Tuesday, December 03, 2013

How to Get Started in Information Security

I've seen a lot of people lately asking how to get started in the Information Security industry. I think there are a lot of misconceptions about what you need, like expertise with tools, certifications, experience in a role, etc. Those help, but I don't think that's the number one thing that gets you into the industry. I think the biggest things are curiosity and dedication. Those two things will ensure that the rest follows. And if you don't have those drives for an Infosec career then you haven't found what you want to be doing for the rest of your life, so keep looking.

But there's more to it that you'll pick up along the way. Rather than tell you what I think you should do I'll tell you how I got into the industry then try to distill the lessons and skillsets that I think have been most important for me. The story will hopefully tell you why I think the skillsets are important so you can understand for yourself what's the best path for you.

I started out working break-fix PC support. Someone would call the help desk and if they couldn't work it out over the phone I'd go out and fix it. I got good at malware cases (spyware, popups, network worms, etc.) because I was curious about how to get rid of the malware, not just reimage the system. That doesn't always cure the issue, as I learned, but it was typically quicker to fix and less work on my part because I didn't have to copy the data, reinstall software, etc. On larger-scale malware incidents I was on the front lines to help. And whatever I learned I wrote up for others so they didn't have to learn the same thing.

I also made sure to take care of the whole problem before leaving. Again, mainly because I was trying to be more efficient (some might say lazy). If I didn't I'd have to come back out to solve the original problem. And that often meant walking through some basic awareness information so that the system didn't become reinfected. I wasn't great at that, but the people appreciated it. It was this bedside manner that meant I was assigned to the higher profile cases with the folks who were more important in the organization.

When a security role opened up I applied for it. I researched for the interview and conversations, looked over what I'd been working on most and how I'd solved those problems. Then all of the questions were about appsec rather than anything I'd been doing. Oops. I guess I still did OK because I got an offer. It was lower than I knew it should be so I asked for industry average. I didn't get it, but I did get about 5% more than the original offer.

I started reading all the blogs and magazine articles I could, in between doing security things. I figured I'd start writing too. I started my own blog to pass on lessons learned in plain English (go back to the early days of Beau's Cybersecurity Blog and see how raw that stuff was). And I commented on other people's blogs and stories. People started to notice and comment back, email me, etc., and that encouraged me and kept up my momentum.

When I told my boss I was hitting the ceiling she said she understood and was glad - it meant I was growing and thriving. There wasn't room for me to move up so I let her know I was going to start looking at other organizations. She said that was a good idea - it's always easier to turn down an offer than to get one in the first place.

So I took stock - what was my passion, how could I best monetize my skills and why was I doing this? My passion was helping people fix problems. My most in-demand skillset was my communication and problem-solving skills, as well as my familiarity (not expertise) with security tools. My why (this is always the most important one) was so I could travel the world and work from anywhere, which meant I needed to improve my network connections and my ability to make them more than anything.

So I began a low-intensity search - I still had a job so I could afford to wait for the right opportunity. I trawled job boards, Craigslist and companies I wanted to work for, asked friends, etc. Within a month I found one that looked perfect. I reached out, looked around and found who the hiring company was and applied directly too. Just like the last time I did lots of research and preparation and built a dossier on all the people I'd be talking with, as well as their execs in case I met one of them. All of that came in handy and they hired me. (They also found my blog and liked what I was writing about so that helped too.)

Repeat that process a few more times and here I am.

Below are a couple of lists. The first is traits I found inside myself when I found the right outlet - the area I felt I belonged and was passionate about. The second is the skillsets I worked to improve along the way. Both lists are in the order I feel was most important. You'll see that there aren't any specific tools listed - that's because I don't think a large investment of time in those really helps. But familiarity and some experience playing with the top tools in what you want to do certainly does. If you're just going for an entry-level job then that's all they'll be expecting.

Traits I found inside myself
  • Curiosity
  • Desire to get better
  • Self-exploration
  • Humility
  • Ambition
Skillsets I worked hard at improving
  • Communication (quantity and quality)
  • My value and place I fit best
  • Root-cause analysis
  • Patience
  • Perspective
  • Some technical tools
Update: Some links below from others who have written on the same topic.