
Breaking Into an Information Security Career - mastadumpa
https://bitrot.sh/post/01-24-2018-breaking-into-security-career/
======
zer01
This is along the lines of the advice I also give people, it generally boils
down to a few things:

\- Be hungry - I'm willing to spend _hours_ with someone who's hungry and just
lacks knowledge or a mentor

\- Be humble - Always underplay what you know; especially in a market where
people wildly overestimate their skillset, being humble sets you apart

\- Do open source stuff - It's a great indicator not only that you're willing
to fail publicly and be ok with it, but it's also a great way to show your
progression as an engineer. It also shows you can deal with occasional asshats
on the internet (hopefully).

\- Differentiate yourself somehow - Being knowledgeable about IT is only one
of those ways (though probably the best IMO); if you can have security skills
_and_ a sense for business, or security skills _and_ hardcore networking
experience (think Cisco certification), etc., you'll almost automatically shoot
to the top of any stack of resumes.

~~~
DaveWalk
This is overall great advice for anyone in any field. Being hungry, humble, an
active member of the community and developing your own niche is great advice.

------
peterwwillis
This reads a bit like a troll from my perspective, but I could be wrong.

First of all, it's 2018. Don't pay for a cert unless you are trying to get
into an industry you know nothing about _really fast_ , in which case you will
be hired by idiots or abusive exploitative companies (or governments).
Studying certs is a good way to identify the processes/requirements of
infosec, but paying for one is like paying for a certificate that says you
learned how to cook. If someone talks to you about cooking they can tell if
you have ever actually done it.

Second, forget working your way up, IT, tic tac toe. There's so much more to
know that this really doesn't begin to explain. You want to know how
technology is managed in a business, which is IT, but then there's the
software dev and product dev and project management and admin, etc. Then
you'll want to actually know how to not only develop software, but how to do
it so it's secure. And then you'll want to know how to find software that
isn't secure, and exploit it. And then you'll want to know how to prevent it.
That is a metric shit ton of information. Experience and talking to people who
know can help speed this up, and you can skip a lot of it for specific
positions, but this certainly is more demanding than becoming a DBA.

Third, 2600 meetings are a great way to waste your time. I should know. I
started one when I was 16. Conferences are great ways to network and find
people hiring, and cheap if you can get a ticket to a "real" con and not a
trade show for people expensing their trip to Vegas. But stay away from
unprofessional egotists full of the lore of the elite hacker. And generally
just stay off of IRC. There's so many snobby douchebags still holding on to
their little cliques, it's generally a soul crushing waste of time to court
them. Talk to people who work on teams at real companies, or know people who
do.

Infosec is one of those jobs where you basically just have to learn what the
processes are and have a firm grasp of all the concepts, and know the latest
tools and trends, and you can get a job. (Come to think of it, that's every
tech job...) So besides knowing the ins and outs of how businesses interact
with technology (regulations, standards & practices) you also need to know how
security firms do business (procedures, positions, services, etc).

But, yeah, don't go this route if you want a real career. Learn it from the
bottom up by studying it like it was a job maintaining nuclear reactors, but
keeping in mind it's basically just monkeys running tools and generating
reports.

~~~
am_the_author
I'm the author of the blog post. I assure you it's not a troll or satire.
Certifications have a stigma; however, there are still industry standards that
hold weight. GCIH, GCIA, SANS, OSCP are all well respected.

Second. I am for the most part speaking to how I got into the field. You DO
NOT by any stretch of imagination need to know secure coding, how to find
exploits in code, etc. Sure if you want to gun straight for a senior role it
would help but if you don't have corporate experience it's not going to get
you in the door any faster than working your way up.

Third. I'm not even sure what to say to that. You come off as one of those
egotists you speak of. Maybe the 2600 meetings in your area are not good.
That's not to say they are all the same. Stay off IRC? Again, not all channels
are the same.

In your last paragraph you basically spell out what the certifications I
mention literally do for you: learn the processes, trends, latest tools, etc. I
think you're the one trying to troll.

------
solipsism
Certifications? Do people here second that recommendation? I'm very skeptical
of the certification industry.

~~~
loteck
If there is any point whatsoever to IT certifications it is to act as a
minimum level legitimizer for those willing to acknowledge a lack of
experience. Claiming certs have no value is to claim knowledge has no value.

~~~
zer01
> is to act as a minimum level legitimizer for those willing to acknowledge a
> lack of experience

True, but there are a _lot_ of bullshit certifications out there that either
1.) vastly overproject the actual knowledge people glean from them (CISSP and
friends) or 2.) are unrecognized to the point that they're useless.

~~~
loteck
The certs aren't bullshit, it's how they are used by companies that makes them
appear to be bullshit.

What logically follows from my grandparent post is that people who can
demonstrate vast experience shouldn't be asked to hold beginner certs. But
companies do this _all the time._ It perpetuates a false impression that a
beginner cert is actually aligned with advanced knowledge, which sets up
people to complain about "bullshit certs" on internet forums.

------
qaq
The shortage is huge if you are smart and have IT background many companies
will train you.

