Last Updated on November 20, 2018 by Dave Farquhar
IT jobs are getting scarce again, and I believe it. I don’t have a cure but I have a suggestion: Specialize. Specifically, specialize in security.
Why? Turnover. Turnover in my department is rampant, because other companies offer my coworkers more money, a promotion, or something tangible to come work for them. I asked our CISO point blank if he’s worried. He said unemployment in security is 0.6 percent, so this is normal. What we have to do is develop security people, because there aren’t enough of them.
I made that transition, largely by accident, so I’ll offer some advice.
Finding relevant work experience
The most important thing is just to find the field of security that relates to what you’ve already done. I’ve been a sysadmin almost half my life, and early in my career I got stuck with the duties nobody wanted, like deploying patches. Deploying patches happens to be a critical security duty.
When I moved to security, I did a lot of policy work. I liked the money and I guess I was OK at it, but then I got a job auditing patch deployments and creating monthly metrics and analyzing where we are versus where we want or need to be. That’s called vulnerability management.
It related directly to my old work. I had to learn to think like a bad guy, to think about how I would exploit a network the day after Patch Tuesday in order to set priorities, but that’s a journey that any competent sysadmin ought to be able to take. The other half of the job is being able to estimate the levels of effort involved, in order to keep my bosses’ and the sysadmins’ bosses’ expectations realistic. Then I had to figure out how to use that information to collaborate.
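As an added worked example (not the author's own tooling), here is what the vulnerability-management loop described above looks like in code: findings from a scanner export are ranked the way an attacker would pick them the day after Patch Tuesday, rolled up into a percent-within-SLA metric per severity band, compared against a target, and turned into a rough level-of-effort figure per patch. The findings, host names, patch identifiers, SLA thresholds, tier weights and hours-per-host figure are all constructed assumptions, not real data.

```python
"""Patch-compliance metrics and remediation priority from a scanner export.

Added worked example. Every constant and every finding below is a constructed
assumption; substitute your own scanner export and SLA policy.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    patch: str            # vendor patch / KB identifier (constructed)
    cvss: float           # base score reported by the scanner
    exploit_public: bool  # scanner flag: a working exploit is public
    days_open: int        # days since the vendor released the patch
    tier: str             # asset tier: "external", "internal" or "lab"


# Assumed remediation SLAs in days, by severity band.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
# Assumed exposure weights: an internet-facing host matters more than a lab box.
TIER_WEIGHT = {"external": 1.5, "internal": 1.0, "lab": 0.5}

# Constructed scanner export for a small estate (not real hosts or patches).
SAMPLE = [
    Finding("web01", "KB-A", 9.8, True, 20, "external"),
    Finding("web02", "KB-A", 9.8, True, 3, "external"),
    Finding("app01", "KB-B", 7.5, False, 45, "internal"),
    Finding("app02", "KB-B", 7.5, False, 10, "internal"),
    Finding("db01", "KB-C", 5.3, False, 120, "internal"),
    Finding("lab01", "KB-A", 9.8, True, 60, "lab"),
    Finding("lab02", "KB-D", 3.1, False, 10, "lab"),
]


def severity(cvss: float) -> str:
    """Map a CVSS base score onto the usual four severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def is_overdue(f: Finding) -> bool:
    """True once a finding has been open longer than its band's SLA."""
    return f.days_open > SLA_DAYS[severity(f.cvss)]


def priority_score(f: Finding) -> float:
    """Rank like an attacker the day after Patch Tuesday.

    A public exploit on an internet-facing host outranks a higher CVSS score
    on an isolated lab machine, and anything already past SLA gets a bump.
    """
    score = f.cvss + (3.0 if f.exploit_public else 0.0)
    score *= TIER_WEIGHT[f.tier]
    if is_overdue(f):
        score += 1.0
    return round(score, 2)


def ranked(findings):
    """Findings in the order the sysadmins should work them."""
    return sorted(findings, key=priority_score, reverse=True)


def compliance_by_severity(findings):
    """Monthly metric: open, overdue and percent-within-SLA per severity band."""
    open_, overdue = defaultdict(int), defaultdict(int)
    for f in findings:
        sev = severity(f.cvss)
        open_[sev] += 1
        if is_overdue(f):
            overdue[sev] += 1
    return {
        sev: {
            "open": open_[sev],
            "overdue": overdue[sev],
            "within_sla_pct": round(100.0 * (open_[sev] - overdue[sev]) / open_[sev], 1),
        }
        for sev in open_
    }


def gap_to_target(metrics, target_pct=95.0):
    """Where we are versus where we need to be: bands still below the target."""
    return sorted(sev for sev, m in metrics.items() if m["within_sla_pct"] < target_pct)


def effort_by_patch(findings, hours_per_host=0.5):
    """Rough level of effort: distinct hosts to touch per patch, and assumed hours."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f.patch].add(f.host)
    return {p: (len(h), len(h) * hours_per_host) for p, h in hosts.items()}


if __name__ == "__main__":
    for f in ranked(SAMPLE):
        print(f"{priority_score(f):6.2f}  {f.host:6}  {f.patch}  {severity(f.cvss)}")
    metrics = compliance_by_severity(SAMPLE)
    for sev, m in metrics.items():
        print(sev, m)
    print("below target:", gap_to_target(metrics))
    print("effort:", effort_by_patch(SAMPLE))
```

The point of the scoring function is the one made above: CVSS alone does not tell you what to patch first. The same critical finding lands on `web01`, `web02` and `lab01`, but only the two external hosts float to the top, and the overdue one goes first. The effort table is what you bring to the sysadmins' bosses: patch `KB-A` touches three hosts, `KB-B` two, which is the number that sets expectations about how fast the metric can move.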
Even if you’re not super-interested in the CISSP, going through the exercise of figuring out what parts of your work experience counts toward that certification will help you find your place in the security world.
The problem with job descriptions
Admittedly the move can be tricky. If you search job boards for security job descriptions, there's virtually nothing in them to distinguish one from another. Going by the job descriptions, every security job is ensuring compliance with company policy and legal requirements, working with vendors and partners in infrastructure, and contributing to the company's information security awareness program. Seriously, that's every job I've applied for in the last four years, even though the roles have been very different in practice.
How to become security literate in a hurry
Here's what I recommend. Get a book on the CISSP, even if you don't plan to get the certification. Get an old one because it's cheap; the domains get reshuffled every few years, but the fundamentals you're skimming for don't change. The next step is to find the parts of the book that don't put you to sleep or make your head explode. I can think of three approaches: skimming chapters, skimming the table of contents, or skimming the index. There may only be 10 pages in that 1,000-page book that interest you, but that doesn't matter. What matters is knowing which 10 pages they are.
Next, figure out how that portion that interests you relates to your experience. That may require some searching but it’s worth it.
The last step is listening to some security podcasts. For getting started in security, I really recommend Liquid Matrix Security Digest. Start with episode #1 and listen all the way to their most recent one. Their news segments will be a bit dated, but there’s plenty of wisdom in their discussion about the old news, and they talk quite a bit about security practices. Liquid Matrix is the perennial runner-up for the best security podcast, but for someone who’s trying to learn about the industry, I think it’s the best one by a long shot.
Another good one to listen to is the SANS Internet Storm Center. Recorded every single weekday, it’s a 5-6 minute high-level overview of what’s going on right now.
Think of how the things they talk about on those podcasts relate to what you know, and when they talk about things you don’t understand, do some Google searches to learn. You’ll be surprised how quickly you pick it up.
Listening to a couple of podcasts won’t make you an expert, but I’ve given that recommendation to a number of people and you’d be surprised how few show the initiative to listen.
Transitioning to security
I can’t guarantee that doing these three things alone will get you into your first pure security role, but it will give you a leg up. Finding the 10 pages of a 1,000-page security book that interest you and listening to 64 hours’ worth of Liquid Matrix podcasts takes some effort and shows some initiative. And I do know people who were hired for roles where they weren’t necessarily the best fit just because the hiring manager didn’t want them to slip away. They plugged them in to the best fit they could manage, played them out of position in that role for a year or two, but then, when a good opening came up, moved them into that better role.