I’ve been asked this question a number of times and I cannot believe it’s taken me this long before I scribbled out something to point folks to. Keep in mind this is intended to be a brief set of general guidance. Your aspirations and experience may chart a different course; deviations are welcome and encouraged. This is simply a quick set of topics I give out as general starter advice.
If this is useful to you, please let me know and I'd be happy to author more specific guidance to suit, or maybe resurrect the "90-Day Plan to a Security Program" series that has been on my to-do list for some time, which is intended to give a holistic overview of the expectations of an information security, privacy, governance, and risk organization.
That said, we continue:
Everyone Codes
It should come as no surprise that if you are interested in IT, Engineering, or Information Security, you should have some familiarity with code. This is not to say that you need to be a full-time Software Engineer (SWE), but that you should feel comfortable with (a) the console (Linux preferred), meaning SSH plus Bash or PowerShell; (b) a "toolkit" language (more on this below) such as Python or Go; and (c) a data manipulation language such as SQL, Lucene query syntax, or VizQL (the visual query language behind Tableau).
I've found that having some experience with all three gives you a well-rounded base for tackling any problem in the Security space without over-indexing on something specific to a single discipline.
Security is 7 Parts Consistency, 2 Parts Creativity, and 4 Parts Grit
The points are made up and should always add up to a prime number. The key to this part is that, above all, Security is about CONSISTENCY. You achieve consistency through automation, code, documentation, and training (both education and BCP/DR drills). Look over any well-known breach and a theme quickly emerges: it wasn't the thousands of systems we secured "well enough", it was the misconfigured S3 bucket a contractor set up to do "that one thing that one time" that no one looked at for two years.
This implies two core requirements:
1. Everything must go through some hardening and inventory process. Build a foundation to manage this, acknowledge that it will always be a moving target, remember that perfect is the enemy of good, and treat coverage % as the KPI.
2. Any excuse or exception request that tries to avoid item #1 should GOTO item #1. Yes, I am looking at you, "but it's just an R&D POC that will never see production use".
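To make the two requirements concrete, here is an added example (not code from the original post) of the reconciliation that produces the coverage KPI. It is a stand-alone Python script with constructed inventory records and scanner output embedded inline; the asset names, dates, and the 90-day freshness window are assumptions. The two design choices that matter are that anything the scanner discovers but the inventory does not know about still counts in the denominator (the contractor's bucket drags the number down instead of hiding), and that an approved exception only annotates an asset, it never removes it from the count.

```python
from datetime import date, datetime

# Constructed sample data, standing in for a real CMDB export.
INVENTORY = [
    {"id": "web-01", "owner": "platform"},
    {"id": "db-01", "owner": "data"},
    {"id": "bastion-01", "owner": "infra"},
    {"id": "rnd-poc-7", "owner": "research"},
]

# Constructed sample data, standing in for a hardening scanner's output.
# Note the bucket that nobody put in the inventory.
SCAN_RESULTS = [
    {"id": "web-01", "status": "pass", "scanned": "2024-05-20"},
    {"id": "db-01", "status": "pass", "scanned": "2024-01-10"},
    {"id": "rnd-poc-7", "status": "fail", "scanned": "2024-05-30"},
    {"id": "contractor-bucket-2019", "status": "fail", "scanned": "2024-05-30"},
]

# Exception requests: asset id -> justification. They annotate, never exclude.
EXCEPTIONS = {"rnd-poc-7": "R&D POC, will never see production use"}


def _parse(day: str) -> date:
    return datetime.strptime(day, "%Y-%m-%d").date()


def reconcile(inventory, scan_results, exceptions, today, max_age_days=90):
    """Return a coverage report: who is covered, who is not, and why."""
    inv_ids = {a["id"] for a in inventory}

    # Keep only the most recent result per asset.
    latest = {}
    for r in scan_results:
        when = _parse(r["scanned"])
        if r["id"] not in latest or when > latest[r["id"]][1]:
            latest[r["id"]] = (r["status"], when)

    # Everything either side knows about is "known"; coverage is measured
    # against that union, not against the inventory alone.
    known = inv_ids | set(latest)

    covered, stale, failing, never_scanned = [], [], [], []
    for aid in sorted(inv_ids):
        if aid not in latest:
            never_scanned.append(aid)
            continue
        status, when = latest[aid]
        if status != "pass":
            failing.append(aid)
        elif (today - when).days > max_age_days:
            stale.append(aid)
        else:
            covered.append(aid)

    # Seen by the scanner but absent from the inventory: item #1 applies.
    unmanaged = sorted(set(latest) - inv_ids)

    # Exceptions are reported alongside the gap they request; the asset
    # stays in every list above exactly as if no exception existed.
    exception_report = {
        aid: reason for aid, reason in exceptions.items() if aid not in covered
    }

    coverage_pct = round(100 * len(covered) / len(known), 1) if known else 0.0
    return {
        "coverage_pct": coverage_pct,
        "known": len(known),
        "covered": covered,
        "stale": stale,
        "failing": failing,
        "never_scanned": never_scanned,
        "unmanaged": unmanaged,
        "exceptions": exception_report,
    }


def demo(today=date(2024, 6, 1)):
    """Run the reconciliation over the constructed data above."""
    return reconcile(INVENTORY, SCAN_RESULTS, EXCEPTIONS, today)


if __name__ == "__main__":
    report = demo()
    print(f"coverage: {report['coverage_pct']}% of {report['known']} known assets")
    for key in ("stale", "failing", "never_scanned", "unmanaged"):
        print(f"{key:14} {report[key]}")
    for aid, reason in report["exceptions"].items():
        print(f"exception      {aid}: {reason} (still counted as uncovered)")
```

Run with no arguments; only `web-01` ends up covered, so the KPI reads 20% of five known assets rather than the 25% of four you would get by ignoring the discovered bucket, and the POC with the approved exception is listed under both `failing` and `exceptions`.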
Security is dull. It requires a sharp mind to pick out the inconsistencies and anomalies in that 1-in-1,000,000 event that rolls past. You must have a mind that mixes the desire to improve with the grit and determination to weed through gigabytes of data to prove a suspicion that something may not be right. Then use your charming personality to convince others that your finding is worth investing in, without claiming the sky is falling every other moment.
The best day is a day where an incident did NOT occur.
Certifications & Degrees Open Doors, Experience Lands Jobs
Security often runs against the grain of other IT disciplines, where a Bachelor's is seen as the minimum bar to be looked at. A degree is not unimportant, but it is always seen as less important than experience. Security is one place where hiring managers will create two stacks, one with degrees and one without, then start with the stack without degrees in search of interesting experience.
Certifications are often not worth the paper they're printed on unless they're backed by direct experience in the specialty. Most professionals I know will actually discount a candidate who holds a certification without a clear link to the experience that built the knowledge behind it or applied the certification's domain.
I personally look for the CISSP from ISC2, as it is the industry standard for "general" understanding. I don't care if you obtained it last week or 20 years ago (the material is updated, but it fundamentally does not change); this certification carries weight in the industry. Second, I look for certifications from authorities that are known to vet the candidate beyond passing an exam. ISACA does a good job with this: after the exam, a personal vetting of the candidate begins, requiring attestation of experience from no less than two unrelated individuals. Contrast this with the AWS exams, nine of which I took and passed within four weeks (thanks Rigo for the competition!).
What to do if you have no experience?
This is always tough in the context of Security, as it is home to both the "most" experienced folks and the least experienced ones. Like all things, the trick lies in getting involved so you can demonstrate some level of experience. Often this takes the form of volunteering for a project that partners with the security team on some assignment if you're employed, or simply contributing to security projects. Become active, and I mean ACTIVE, not just a silent participant, in a local chapter or a project where you can point to your contributions. Build your portfolio. Take part in Capture the Flag events (solo or competitive), Hack The Box, AppSec events, or become a peer reviewer on governance feeds.
Demonstrate that you are interested and willing to be a self-starter. Show that you can learn and have the perseverance to keep showing up until you are accepted. Also, if a company you're interested in is sponsoring some event, stopping by their booth to chat with a recruiter or hiring manager goes a long, long way.