Maybe you've always dreamt of getting into the InfoSec field, and have been thinking about getting into information security for a while, or it's just coming to mind now. Regardless of where you are in your journey, welcome to the InfoSec community! In the words of the great Kung Fu Master, Shifu, “There is no level zero.”
If you’ve seen Kung Fu Panda, you may recall that Po is a panda who eats, sleeps, and breathes Kung Fu, yet finds himself outside that community. He dreams of being a warrior. One day, he sees an opportunity to witness a significant moment in Kung Fu history and so he sets out on his journey. But first, he must climb to the temple. It would have been easy for him to zig-zag his way to the top of the mountain, though it might have taken longer. Instead, he started with the logical place... the stairs - a much shorter path. You too will have to choose your path to awesomeness. Allow me to illuminate the way.
“There is no level zero.”
Find Your Why
Po wanted to be great at Kung Fu purely for the sake of being great. Unfortunately, that probably won’t be enough to sustain you in the InfoSec field. We all have selfish motivations, but they should pale in comparison to the greater good of our community, industry, and humanity. You will meet many who have forgotten that we are doing this for people, not to serve technology. Find your "why", and let it be outside yourself. That motivation will carry you through the many challenges, twists, and turns along the way.
“You will meet many who have forgotten we are doing this for people…”
Take the Shortest Path
The circuitous route is to acquire the necessary skills along whatever path you are on now. Even so, you will at some point have to focus on the particulars of those skill areas and invest in them.
The alternative is the more direct route of certification and/or education. Although it may be more difficult, it will give you a more immediate opportunity. Certifications offer concentrated, focused training in a specific set of topics to support your goals. For example, the SANS Institute and CompTIA have well-planned certification roadmaps. Simply take a look at them, consider your current ability level and pick a certification as a starting point. Another resource is the free site Cybrary.it which hosts training courses in the certification area of your choosing. Don't forget to schedule your exam to give you motivation. Just taking an exam is a learning experience. Here’s a blog on the value of certifications you might want to look at.
A wise mentor once told me that in order to be successful in InfoSec you need strong bases in at least one but preferably two of three areas: development, system administration, or networking. You may, perhaps, choose certifications such as Python and Powershell, A+, NET+, CCNA, Windows, Linux, and others. These may be vendor specific or vendor-agnostic. Employers will prefer a mix of both, depending on their alliances, partnerships, and the technologies that they leverage to deliver their business. Security job postings are an excellent source of this business intelligence.
Regardless of how you choose to invest your time and energy, be certain to focus on fundamentals and work toward talking through the concepts. Job interviews will often include white boarding architecture, security concepts, and troubleshooting scenarios.
“...to be successful in infosec you need strong bases...”
Connect with Others - Mentor and Mentee
Like Po, once you join the community you will encounter practitioners, commentators and others with their own experiences gathered over years, and some of them will be potentially valuable mentors who have years of training and refinement. They may be skeptical at first but let them see your integrity, motivation, and determination. You may occasionally experience some rather *ahem* skeptical colleagues who are not always silent. We (professionals) apologize for them in advance. Ignore them; they are not the Kung Fu Masters whom you seek. That being said, very few of them will be willing to do much hand-holding. They will expect that you are doing your own research. They will also be the ones you call upon when you’re looking for a job, whether it’s planned or unplanned.
Warriors Who Stand on the Shoulders of Legends
Information Security is a specialized field. Some would say it falls within the Information Technology realm, but it has taken on a significant business flavor as companies recognize the risks involved and seek to mitigate them. For a satirical commentary on this, check out the classic (in this author’s opinion) video with AlienVault’s own @J4vv4d “Host Unknown presents: Accepted the Risk.” An ever-increasing ability to be able to express the real-world risks to businesses, individuals, and nations has increasingly become a focus of this industry in order to be relevant to the business.
Technology is changing rapidly, as you know, and with it the InfoSec industry. It must in order to keep astride the changing threat landscape defined by that technology and which attackers hope to exploit. Develop a continual appetite for consuming new thoughts, trends, tools, and research to stay abreast of these changes. The Twitter #InfoSec community is just one thriving example.
Make Your own Dojo
Many have bemoaned the woes of needing a job to get experience and needing experience to secure a job. Fear not! You can and should practice and document your project(s) in a home lab environment. Documentation can come in the form of a blog, vlog, write-up, or analysis of some part of the project you did in your home lab. Then, include it on your resumé & LinkedIn profile and be ready to talk about it.
They say that a journey of a thousand miles begins with a single step. This post is that step.
