Wednesday, May 25, 2016

Getting your foot into the infosec door

Time and time again I have the discussion with my peers about mentoring and starting a career in infosec. I’ve been asked my opinion, what I’ve personally done, and what others can do to be successful. Recently there was a panel discussion held on the subject of infosec careers at a Michigan Security group called #MiSec. It covered a large range of information such as mentoring, networking, contributing, and attitude. For a good write-up on the session itself you can visit

It is said that the lazier the tech worker, the harder they work to automate tasks. My goal is to put down my thoughts in this article to point others to for a beginner guide of my recommendations. While it’s only driven by my personal experience and observations, it seems valuable to enough people to warrant its own automation.

So a fast primer on how I got here. Like most people I wasn’t born into information security. I’m what you would consider a late bloomer to technology compared to most. I had plans on joining the Marines and when that didn’t pan out for personal reasons I thought to myself “Hey I’m decent with computers, I’ll do that!” I didn’t have my first tech job until I was almost out of college. I had gone for my 2-year “Helpdesk” degree at a local tech college and honestly had no idea what I had just learned or how to apply any of it to the real world. After 5 years at various helpdesks and another 5 as a network/systems admin I was finally introduced into the world of infosec. I had no idea that it was an entire subculture.

My first toe step into infosec had come from a project that a friend had gotten me involved in. Being an overachiever, I had jumped in right away and started to work on this project. Bi-monthly Skype meetings, shared documents, collaborating with people I barely knew. I was loving it! Shortly after that the project owner killed it but I had already started the ball rolling in my mind. I knew that I wanted to be a part of more than just an 8-5 job. I cared immensely for the work I was doing day to day and I wanted to continue and expand upon that to help out as many people as I could. Even being involved in a project that didn’t go anywhere gave me the drive and experience I needed to realize that there was so much more out there that I could be involved in. So that is my first piece of advice. Find or create a project. It doesn’t matter what your skillset is, there *will* be a project out there that needs help. Documentation is needed on 99% or more of the open source projects out there. If you’re good at scripting or programming find a need and fill it. It may help you in your day to day job, or maybe it’s just a fun project that you do on the side. Either way you are spending your time on something useful that could end up helping save time for someone.

My second piece of advice is to volunteer and participate at an information security conference and attend local meetups. There are hundreds of them across the US and they almost always need volunteers. Just attending a conference has its benefits, but truly immersing yourself will push you further to learn and experience more. Maybe you saw someone give a talk or training on something or overheard an interesting conversation. Many careers have been started by having a simple conversation about a passion over lunch or a beer. Remember those projects that I talked about working on before... a great ice breaker. Networking is a game changer in our industry. I’m not saying that it’s the silver bullet for everyone. You can network all you want, but unless you are a desirable candidate it won’t matter. Having a willingness and desire to learn, listen, collaborate, and the ability to think for yourself are all ideal traits in such a fast-paced industry. Others will want to work with you if you are a positive person that they can rely on and trust. You can also join a team for a capture the flag (CTF) or other competition, attend training, or maybe even create your own event. CTFs are a great way to challenge yourself and build problem-solving skills. You can learn by watching and competing with others.

Another item to add to your “to-do” list should be to either find or be a mentor. Mentorship can come in many forms but is not just going to be solutions and information handed to you on a silver platter. If someone is offering to mentor you, they are doing it for free with their extra time, so don’t screw it up. Remember, they don’t owe you anything. Mentoring can be extremely rewarding for both parties and also can occupy a lot of time depending on the level of commitment. Try to find someone in a different company so you can bounce ideas off of each other from different perspectives. You don’t have to have a strict career path to be mentored. With so much information in infosec, having a broad understanding of any piece of it will help you down the road.

While a career in information security could be an 8-5 job, to excel in it won’t be. I think it’s safe to say any career can be made into an 8-5 without personal and professional drive and commitment. You are going to get a return on investment only on the work that you put into it.