I got involved in a pair of conversations in the last week. One person complained that there’s a shortage of people in information security, yet she can’t get a job. Another complained that there’s a shortage of people in information security and he can’t find qualified candidates to fill his openings. In that spirit, here’s my advice on how to get a job in information security.
Get infrastructure experience
I toiled away in infrastructure from 1997 to 2009. That’s not entirely bad. I was the junior sysadmin for most of that time, so I got the work nobody else wanted. That meant patching and antivirus, mostly. That ended up being good for me in the end. Getting good at patching set me up to be good at vulnerability management. It’s hard to find vulnerability management analysts who understand the data that tools like Qualys and Nessus spit out.
You don’t have to spend 11-12 years in infrastructure like I did. You may have to start at the helpdesk and work your way up, and that can take some time, but it’s worth it. The problem many of us see is people going straight into security from college. With no field IT experience to speak of, they can’t relate to IT departments, and that seriously limits what they can accomplish.
Working tightly with my infrastructure colleagues, in 2014-2015 I accomplished a decade’s worth of work. The only reason they would listen to me was because I had experience to help them. I didn’t order them to do things; I helped them solve problems. But without that experience, you might as well be a baseball coach who never played baseball.
Trick out your home network
How many computers do you have on your home network? When I was 25, I had five. I had two Windows machines and a Linux machine, another Linux machine acting as a web server, and yet another Linux machine acting as my router. All shared my DSL connection. Yes, it was over the top, especially considering I was single and lived alone. But I was learning networking.
Yes, you can learn things by running Kali Linux and running exploits against an unpatched Windows machine. You learn more things if you stand up some infrastructure and rely on it for something and need to keep it working. That’s one reason I still run my own web server out of my basement.
There are cool things you can do with your computers besides abusing them. Knowing how to do that does two things. It helps you relate to the rest of the world. And it gives you the background to think of other things that can go wrong.
Get a certification
Getting an entry level certification like Security+ helps with breaking in. Study for it while you work an infrastructure gig. Use it to learn where your strengths and weaknesses are. Study the parts you find interesting.
A certification helps you get past HR and get an interview. Follow-through and experience help you land a job once you get that interview. Security+ and a track record of accomplishments elsewhere in IT ought to be enough to land you an entry level job in security.
But I wanna be a pen tester!
The guy who was complaining about the lack of qualified talent went on a rant that I’ve heard a hundred times before. Everyone, he says, wants to be a pen tester without knowing how networks or protocols work. The problem with that is that pen testing is abusing networking and protocols. If you don’t know how they’re supposed to work, then you don’t have the background to throw weird stuff at them and make them misbehave.
I once had an entry-level colleague who had one job. His job was to scan new servers with Qualys and tell the sysadmins what patches to install before the servers could go into production. The work was beneath his raw ability, but he had no professional experience and limited education. When I was his age and had his experience, I had to work my way up from scrapping decommissioned desktop computers. “Do your job, kick [butt], and in six months you’ll catch a break,” I told him.
He didn’t take my advice, insisting he wanted to be a pen tester. So he let the work pile up and got himself fired in a matter of weeks.
If he ever gets his act together, he still could be good, but he would have been great if he’d spent a couple of years pushing patches or writing web page code.
But the pay is better in security
Yes it is. My base pay now is twice as much as I made as a sysadmin. But I get that money because I can help teams work together to accomplish a lot. Going straight into security wasn’t an option for me. But if you go straight in with no experience, you can expect your pay to top out at half to one third what it could be.
Yes, I was underpaid as a sysadmin, but that experience lets me earn more now. It also lets you understand things in context.
Back to the rant I heard the other day. He said that without experience you don’t know the difference between a big deal and a tempest in a teapot, and you flip out over little things. My ex-buddy who wouldn’t run vuln scans did exactly that. People would tell him stuff, he would overreact to it, and go into a funk. I think that might have been one reason he wouldn’t run his vuln scans. Ironically, if he’d just done his job, he would have helped me keep the problems from getting worse.
What about advanced certifications?
Advanced certifications can certainly help you get through HR, but I’ve had exactly one interviewer in six years ask me about my CISSP. As long as you can apply the knowledge that it took to get the CISSP, most hiring managers don’t really care if you actually have the cert.
I think that getting advanced certifications, whether they’re generalist certifications like CISSP or CISM, or specialized certifications like the SANS certifications, can be helpful. But it’s what you learn over the course of getting the certifications that matters more. Some people hold the CISSP in high regard and ask me how to get it. Some of my former colleagues from my infrastructure days insist it stands for “Can’t Interpret Simple [Stuff] Properly.”
Not being able to interpret simple stuff properly is a sign of taking the test too soon and not having enough IT experience prior to getting into security.
That one flaw
IT departments can sense security professionals who lack experience and take advantage of it. The trick is to find one flaw in the security report and claim that flaw invalidates the whole report, and therefore, you can safely ignore it. I’ve worked with about 35 different companies over the course of my career and I’ve seen every one of them try a variation on this tactic at least once. It usually works.
In extreme cases, I’ve seen IT departments grind one or more divisions of a security department to a complete standstill with this tactic.
When someone tries that with vulnerability scan data, I have the background in patching to counter it. If pressed, I can demonstrate each and every other data point to show it’s valid. Most IT teams won’t make you do that. Once you demonstrate about a half dozen valid findings, they’ll start to listen to you. But you have to have the IT experience to follow the data and show the evidence that it’s correct.
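“Following the data” on a vulnerability scan in practice means checking each finding against what is actually installed on the host, so that a true positive can be shown with evidence and a genuine false positive can be conceded without giving up the rest of the report. The script below is an added example, not code from this post or from any scanner vendor. The findings and package inventory are constructed sample data, and the field names (host, package, fixed_version) are assumptions about the shape of a scanner export, not the schema of Qualys or Nessus output.

```python
"""Cross-check vulnerability scan findings against a package inventory.

Added example with constructed data. The finding fields (host, package,
fixed_version) and the inventory layout are assumed, not any real scanner's
export format. Placeholder identifiers are used instead of real CVE numbers.
"""
import re


def parse_version(version: str) -> tuple:
    """Turn a dotted version such as '2.4.49' or '8.4-1' into a tuple of ints.

    Purely numeric comparison is enough for the constructed data here; real
    distributions add epochs and letter suffixes that need a proper comparator.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def classify(finding: dict, inventory: dict) -> tuple:
    """Return (verdict, evidence) for one finding.

    confirmed       installed version is older than the fixed version
    false_positive  installed version already carries the fix
    unverifiable    inventory has no record of that package on that host
    """
    host_packages = inventory.get(finding["host"], {})
    installed = host_packages.get(finding["package"])
    fixed = finding["fixed_version"]
    if installed is None:
        return "unverifiable", f"{finding['package']} not in inventory for {finding['host']}"
    if parse_version(installed) < parse_version(fixed):
        return "confirmed", f"installed {installed} is older than fixed {fixed}"
    return "false_positive", f"installed {installed} already at or past fixed {fixed}"


def validate_findings(findings: list, inventory: dict) -> list:
    """Attach a verdict and an evidence string to every finding."""
    results = []
    for finding in findings:
        verdict, evidence = classify(finding, inventory)
        results.append(dict(finding, verdict=verdict, evidence=evidence))
    return results


def summarize(results: list) -> dict:
    """Count findings per verdict, which is what a sysadmin asks for first."""
    counts = {}
    for result in results:
        counts[result["verdict"]] = counts.get(result["verdict"], 0) + 1
    return counts


# Constructed sample scanner output; "CVE-XXXX-000N" are placeholders.
FINDINGS = [
    {"host": "web01", "package": "apache2", "fixed_version": "2.4.51", "id": "CVE-XXXX-0001"},
    {"host": "web01", "package": "openssh", "fixed_version": "8.4", "id": "CVE-XXXX-0002"},
    {"host": "db01", "package": "postgresql", "fixed_version": "13.4", "id": "CVE-XXXX-0003"},
    {"host": "db01", "package": "libxml2", "fixed_version": "2.9.12", "id": "CVE-XXXX-0004"},
]

# Constructed package inventory, as a patching team would pull from its hosts.
INVENTORY = {
    "web01": {"apache2": "2.4.49", "openssh": "8.4-1"},
    "db01": {"postgresql": "13.2"},
}

if __name__ == "__main__":
    checked = validate_findings(FINDINGS, INVENTORY)
    for item in checked:
        print(f"{item['host']:6} {item['id']:14} {item['verdict']:15} {item['evidence']}")
    print(summarize(checked))
```

Of the four constructed findings, two are confirmed with version evidence, one (openssh already at 8.4-1) is a false positive, and one cannot be verified because the inventory has no record of the package. That is the honest answer to “one finding is wrong, so the report is wrong”: concede the one, show the evidence for the rest, and flag the gap in the inventory as its own action item.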
I’ve seen people with advanced degrees and one or more advanced security certifications fall victim to this tactic. They had tremendous amounts of book knowledge. But the books can’t possibly prepare you for everything you’ll see in the field.