CAT- “Finding Your First InfoSec Job – A New Approach (To An Old Question)”
March 8, 2011
My question for you is how does someone who is just starting out gain the experience that is needed to land their first job in InfoSec. Currently I work as a web producer and have for the past five years. I am currently going to school for a bachelor's degree with a major in Information Security and Computer Forensics. I would like to get the Security+ and CISSP certifications.
I have interests in pen testing, encryption and computer forensics. I'm really just starting, so I'm not too sure what area I would like to become proficient in. I have laid out a career plan as best I could and would like to be in the role of a CSO for a company one day.
I unfortunately am unable to get an internship since I am a family man. Any advice you can give I would appreciate.
“Let's Get It Started”
Dear MC Hammer:
It has been a while since we have answered a question about getting started as an information security professional, but your question has helped me think about an avenue for you, and for other aspiring information security professionals, to jump-start an information security career and get paid for doing it.
The best way to do this is to leverage your current skills of value, to develop new ones. In fact, this advice is applicable to both aspiring information security professionals and experienced professionals looking to build new skills and develop new areas of expertise.
In your particular case, you have 5 years of experience as a Web Producer. Without really knowing you, my assumption would be that you have programming experience in Web-based languages, you understand the composition of Web applications, and you have some understanding of the SDLC (for Web apps). If my assumptions are correct, then you have some marketable skills that many companies need – just not in security.
The advice that I would give you would be to look for employment in a larger, security-conscious, regulated company that has a need for your skills in these areas. When interviewing, you can use your interest in security – and in producing secure Web applications – as a point of differentiation. Hopefully, based on that experience, you can get a job that pays you the money necessary to take care of your family.
Once the job is landed, the first thing that you want to do is to try to insert yourself into conversations and projects that involve security. Information security departments in large companies work with all types of technology teams to build more secure environments. When you have the opportunity to interact with the security person assigned to your group, find the opportunity to engage with this person, and demonstrate your passion, interest, and some knowledge of security. The best way to do this would be to speak about some current security issue facing the industry (for example, the HBGary situation, a recent conference such as B-Sides, DefCon, or ShmooCon, or the last OWASP meeting you attended). Hopefully you will begin to build somewhat of a relationship, and the person from the security team will be glad to know that they have an advocate for their projects “on the inside.” As the relationship develops, offer to help in your free time, and ask if there is additional work (in a security group there always is). Offer your services for a third shift in an ops center, to help out with incident response, or on a Web app pen test.
By doing this, you are actually interviewing for your first information security position.
Large companies are known for giving their internal employees the opportunity to apply for internal roles before they search externally. Once a role is posted in the information security group, apply for it. In fact, companies would rather fill their roles with internal candidates because current employees already understand the culture, the recruitment process is more efficient, and the costs are considerably less (I can tell you first hand that external recruitment services are not cheap). Since you are now a known commodity on the InfoSec team, your interview process should be a formality, and the most difficult part of the transition will be informing your current manager that you are transferring groups.
In essence, what you are doing is creating your own opportunity. At that point you can continue to pursue additional certification and training, and gain experience in the areas you previously mentioned (pen testing, forensics, encryption).
At that point you can begin focusing on the development, refinement, and execution of your career plan.
Let us know how this turns out. Hope this helps –
Lee and Mike