A lot of ink has been spilt about the shortage of people trained in information security – especially about the shortage of women in tech and in this industry in particular. I was recently interviewed by Matthew J. Schwartz for a podcast in which we discussed this topic, and it seems to have struck a chord with a lot of people. I’ve received quite a few requests for information about how to get into this industry, especially for those who don’t yet have a lot of technical experience.
Since this seems to be such a popular topic, I thought I’d devote a blog post to exploring it, so that more people can make use of this information (and please add your own experiences in the comments!).
The first thing I would recommend to folks looking to get into this industry is to take some classes on Information Security. You can do that in a school setting, or you can get education in the form of a training program, or as part of a conference depending on how comfortable you are with wading into this subject. Starting a college or university degree program could be considered jumping in headfirst as it can be rather a costly and time-consuming endeavor if you’re not yet sure, but there are plenty of short-term and low-cost options if you would like to just dip your toes into the waters of computer security.
The next thing, but no less important, would be to join in industry groups or attend events so that you can meet security practitioners. Getting to know people who are in the security industry is not just a great way to find out what it’s like on a day-to-day basis in your potential new career; it can be an essential part of gaining trust and recommendations when it comes time to find a position.
Conferences, Meetups and Online Resources
If you’re an absolute beginner in InfoSec, you’re starting at the right place – by reading security blogs and magazines. Many of these webpages (ours included) also have webinars and videos where you can learn more about different aspects of security.
If you want to get a better view into what it’s like to work in this industry, you can seek out Security Meetup groups and professional conferences in your area. There are annual Security BSides conferences in most major cities, and these are free to attend. They are an excellent way to meet local people in this field, and they can be a great way to dip your toe into presenting your research once you’ve got some InfoSec experience under your belt.
There are countless other security-specific conferences throughout the year, many of them generally about offensive or defensive security. A growing number of the conferences focus on more specific aspects of security or the security community. These conferences vary in cost from a few hundred dollars to a few thousand dollars for some of the year’s largest events.
If you’re already in your chosen career and looking to add to your InfoSec chops, a lot of IT conferences that are specific to industries such as Health, Education and Finance are adding security sessions or even content tracks devoted to security information. For example, this year’s Health Information Management Systems Society (HIMSS) conference added a Cybersecurity Command Center that had a special area devoted to security sessions and vendor kiosks.
More in-depth training
Whether you’ve just completed your college or university degree program, or you’re looking for a way to ease into more in-depth training in InfoSec, the SANS Institute trainings offer a wide variety of security topics at a wide variety of levels. I’ve taken their Reverse Engineering course myself and found it was a fantastic refresher course for me, on the tools and techniques used to analyze malware. My classmates who were new to malware analysis found it to be a very approachable approach to a fairly technical subject.
The Black Hat Executive Summits will be happening in the US in a few months’ time. This conference includes several days of training sessions before the Briefings sessions begin. (Though if you’re interested in attending this year, act quickly as the sessions are already beginning to sell out) Both Black Hat and SANS Institute training sessions cost several thousand dollars, so while this is far less investment than a degree program, it may not be the best first step for absolute beginners.
Trust, but verify
It’s worth noting that while networking is a good idea whenever you decide to switch careers, this is doubly true in Security. Trust relationships are vital when dealing with sensitive and potentially harmful materials, as we do in this industry. My emphasis on joining security groups or attending security events may seem strange – but in this industry more than most, it is not enough just to know your craft well. You can be exceptionally proficient at either offensive or defensive security skills, but if people within the industry don’t know you or trust you well enough to recommend you, you will have a very difficult time finding the job you seek. On the other hand, if people know you well enough to trust you and see that you are eager and able to learn quickly, you may be given the chance to prove yourself.
Other online resources:
Author Lysa Myers, ESET