A lot has been written about the explosion in information or cyber security jobs now and in the coming years. For the infosec analyst role alone, he Bureau of Labor Statistics predicts 18% growth through 2024, much higher than average. The median pay in 2016 was also near six figures. Thanks to high profile DDoS attacks and data breaches, I no longer have to explain what a security architect does to family, friends, and acquaintances. More often, the questions I get are about how to get into the information security field, due to the immense number and quality of opportunities available now and for the foreseeable future.
Personally speaking, my career started in the late 90s in desktop support. At that time, I had previously dismissed a job in computers because I wasn’t very good at or interested in programming or coding. Aside from computer science (CS) degrees, the other college programs available were in management information systems (MIS). Neither of those traditional degree programs directly prepare a person for a career in information technology (IT), much less information security. Only in the last decade have degree programs focused on hard skills in network engineering and cyber security become prevalent.
Even with a degree, there is still no replacement for hands-on experience. Troubleshooting operating infrastructures, implementing new architectures, and re-engineering old ones. There are elements of the infosec practice that can only be gained from seeing what happens in practice. How will users and adversaries alike compromise systems? What are the realistic remedies and practical responses? Some certification programs like CISSP, OSCP, and CEH seek to validate information security skills and knowledge. However, these certifications are not intended to replace foundational skills in application development, network engineering, and systems administration.
Information security is a discipline borne of an understanding of other disciplines and where their vulnerabilities lie. Perhaps the most vital traits common to most infosec professionals are curiosity and paranoia. Curiosity leads to probing for where infrastructure elements are broken, might be re-engineered, or otherwise co-opted for other than the intended purpose. A little (healthy) paranoia encourages us to make no assumptions about the inherent security of any element of the infrastructure, from the user to the browser to the application, server, and network itself.
While degrees in cybersecurity are available, entering the infosec workforce directly from college or a certification program can be very challenging. Pursuing a role as an application developer, desktop support technician, systems administrator, network engineer, or other IT role outside of the specific information security purview is often a great entrypoint. This path enables fledgling infosec professionals to gain invaluable experience in practicalities of how information systems are truly implemented and operated.
Regardless of the path you take, infosec has vibrant and supportive communities available no matter the geography or specific discipline. Organizations like SANS, (ISC)2, ISSA, OWASP, and Security B-Sides offer local chapter meetings where it’s possible to connect with peers and mentors in any field of infosec passion. On the topic of mentorship, the recently rebooted InfoSec Mentors project has been gaining great reviews. Co-founded by infosec veterans Jimmy Vo and Keith Hoodlet, the project matches mentors with protégés for free based on interest, goals, experience, and availability. Twitter also features many of infosec’s most vocal activists, hackers, researchers, and other professionals. Many engage very freely with so-called newbies and are willing to share their wisdom and guidance.
The opportunities in and avenues to a career in infosec are as varied as the people and the disciplines within information security. Getting engaged with the community is the best way to find opportunities and guidance. Trust in curiosity and a healthy dose of paranoia, and don’t be afraid to share ideas and ask questions in the community and in your current job – even if it isn’t yet specifically focused on infosec. Better security on the Internet improves safety for everyone, which can make an infosec career as fulfilling as any other.