I Am InfoSec, and So Can You

I've been following, with some amusement, the recent small burst of blogging on how to get into infosec. I find it somewhat amusing for a number of reasons, not the least of which is that it reminds me of any number of "lightbulb" jokes (How many general relativists does it take to change a light bulb? Answer: Two. One to hold the bulb while the other rotates the universe.). Why does it amuse me so? Well, for one thing, there's no real defined path into this industry. For another, there are still lots of grey areas with respect to roles and responsibilities. That being said, here are some of my quick hit thoughts.

Don't!

Frequently when people ask me about how to get into infosec, my immediate off-the-cuff response is along the lines of "what, are you crazy?! don't!" This glib response is one part humor, one part sober reality. The simple fact is that we do not need a bunch of dedicated security professionals. What we need are security-conscious people working in every other technical and business discipline in the universe. If coders natively write secure code... if business leaders made decisions that properly balanced well-understood, well-defined, well-researched risks... then there would be little need for security specialists. Of course, the truth is far more stark, and the reality is that we do still need dedicated security professionals, for better or worse.

Value All Victories

On the road to becoming a security professional one must develop a thick skin and learn to savor all victories, no matter how small or indirect. Did the idea you presented 2 years ago just get adopted as the "original" idea of your boss or someone else higher in the food chain (who was part of your original briefing)? Cool, look at the progress you just made. Be happy with the progress made, and actively fight the inevitable ruts of depression that pretty much all of us suffer from time to time.

Strong Self-Starter

For entry-level positions it might be acceptable to wait for direction, but infosec tends to be a bit different. If you can't quickly come to grips with flying solo in whatever capacity you're filling (pentester, policy writer, security architect, analyst, door mat, etc.), then you're not going to last very long or get very far. It's imperative that you own your career, own your job, and make sure you hold onto your wits through the many ups and downs. Don't expect a lot of training, don't expect a lot of hand-holding, and don't expect a formal curriculum to follow (despite what various institutions of higher education might otherwise offer/threaten).

Education, Training, Certification

I have a Masters degree in infosec management, and I'm actively writing infosec curriculum for a for-profit "higher ed" organization, and I can honestly say that none of it is necessary. Which is not to say that it lacks value; quite the opposite in fact. However, we all learn differently. If you're not familiar, there are three learning styles (Visual, Auditory, Tactile), which means that each of us have strongly preferred methods for learning. Personally, I'm primarily a visual learner, secondarily a tactile learner, and - at a distant third - an auditory learner. This means that I need to see things to understand them, or least work with tools to lock in that learning. Lectures do very little for me; a problem that has gotten worse as I've gotten older (I get bored easily). Anyway...

The point here is this: we all learn in different ways, and must thus tailor our learning to our own preferences. If that means reading lots of books, great. If that means building massive home labs to tinker, great. If that means sitting through podcast or webcast after podcast after webcast after podcast, ad nauseum, fine. Whatever helps you keep learning.

It's also important to note the difference between training and education. Training is designed to impart skills through a fairly rote process. Education is designed to provide basic skills along with the method to extend those skills independently. Boot camp training programs are designed to get you online quickly for a specific skillset, but it will not spend time teaching you how to extend those ideas. Formal education, on the other hand, will seek to give you a broad base in a topic with the notion that, if interested, you can then go self-study deep in that area.

Lastly, on certifications and degrees... the general consensus is that certs don't qualify you for much of anything, despite what the DoD, DHS, or ISC2 might like you to believe. Cramming for and passing an exam is all good and fine, but it does not indicate skill level or long-term information retention. Many of us hold certs like the CISSP because they're necessary for getting past the hiring gatekeepers (e.g. recruiters, HR), not because they represent any sort of worthwhile knowledge or experience. There are some rare exceptions to this rule, such as some of the SANS GIAC courses, but the bottom line is that you should go after a cert for one of two reasons: you need it to clear a hurdle or the accompanying training very much interests you.

Similar, formal degrees can be highly overrated. I often discourage people from pursuing formal degrees - especially graduate programs - unless they're looking to go into academia or are particularly inclined toward an academic environment. My undergrad experience was a lot of fun way back when, and the Comp Sci degree probably helps me understand certain things, but there's very little I use today that could not have been learned experientially without a degree. Unfortunately, having a Bachelors degree is increasingly likely to be a minimum require for full-time positions, creating a false demand for educational services that may not be absolutely necessary.

Keep Fresh

As part of being a security professional you must make a commitment to keeping yourself fresh. It's not adequate to simply learn a single skill and then sit idly by while the world continues moving forward. Running Nessus or Nmap is all good and fine, but if that's all you can do, then you might as well go work for McDonalds. If you want to be in the infosec industry and be taken seriously, then you must work overtime to get up to speed and keep current.

