When I first started interviewing for security jobs, I remember some of the jargon confusing me. “Infosec” was one of those terms. Getting that first job is hard enough without getting your resume binned over not knowing the word infosec. So what is infosec, what does it stand for, and how do you talk intelligently about it?
What does infosec stand for?
Infosec is a contraction for “information security.” It’s a subset of cyber security, and generally means the process or operations or “hands on” side of security. Some recruiters overcomplicate it, but it’s exactly what it sounds like.
I largely came up in the government space, so I never heard the term until I moved back into the private sector. It’s entirely possible you’ve practiced infosec without even knowing it. Just be aware that the similar-sounding term information assurance actually means the opposite. Information assurance refers to policy. You often hear that in government contracting jobs. I linked the two terms and that probably set me back.
When you’re applying for jobs, you need to get a feel for whether it’s more of a policy-focused job or an operations-focused job. I’ve seen large companies reuse the same job description for every security position, so it pays to ask questions. Infosec is one of those buzzwords that gives you a clue not to be talking policy. A good recruiter will steer you toward the right position, but not all recruiters know the difference.
Laziness in writing job descriptions is probably one of the reasons companies can’t find security talent, but they’re used to having 100 people who want every job they post. In the security field, they don’t have that upper hand. But that doesn’t stop them from behaving as if they do.
What is an infosec program?
An infosec program is the half of a security program that refers to the operational or hands-on side of security. These are people who do things like investigate incidents, configure firewalls, and scan for vulnerabilities. If you’re like me and can do both policy and operations work, try to get an idea from the recruiter what the job actually does. I’ve applied for jobs that looked like policy jobs only to be told they were looking for someone with hands-on experience.
If, like me, you have sysadmin experience, you probably want to veer toward infosec rather than policy. I had some success working policy jobs, but didn’t find it fulfilling and it probably showed. If your dream is to become a penetration tester, this is the side of the house to start on.
The kinds of departments you’ll find in an infosec program include data forensics, incident response, a security operations center, vulnerability management, firewall administration, and even attack simulation. You may still get pulled into the policy side from time to time. But it should be in an advisory role, rather than rather than actually running meetings and writing the policy.
What kinds of skills do you need to work in infosec?
The more you know about how computers work, the better you’ll do in infosec. I was a crackerjack desktop support guy early in my career, and that experience lended itself well to incident response. I actually did a fair bit of incident response between 2000 and 2008 without realizing that was what I was doing. Knowing what system processes do, where the various logs live in the system, and being able to pick out what files don’t belong somewhere are all useful skills in data forensics and/or incident response.
To work in vulnerability management, you can’t know enough about patching. Working in vulnerability management without having patching experience is like coaching a sport you never played outside of PE class. I know people who’ve done it, but it’s an uphill climb.
If you work in firewalls, knowing a lot about networking is key. You also need to be good at analysis, because two rules can easily break each other without it being obvious to a casual observer why that is.
And finally, regardless of where you work in infosec, being able to code a little is increasingly important. Our tools frequently don’t do everything we need them to do. Being able to hit an API, pull some data, manipulate it, then feed that data into another tool or back into the tool where it came from is a crucial skill. Which language to learn is a matter of religious debate. Windows shops tend to prefer Powershell, since all modern versions of Windows come with it. Other shops prefer Python. Python always was cross-platform and is easier to learn. But if you can get things done with code, I think that matters more than which language you prefer to write in.