My Path to Security - How Gerben Kleijn Got Into Security

How did our consultants end up here? This ongoing series looks at the stories behind our Foxes and their specific career trajectories. (Learn more about Bishop Fox careers at our careers page).

Meet Gerben Kleijn, Managing Security Consultant at Bishop Fox

What originally drew you to security?

I probably would have never found myself in the security field if I hadn’t been pushed into going back to school in 2012. I needed a visa to stay in the USA and ultimately decided a student visa was the easiest path to take. I knew several friends who studied at UAT and I was interested in doing a technology-oriented major, such as programming. When I looked more into UAT, I found out that they offered classes in network security and digital forensics, and that seemed interesting. The idea of becoming a hacker was exciting, so I figured “Why not?” and enrolled. I didn’t know as much about the field as most of the other people in my major, so I had a lot of catching up to do. I worked hard though, and it paid off.

How did you end up in the USA?

I landed in the States thanks to kismet. Way back when, I worked for an American company in the Netherlands until they closed down their international office (where I worked) in 2009. I was offered a chance to continue working for them in the US and I figured “why not”. I moved to the USA in October 2009 with nothing but a few suitcases and no place to live other than a 2-week hotel reservation. The first couple of months in the US were crazy, but then … I figured it out.

How did you get your first job in the industry?

Thanks to UAT, I worked as a volunteer at Black Hat. There was another UAT alumni volunteering who was working for Bishop Fox. He introduced me to their recruiters and the rest, as they say, is history.

Tell me about one career highlight.

The first time I got remote code execution during an external penetration test was amazing. For the first couple of years, my job at Bishop Fox was in enterprise security, so basically auditing and control reviews. In my spare time, I studied penetration testing techniques and I did the OSCP, but that was all done in artificial environments that were created to be hacked. I didn’t really feel like I knew what I was doing until I got my first shell on an actual penetration test. Then I had more of a sense of, “Yeah, this is what I want to do.” I’m fortunate to have experienced that.

Where would you like to be in the next 5-10 years (career wise)?

I’ve never planned my life that way. I never knew what I wanted to study, what kind of job I wanted after graduation, where I wanted to live, etc. I usually just go with the flow and take opportunities as they present themselves, and it has worked out well for me so far. All I can say is that I am always trying to get better at what I do, and that I am very happy working at Bishop Fox. If, in five years, I am still here hacking things, then I am totally okay with that.

What was one unexpected challenge you have encountered?

Dealing with projects that require a lot of travel for an extended period of time. I don’t mind traveling for work and I am aware that it’s one of the not-so-great parts of being a consultant. However, at one point I was on a project that required me to be on-site from Monday through Friday for a period of more than six months. This took a toll on my personal life and it required adjustments. Sometimes you just have to put up with a situation if it leads to something better.

What advice would you give to someone wanting to break in and/or advance in security?

Dedicate yourself and work hard. Spend as much of your free time as you can studying and getting better. Maybe you need to give up another hobby; if that’s not worth it to you then maybe you don’t want it as bad as you think you want it. At the same time, don’t get discouraged because you feel like you’re too far behind the curve. The field is not made up only of people who started hacking as a teenager. I didn’t start until I was 28 – I was quite the late bloomer. So it’s possible to enter the field with a late start.

What is the greatest resource you have found?

HackTheBox.eu and Pentesterlab.com. Both offer free exercises in hacking techniques, although it’s worth it to get the paid subscription for both as they are relatively cheap. If you’re new to the field, they will teach you a lot of the stuff that you need to know. If you’re a veteran, they will help you stay sharp.

What’s the biggest misconception in security?

For me, it’s that your company can be secure by practicing “checkbox security,” meaning that if you do your yearly audit, and you buy the most expensive firewall, you should be safe from hackers. Security needs to be an integral part of the company culture, and it must be a part of every department and operation. Of course, there are no guarantees even then, but the companies that keep information security segmented to its own department don’t stand a chance.

Tell me one interesting fact about yourself.

I attended an English high school in the Netherlands for no other reason than that I thought it would be fun. This obviously ended up being a useful decision.