “real girlfriend” so I quickly lost interest in CyberFirst and spent most of my time playing Fortnite with her. When it came around the second time, I found myself doing my GCSEs so again, I had zero time to actually do it and then the third and final time it came around I’d started my first job so I just didn’t have the time to commit to it.
“Elite” – This one I can’t fully comment on as I was never invited! 🙁 . From what I do know about it, Elite was a multiple day residential hosted by the CyberFirst team to give the gifted individuals access to their new challenges, merch and opportunities to get on the GCHQ radar (I could be wrong with the last one).
All in all, CD was amazing and is dearly missed (if you’re reading this and found yourself on the CD team, thank you so much for your amazing work and you’ll always have a place in my heart <3).
But where did this take me? Well, I was quite vocal about how much I enjoyed it and I was vocal to my school how much I enjoyed cyber. As such, when it was Newent Community School & Sixth Form Center’s time to run a CyberFirst event, I found myself helping out with set-up and the running of the day (This was also my first proper encounter with Cyber Security Associates). With a combination of this and spending so much time in the careers advisor’s office, I was picked to do some work experience at a local cyber company.
The best advice that I would give secondary school me would be split into 2 things. Firstly, don’t underestimate the process of elimination. Taking the next step in the right direction can be an impossible ask with the opportunity that we have today, but knowing where you don’t want to go, will help you with finding where you do. And secondly, working backwards is a priceless strategy. We live in an age where people publish their headline career milestones on LinkedIn, and every CEO has to start somewhere. Use this information to help guide your way where you can.
My First Work Experience in Tech
My week of work experience at Cyber Security Associates lasted for a week in January 2019. During said week, I spent time in their “CyberDea” which was an interactive learning area which taught cyber practices, mainly utilising Raspberry Pi technology (still an absolutely genius way to teach cyber in an accessible fashion), with another student in the year below.
The people working there at the time were absolutely lovely, resourceful, full of energy and generally, the best type of people you could ask for to run a work experience week. During the week we had a task to create a “Cyber Pi Project” to feature on their site while going through and testing their other material and resources.
I think my technical claim to fame in that week was understanding the inner mechanisms of using “Aircrack-ng” to run a de-auth attack where the CSA exercise was to use the automated version Airgeddon (which I would absolutely recommend learning instead of going the manual approach, I just had no idea the other tool existed).
So with the technical part out the way, I asked the office manager at the time (who’s now a super rockstar in the cyber world) about if there are any apprenticeships available at CSA at the time. And with a swoosh of their wand they set a 1-2-1 meeting with the managing director (which was very nerve-racking for 16-year-old me).
From how I recall the meeting it was quite simple. I told them my story and how I would be interested in doing an apprenticeship with them and if they’d have me, I would like a position where they said that they’d get back to me. After an informal interview with my manager to be, I got the position. After that I just had to get my GCSEs over and done with and start my new Level 3 IT Infrastructure Technician Apprenticeship.
My First Apprenticeship (Level 3)

Bringing us to the very beginning of my career “with very different hair”, I start my journey at Cyber Security Associates as a SOC (Security Operations Center) analyst. The apprenticeship bit itself was handled by Gloucestershire College where I went to complete multiple modules including industry certifications!

Personally, I would say that my most meaningful certification that I’ve carried throughout my career is probably ITIL but that’s because the business side of tech has always been an additional interest of mine and ITIL in my eyes is recognised as an IT Service Management (ITSM) gold standard.
The dates fall in a method of delivery called “Block Release” which in apprenticeship terms means that you go in for a block of time rather than a day a week which is often referred to as “Day Release”. I can’t say which one is better as it’s completely down to personal preference but is also the only method of delivery that I’ve experienced.
If you’ve looked at the image above, take the dates with a pinch of salt as I was a bit of a special case. Typically, an “Advanced” (level 3) apprenticeship lasts 24 months but, as per the rules for apprenticeship funding, the absolute minimum time that someone can finish an apprenticeship in is 12 months. And with that, as close to 12 months as possible was my challenge. Also looking at the image, you may see that my apprenticeship was during the time of the COVID-19 Pandemic. This meant lectures in lockdown, remote working etc. Fortunately, I was quite a “loner” during the pandemic meaning I had all the time in the world to knock out my college work without having to deal with people. Plus, working in a shift rotation meant a constantly messed up sleep schedule leaving me awake during unsociable hours, making a perfect opportunity to get academics out the way.
After getting all of the learning out the way, it was time to get into the Endpoint Assessment (EPA). For the level 3, my EPA was a 40 hour exam based around different IT infrastructure scenarios and then a technical discussion. In the exam I set an at-the-time record, completing it in 8.5 hours (I’m not sure if that record has been beaten yet), and ended up being one of the first to get a merit in the overall result. But why not a distinction? As per my results sheet, it was because I didn’t have the strongest mobile device configuration experience. But from not working strictly in an IT department, I think I did the best that I could and I’m happy with that result!
