I'm considering a slight career change to IT security - what do I need to consider?

tover

I've been in IT for a while, and am considering a shift to focus more on security and related technologies, policies, etc. What kinds of things should I keep in mind?

Tags: infosec
Topic: Security

Answers

2 total
Vote Up (40)

One of the most common questions I get asked is “How can I become an information security professional?”. These days, it seems that a ton more people want to be in the “business” of information security. I get the question so often, I thought I would write this post as a quick and easy way to respond.

Are You Serious?

The first response is a “gut check”. Are you serious that you want to be an infosec person? Do you even know what you are asking? My suggestion is 2 steps. Number 1, read a basic information security guide (not Hacking Exposed or something on an aspect, but something more general like the ISO standards). Number 2, invest in your career option enough to buy a few coffees or beers and ask a couple of security folks you know of and trust to sit down, one on one with you for an hour chat. Talk about that person’s career, what day to day security work is like in their experience and what they think about your ideas for moving forward. If you can’t or won’t invest in these basic steps, then quit now and choose another career path. Security work is all about research, reading, guidance, networking and conversations with other humans. If you can’t do these toddler steps, then forget running with the big dogs and find another pack.

Get Serious, Quick!

Step 1: Knowledge boost: Start to read every single security book you can find. Listen to podcasts, read web sites, subscribe to mailing lists. Read RSS feeds.

Step 2: Find a way to contribute: Work on an open source security project. If you can’t code, then write the documentation or contribute to testing. Start a website/blog and start to aggregate or gather other security news. Wax poetic on what you think of certain topics. Think of this part as turning knowledge into wisdom. It is where the rubber meets the road and where you will encounter some pain, humiliation and grief, but it is another form of “gut check” to make sure you are ready to be in infosec.

Step 3: Build a lab & practice security skills: Build a lab. Make it out of old hardware, virtualization systems, Live CDs, etc. Then hack stuff. Secure stuff. Apply settings, scenarios, access controls. Shop at eBay, garage sales, thrift stores or Walmart to cut the cost down. Be creative and pragmatic; both are essential security skills.

Step 4: Brand yourself: Once you have some wisdom and insight, then update your resume. Build a personal brand. Read books by Seth Godin and Guy Kawasaki to learn to do this. Learn how to separate yourself from Joe Six-Pack and how to turn your security experiences with the above projects into valuable differentiators that open doors for you to get that job you wanted. Is it work? Yes. Is it hard work? Yes. Does it take time? Heck, yes. Is it worth it? If you get what you really want, heck yeah!!!!

It’s OK to Turn Back

If, at any point during the above steps, you decide you are not interested enough to continue, then don’t. Security is tedious, hard work. Most of it is COMPLETELY NOT SEXY and has nothing to do with Swordfish, Hackers or the Matrix, no matter how much you want to be Neo, Cereal Killer or Angelina Jolie. Security is mundane, boring, full of science, analysis and research. If you want to be great at it, you also need to understand business, marketing, math, human resources, education, more marketing, sales, basic programming, public speaking, more marketing and oh, yeah, more marketing. Why so much marketing? Because, believe it or not, people need to be sold on being secure. That is the largest irony of the job. You have to not just identify how to make them secure AND teach them how to be secure, BUT you ALSO have to SELL them on the idea that security is worth their investment of time, energy and resources. It’s not that they don’t want to be secure, it’s that humans are REALLY BAD AT MAKING RISK DECISIONS. Keep this in mind as your security career progresses. It is a handy meme.

Are there Shortcuts?

Maybe, if you wanna be average. More than likely not, if you wanna be truly GREAT at what you do. Everything in life has a price. The good, the bad and the security career. Paying that price is a part of the reward, you just might not know it yet. Pay the price. This is one system you really don’t wanna “hack” to get at the “easy way”, it makes for a lot of pain down the road when you look foolish.

What About Certifications?

I am not a believer in certs. I have never made any secret about my position. I DO NOT HAVE MY CISSP NOR AM I LOOKING TO EVER HAVE ONE. Certs are NOT a good measure of experience, work ethic or intelligence. They represent all that I hate about the security industry and the idea of doing the minimum. This is not to say that you should not pursue them or that they are not valuable, it is just my belief that the IT industry puts way too much stock in certs. They believe that most every CISSP is a real “security person” and knows their stuff. I have met plenty who do not. I have met plenty who I would not let manage my security. I have met some that I would, as well. The same goes for all certs (MCSE, CSA, etc.). Certs are just a BASIC qualification mechanism, no more, no less. Experience and what you have done in the past speak volumes more to me, and anyone I would want to work for or with, than a cert. Period.

I hope this answers those basic questions about how I think you should move toward being a security professional. I hope you do choose security as a career, if you are willing to invest in being great at it. The world needs more great security people, but we also need fewer inadequate security professionals. The industry has its charlatans and fakes, but it also has some of the best people on the planet. This industry has been good to me for almost two decades. I have met and made friends with some of the most talented, fascinating and warm people in the world. I am very blessed and very grateful. I hope you will be too. Buy me a cup of coffee if you want to talk more about it. I promise to try and help you figure out if this is the way you want to go, if you are willing to invest in yourself first BEFORE you seek my input. More than likely, you will find the same to be true for other security experts too. They just might like cheaper coffee than I do…

jimlynch
Vote Up (32)

Hi Tover,

I found an interesting PDF file that covers the basics of what you'll need to get into the information security field. The PDF is about 9MB.

https://www.isc2.org/uploadedFiles/Industry_Resources/careerguide06.pdf

I'd give that a read as it will probably answer many of your questions.
