Thursday, January 28, 2010

How to Get A Start in Information Security

How I got in was a bit of a journey. I always knew I wanted to work in Information Security. I wanted a job in information security. I wanted to break into computer systems. I wanted to learn how to detect hackers. I wanted to learn the ins and outs.

At first the desire was born out of a desire to learn, then eventually protect myself knowing that our entire lives would be stored on computers (ten years ago, did anyone predict we literally would with the likes of MySpace and Facebook??). I had a desire. I had a goal. Several, in fact.

After completing my degree I said I wanted to be working in information security by age 25. I set an income figure I wanted to achieve. I set some other goals I didn't reach (like being able to do full splits back when I did tae kwon do) and drive a nice Trans Am but I did hit most of them (I didn't drive a Trans Am but I did drive a nice sports coupe). They might not be lofty goals compared to some but hey, they were mine. :)

What was interesting was that when I started down this path, InfoSec wasn't a discipline in its own right. It was a responsibility tacked onto the job description of system administrators, network engineers, etc. At least, so it was in Australia back in the early 2000s. Separate positions in this line of work were virtually unheard of. I set out to learn what I could (since my degree didn't teach me much apart from how to cut code).

My break came when I moved to the USA. There's a bit of a story involved there but suffice to say that the US market is much larger than Australia's and, between HIPAA and Sarbanes-Oxley, the companies there recognised the need for Information Security as a discipline in its own right - not just for the sake of compliance but to jump the technical hurdles required to meet it.

My role there was a Network Abuse Engineer - which effectively meant I had information security responsibilities woven into my job role. While I can argue that I had those responsibilities indirectly in my various roles in the years prior, this was the first where it was specifically stated.

Fast forward to 2004 when I moved back to Australia. I had just got my first information security role at a major Australian university as an IT Security Analyst. It was a real learning experience. I was grateful to have a couple of fantastic mentors that really took me under their wing and showed me the ropes. It took me a while to get my career to where I wanted it to be but eventually I did -- mostly because I didn't pursue it with the same zeal that I did later on. I was too busy with things like travel and my personal life.

In retrospect I'm not fully sure how I got my break, but I can say what I did, why I did it and hope that it helps others. It wasn't until years after the fact I read about the Tony Robbins 'Ultimate Success Formula' and honestly - I'm a believer. It's not difficult either, it's just common sense.

1) Define your goals.
Aim high. If you want more, ask for more - life only gives you what you ask of it. Have a picture of what you want. If you want a career in information security you need to be able to visualise it. What do you see yourself doing? What sort of skills do you want to acquire? What do you hope to achieve at the end? What the mind can conceive the body can achieve.

What does this mean in a practical sense?

Think first: is this what you want? Understand that information security requires a lot of study in your spare time. It is unlikely you'll learn all you need to in a university degree or a certification. This means a commitment in your spare time. Building test labs, reading books, blogs, code, experimentation, etc. Is it rewarding? I think so. The ability to know that your efforts can make a difference to an organisation and ostensibly, your fellow man - is empowering.

2) Find role models.
Look for those who have achieved your goals and model their behaviour. Do you have friends who are already in the industry? How did they get in? What skills did they have? What certifications did they have? Are there lessons you can learn? Can you fast track what they did? A wise man is said to learn from the mistakes of others as well as his own.

Expanding upon this further - did they undertake any higher education? Qualifications? What were the skills they obtained that got them employed? Was there a job in particular that cemented their career in information security? What was it about that job that helped that to occur?

3) Keep track of your progress. Are your actions congruent with your goals? Are your goals still the same? Are your results matching your desired outcomes? If not, you need to reassess and like a ship that is off course, you may need to re-adjust your sails.

If you are not where you want to be, consider what you have done wrong before blaming others. Could you have handled a particular project or encounter better? Could you have behaved differently during a challenging situation - and thus, set a new standard or expectation with a key stakeholder? Have you turned down opportunities that could have led to career progression? Did you fail to seize the initiative on a unique situation?

More often than not (by that I mean 99% of the time) chances are YOU screwed up somewhere, not someone else. Don't get me wrong, sometimes we all just want a break and are looking hard for it and need someone else to take a chance on us. But if that wave isn't coming, perhaps it's time to find another beach upon which to surf?

DON'T wait for the perfect opportunity - they never come. Look to create those perfect situations. It is said "success leaves clues" and I'm a firm believer in this. Look for those clues with vigor and pursue them.

If anyone has any specific questions, feel free to message me. I'm happy to help anyone that wants to break into the industry.


- J.

Happy New Year

Hi all

Happy New Year.

I know it's almost the end of January - but apart from being surprisingly busy I've spent a lot of time this month mentally taking stock of my goals for this year.

As part of my goals, I've decided to be more diligent in my blogging efforts and really try and add some value to the InfoSec community. I'm hoping to cater to three specific areas:
1) people who are interested in information security but as outsiders to the profession (ranging from home users, to corporates to power users),
2) people wanting to break into the security industry,
3) people already working in the InfoSec industry and hopefully share information on a peer-to-peer level.

One thing I learned about writing many moons ago is that you must know your target audience. I don't expect to crack all three in a single blog post typically, but hopefully, I can hit all three within a given month. :)

With that said as a stated goal, I hope to reach more people and share my thoughts and hopefully inspire others along the way.

Best wishes.

- Jarrod