Hal Pomeranz, Deer Run Associates

Lately I’ve received several requests for advice on breaking into the InfoSec field.  I find myself repeating the same advice over and over, so I thought I’d post my thoughts here on Righteous IT to save time (at the risk of turning this into a career advice blog).

What Others are Writing

“Breaking into InfoSec” has been a hot topic in the community lately, and several authors are writing eloquently on this topic.  Rather than repeating their good advice, let me just throw out some important links to read.

Every Tuesday, Lee Kushner and Mike Murray provide solid InfoSec career guidance in “Career Advice Tuesday” at the Information Security Leaders blog.  One oft-repeated piece of advice in their blog is to develop a “career plan” for where you want to be with at least a five-year time horizon.  While no plan survives contact with the enemy, having a plan means that you’re moving forward in a purposeful direction rather than just wandering at random.

Bruce Schneier recently posted “So You Want to Be a Security Expert” on his blog.  I’m a firm believer in his “Study… Do… Show” mantra.  Bruce gives a specific shout-out to security certifications, which are indeed useful for demonstrating a certain level of knowledge in a general discipline.  But I wish that more people starting their careers put at least as much effort into doing research in their own areas of interest and writing blog posts, talks, and code to document what they’ve done.  This is how we grow as an industry and incidentally it also shows potential employers something that distinguishes you from all the other “highly certified” professionals you’ll be competing against for jobs.

That Bruce Schneier article is part of a larger series of interviews with various InfoSec professionals on how to break into the InfoSec field, which is being created by Brian Krebs over at Krebs on Security.  Brian’s blog normally provides great coverage of recent happenings in the Cyber Crime world, but these (often first-person) accounts of how to get started in InfoSec have been really interesting.

Similarly, Eric J. Huber has been running a series of enlightening interviews with leading lights in the field of Digital Forensic Investigation on his Fistful of Dongles blog.  Somehow he became momentarily confused and also included me in this series.  But apart from that oversight, these interviews always include interesting information on how to get started in the field.

If you’re paying attention, one thing you’ll notice about all of this advice is that it’s equally applicable to getting into any field.  There are no magic tricks for getting started on an InfoSec career path that are different from any other career path.  The corollary to that realization is that any of the classic career guidance books (from “What Color is Your Parachute” to now) can be helpful when you’re getting started in InfoSec or any other career.

It’s All About Your Network

When people ask me for career guidance, the one point that I emphasize repeatedly is that personal connections – your “network” of friends and colleagues – control your career destiny more than any other single factor.  Every good job I’ve ever had, whether as a full-time employee or as a consultant, has come through personal connections.

When you’re just starting out your career, you’re also starting to create your professional network.  This process begins during your educational history.  The contacts you cultivate during college and grad school – both fellow students as well as faculty and administration – are at least as important as what you learn from your books and professors.

Many of you reading this may not have been fortunate enough to attend college, or your college days are long past.  And even the people who did start to build their network in school need to continue building their networks after they leave their educational womb.  You need to constantly be on the lookout for opportunities and venues to meet other people and create a robust, living network.

An important part of your personal network comes from your on-the-job friends and co-workers.  If your employer sends you for training, part of your job at that training event is to make useful contacts with other people in the room.  If they’re at the same training event with you, they’re almost certainly part of the same field and will be great people to interact with in the future – whether that’s getting help with a problem you’re stuck on or finding a new job.

But also look around your area for regular meetings of different groups and invest the time to attend the meetings.  This could be anything from a Security BSides event, to a SAGE or LOPSA local group, or an ISACA or ISSA chapter meeting, or even Toastmasters.  InfraGard may have an active chapter in your area.  SANS often has a “community night” associated with its conferences which you can attend for free and network with other people in your area.

Don’t have a local group in your area?  Go start one!  Try using LinkedIn to search for other IT and InfoSec professionals in your area and reach out to them.  It doesn’t have to be anything formal.  Just meet for dinner/drinks every month and talk about your experiences and research projects.

Social networking has become an extraordinary resource for reaching out and networking with other InfoSec professionals.  While it will never fully replace face-to-face interactions, “knowing” somebody by interacting with them first via Twitter, LinkedIn, or Facebook can get you past the awkward chit-chat phase when you finally do meet them in real life.  And it can help you engineer those meetings when you’re in the same geographic region.

When you come into an established group for the first time, I urge you to sit back and just listen for the first couple of meetings.  Figure out who the “players” in the group are and get a feel for the “social norms” and nuances in the new group.  You’ve probably had the experience of boorish newcomers coming in and making a pain of themselves in groups that you’re already a member of.  Don’t be “that guy”.

Instead you want the group to recognize your positive contributions.  That could be anything from providing helpful summaries of information provided at the meeting, to helping with setup and tear-down at meetings, to providing food and beverage, to providing additional links that are relevant to the meeting’s focus, to contributing your own research and presentations.  Even just making new people (like you) feel welcome and accepted is a valuable contribution!

Small Fish, Big Pond

If there aren’t currently any gatherings for professional InfoSec people in your area, and you’re having trouble tracking people down on LinkedIn to start your own gathering, then this may be a sign that you’re in the wrong geographic location.  Being the biggest fish in your small pond may be comfortable, but you need to put yourself in an uncomfortable situation in order to grow.

You need to be in a situation where you’re constantly being exposed to new information and new ways of doing things.  You might think you’re getting this from reading articles and blogs on the Internet.  But you really need people around you who will push you to improve your game.  If you’re on your own reading about new technology on-line it’s easy to think, “That’s cool, I should look into that.” But meeting up with your InfoSec pals every month will do more to push you into actually doing that research than anything else.

When you’re learning on your own it’s easy to have “blind spots” and miss out on important information.  While social media can help with this somewhat, it’s not a replacement for being in a room with a group of like-minded folks who are bouncing ideas and solutions off one another at a rapid rate.

Being in the right geographic location also provides more job opportunities, which also translates to more “interesting” job opportunities.  Feel like you’ve topped out at your current job and aren’t being challenged?  Things are much easier if your next job doesn’t require you to move your home.

But how do you get moved to the “big pond”?  In my case, I took a pretty lousy job for a year because the job was willing to relocate me to the Silicon Valley.  Remember that advice about having a “career plan”?  It’s a lot easier to take a lousy job for a year if you view it as a step on the road to the career you want.  During that year, I was busily getting plugged into various tech groups in the local scene, and by the end of the year it was almost embarrassingly easy for me to step into my next job, which was a lot of fun. The things I learned during my 12 years in the Silicon Valley were instrumental in shaping my career and massively increasing my knowledge-base.  And the friends and contacts I made during that period are still with me today.

So pay your dues if you have to, but get yourself to one of the big high-tech centers: Silicon Valley, New York, Washington D.C., or Seattle.  You may never be a “big fish” in any of these places, but you’ll be better for having had the experience.