When I was in the public sector, I struck up a conversation with the guy tasked with provisioning my mobile phone and laptop. He was working in IT support but said he really wanted to break into information security. Later, I spoke with my friend, the CISO, and mentioned the guy. Two months later, that guy was an infosec junior staffer, and a few months later, a threat analyst.
There’s a thrilling new wave of potential talent comprising people working in adjacent fields trying to break into information security. Sometimes they’re from IT, and sometimes, from adjacent fields like civil engineering, or marketing. These career-transitioners are often bright, technically minded, educated, and curious, and they’re eager to help us fill the yawning chasm in our talent-pool. But we’re just not helping them help us as much as we could be.
At the risk of heresy, I say that rather than advising these new-to-infosec people to gain certifications, we should instead be encouraging people to dive in to the deep-end and see what floats their boats.
In my opinion, if you’re new to this growing industry you would be far better served by getting a job that will expose you to the widest array of infosec functions as possible, so you can see which parts of infosec you really think are awesome.
Then, you can choose to specialize in that area, and get all the certs in the world to support you.
I think this because that’s how a fairly impressive percentage of today’s information security leaders got their start, too. Including me.
Having a Security+, CISSP, CISA, and SSCP won’t help you one whit if they land you a job blowing logs to the SIEM and you learn that you hate logging, and you hate SIEM, you hate your boss who likes SIEM and logging, and it turns out you really want to be on a Red Team, so you quit in frustration.
Sure, certs can play an important role in career advancement. The continuing education component of cert maintenance is also a great tool to ensure new, formalized learning while on-the-job-training continues. but “career advancement” kind of requires a career to advance. Information security isn’t a monolith — there’s so much diversity and one can take learning and expertise so far in niche areas — a reverse engineer, an application penetration tester, an incident responder, a forensics jockey, and an information security compliance manager all can say they work in “Information Security.”
What do you want to do? What do you like? What do you find compelling? That’s where you should focus.
To be sure, sure, an understanding of networking and endpoint functions, capabilities, configuration, and normal operation is absolutely and inviolably essential to success.
A college degree is good evidence that someone can tolerate the level of bullshit and capriciousness necessary to survive a typical year in infosec — but I would point out the number of college drop-outs who’ve reached leadership positions in the industry as proof that it isn’t a prerequisite.
So take a job that will present the widest aperture into the industry. Your background skills can get you into small niches of the industry that are equally important to the rock stars. If you have good organizational skills or project experience, consider being an information security project manager. Wow, talk about a deep-dive into the minutiae of a wide range of activities spread among the real-world implementation of security tools, processes, or functions!
Got an accounting or technical background? Become a compliance auditor, and learn how everything is configured, and what configuration decisions matter.
Work in IT? Find work on a team handling malware response, or tech-support or provisioning (like the guy at my last gig).
Wherever you land, ask tons of questions. Strike up conversations with everyone you meet, and ask for ride-alongs: “Hey, I see you’re digging in to that box, mind if I observe and ask questions?” That’s a great way to learn something new, and hear not from a textbook, but from a practitioner, how it works on the ground.
Hell, if you can get enough people to let you watch them work, you just might discover you have social engineering chops.
Once you’ve found the part of infosec that you really think is the cat’s pajamas, that’s the time to study it, do scut-work to gain on-the-job-training, get those certifications, and land that dream job in something you know you find a real challenge.
Good luck, and go get em!