Thursday, January 28, 2010

How to Get A Start in Information Security

How I got in was a bit of a journey. I always knew I wanted to work in Information Security. I wanted a job in information security. I wanted to break into computer systems. I wanted to learn how to detect hackers. I wanted to learn the ins and outs.

At first the desire was born out of a desire to learn, then eventually to protect myself, knowing that our entire lives would be stored on computers (ten years ago, did anyone predict we literally would, with the likes of MySpace and Facebook??). I had a desire. I had a goal. Several, in fact.

After completing my degree I said I wanted to be working in information security by age 25. I set an income figure I wanted to achieve. I set some other goals I didn't reach (like being able to do full splits back when I did tae kwon do, and driving a nice Trans Am), but I did hit most of them (I didn't drive a Trans Am but I did drive a nice sports coupe). They might not be lofty goals compared to some but hey, they were mine. :)

What was interesting was that when I started down this path, InfoSec wasn't a discipline in its own right. It was a responsibility tacked onto the job description of system administrators, network engineers, etc. At least, so it was in Australia back in the early 2000s. Separate positions in this line of work were virtually unheard of. I set out to learn what I could (since my degree didn't teach me much apart from how to cut code).

My break came when I moved to the USA. There's a bit of a story involved there, but suffice to say that the US market is much larger than Australia's and, between HIPAA and Sarbanes-Oxley, the companies there recognised the need for Information Security as a discipline in its own right - not just for the sake of compliance but to clear the technical hurdles required to meet it.

My role there was a Network Abuse Engineer - which effectively meant I had information security responsibilities woven into my job role. While I can argue that I had those responsibilities indirectly in my various roles in the years prior, this was the first where it was specifically stated.

Fast forward to 2004 when I moved back to Australia. I had just got my first information security role at a major Australian university as an IT Security Analyst. It was a real learning experience. I was grateful to have a couple of fantastic mentors who really took me under their wing and showed me the ropes. It took me a while to get my career to where I wanted it to be, but eventually I did -- mostly because I didn't pursue it with the same zeal that I did later on. I was too busy with things like travel and my personal life.

In retrospect I'm not fully sure how I got my break, but I can say what I did and why I did it, and hope that it helps others. It wasn't until years after the fact that I read about the Tony Robbins 'Ultimate Success Formula' and honestly - I'm a believer. It's not difficult either, it's just common sense.

1) Define your goals.
Aim high. If you want more, ask for more - life only gives you what you ask of it. Have a picture of what you want. If you want a career in information security you need to be able to visualise it. What do you see yourself doing? What sort of skills do you want to acquire? What do you hope to achieve at the end? What the mind can conceive the body can achieve.

What does this mean in a practical sense?

First, think about whether this is what you want. Understand that information security requires a lot of study in your spare time. It is unlikely you'll learn all you need to in a university degree or a certification. This means a commitment in your spare time: building test labs, reading books, blogs and code, experimentation, etc. Is it rewarding? I think so. Knowing that your efforts can make a difference to an organisation and, ostensibly, your fellow man is empowering.

2) Find role models.
Look for those who have achieved your goals and model their behaviour. Do you have friends who are already in the industry? How did they get in? What skills did they have? What certifications did they have? Are there lessons you can learn? Can you fast track what they did? A wise man is said to learn from the mistakes of others as well as his own.

Expanding upon this further - did they undertake any higher education? Qualifications? What were the skills they obtained that got them employed? Was there a job in particular that cemented their career in information security? What was it about that job that helped that to occur?

3) Keep track of your progress.
Are your actions congruent with your goals? Are your goals still the same? Are your results matching your desired outcomes? If not, you need to reassess and, like a ship that is off course, you may need to re-adjust your sails.

If you are not where you want to be, consider what you have done wrong before blaming others. Could you have handled a particular project or encounter better? Could you have behaved differently during a challenging situation - and thus set a new standard or expectation with a key stakeholder? Have you turned down opportunities that could have led to career progression? Did you fail to seize the initiative in a unique situation?

More often than not (by that I mean 99% of the time) chances are YOU screwed up somewhere, not someone else. Don't get me wrong, sometimes we all just want a break, are looking hard for it, and need someone else to take a chance on us. But if that wave isn't coming, perhaps it's time to find another beach upon which to surf?

DON'T wait for the perfect opportunity - they never come. Look to create those perfect situations. It is said "success leaves clues" and I'm a firm believer in this. Look for those clues with vigor and pursue them.

If anyone has any specific questions, feel free to message me. I'm happy to help anyone that wants to break into the industry.


- J.


bhowmik said...

Hi Jarrod,

Talk about timing, I got to your post through a link tweeted by one of the InfoSec professionals I follow and it sort of strikes home.

Like you I have always known that I want to work in InfoSec. To that end I've been careful in selecting roles such that I get relevant experience, but now after 4 years as a sysadmin I fear I am getting slotted into that particular role.

If you don't mind me sending you an email, I'd love to get some pointers and suggestions on how I go about getting a break in InfoSec.

I've done my graduation from RMIT and have 4 years of solid sysadmin experience as a Linux sys admin. I am currently doing my Masters in Information Security and Risk Assurance from RMIT as well. In the meantime I've managed to snag an RHCE, attended a couple of SANS courses and plan on taking the CISA this June among other things.

I'd love to hear back from you.


Ashu said...

Hi Jarrod,

Just to add to what Bhowmik said above. Please advise me on the same as well.
I have been working as a Technical Consultant for a year now but unlike Bhowmik I don't have any certifications.

Thanks and looking forward to hearing from you.

PS: Bhowmik and I are classmates in the Masters of Information Security.