Sunday, April 26, 2015

On breaking into the Information Security field.

Making my rounds on Twitter this evening I saw @SwiftOnSecurity pose an important question for those wanting to get into InfoSec. This is something I've been wanting to write about for a while, so her post put a fire under my ass to finally get it done. I have been incredibly lucky in my security career in that I've had a chance to work with incredibly smart and talented people, people who are always willing to help a n00b find their way. I owe it to them to do the same.


1. Do something else first. 

Whether it's IT or DevOps, context is king. I didn't intentionally follow this advice; it's just where I started. I was a good 8 years into my IT career before I saw my first PCAP. In hindsight, though, this was the best thing that could have happened to me. How do you know what you're securing if you have no idea what a router, switch or firewall does? How can you study application security if you haven't spent some time helping users troubleshoot their spreadsheets?

Pay your dues, the rest will come in time.

2. Self Study

This is so important I could list it a dozen times and it would still be an understatement. I have worked Helpdesk, Desk-side, Network and Telecom support, but nothing has been as valuable as the time I spent after-hours studying anything and everything I could get my hands on. The wonderful thing about this business is that it's all out there for free. There are so many free skills challenges online that it'll make your head explode.

You can learn all the theory you want, but the sooner you start actually practicing the techniques the better off you'll be. You will, sooner rather than later, get asked during an interview "What does your home lab look like?" If you haven't taken the time to take advantage of the myriad free tools out there and sniff your own traffic, nobody is going to take you seriously. We live in the age of VMs; there's no excuse not to stand up your own test environment to play with all the tech you say you're so passionate about.

Most importantly, you have to love what you do. Technical skills deficits can be overcome; it's passion that counts. An innate curiosity about the world and a desire to figure out how it all works are things that can't be taught, but they can be nurtured. We have too many half-assed muppets running around in this business. We need to solve actual problems.

3. It's not all about the paper....until it is. 

I have an Associate Degree, and that stupid thing is 13 years old by now. I can count on one hand all of the times only having a two-year degree has even remotely mattered. Your time is better spent working on your own projects and initiatives. If you do the work and can talk intelligently about it to an interviewer, that's half the battle.

That isn't to completely discount the value of that paper, because we live in the real world. I think my path would have been much harder without at least a two-year degree, especially because I started out in IT and those people are crazy for degrees. I will inevitably pursue an advanced degree because business is business and you still have to play the game.

Some companies will not move you up without an advanced degree, but it's an added bonus if they offer tuition reimbursement. They want it? Let them pay for it.

4. Certs

There are so many areas of Security available that you can run yourself in circles trying to figure out what you need to be studying. Every area of InfoSec requires an immense amount of concentration and time. The other maddening thing is that companies want you to be both specialized and generalized in your knowledge. It can seem like an impossibly daunting position to be in when you're first starting out. To that end, I posit that you need an anchor, a true north. A solid foundation is key, and sometimes the only way to focus is to go after a cert like Security+ or CEH.

You're going to hear a lot of different opinions on certifications from a lot of different people. Some of these opinions will be constructive, some will not (see my entry on Drama Queens below), but certs can be beneficial with the proper motivation. I didn't get my Sec+ because I thought it made me worthy of a job; I got it to lay the foundation for the security career I aspired to.


5. You think you're ready? You're not, but apply anyway. 

Time to start getting your name out there. At this point you have nothing to show in the way of Security experience, so make your cover letter count. You will be surprised how a well-written cover letter can sell your passions to an employer. You won't be making six figures from the jump, but you will be able to get experience. Your best friend? SOCs and contracts.

Contract work is a blessing and a curse in InfoSec. Nobody wants to take a 6-month SOC gig in the middle of a Kansas cornfield, but when you're just starting out it's hands down the easiest way to get going. Hell, maybe you live next to that cornfield and think you'll never get your shot at security. Think again. Many of us started in a SOC (the security equivalent of an IT Helpdesk), and some SOCs are better than others. You can bank on the fact that you'll work with both truly talented people and completely useless, piss-poor excuses for "Analysts". Learn to recognize the difference early and you'll go far.

6. Get your ass kicked, then do it all again. 

Show me someone who's never gotten their ass kicked in an interview and I'll show you someone who's not trying hard enough. Take copious notes during your interviews. The topics you were absolutely clueless about are what you should be studying next. I have detailed answers already pre-written to interview questions I've gotten more times than I can count. That's another blog post coming in the near future. Suffice it to say, it's not enough to copypasta answers from some other resource; find the answers, then rewrite them in your own words.


7. Find a mentor. 

You don't have to spend a lot of time in Security to realize who the people are that you should be listening to. If you're able to find someone who's willing to spend time teaching you something, anything, soak up as much information from that person as you can. I would not be at the level I am today without an army of intimidatingly smart people guiding me along the way. Tribal knowledge sharing is the lifeblood of our business.

8. Press the flesh. 

"It's all in who you know."

Nowhere is this more evident than in InfoSec. Relationships are everything here, so build them early and build them to last. Get out to some conferences if your budget allows; if you can't make it to Vegas, find your local BSides, they're absolutely everywhere. At the very least, look around and see if there are any local security groups in your area. Can't find any? Start your own!! Both my career and personal life have been significantly improved by the amazing people I've met at my local meetup, NolaSec.

9. Build your twitter.

Twitter is hands down the single greatest resource in InfoSec. It's immediate and always on the bleeding edge. Nobody loves a good cluster quite like Security folk, so you'll not only see the hot gossip/outrage but you'll see some fantastic solutions and write-ups. Never has it been so easy to interact with the actual people solving the problems. Start your own blog; you may think you have nothing to say, but you do. Contribute.


10. Relax.

For the love of whatever god you pray to, stay positive! InfoSec burnout is a real thing and it will happen sooner than you think. Realize when you're getting overwhelmed with information and pump the brakes for a bit. Those aforementioned relationships will be crucial when you start to feel the pressure of your new career, or the crushing disappointment if it doesn't go your way at the beginning. Remember to breathe.

11. Be humble.

If there's one point I can't stress enough it's this: ignore the "elite hacker" bullshit. We have no shortage of InfoSec "Rockstars" here. Some will say to steer clear of these prima donnas, but I say you steer into them. Learn from the drama; use it as a lesson in how not to behave. Drama is not productive to the conversation and it's one of the biggest problems we face in InfoSec culture.

Bragging about "street cred" and being unwilling to teach/mentor those more junior than you is unacceptable and, quite frankly, makes you a bit of a douche. We need serious, passionate people to solve difficult, important problems. If you're not part of the solution, you're part of the problem.

Don't be a douche. Welcome to the team, now get back to work.


1. OSCP! The exam is tough, but the 3-month lab is a blast and since you have permission, it is legal hacking. Because prison sucks.

   btw, CEH can be done self-study. Don't pay out $5,000.

2. Excellent point. Sec+ and CEH were just the first 2 that came to mind.