Being a SOC analyst (and a bit of everything else)
I will say that at the very start, being an analyst is not for the weak. Constant alerts, dealing with shift rotation, being on-call (though I appreciate on-call was later in my time for those of you at CSA reading this!), and all the other things that come into play with being on the front-line of infosec. It also wasn’t easy balancing apprenticeship life and work life (yes they did mix from time to time).
For those of you looking for an executive summary from working in a SOC, here it is:
You use multiple tools to investigate logs/events called SIEMs (Security Information and Event Management). In my experience, I mainly used Elastic’s Kibana (my sentimental favourite), Microsoft/Azure Sentinel (my practical favourite), and LogRhythm. If you’re looking at which ones to learn now, I would go to Kibana as it’s back to being Open-Source and cheap(er) to implement and then I would also recommend Sentinel as it’s really powerful and has a good market share.
The general process of working in a SOC goes as follows.
Alerts/Investigations
- Get a notification that an alert has come in
- Look at the metadata of the alert (hostname, event trigger, timestamp)
- Identify the logs that triggered the alert and investigate the surrounding activity.
- If the alarm is confirmed as a non-threat, it can be categorised as a false positive.
- If the alarm is something that needs to be escalated to the client as a legitimate concern, or more information is required, write up your findings, remediation and then escalate for quality assurance to the shift-lead.
- Rinse and repeat
There are days where you have fewer tickets/alerts coming in and you’ll have days where you’ll have a good few and that’s just part of the job.
I did more than just work on investigation but due to me not wanting to spill trade secrets/give relevant information, I’ll give you the summary of the other following stuff I did:
Due Diligence Checks – Using Open Source Intelligence (OSINT) tools to uncover information about a given target.
Phishing Team – Working on analysing/investigating phishing emails to protect clients (if you work in a team like this be prepared to get sent a lot of emails that aren’t phishing and are just spam).
Tabletop Exercises – I worked on creating the material for cyber tabletop exercises to simulate a cyber attack for companies to use in their training.
During my time at CSA, I also did a good chunk of outreach. My passion in the beginning fell in with giving back to the community so when the opportunity came up to take the CyberDea by the horns, I did my best!
Leading it meant I did everything from leading the sessions (with the help of fantastic team assistants), developing new projects and updating hardware and software (at that time the Raspberry Pi 4 dropped and it was worlds better than the RPi 3.)
Additionally, I spent a good bit of time working on the marketing and blog posts before officially bringing someone in to do it. This revolved around me taking technical subjects (commonly news) and then turning it into a 1-2 pager around what it was, why it happened and why that person should care about the things happening. This was great experience for me as it meant that I could work on the skill of explaining technical things to less technical people (which is a really called for skill currently in the industry). These were also the days before ChatGPT meaning I had to actually do it for myself : ( .

I found that working as part of a SOC / Cyber Managed Services company was good, but for me it didn’t have the variety of work that I was looking for as I really wanted to get a good depth of experience. In the corner of the company at the time, they did give me all the opportunity and depth that they could feasibly give me because in micro/small companies, there’s only so much breathing room that you can give as there’s only so much resource that you can spare.
This means that in my last few months working there, I spent time in their commercial team doing the commercial stuff that people didn’t really have the time for. This meant looking over contracts, working with the marketing team on slide packs, automating business processes (more contracty stuff).
All in, I would:
1. Really recommend spending some time working at a small company. Being part of something that you can see grow and be a part of is really powerful. You’re going to run into resourcing speed-bumps but at the same time you’re going to get priceless time management experience and versatility.
2. Really recommend spending some time working in a SOC/ being an analyst if you’re looking to get yourself in a long-term cyber position. By being on the front-line of cyber, you must learn to be in the mind of a malicious actor. You’ll see the ways that people break into systems and then find the ways to protect them. Yes it’s difficult, yes around 65% of people think about quitting their jobs because of stress, but, if you can find yourself spending a few years in such a position, it will do wonders.
My Degree Apprenticeship

When I thought doing a level 3 apprenticeship was difficult, I was really in for a shock when it came to degree apprenticeships. For context, a degree/ level 6 apprenticeship is a work-based method of education in which you work 80% of the time and spend the other 30% (yes I put 30% for a reason) doing university work. The cost of the tuition in my case was mainly handled by the government with the remainder of the cost paid by my employers (which ultimately pay part of their turnover into the apprenticeship levy (it’s a full circle thing)). But, this resulted in me completing my higher education with no debt – WOO!
