Note: this is a repost from a piece I wrote in October 2008. Most of it still seems very relevant.


I regularly get questions of students who are asking what they need to do to get started in the information security field. Unfortunately, I cannot give a straight unambiguous answer to that. What I can do is start a thought process for that student. In the end, they will have to do the work.

Become experienced
Get a job that sounds like it is relevant to security. It does not actually have to be dead-on, but when a potential employer reads your resume, she must feel some sort of connect. Unfortunately, most security jobs ask for experience, so that is exactly what you need to get.

Most likely, the easiest way to do so is to find a job for a large consultancy organization and make it clear to them that you are willing to work hard, travel when necessary, and add value to their organization. At the same time, don't let your employer ever doubt that you are going to become an information security specialist.

Focus
Information security professionals are service providers, and you need to figure out if you want to become a consultant that comes in to do a job, or if you want to work for the organization that uses your services. Make up your mind if you want to become a product specialist. Early in your career, consulting is not a bad way to go, since that will expose you to different industries, different problems and different working cultures.

Deciding if you want to work in a specific industry, or in a particular geographic area is also part of making the focus decisions. I know people who decided very early on that they wanted to work for a specific organization and they had their career plan centered around that goal. The same is true for geographical areas. If you decide that you want to work in the New York City, you will probably end up in the financial services industry or in fashion. If you are on Long Island, start learning about medical services. Other areas have similar industry focuses.

Specialize
Think hard about the area in which you want to specialize and work towards that. Depending on the direction in which you want to move, you will need to spend just about every waking hour doing "stuff" with security.

If you choose your direction to be penetration testing, find a pentesting job. When you come home, start doing stuff in your own lab. If you want to become an incident responder, look in that area and start dabbling with forensics-type stuff on your own time. If you want to become an information security manager, try to get some leadership experience. If you want to become an application security specialist, start looking at code.

Certify
There is much discussion surrounding the actual value of a security certification, but the basic fact is that employers will look for something that can distinguish you from the rest. Not having a certification is definitely a distinguishing factor, but it may not be what you want.

When choosing your certifications, keep your specialization goals in mind. It is useless (and may even work against you) to pursue vendor-specific certifications if you want to do something with a broader scope. The opposite is also true-- striving to pursue a general certification when you want to be a niche specialist is also pointless.

Branding
Make yourself visible: become a member of security organizations and go to chapter meetings. Attend as many events as you can, even if they are not in your focus area. At worst, you will spend an afternoon thinking about why the topic is not relevant to you (also valuable), and at best you meet your next employer.

If there are no chapters, start one. If you can afford it, begin visiting security conventions and conferences, reading (and comment on) blogs, maybe even start your own blog, join dedicated chat rooms and online forums, jump on twitter, linkedin, etc. Set up your own web site; don't be afraid to oversell yourself, but never lie. As an information security professional, your personal reputation and credibility is everything. The information security field is young, highly dynamic and the good people in the field form a close community. Associate with the right people.

Plan
Finally, come up with a career plan. That plan will be perfect nor complete when you make it first, but continue to update it as your expectations of the future take on more concrete form. Write down that plan on paper (not just as a file on a computer-- paper is more convincing!)

No employer expects that you spend your entire working life with them, but job-hopping every few months will come back to bite you. It creates the impression that you are not reliable, because you are not going to be around long enough to invest in. Plan to stay in a position for at least a year.