Career Advice Tuesday – My Specialty

June 15, 2010

This one didn’t come in via email but through a conversation I was having with someone I was coaching through some career questions:

I want to be a penetration tester, but I’m not sure what I should specialize in within the field.  I mean, should I be a network penetration tester, a web app penetration tester?  Perhaps focus on physical penetration testing and social engineering?

How do I decide what to focus on?  How do I know what I want to be when I grow up?

My answer was exactly the opposite of what Anton said in a post a few months ago:

Don’t specialize. At least, not yet.

I find far too many people in this industry try to specialize in something very narrow early in their careers. Here’s the thing: for the first few years of your career, you’re still attempting to learn about the field you’re in and how your personal aptitudes, skills and desires fit within that career. The person I was giving advice to has been around long enough to figure out that he likes breaking into things, but he’s still figuring out what he wants to do with that. And people around him are already pushing him toward a specialty within an already narrow part of this industry.

Here’s the trick (and Anton did call this out): penetration testing is a relatively specialized part of the security industry.  And, at least for the first few years, I (as someone who runs a company that does penetration tests and a site that trains penetration testers) want to see someone gather a whole lot of skills.

One of my biggest frustrations in hiring testers is to find that they’re only useful on a very small number of engagements.  For example, the tester who is amazing at running network and system penetration tests but couldn’t find a cross-site scripting hole in a web server to save her life.  Or the tester who knows web apps backwards and forwards but can’t explain how TCP/IP works.

In my experience, it’s almost always easier to gather a significant amount of general knowledge and then specialize than it is to acquire a deep specialty in an area and attempt to generalize afterwards.  So, my advice to my friend was this:

While you’re still early in your career, spend at least a year or two gathering experience in many different areas of the field. At some point, as you gather that experience, you may find yourself gravitating to a specialty – but you can’t possibly know what that specialty will be until you’ve got enough experience in all of the facets of penetration testing to get over the awkwardness of the initial learning within those facets.

Of course, if you’re not a penetration tester, that advice doesn’t apply to you.  ;-)

Posted by mmurray | Filed Under Career Advice Tuesday 

