Landing that infosec job: These experts share their best career advice
“Hey there! You found us,” read the first five words of a hidden Apple job listing.
The job listing was posted on one of the company’s publicly accessible but hidden servers, hosting data on millions of Apple customers across the US east coast.
In fairness, Apple is not looking for me, but someone who’s far smarter and more qualified, and someone who has better office etiquette.
But it did get us thinking: You never know when you’re going to need work, let alone find work. Sometimes you have to rely on skill, and it other cases, it’s entirely down to chance.
How do people trying to get into the security space know where to start?
ZDNet asked several well-known security professionals on what advice they would give to their younger selves starting out in the infosec world.
“I would say a four-year college degree helps. It’s becoming increasingly popular in some infosec circles to downplay it, but I think it opens doors,” said White. “Also, a broad range to study — university or otherwise — is crucial: politics, history, linguistics, and, of course, computer science.”
“It’s important to stay curious and follow passions. At least for me anyway, I’m vastly more productive drilling into complex topics that genuinely interest me than those that don’t,” he said.
He added that early exposure to basic electronics are the foundation blocks for learning. “It’s amazing how many insights you pick up on performance, data flow and logic by understanding simple (and maybe not so simple) circuits,” he said. Or, in other words, “break things, tear them down, figure out the ‘how’,” he said.
“My advice for older pros is much the same as people starting out: build things, stay hands on, learn new languages, frameworks, gadgets — whatever,” he said. “But keep hacking things.”
“The first factor is self-motivation and passion to learn,” said Carhart, in an email.
“In my career, I have never seen a university, technical school, or certification program that will fully prepare a student to excel in either offensive or defensive security. Certainly there are outstanding programs out there that teach specific skill sets, but technical skills are quickly obsolete and involve depth beyond the material that can be taught in a semester or a year,” she said.
“What divides an ‘okay’ information security candidate from a great one is the motivation to learn more about the field outside work, every week,” she said. “What this looks like depends on by niche — perhaps working in a home lab, or reading new computer legislation.”
“Regardless, people who have no interest in the field outside of business hours will quickly find themselves at a disadvantage in the market,” she said.
“The second factor is (human) networking.” When Carhart isn’t doing her day job of digital forensics and incident response, she can usually be found at a security conference. “It seems odd to call out soft skills in a highly technical field, but the community of practice is still small enough that networking (preferably in person) is a big leg up for job seekers,” she said. “Nearly every information security professional I have met has obtained at least one job through participating in meetups, social media, hacking conferences, or collaborative research. Often, that job was their entry-level segue into the increasingly competitive field or their niche of choice.”
“While commercial conferences like Black Hat may be out of reach for some job seekers, we have an extremely active community with BSides security conferences in cities around the globe and even more expansive networks of meet ups,” she said. “I highly recommend job seekers seek them out and take advantage.”
Vickery, a relative newcomer to the infosec space, has years of experience under his belt, thanks to carving out his own niche of discovering breached and exposed data in what is already an ever-crowded security space.
In an email, Vickery offered a list of points for anyone wanting to make a name for themselves in the infosec world.
- “Disrupt the status quo!”
- “Successful people make enemies.”
- “Drawing people in is more powerful than reaching out.”
- “Doing something extremely well is not enough if no one recognizes you are good at it,” he said, adding that, “who you know is equally important as what you know.”
- “Take an intro to paralegal studies class at a local community college. If the professor is decent, you’ll gain some valuable insight. (yes, I’m recommending this to the infosec crowd).”
- “Most of the time, good deeds are not rewarded. Don’t expect rewards. Be grateful when they come.”
- “If you are indispensable to a powerful person, they will not tell you so.”
- “Good people are easy to recognize after a short time. Be wary if you have any doubts at all of someone’s character.”
And, lastly, he said: “Sunshine is the best disinfectant,” referring to the famous Louis Brandeis adage.
“As the CEO of a small organization, I don’t yet have the budget or time to hire people that have to learn on the job — I need people that can hit the ground running,” said Tentler in an email.
“And now, I can understand things from this side of the table — when you need someone to be functional on day one, it doesn’t matter what they look like on paper — it matters how they function in “meatspace,” he said (referring to the “real world.”)
“Can you put them down in front of, say, Burp Suite, and have them be at least functional to the point they ask questions, or will they report when they get stuck? Or will you have to shouldersurf them across their first several gigs until they get the hang of the tools?” he said.
“It depends on what sort of company is doing the hiring, and there’s a pretty vast array of those as well. Some companies just want someone with some alphabet soup after their name to look like they ‘have people,’ purely as a function of ‘being compliant’. The cold, hard truth is that most companies in the US only do the bare minimum to conduct business — so they look at what regulatory compliance frameworks they have to abide by to legally to business, and only do the bare minimum for those. This means that many people in those organizations who have the title of “security engineer”, or otherwise, are basically there purely to make audits easier, and serve no actual security function whatsoever, except to wave at the auditors when they come around and say “hello, I am security human. I do security things!’.”
“This is critically important to consider when attempting to get a job in security.”
“Do you want to just be a figurehead, and get paid just be ‘a butt in a seat somewhere’,” he said, “or do you want to actually conduct security work?”
“The tells are very clear in many job postings. If the job posting is asking for lots of certification and degrees, and describes knowledge of compliance frameworks, there’s a good chance that there isn’t actually any security work there — it’s all just smoke and mirrors to make the compliance machine operate. It’s a good idea to investigate these, to validate those suspicions, there are legitimate security jobs that have some degree of compliance, but you have to make it past “the HR firewall” and talk to the actual hiring manager to find out. If the first thing you hear after you sit down for the interview is basically ‘papers please,’ then you should worry.”
On the other hand, if the interview is “tell me your best red-team story”, then it’s likely the organization doesn’t care about ‘papers please,’ and they want to know your strategies for performing the actual work,” he said. “This is a great sign if you actually want to do security work.”
Tentler noted a key point: “The very first thing to consider is: ‘what do you actually want to do,’ because saying ‘I want to work in security’ is like saying, ‘I want to work with animals’ — it can go many many different ways.”
“Deciding where you want to land in security isn’t difficult. Go to some cons, do some [capture the flag exercises], try some Crackme’s, talk to people on Twitter, and get a feel for the sort of work you enjoy the most,” he said.
“My two biggest pieces of career advice are to put some serious time into your resume and interviewing skills, and to network,” said Williams.
Networking can include professional meetings and heading to conferences as time and budget allow, he said. “When you are at a conference, networking means more than walking around saying ‘I’m looking for a job’ and partying. Strike up conversations with people. Ask where they work, what they do, the challenges they face, how they solve problems, etc. and actually listen — you’re likely to learn something.”
“But more importantly, these people can let you know when positions open up at their organizations, help you get in the door to get an interview, and make a recommendation to hire on your behalf,” he said. “Always be networking.”
“If your organization doesn’t print business cards for you, print some of your own. It’s worth every penny,” he said.
Networking will only get you so far. “Your resume must be top notch to actually get a job,” said Williams. “If your resume looks like it could have been written in crayon, then you’re probably not getting an interview.”
“Infosec requires good communication skills — as do many technology jobs. If you can’t write your resume, there’s little likelihood that you’ll be able to communicate effectively when it comes time to write a critical report. Your resume is the first example of your writing that a potential employer sees,” said Williams. “Communication during the interview is also important, so brush up on your interview skills. Do some mock interviews with friends. If you can’t interview with friends, you are unlikely to do well in the actual interview.”
“Your ability to communicate clearly, confidently, and professionally during the interview is actually more important than knowing all the answers to interview questions,” he said.
This article is reprinted by permission from