Tips for getting started in information security
I regularly get questions of students who expect to graduate soon asking what they need to do to get started in the information security field. Unfortunately, I cannot give a straight unambiguous answer to that. What I can do is start a thought process for that student. In the end, they will have to do the work.
Become experienced
Get a job that sounds like it is
relevant to security. It does not actually have to be dead-on, but when
a potential employer reads your resume, she must feel some sort of
connect. Unfortunately, most security jobs ask for experience, so that
is exactly what you need to get.
Most likely, the easiest way
to do so is to find a job for a large consultancy organization and make
it clear to them that you are willing to work hard, travel when
necessary, and add value to their organization. At the same time, don't
let your employer ever doubt that you are going to become an
information security specialist.
Focus
Information
security professionals are service providers and you need to figure
out if you want to become a consultant that comes in to do a job, or if
you want to work for the organization
that uses your services. Make up your mind if you want to become a
product specialist. Early in your career, consulting is not a bad
way to go, since that will expose you to different industries,
different problems and different working cultures.
Deciding if you want to work in a specific industry, or in a particular geographic area is also part of making the focus decisions. I know people who decided very early on that they wanted to work for a specific organization and they had their career plan centered around that goal. The same is true for geographical areas. If you decide that you want to work in the New York City, you will probably end up in the financial services industry or in fashion. If you are on Long Island, start learning about medical services. Other areas have similar industry focuses.
Specialize
Think
hard about the area in which you want to specialize and work towards
that. Depending on the direction in which you want to move, you will
need to spend just about every waking hour doing "stuff" with security.
If you chose your direction to be penetration testing, find a
pentesting job. When you come home, start doing stuff in your own lab.
If you want to become an incident responder, look in that area and
start dabbling with forensics-type stuff on your own time. If you want
to become an information security manager, try to get some leadership
experience. If you want to become an application security specialist,
start coding.
Certify
There is much discussion
surrounding the actual value of a security certification, but the basic
fact is that employers will look for something that can distinguish you
from the rest. Not having a certification is definitely a
distinguishing factor, but it may not be what you want.
When choosing
your certifications, keep your specialization goals in mind. It is
useless (and may even work against you) to pursue vendor-specific
certifications if you want to do something with a broader scope. The
opposite is also true-- striving to pursue a general certification when
you want to be a niche specialist is also pointless.
Branding
Make
yourself visible: become a member of security organizations and go to
chapter meetings. Attend as many events as you can, even if they are
not in your focus area. At worst, you will spend an afternoon thinking
about why the topic is not relevant to you (also valuable), and at best
you meet your next employer.
If there are no chapters, start one. If
you can afford it, begin visiting security conventions and conferences,
reading (and comment on) blogs, maybe even start your own blog, join dedicated chat
rooms and online forums, jump on twitter, linkedin, etc. Set up your
own web site; don't be afraid to oversell yourself, but never lie. As
an information security professional, your personal reputation and
credibility is everything. The information security field is young, highly dynamic and the good people in the field form a close community. Associate with the right people.
Plan
Finally,
come up with a career plan. That plan will be perfect nor complete when
you make it first, but continue to update it as your expectations of
the future take on more concrete form. Write down that plan on paper
(not just as a file on a computer-- paper is more convincing!)
No
employer expects that you spend your entire working life with them, but
job-hopping every few months will come back to bite you. It creates the
impression that you are not reliable, because you are not going to be
around long enough to invest in. Plan to stay in a position for at
least a year.
Become experienced
Get a job that sounds like it is
relevant to security. It does not actually have to be dead-on, but when
a potential employer reads your resume, she must feel some sort of
connect. Unfortunately, most security jobs ask for experience, so that
is exactly what you need to get.
Most likely, the easiest way
to do so is to find a job for a large consultancy organization and make
it clear to them that you are willing to work hard, travel when
necessary, and add value to their organization. At the same time, don't
let your employer ever doubt that you are going to become an
information security specialist.
Focus
Information
security professionals are service providers and you need to figure
out if you want to become a consultant that comes in to do a job, or if
you want to work for the organization
that uses your services. Make up your mind if you want to become a
product specialist. Early in your career, consulting is not a bad
way to go, since that will expose you to different industries,
different problems and different working cultures.
Deciding if you want to work in a specific industry, or in a particular geographic area is also part of making the focus decisions. I know people who decided very early on that they wanted to work for a specific organization and they had their career plan centered around that goal. The same is true for geographical areas. If you decide that you want to work in the New York City, you will probably end up in the financial services industry or in fashion. If you are on Long Island, start learning about medical services. Other areas have similar industry focuses.
Specialize
Think
hard about the area in which you want to specialize and work towards
that. Depending on the direction in which you want to move, you will
need to spend just about every waking hour doing "stuff" with security.
If you chose your direction to be penetration testing, find a
pentesting job. When you come home, start doing stuff in your own lab.
If you want to become an incident responder, look in that area and
start dabbling with forensics-type stuff on your own time. If you want
to become an information security manager, try to get some leadership
experience. If you want to become an application security specialist,
start coding.
Certify
There is much discussion
surrounding the actual value of a security certification, but the basic
fact is that employers will look for something that can distinguish you
from the rest. Not having a certification is definitely a
distinguishing factor, but it may not be what you want.
When choosing
your certifications, keep your specialization goals in mind. It is
useless (and may even work against you) to pursue vendor-specific
certifications if you want to do something with a broader scope. The
opposite is also true-- striving to pursue a general certification when
you want to be a niche specialist is also pointless.
Branding
Make
yourself visible: become a member of security organizations and go to
chapter meetings. Attend as many events as you can, even if they are
not in your focus area. At worst, you will spend an afternoon thinking
about why the topic is not relevant to you (also valuable), and at best
you meet your next employer.
If there are no chapters, start one. If
you can afford it, begin visiting security conventions and conferences,
reading (and comment on) blogs, maybe even start your own blog, join dedicated chat
rooms and online forums, jump on twitter, linkedin, etc. Set up your
own web site; don't be afraid to oversell yourself, but never lie. As
an information security professional, your personal reputation and
credibility is everything. The information security field is young, highly dynamic and the good people in the field form a close community. Associate with the right people.
Plan
Finally,
come up with a career plan. That plan will be perfect nor complete when
you make it first, but continue to update it as your expectations of
the future take on more concrete form. Write down that plan on paper
(not just as a file on a computer-- paper is more convincing!)
No
employer expects that you spend your entire working life with them, but
job-hopping every few months will come back to bite you. It creates the
impression that you are not reliable, because you are not going to be
around long enough to invest in. Plan to stay in a position for at
least a year.