Recently on Twitter, a bunch of people in the Infosec community have been talking about getting new people involved more: helping the next round of professionals get up to speed, or keeping them interested and getting them into the field. So what is the problem here? Why aren’t they coming in and switching over? Using the path I’ve taken to become a “professional” Infosec guy, I figured I’d talk a bit about how daunting a task it can seem.
I WANT TO BREAK INTO INFOSEC!
This was my mantra for a long time. I did what I thought I could. I started going to the Burbsec meetings in Chicago so I could meet the professionals and ask advice. Still, even going to them, I felt like a schmuck. I had nowhere near their level of experience. When they talked tech at these get-togethers, so much went over my head, and I didn’t want to seem like I knew nothing. After time (and some encouragement from my SO to keep going to these meetings), I started feeling comfortable around the people. I didn’t have a ton more knowledge, but I was welcomed and talked to as an equal, and if I had a question, I wasn’t looked at like I was some pariah. People like @j0hnnyxm4s, @Hacks4pancakes, @Ben0xA and many others not only encouraged me, but gave me tips on how to move forward in the industry.
I was doing Network Engineering, Administration and Design work for a living. Not what I would consider being an Infosec professional by any means. Still, I went to BSides Chicago, and even got up the gumption to give a talk about Small Businesses and their security needs at the 2014 one. Even with all of that, being an Infosec professional seemed as far away as ever. Why? Well…
I DON’T HAVE THE TRAINING/CERTIFICATIONS TO GET INTO THE FIELD
Working in the wonderful world of IT you hear a ton about certifications. Look at the alphabet soup out there: A+, Network+, Security+, CCNA, CCNE, MCSE, CISSP, CEH, GIAC, and the list goes on and on. Classes alone for some of these can be in the thousands of dollars, and if you can’t get work to pay for them, they can be unaffordable. Now, I am not trying to start a debate on certifications. The thing about them is they are a way in, by means of getting past the HR people, and in some instances they are required for the job due to, say, Government involvement. They also are a way of learning some of the basics.
Speaking of learning, one thing I think is lacking is a repository of VMs that can be used for learning. Most people who want to be, or are, involved in Infosec tend to have their own labs. Today, with Virtual Machines, the cost of labs has gone down drastically. Sharing a VM or two with someone wanting to be involved can be extremely helpful, but so can helping that person set up their own lab.
RISK VERSUS REWARD
This is one of the biggest things in any form of security, so why should it not be brought up as part of the path? Sometimes, more often than you might think, you need to take that risk to get into the field. Maybe it is doing a talk at a con or local group meetup. Maybe it is applying for that job you think you have no chance in hell at. The rewards for taking those risks can be great, as long as you understand that rejection is nothing more than another learning experience. In most cases you can talk to the organizers or the people you interviewed with and get some feedback, so the next time you have a better shot. When I applied for my current position I took a risk, as I felt I was not what they wanted based on the job description and requirements. I was wrong, because to my surprise I was told…
YOU ARE ALREADY DOING INFOSEC AT LEAST PART TIME
My boss leveled that on me when I was going through the interview process. His statement to me was that since I was dealing with firewalls and firewall rules, dealing with antivirus and antimalware, removing malware and dealing with PCI requirements for some, I already had years of experience in the field. This floored me, because, like a lot of people trying to break into the field, I think of Pentesting, DFIR, Reverse Engineering, and finding zero days as the things Infosec Professionals do. That, and speaking at a ton of conferences if you want to be well known. Reality set in that security is so much more than that. I had no idea that I was thought of in that fashion, but I came to understand it. Infosec is such a broad area that people, especially those new to it, need to learn that they already took the first steps into the field by wanting to learn and doing day-to-day stuff. Going over logs to find an issue, opening up a pinhole in a firewall, taking care of VLANs, patching systems: all of that is part of Infosec. To get into the “well known” items listed before, it just takes a little bit more.
DON’T BE AFRAID
Talk to people out there. I have a Twitter feed on the side of this page with a list of Infosec Twitter accounts I follow. Use that if you have to as a starting point to talk to people, or at least follow them. Do some research, and find out if there is a local Infosec meeting near you that you can go to. Get to cons, and talk to people in the hallways, besides seeing the talks/panels. I also recommend this post from @hacks4pancakes: Starting an InfoSec Career – The Megamix – Chapters 1-3. It is the start of a two-part post that really will help.