As one of the founders of Secure Ideas, I am often asked how someone gets into InfoSec and/or how do they get hired at Secure Ideas. So I thought it would make sense to discuss this here on the blog…
So the first thing to understand is that I think it is critical to understand the reality of IT and business before you decide to try and take it all on in security. 🙂 We see WAY too many people who have just jumped into information security, either because it interests them or because they see it as a way to make lots of money. While this is fine and works for some of the organizations out there, here at Secure Ideas we think you are missing out on the ability to give truly reasonable and actionable recommendations or advice. Please understand, I am not saying that security professionals can’t give good advice unless they have been operational, but I do believe that to give excellent advice (I am biased!) you need this experience.
Let’s look at a common example we see today. Security professionals around the world are recommending that organizations remove Oracle Java from everyone’s computers. The problem with this is the wide range of systems that require Java for administration and management. Instead, we need to look at the organization that is using it and see if there are ways to limit the exposure while not breaking the business or administration requirements.
So the big question is how do we bring in people who have this experience while meeting the demand that we all know exists in information security? I think it’s actually a pretty simple idea. We start training and engaging the operational staff at organizations. (Keep in mind that when I use the word operational, I am speaking of administrators, developers and anyone in IT.) Then we start encouraging people to join IT via the traditional paths. Become a developer or an admin and learn the why and how of information technology, since without it, information security isn’t needed. 🙂 To help in this, Secure Ideas actually has done a presentation, which has been turned into a two-day class called Tactical Sec Ops. This class is being taught at BlackHat US this year. In this class, we go through a series of hands-on exercises that teach operational and developer staff the how and why of security testing.
Even if you don’t take this class, please start encouraging IT staff to learn more about security and security testing.
Then we need to answer the question about how to transition from Info Tech to Info Sec. This actually depends. (I know, everyone hates that kind of answer.) The best way, meaning the way I see work the most often, is to start volunteering with your organization’s security department. Make them aware that you are interested in that career path and see where you can help. Also talk to your boss and see if you can do quick lunch-and-learn sessions for the staff about various security topics. These allow you to learn more about a topic and to make it public that you have skill and passion in this area. Finally, start working with your boss, if possible, to make security testing a part of your job. For example, at one of the companies I worked at early in my career, I built a process to security test our builds after they were stood up but before transition to the project team that needed them. This gave me critical experience I was able to leverage when I became a consultant.
All I can say is good luck, and if you have questions or comments, feel free to reach out to me about them!
Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.