Getting Started in Information Security
For many, entering the information security (infosec) industry is elusive and confusing, with mixed signals and conflicting information about what background or skills are required. The reality is that there is no single path into the industry. Despite the monochromatic portrayals of the community in popular culture and media, the infosec community consists of experts from a diverse range of disciplines, experiences, and training. This diversity of backgrounds is a strength which must continue and, importantly, expand to best prepare for and support the future infosec workforce.
Since we are constantly asked how we entered the field and what steps those seeking to enter the field should take, we compiled our top recommendations below. These recommendations apply to anyone wanting to learn more about the industry, from students preparing to enter the field to someone looking to transition into infosec to someone just wanting to get a taste of infosec and see if it is a good fit. The following should not be viewed as the holistic ‘to-do list’ for getting into infosec, but instead provides several initial recommendations that can be adjusted to meet personal objectives. There is certainly the formal education route. However, given the multidisciplinary nature of infosec, there is no single best route into infosec through formal education, but rather it depends on desired career paths. Instead, we will focus on inexpensive - if not free - recommendations for entering or expanding your skills within the community.
The Three Rs
While many only associate infosec with STEM skill sets, the 3 Rs - reading, writing, and arithmetic (yes, not technically Rs) - remain invaluable for any introduction into infosec. First, from books to social media sites to websites and blogs, there is a wealth of reading material available at your fingertips. There are numerous compilations of top infosec websites, while social media can be an additional resource for hearing from top influencers and directly asking experts their thoughts on specific concepts or approaches. Second, infosec has a large and active online community of contributors who write on a range of topics. This isn’t just for experts; those who craft their own website and produce their own content stand out for recruiters and improve their personal branding. Finally, and sticking within the theme of 3 Rs, mathematically-inclined people are a natural fit for infosec, which increasingly integrates the tools and methodologies of data science. Data scientists in infosec come from a range of disciplines and quickly provide new ways of approaching security challenges such as anomaly detection and behavioral analytics. Clearly, there are many career paths and options for those who aren’t mathematically-inclined, but the mathematics path offers a logical transition for those who may not have the infosec background, but do have a mathematical background and are interested in how their skills may apply.
Open Source Tutorials
Nothing can replace hands-on experience. Fortunately, there are numerous online resources available for everyone from those just getting their feet wet to mid-career and senior folks looking to sharpen or develop complementary skills. Tutorials such as Open Security Training and Lena provide free, online training for people interested in developing new skills across a range of security topics, such as forensics, threat hunting, intrusion detection, and cryptanalysis. If you’re interested in reverse engineering, Endgame’s Amanda Rousseau created online reverse engineering workshops that provide comprehensive training at your own pace. SANS offers online tutorials, including the SIFT workstation to explore open-source forensic and incident response tools across a range of scenarios. Many conference talks are also recorded and may provide some hands-on opportunities. Finally, building your own home lab is a great way to understand how all of the pieces fit together. If you don’t know where to begin, there are online tutorials and GitHub repos to streamline the process and help you become your own sysadmin and network engineer - skill sets which dramatically improve your understanding of underlying technologies.
Local conferences arguably provide the best initiation into infosec. Whether attending as a participant or trying out speaking for the first time, local conferences offer a great way to network, learn, and even get hands-on experience through workshops and training at the conference. Better yet, most of these are inexpensive or even free if you can snag a ticket. The BSides series takes place across the U.S. and has expanded internationally as well. Other conferences, such as DerbyCon or ShmooCon, are also great places for job seekers, as sponsors often have tables or booths with hiring authorities and recruiters. Importantly, these local conferences are also great venues for networking, building friendships and professional relationships, and exchanging ideas in an extremely informal, social atmosphere. There are also scholarship programs at some of the national conferences - such as Black Hat and Women in Cybersecurity - that offer great opportunities and an additional means to interact within the community.
Infosec competitions take many different forms. In general, they may be team-based and focused on achieving specific objectives through real-world scenarios, such as solving a specific problem or defending a network. These occur at all levels and ages, from middle school and high school hackathons to capture the flag (CTF) events at security conferences or company-sponsored events. If you can’t make it to a scheduled competition, the FLARE On Challenge provides a virtual event for individuals to test and hone their skills against some of the best in the community. If you’re in higher education, the National Collegiate Cyber Defense Competition offers another great opportunity for students to test their defensive skills against teams from across the country. Cyber Patriot focuses on middle school and high school students to help them learn more about the industry and how to defend networks, while also providing opportunities to compete regionally and even nationally.
Non-profit Organizations & Meetups
There are numerous non-profit and national organizations whose explicit objective is to help introduce more people into the infosec workforce. There are national organizations such as Girls Who Code, Women Who Code and Black Girls Code that directly aspire to bring more women into the tech workforce, while numerous other groups also seek to diversify and train the workforce. There are also local groups such as Hack the Hood in Oakland and STEMLY in Washington, DC that provide additional networking, training, and professional development focused on low-income youth and people of color. Finally, local meetups are a great way to network, learn, and present within your community. They provide an inexpensive - if not free - means to learn more about anything from cloud security to ethical hacking to web application security.
Internships & Apprenticeships
Internships and apprenticeships offer great opportunities to gain on-the-job experience and get a taste for the security industry. Internships usually are posted in November for the summer (including our own current internship openings!), although some occur at various points throughout the year. A broad range of companies offer security internships, including security vendors, tech companies, and non-profits. Importantly, internships are available for a variety of security positions that do not inherently require experience in infosec, such as design, data science, and all-source analysis. Similarly, apprenticeships offer additional opportunities for exploring careers in infosec. Virginia, Maryland, St. Louis and California are among the growing number of regions where government, academic, and private sector entities have introduced cyber and tech apprenticeship programs. To evaluate your own local job prospects, NIST maintains CyberSeek, a website that tracks local and national supply and demand within the security job market.
There is a well-known workforce shortage in infosec, and it is only expected to expand in the coming years. Of course, organizations bear a responsibility in making careers more accessible, such as through more inclusive job descriptions and recruiting processes. In fact, the federal government recently created cybercareers.gov to expedite recruitment and retention within cybersecurity. And for those interested in the field, we hope a few of these recommendations resonate and help encourage more people, from a broad range of backgrounds, to explore a career in infosec.