How I Got Started in InfoSec

Lately there seems to be a huge movement to help get more people in infosec roles. I have been seeing more and more talks at cons regarding this topic as well as helpful blogs and other resources. There is even a project called InfoSec Mentors that helps put mentees in touch with mentors already in the infosec community. I think this is great and would have liked to have something like this earlier on in my pursuit of a career in infosec.

I want to share my story in the hopes that someone will be able to relate and maybe get some pointers. Since I am still a student who has recently accepted a job as an Application Security Analyst, I thought it would be nice to share how I am feeling about that as well as how I got here.

How I got here (tl;dr at the end of the post)

I began my path towards a career in IT in my late teens when I started an AAS in Network Administration. At that point, even an IT Helpdesk job was out of reach since I really didn’t know much. About a semester in, I saw an opening for a contract job helping a local hospital upgrade to Windows 7. I of course applied to this for some exposure and ended up working that contract for a couple of months. The contracting company ran an IT services firm and ended up giving me a full-time job offer in their NOC (Network Operations Center). I honestly do not believe they hired me because I knew what I was doing. They hired me because they heard good things about me from the hospital I was contracted to work with. This is when I learned that hard work and a good attitude go much further than raw knowledge.

I put a year or so into that NOC job, where I learned the basics of System Administration. This job was fundamental in building a base of knowledge on how networks actually work vs. the perfect theoretical networks taught in school. While going to school and working in the NOC, I started participating in the CCDC (Collegiate Cyber Defense Competition). This taught me skills like teamwork and task management, and gave me great exposure to offensive security. The sysadmin experience helped even more.

Shortly after I received my AAS in Network Administration, I received the CyberCorps: Scholarship For Service. I quit my NOC job and moved to a new location to get my BS in IT Security.

While pursuing my BS, I participated in CCDC and attended conferences such as DefCon. I got very interested in offensive security and spent a semester immersing myself in the PWK course, and ended up getting my OSCP that same semester. I started a blog and wrote about things that interested me. I started digging around sites that had Bug Bounties. I began to study for my OSCE. I bought and read books like The Shellcoder’s Handbook, The Web App Hacker’s Handbook and Hacking: The Art of Exploitation. I spent hundreds of hours on security blogs. I made a Twitter account and began to follow infosec people. I reached out to potential employers with cover letters crafted specifically for the position I applied for.

Whatever niche you want to get into, I promise that if you demonstrate a passion for it, you will eventually get a job. This isn’t to say you won’t get ignored by potential employers, because you will. Most of the time, I never even got a reply or a phone call.

The cold shoulders pushed me to learn more, become better, and show them that this is the path I want to take by demonstrating passion. A lot of people aren’t lucky enough to get a full-ride scholarship that helps with extra costs for certs, books and conferences. I understand that, and if that is the case for you, shoot for entry-level IT jobs. My entry-level IT jobs taught me more than I ever would have imagined. Consider it an extension of school: get your employer to help fund certs geared towards your desired niche, and don’t worry about jobs going away, because they aren’t. The IT security field needs people, and there is a true shortage of qualified people. The jobs will be there today, tomorrow and in 5 years.

And at the end of the day, everything I did to get a job isn’t going to stop once I have a job. It was never a chore to sit down and figure out how shellcode works, or how NSE scripts work, or any of the things I have been doing for the past couple of years. It’s a continuous learning process, and if that scares you away, maybe this isn’t the career for you. If that excites you, then hop on the bandwagon and get started.

Now that I have a job, am I worried that I don’t know enough? Absolutely. I get the feeling that there were so many things they could have asked me in the interview process that would have “exposed” me. And the couple of things I truly didn’t have the answer for, I admitted it. And I dwelled on those questions, probably way too much, after the interview process. Guess what: admitting you don’t know something isn’t a deal breaker. No one knows everything. If you’re lucky, you will interview with a team that tries not to grill you with technical specifications like packet sizes and TCP flags. Even if you’re unlucky and your interview is a repeat of your Data Networks midterm, chances are the other interviewees are feeling the same way you feel. If you don’t get the job, consider that interview a great experience and start preparing for the next one.

I asked one of my interviewers what was most important when identifying candidates that would be a good fit for a position in IT Security, and their answer, while a cliché, was one word: passion. Demonstrate it to them. Telling them that you’re passionate is not enough; everyone says they’re passionate.

I also asked what they wish they would see more of with candidates, and the answer was experience. While that seems like a double standard, especially for an entry-level position, it’s actually really understandable. If you’re applying for an entry-level IT Security position, having 2 years of Help Desk experience while you were in school just makes you a better entry-level candidate. Humble yourself and get that IT help desk job; I promise it will help.

tl;dr

I got a job in security post-graduation by doing the following things:

  • Blogging about security stuff.
  • Being willing to take low-level IT jobs to learn more.
  • Participating in CTF events. (I did CCDC and lots of VulnHub; I also hosted a CTF for college students in my local area.)
  • Getting the OSCP. It is attainable if you can afford it, and I advise you to save for it if you think you can’t afford it. No matter what your current skill level, given enough time, you can get it.
  • Blogs and books. Books will be your best friend. Lots of good ones out there.
  • Twitter. Most of my infosec news is first seen in a tweet with a link to a random blog. (Also, reddit has lots of good infosec news.)
  • Getting a BS in IT Security.
  • A professional resume and tailored cover letters or emails to hiring managers. – This is very important and not enough people do it.