~~~
symlinkk
Like who? I have better than an IT background, I have a degree in software
engineering and a couple of years experience and have never been seriously
considered for an infosec position.

~~~
marpstar
I'm a "software engineer", but I know plenty of other "software engineers"
who know less about TCP/IP than IT people I know. What about being a SWE makes
you feel more suited for the job?

~~~
Mandatum
This is part of the problem with hiring in InfoSec. I was turned down years
ago for a role as a junior because I didn't know enough about some very
specific, foundational technology. I joined a consultancy and within a year I
was speaking at those same conferences where I had met that would-be employer.

In an hour you can go over only a finite amount of knowledge; I was asked
about aspects of technology I knew very little about because I hadn't tried
anything in that space (FWIW it was a segment of networking). To pass over
candidates based on a minute lack of detailed knowledge is, to me, crazy.

It's like interviewing a builder and asking them if they know where the
majority of local maple wood comes from. Who cares, and if you need to know -
Google it! Great, now you know more than you ever needed about the local maple
industry!

YMMV, sample size 1, etc

~~~
fancyfacebook
If you're speaking at conferences then you are doing your infosec career
wrong.

~~~
Mandatum
If I was a fully funded academic, I'd agree with you. But the reality is I
trade my time for money - to maximize the latter, appearing as a "leader" in
my field requires I give talks to both technical and business tracks. The
former _might_ pay my bills (if they're a successful tech startup), the latter
definitely will.

Conferences are great for networking and entertaining. They're not great for
learning new stuff, there's much better media out there. I'm not sure what
your gripes are with it.

------
senatorobama
I'm a EE working in the chip industry who's got an understanding of mostly how
everything electronic works. Do you think this industry pays higher than SV?

~~~
Mandatum
There are many roles; on _average_ in the US I'd say InfoSec pays
higher than Software Engineering roles - however, worldwide I'd say there are
many more engineering roles, and many more roles that pay higher salaries.

In saying that, the top-tier InfoSec guys get paid buckets and buckets of
money - usually through non-traditional means (i.e. bug hunters making $2-3M/yr
on private bounties). That's 1% of the 1% though.

Can you make your question a little bit more specific?

~~~
senatorobama
How do you get into the top 1% of bug hunters?

------
cuetzali
Thanks for the post and sharing your way into infosec! Any resources you'd
recommend for staying up to date with new malware and vulnerabilities?

------
poirier
Nice title.

------
cylinder
Is this satire?

------
adricnet
The advice is pretty good overall, but the excessive profanity is
unprofessional and distracting.

It is interesting that he values "SANS" certifications, but not the courses
for them.

Besides my own rambling[1] you might find these resources valuable instead:

* [https://tisiphone.net/category/security-education/](https://tisiphone.net/category/security-education/)

* [https://krebsonsecurity.com/category/how-to-break-into-secur...](https://krebsonsecurity.com/category/how-to-break-into-security/)

* [https://s3ctur.wordpress.com/2017/06/19/breaking-into-infose...](https://s3ctur.wordpress.com/2017/06/19/breaking-into-infosec-a-beginners-curriculum/)

[1] [http://dfirnotes.net/](http://dfirnotes.net/) etc.

hth,

adric

~~~
zer01
> the excessive profanity is unprofessional and distracting

I strongly disagree. Most security shops I've been in are made up of people
who are blunt and speak exactly like that. You absolutely _do_ need to be able
to conduct yourself professionally in a professional setting, but when giving
advice to folks I tend to use the most informal language I have, which
sometimes means this level of profanity.

Not sure how it's distracting.

~~~
FLUX-YOU
Besides, you're supposed to all be jaded and curse as a coping mechanism
because someone just launched a site with a plaintext password database

~~~
zer01
This...is actually 100% true. One of the biggest struggles I've personally had
in security is to _not_ be super jaded and cynical. Helps immensely to not be
in an organization that tolerates (or even rewards) shoddy security practices
(at least that's how I solved it).

~~~
adricnet
I do agree. That's actually part of why I called out the language: maintaining
balance (as well as not cussing in front of the wrong people) is a critical
skill for security professionals and sorely lacking in many would-be
candidates.

His educational advice was good but the attitude he shares via diction is
unhelpful at best especially to folks who do not _yet_ have an awesome job in
infosec.

Thanks, have a great weekend, cheers,

adric