Starting off with the degree side of it. The degree title was “BSc (Hons) Cyber Security Technical Professional” where there were 34 block weeks of delivery. This was spanned at around 3 years with the final 6 months being part of the End-Point Assessment (the apprenticeship side). This is typical when it comes to the delivery of university courses nowadays as it works out at around 7-8 contact hours a week which is typical in the 2020-2024 academic period I’ve found.
Personally, I didn’t find the content side of university too difficult, because I was a general enthusiast of tech, none of it felt like a foreign language. But, what I really struggled with was time management. With you being in full time employment, you didn’t have the ability to work on your assignments on your days off from lectures. It means that you spend pretty much all evenings and weekends finishing your assignment because you have a job to do.
Fortunately (for some), employers are mandated to provide 20% “Off-The-Job” or OTJ time which falls as the following:
“It is training which is received by the apprentice within their practical period, during the apprentice’s normal working hours, for the purpose of achieving the knowledge, skills and behaviours of the apprenticeship they are undertaking. By normal working hours we mean the hours for which the apprentice would normally be paid, excluding overtime.” – Reference
The fun part with this is what actually classes as OTJ is very ambiguous meaning almost anything classes as OTJ. Some apprentices can use it for working on their assignments during work time, while some cannot. This is because the auditing and communications for OTJ is genuinely terrible and is why nobody will give you the same answer twice. As such (and as I said before), my university work was pretty much just done on evenings, weekends, or whenever I booked my annual leave.
Being a consultant (And a bit of everything else… again…)
Moving to the world of consultancy has been my most eye-opening experience yet. I’ve used my previous experience to work in a different world to security services. My world was in the small town of Gloucester (and sometimes Cheltenham) and now thanks to working in consultancy, it’s taken me all over the country and allowed me to meet so many fascinating people.
Having confidence in your ability will be one of your strongest attributes and biggest challenges where I’ve found that knowing that you know your stuff can really take you far. My role has been quite flexible and open as I’ve got a flexible and technical background. In my area of consultancy, I also have the experience now of working at an enterprise sized company. This comes with its pros of large budget for training and flexibility but also comes with the (sometimes) con of rigid processes. All-in-all I will say that if you can work with the system and play by the rules, working at a large company can be very rewarding. But, if you’re someone who always wants to pioneer the new and get everything as fast as possible, it can be easy to struggle in this sort of environment.
For how I came to get the job in the first place, this came mainly from networking. Through my outreach efforts, I found myself in the same room as people from CGI and the more time I spent exposed to their culture and work, the more appealing it became. So, when it came to having the opportunity to apply and interview, I gave it my all and fortunately, I had the good word of other people which helped push me across the line.
Build Trust: Cultivate a reputation for honesty, reliability, and integrity. Show your clients that they can depend on you by consistently delivering high-quality work and being transparent in your communications.
Effective Communication: Hone your skills in clear and concise communication. Whether it’s written reports or verbal discussions, being able to convey complex information in an understandable manner is crucial.
Continuous Learning: Stay updated with the latest industry trends, tools, and best practices. Attend workshops, webinars, and read relevant publications to keep your knowledge current.
Resourcefulness: Develop the ability to research and find answers to questions you don’t know. Use a wide range of sources, including industry experts, forums, and scholarly articles, to gather information and insights.
Pressure Management: Cultivate strategies to handle high-pressure situations. This could include time management techniques, stress-relief practices like meditation, and maintaining a work-life balance.
Problem-Solving: Approach challenges with a solutions-oriented mindset. Break down problems into manageable parts and work systematically to address each component.
Flexibility (but also keep to yourself): Be adaptable to changing circumstances and client needs. The ability to pivot and adjust your approach based on new information or feedback is highly valuable. At the same time, it’s important to ensure that you flex to points that you can sustain. (I spend a good amount of time on the train now and late finishes from commuting. It could be a lot for some but for me it’s a good source of isolated time.)

Networking: Build a robust professional network. Connections with other experts and professionals can provide support, advice, and new opportunities.
Empathy and Active Listening: Understand and empathise with your clients’ needs and concerns. Practice active listening to ensure you fully comprehend their objectives and challenges.
Professionalism: Maintain a high standard of professionalism in all interactions. This includes punctuality, dressing appropriately, and conducting yourself with dignity and respect.
One thing that I find with being a consultant is that you don’t just stick with one task; it can be a different role day to day, or month to month, all with its own learning and development opportunities. One day, I might be getting my hands dirty carrying out technical research, designing a system, and assessing the costs that come along with it. The next, I could be engaging in strategic planning sessions with clients, helping them align their initiatives with broader business goals. This diversity not only keeps the work engaging but also ensures continuous growth and adaptation in an ever-evolving field. Each new project brings its own set of challenges and rewards, fostering a dynamic environment where every day is a chance to learn something new and make a meaningful impact.
