Dealing With The Experience Required Paradox For Those Entering Information Security

I’ve been co-hosting the Defensive Security Podcast for a few years now and receive many emails and tweets asking for advice on getting into the information security field.  I created a dedicated page on the defensive security site with some resources for newcomers to the cybersecurity/information security field.  I asked for advice and received a lot of great feedback, which I incorporated on that page.

I’ve since received feedback that the page is very helpful, however I’m now being asked for advice on addressing a new challenge: how to get a job in information security when all the information security jobs require previous information security experience?

Once again, I turned to my excellent network on Twitter to ask for help in answering that question.  This post is intended to summarize the comments I’ve received.

Networking

Network with people in the community by attending local events, such as BSides conferences, ISSA meetings, OWASP meetings, CitySec meetings and so on.

People who attend such meetings are generally aware of openings in their respective organizations, and having an advocate “on the inside” to get through the hiring process is often very helpful.

I will add that researching a topic and giving a presentation at one of these meetings will help to establish yourself as an authority on the topic.  These organizations are often looking for someone to give a presentation.  The process will force you to thoroughly learn your chosen presentation topic and refine your presentation skills, both of which make you a more valuable employee.

Volunteering

Non-profit and not-for-profit organizations, including churches, often can’t afford to pay for information security staff.  Volunteering at an organization is a good way to obtain practical experience.  These kinds of volunteer opportunities can lead to

Contributing to open source projects are another way to not only gain practical experience for your resume, it will also build important skills and build your network of contacts.  There are thousands of information security open source projects around.  Getting to a place where you can contribute to an open source project can be daunting, but the benefits will be worth it.  My best advice is to look for a project that interests you, find the list of open issues and/or pending features, contact the existing developers and ask if they would be willing to entertain your contribution to fix bug X or add feature Y.  Also, don’t be too offended if the developers give your contribution some criticism the first few times around.

Ground Floor

A common question goes something like this: “I want to get into information security, but this position requires years of experience…  How do I get into the field if I have to have experience in the field in order to get into the field?”

Getting into more senior level positions in any field will generally require previous experience in the field.  Generally, these more senior level positions are filled through career progression, not by someone coming in from a different field.  Said another way, you may need to look for a more entry level position that requires less experience, and then build toward your target position.

This can be disheartening for someone who has obtained a more senior level role in another field and is looking to move into information security.  Taking a lower position to get into the security field may require a pay cut.

My recommendation with this strategy is to find an organization that has both entry level positions and the more senior level positions you are interested in, or at least something close to the senior level position.  It’s often faster and easier to get into an organization in a lower level position and take on additional responsibilities, and ultimately progress up to the target position, though this strategy often means that your compensation will be less than market rate.  My advice is to get in on the ground floor, work your way up and gather some experience, and then seek the opportunity you are after.  Clearly, this is not a 6 month plan to get to a senior architect, however combining it with some other advice in this post may make it happen relatively fast.

Leverage Existing Experience

You may not have experience in information security but if you work in IT you likely have had some exposure to security processes.  Maybe it was related to following secure coding practices, or securing servers according to some documentation, or applying patches or any number of other things.  Spend some time to think about how these past experiences related to information security and develop your elevator pitch tying them to the job you want.

Certifications

Certifications are a good way to establish some credibility, particularly with managers and HR departments.  Many security professionals are skeptical about the utility of certifications like CISSP and CEH, however both carry some weight when seeking a security role.  As well, they will help you to learn some of the language and expose you to different aspects of security, which may, in turn, highlight some particular area of interest for you.  Those two, in particular, are within the grasp of most people willing to spend time studying and are not incredibly expensive.

Home Lab

One of the most commonly suggested recommendations is a home lab.  Of course, that can cost some money to set up, but it doesn’t have to cost a lot.  AWS offers free virtual servers.  Running VMs in Virtualbox on your existing PC works.

My recommendation going into the home lab arena is to have an idea of where you want to go.  Malware analysis? Incident response? Security architecture? Penetration testing?

Depending on your area of focus, you will have different needs for a home lab.  A detailed discussion on possible configuration options for home labs for each of those focus areas would fill pages.  If there is interest, I’ll work on that as well.

Blog

Blogging serves four purposes:

  1. it forces you to research a topic and understand it well enough to write something informative
  2. it helps to improve your writing abilities, which is very important
  3. it (hopefully) helps other people
  4. it helps to establish your name in the industry

Branding Yourself

There’s a lot of good resources on personal branding, and I am not qualified to really do the topic justice, but I will point out a few aspects I think are very key:

  1. Consider how your social media presence would be viewed by prospective employers.  Most all employers will do at least some minimal amount of research on you.  What will they find?  Will they see rants, complaints about current positions, or socially and politically divisive comments?
  2. Build a social network of people in the industry, particularly those in the specific area you are interested in.  Ask questions and contribute to the discussions.
  3.   Make contributions to the industry.  Blog.  Podcast.  Offer to help people.
  4. Clearly identify the position you want, and develop your story on how your experience in work, volunteering, home labs, blogging and so on, relate to that position.

Employers don’t want to hire a problem child.   They want to hire a productive person who is well respected.  I would recommend seeking out other resources on personal branding to learn more.

Speaking, Writing and Presenting

This didn’t come up as a recommendation, however I will tell you that finding information security professionals who are able to write and speak clearly can sometimes be a challenge.  Remember: your writing and your speaking are often the only things that people, including prospective employers, know about you, and they will form initial opinions of you very quickly.  Make them count.  Take pride in your writing style.