More Inspiring Advice from InfoSec Pros

July 13, 2015

This is the third in a series of posts on other people’s advice for growing your information security career. The first two posts are here and here. Thank you to all of the people who contributed to each post. I’ve linked the header before their quote to their LinkedIn profiles so you can read more about them.

Recognize that it is a journey. It is a marathon. It is not a sprint. A voyage that, despite best efforts, will take several twists and turns. Some expected, some not. Steps taken should be purposeful. Be confident and do your very best to follow the path.

“There is a difference between knowing the path, and walking the path.” — Morpheus

During your journey, you must also recognize that we are sometimes at the mercy of destiny. Always be prepared for opportunity, and consider the following high-level guidance on being a better you, while aspiring to a career in Information Security.

  • Commence your journey with a solid plan, established long-term goals, and a sound educational base, preferably in STEM (Science, Technology, Engineering, or Math).
  • Constantly seek counsel or mentorship from much more experienced individuals or leaders. In this context, both general (e.g., being a better professional) and specialized (e.g., being a better security practitioner) career guidance.
  • Develop and maintain a robust professional network in your desired discipline. We become like those with which we associate. Be sure those are good people. You may be needing their support.
  • Seek employment opportunities that align with your plan and will support you with meeting the next objective towards achieving your long-term goal(s).
  • Live it, and mean it. This isn’t the type of career that one solely practices 9-to-5 while hoping to differentiate oneself from the crowd. Most successful InfoSec professionals live Information Security long after the workday is done. It is their passion.
  • If at all possible, select a leader/manager that will champion and support you in achieving your goals. I cannot stress the importance enough. You’ll be lucky to find one that is genuine about it, but rest assured, they are out there.

Lastly, do not seek to be the smartest, or the brightest on the team, or in the group. Be the one that is most humble, and open to learning. Do not fear mistakes, learn from them. Then, you truly will have succeeded.

  • Success in life comes from an escalating process of Learn -> Do -> Teach
  • Learn — Measure your job in terms of learning, not in dollars per hour. Leave when it’s a dead-end in terms of “can’t learn anything new” not when the dollars max out or when you can’t be promoted to an arbitrary hierarchy. That will put you in a position to go for the really important jobs later in life.
  • Do — Talk to people you hate. Go to tea party groups if you’re liberal and vice versa. Spend a bit of time with the crazy (non-violent) extremists and try to understand their point of view. Get your media news from BBC, Al Jazeera, CNN, MSNBC, and FOX News and your Internet news from a similarly diverse set. Learn how those people think so you can use their language (metaphors and narrative) when you talk to them.
  • Teach — If you’re stuck, get involved in an open source project. If you can’t code, focus on improving their documentation and project management. Make HowTo videos and posts. It gets your name out there and it allows you to teach.
  • Then start the cycle over again. As you teach, you’ll realize that there are new things to learn. As you learn those, you’ll find there are more interesting things you want to do. As you do these things, you’ll find that you’ll want to teach others how to do them too. So long as the cycle never stops, and you manage your time well (Read Getting Things Done by David Allen), things will keep on getting better.

All the basic advice: Learn Python, Write a Metasploit Module, Join a CTF, etc … they’re all just tactical steps to this much bigger, cyclical strategic plan. Know the strategy, work the tactics. As you get more comfortable with it, you’ll find yourself moving faster and faster and exploring the weird corners of the world we live in with increasing curiosity.

Josh has a new book coming out on Breaking Into Information Security available from Amazon.

Don’t be too hasty in leaving a good job for an opportunity. You won’t improve your lifestyle with a bump in compensation, and may end up miserable for a few extra dollars. If you feel under compensated, talk with your current manager first. Security is a stressful career path, and a good security job has value far beyond monetary compensation.

A willingness to move will greatly improve your chances of finding a good job. So many new industries are hiring security professionals, being flexible on location will exponentially improve your opportunities.

When interviewing for a position, what you have personally done is more important than your company, industry, certifications, or job title. If you want to get into a field beyond your current experience, pursue that area on your own. For instance, someone with a home lab doing penetration testing on the side not only shows hands-on experience and ability, but also initiative.

My advice would be to always make sure that you clearly document goals, set expectations, and evaluate once you have completed those tasks to see if they are effective. In Information Security there are many areas that you will need to master, and priorities will always be changing. If you don’t write down why you are doing something, you won’t remember how to evaluate it later. Many times in my career I have looked back and found that my initial judgement on how to solve a security problem was correct, but shifting priorities made me stop making progress toward that goal.

As an experienced Information Security professional I’d recommend that people entering the Security field continuously focus on three things: innovation, continuous learning and asking questions. By practicing these simple, but effective steps you’ll begin to form a foundational base that can be used to take on new challenges and solve current and emerging security problems. Make these part of your daily routine.

Lean into discomfort and volunteer for things that may be out of your comfort zone, you can learn anything new or master it if you don’t put yourself out there.

For college grads or newcomers looking to break into the information security field, I recommend investing in yourself by sitting for a security certification or specializing in a subject matter to give yourself a competitive advantage over other candidates during the interview process.

To be successful as an information security professional you have to stay relevant and engaged. The profession is not “9 to 5”; hours of reading and studying are needed just to try to maintain the pace of change in the industry. While it’s rewarding and challenging, you need to be willing to dedicate time outside of work to stay sharp.

Thanks to all of the contributors to these posts. I’ve been amazed at the way security people give back to the community and you can see it in the responses I’ve collected.