A side note for my fellow geeks who are already in information security: I encourage you to read and share this post. Take the time to spread some bits of wisdom, start a conversation, and encourage those willing to step up. We all know there’s an extreme shortage of talent in our industry. The more skilled professionals we can get to join us on the frontlines, the better.
As the leader of Red Canary’s Security Operations Center (SOC), I’m in charge of finding world-class SOC analysts. I’m frequently asked: “What are you looking for?” or “How do I get my start in InfoSec if I have no experience?” Many thought leaders in the field have written about this before but I want to discuss it from the lens of someone in charge of hiring, and specifically from the view of joining the Red Canary security team.
I’m going to break my thoughts down into a two-part series of recommendations:
- Part One: How to get a job in InfoSec if you’re new to the industry
- Part Two: Preparing for and interviewing for an information security analyst job
How to Get a Job in InfoSec
So you want to be a security professional. Good. We need more qualified individuals. Note that I did say “qualified,” which will be a key point to this topic. There seems to be a growing trend in people thinking that because they have security somewhere on their resume, they are immediately qualified and don’t have to work their way up.
One of the most common questions I hear is, “How do I get a job in InfoSec if I haven’t worked in security before?” If you’re just starting out in the industry, here are four steps to help answer that question.
Step 1: Make sure you’re doing it for the right reasons.
Forget every buzzword and hot marketing term that made you think the field was cool. If you are looking at this as a career path because the market is hot, you can make ton of cash doing it, or any other reason besides having a true passion and interest, please look elsewhere. Think of getting into information security like you’re one of the guys trying to join Tyler Durden and Project Mayhem. You cannot just walk in the front door; you have to put in your time and stubbornly try. If you understand that reference, we are at a good starting point.
Step 2: Start with what you know.
Erase any ideas that there is an easy, structured, or direct path. Like anything else worth doing, getting your start in information security usually means you start at the bottom and work your way up. There is no magical shortcut. So the question is: where do you begin that climb? Start by looking at what you already know. Are you a solid developer, a rock star sysadmin, a first year college student, or some other special and unique snowflake? Use the skills you have and build from there. Every security role builds on some other core IT skill set. For example, to be a great exploit developer, you should first have a solid understanding of coding techniques. If you want to focus on forensics, you should already have a deep understanding of operating systems.
Step 3: Build your knowledge.
There are two common (but not mutually exclusive) ways to build your knowledge. The first is through work experience. If you are looking to get into an information security role, look first at what entry level IT jobs exist that will help you build those skills. The other is through training. When I mention training, I am not exclusively talking about actual classroom time (although that helps). Train in the same way an athlete trains. They go out and work and do the thing they are competing in to improve their skills. The same holds true for security professionals. A wealth of information and free tools are available nowadays to help someone get their start in just about any field with a low cost of entry. Start putting in the effort to learn and develop yourself.
Here are a few resources to get you started:
- Forensics SANS has an OSS VM for forensics
- Kali Linux on the pentest side for tools
- Any Linux distro for learning an operating system
- Plenty of documentation on Ruby and Python from a coding aspect
- Any GitHub page of your favorite security contributor (Casey Smith is Red Canary fave)
- Red Canary blog (shameless plug)<
Step 4: Talk to people.
This is hard because many of us are introverted, and we tend to gaze at other people’s navels rather than talking to them. However, there is a huge community of people who enjoy talking, sharing and engaging with each other about all things security. Most security professionals got into the field because they love it. Getting paid for it is just a side bonus. Join online communities like Spiceworks and SANS DFIR mailing list, show up at meetups, and engage in conversation. Some great meetups to check out: Bsides, Defcon Groups, Burbsec in Chicago, and any local InfoSec meetup.
At the end of the day, getting a start in information security does not require any different skills than any other career. It just takes some dedication, effort, and humility to be willing to start at the bottom work your way up.
Make sure to read Part Two of this blog series: Information Security Interview Questions, Answers & Advice. I share real-world interview questions and practical advice based on the interviews I conduct.