Now, bear in mind that the industry is huge. This point implies something nuanced... despite my working hard over the years to remain a generalist, the simple fact is that there's really no way to be a generalist any more. There is too much ground for any one person to cover, even at a basic level. Even if you consider yourself a generalist, you're going to want to pick niches to semi-specialize in. It's about the only way I can see stay relatively current or relevant in the industry.

Engage the Community

Do not sit home disengaged and then act surprised when nobody knows who you are, or you're not able to build a reputation. If you never engage the community, then the community can't engage you. Find ways to contribute, whether it be through local security groups or open source projects or even through social media like Twitter. Do you like to do research and analysis? Start publishing your findings! Find mailing lists where you can participate in discussions. As you progress, look for other ways to contribute. If public speaking doesn't terrify you (or maybe even if it does), then start submitting talks for various conferences. Can't afford to attend RSA? Then go to Defcon, or find (or organize) a local BSides event. The more you give back to the community, the more the community will support you and help you advance your career.

Analytical Skills a Must, Writing Skills Beneficial

If you want to be a security professional, you need to learn how to do quality analysis. You need to be able to walk into a situation unbriefed, gather info as painlessly as possible, reach reasonable conclusions, and - even better - make reasonable, actionable recommendations. A lot of this takes experience, which is something you'll likely need to develop on your own. That being said, developing those analytical skills can be done through many different types of jobs and opportunities, and can then be used to work into infosec-oriented roles.

Along these same lines, writing skills can be invaluable. The written word, whether it be in print or online, is still one of the single most important ways to express/share ideas, concepts, thoughts, commentary, etc. Being able to engage in learned discourse in written form requires patience and skill and the ability to translate an idea or a picture into a description. This rule applies equally to being able to write formal reports or to blogging or even to micro-posting on Twitter.

Tenacity and Perseverance

If you want a career in infosec, then you should be prepared going in to be depressed, frustrated, and burned out on a fairly routine basis. Sure, there are ways to work around and through these problems, but the simple fact of the matter is that infosec can be one of the most frustrating industries because people oftentimes do not listen, or flat out do not have the capacity to understand. No matter how good your communication skills, it is inevitable that people will not grok what you're saying, resulting in inaction and possibly worse.

Tenacity helps you stick to your guns and not give up (all) hope. Perseverance could be coupled with patience in that it takes time to move the needle. The Titanic couldn't turn on a dime, and neither can most medium and large organizations. Agility is generally reserved for the small and nimble, which are the minority. Add in the limitation that to have influence you must first have credibility, which itself takes time to build.

Play Nicely with Others (mostly)

I love this industry and community, but that doesn't mean I like everybody in it, nor do I agree with everything everybody says. Sometimes I really want to tee off and vent my spleen. There's nothing wrong with that, unless you do something stupid (*ahem*) and actually put it into writing, such as on your blog. *blink, blink* Perspective and the ability to walk away is key. We may be an industry of rugged individualists, but we also tend to be a very small, tight-knit community. No real good can come from shooting off one's mouth, especially in a public form. You also never know when something you say about a person will get back to that person, or how they'll respond.

If you want to be in infosec, you need to learn how to engage in these difficult situations, work with people, and generally play nicely. Keeping things in perspective is a great idea. Securosis has these "firestarter" posts every week that are a great example. They tend to be ideas tossed out with an intent toward inciting active discussion, but people can occasionally take it too far and get personal with it. And this is understandable, since sometimes we find comments on topics that directly undermine something we're doing or supporting. *shrug* Them's the breaks. As Jimmy Buffett sings, "Sail on." ;)

Should You Go Into InfoSec?

Nobody can answer this question for you. My advice is to think about what you're good at, what you really enjoy, and focus on that. If it's coding, then be a really good secure coder and then look for ways to spread that to others. If you're a glutton for punishment, then definitely look at joining this industry and community. However, be forewarned and prepared: there is no easy way to legitimacy, and it will require hard work and long hours.

Other Peoples' Posts on the Topic

The First Steps to a Career in Information Security
http://erratasec.blogspot.com/2010/04/first-steps-to-career-in-information.html

Bootstrapping the next generation.
http://layer8.itsecuritygeek.com/layer8/bootstrapping-the-next-generation/

Who to Recruit for Security, How to Get Started, and Career Tracks
http://securosis.com/blog/who-to-recruit-for-security-how-to-get-started-and-career-tracks

My Other Pages

Support Me

Support EFF


Bloggers' Rights at EFF

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10