How Project Pioneers came to be
As I’ve mentioned earlier, outreach is something that’s always been important to me. I feel that even though I fight my personal battles in the industry, even getting the chance to be in it in the first place is about being in the right place at the right time and not everyone has the privilege, drive or luck that others have to get in the door. This is a problem that dates back longer than the industry has existed and is an issue that is going to continue to grow unless a silver bullet comes along to solve it.
A few years ago the silver bullet was CyberFirst but the industry quickly remembered that money is a finite resource and people could only give so much to support. With that, myself and Emilia knew that we wanted to do something to support the ecosystem but we also wanted to do it in a way that works with us. Unfortunately, we didn’t have the time or resource to be part of the fun “cyber days” and we wanted to make sure that we could support those that don’t have the resource or personnel to get under the CF radar.
By this point, I found that I’d quite liked doing public speaking and I was comfortable speaking about my concerns (sometimes going against the grain). With that, I would say that for those looking to get into the industry, I would say the most important thing to have is confidence. You need to have faith in yourself and believe what you say and what you do. And in the cases where you don’t believe it, either make yourself believe it or just do it! I was able to get my face out there in the cyber space by just going up to people at networking events, introducing yourself proudly and listening to what advice people have to give.
By this time, I had been doing bits here and there to support the community but in 2022, I helped an overseas friend write their personal statement for a university application as I’d had a few years professional writing experience. This personal statement opened the door to give them an international student scholarship for the US master’s degree which since completing it, they’re living out a thriving career in the US! This then ended up getting me nominated for a local award and getting me on the stage of Cynam 22.1 (more public speaking). Here I met the fantastic Florence from Lives of Colour who was impressed by what I had to say and shortly after, spoke to Charlotte from Cynam (and now CyberFirst) about ideas of what to do next.
After starting Project Pioneers, my calendar started to fill, we were doing assemblies, after school clubs, talks and even featured on a podcast! But we also found that we weren’t helping the number of people that we quite wanted. This is where we flipped the coin and started looking at our options and started doing our work more behind the scenes with our first key “Client” (in reality it’s a partnership) being the amazing Fortinet.
Fortinet was amazing for us because we had the trust and belief of Randall, a manager who believed in utilising our experience in the outreach realm to help learning from our experience and become the outreach powerhouse that they are today. The advisory that we give has allowed us to support 1000s of people and help relocate £1000s of technology to support communities. I would say that our main difficulty with Fortinet is trying to continually grow our reach. A phenomenal capability that Fortinet provide for their Education Outreach Partners is the ability to provide free, self-paced training to individuals who don’t typically find themselves in positions to get such an opportunity (if you feel like this is you please reach out <3). We struggle to find people in such positions even with the statistics showing it being one of the sector’s largest issues.
Another amazing “Client” (partner really) is Lives of Colour. A personal thing that I have with being such a minority in tech is that you really feel it. Throughout my entire life, I haven’t felt like I belong in the as I effectively do not see people that look like me and when I do, finding people with similarities to myself is the next battle. It’s like finding yourself in the position where yes it’s very nice to have someone occasionally that looks like me but it would be nice to have the option of going deeper than having only the surface as deep as you can go. Well, Lives of Colour is there to change that.
LoC works to up-skill people of colour and allies to give them the opportunity to grow into different spaces (being less diverse areas). This is done through their different projects in different sectors but in my case, there was one special project that I had involvement with called “Young, Leading and Black”. As I mentioned previously, it’s easier to feel like an outsider in all aspects of life where this includes the classroom. The Young, Leading and Black programme provided a space for young, black-identifying individuals to learn without having to worry about imposter syndrome in the classroom (now one of those individuals is doing a cyber apprenticeship!).
For the future of Project Pioneers and what we’re looking to do, it’s more of the managing from the back. We’ve been able to help so many people through guiding others that we believe that’s the way to go. This means that if you’re reading this and you’re in a position where you carry out CSR efforts or know someone that does, reach out and we’ll be happy to help (literally completely free no strings attached by the way. It genuinely costs us money to run it but we love what we do).
What’s next?
Instead of just looking back, it’s also really important to look forward. Nobody is perfect and plans fall but it’s always important to have some sort of direction. With that, I thought it would be a good idea to jot down some things that I want to achieve and one day write about:
Getting the CISSP certification.
Grow Pioneers to support more people and provide events and inspiration.
Learn more about music theory (the piano would be nice).
Learn more about mechanical engineering.
Learn more about locally hosted AI models.