Monday, April 05, 2010

The First Steps to a Career in Information Security

Last week I talked to the students of Georgia State University's CIS/InfoSec program about things they should be doing now to prepare for an exciting career in information security. Most of the steps they already knew, so I tried to think of the things that nobody told me in school that really helped me.

Here's my 15-minute presentation to the class. Below that is a summary of the talk and the links that I mentioned.

You need a blog.
A blog is a great way to show your writing ability. It is very important to be able to think about security in an analytical way, and to explain these ideas to others. Starting a blog does not have to be a daily activity, and some bloggers find it easier to team up with a colleague to be co-authors. Students should write about what they learn in class, and what topics they find interesting about security. Later on, you'll want to focus your blog to a more specific area of security, once you learn what you like.

To see examples of very popular security blogs, follow The Security Bloggers Network feed in your RSS reader.

You should be on Twitter.
Every day I see connections being made on Twitter. People in information security are using this forum to talk about relevant issues, ask questions, and make new friends. There are several thousand potential users in the industry you can follow and communicate with. I try to make 5 posts a day, and mostly comment on other Security Twits' conversations.

You can also moderate conversations by starting a hashtag. Security experts @jjx, @catalyst, and I started a Twitter debate about whether people should use passwords for secure logins. Add "#PWalt" to your tweet to be included in the conversation.

If you are looking for people to follow, the Security Twits lists are a good place to start. I also mentioned following @stacythayer to tell her how much you love her mentoring program. Follow @infosecevents to see a complete list of happenings and trainings in the field. @jack_daniel, @sfoak, @billbrenner70, @hypatiadotca, @ax0n, @viss, @pinoles, @ryanlrussell, @ryanaraine, @weldpond, @alexhutton, @georgevhulme, @mmurray, @adamshostack, @armorguy, @jsokoly, @shewfig, @csoandy, and @petermannmc are all on my #FollowFriday list too!

You have to create your own internship.
All of these activities build on each other, but this one is obviously the most important. Getting your feet wet in the "real world" of security is useful for deciding what specific area you want to be in. Security is a very diverse field.

So, right now you probably already know that the career services center has a program to help find students internships. However, if you have seen what they have to offer, and nothing seems right for you, it may be time to create your own internship. These are really the coolest internships anyway, because you leverage your personal network and the activities mentioned above to create a job perfectly suited to you.

You've probably also noticed that there aren't a lot of official security internships out there. In security especially, it is really up to the student to create a curriculum and sell it to the prospective employer. At GSU, this outline and list of objectives is required anyway. This will show your future advisor that you are passionate about security, and willing to go the extra mile.

You want to show the employer that there are things you can do for 3 months that will educate you and not take up too much of the employer's time. Think of projects that will require work on your own. This avoids the trap of getting assigned useless busy work. Since you won't be asking for a paid internship, you shouldn't spend more than 20 hours a week on the job, and your employer shouldn't be expected to spend more than 5 of those hours each week teaching you new things. Shadowing a mentor is great for experience and to make networking connections.

I did my internship at a start-up company, and I have to mention those because I think they are the perfect place for student interns. You feel your contributions making a difference, and nobody has time for busy work. It's a great opportunity if you happen to come across one through your networking.

You must learn to love public speaking.
Public speaking is a skill I use every day. Whether you're the lone security evangelist at your company or you're presenting the results of an assessment to management, good public speaking skills make all the difference. It's important to be comfortable talking about these issues.

Public speaking is also a great way to network. Start attending your local security meetups, and see if you can give a short presentation to these groups. I most frequently attend the Atlanta NAISG group, but there is also OWASP, DC404, and if you can travel there's Security B-Sides events. These groups all have equivalent chapters in most major cities.

Other links.
InfoSecLeaders' Lee Kushner and Mike Murray conducted a 2 year study of information security professionals, and found that security pros with a career plan are 33 percent more likely to earn more than $100,000, and 46 percent more likely to earn more than $120,000. Including the steps in this blog post is a great start for a career plan outline.

Keep in mind the government has criteria for what qualifies as an unpaid internship. Avoid anything that doesn't seem above board. The internship should be "a largely benevolent contribution to the student." The company invests in you now so that after you graduate you will be a better potential candidate.

Other People's Posts on the Topic

"Who to Recruit for Security, How to Get Started, and Career Tracks" by Rich Mogull (@rmogull), with a great comment by Mike Rothman

"I Am InfoSec, and So Can You" by Ben Tomhave (@falconsview)

15 great links to start with and "A Lot of Information Security Career Advice" by Matt Johansen (@mattjay)

"How to Get Started in Information Security, The New School Way" by Adam Shostack reminds us that while self-promotion is good, don't forget to also "Do something useful!"

"How young upstarts can get their big security break in 6 steps" by Bill Brenner (@BillBrenner70)

The proof is in the pudding, folks. "What B-Sides Austin taught me about speaking (and the future of our industry)" by Joseph Sokoly (@JSokoly) on the Security Catalyst website.

"How to Kick Ass in Information Security - Hoff's Spiritually-Enlightened Top Ten Guide to Health, Wealth, and Happiness" by Chris Hoff (@beaker)

"One Man's Life on the Security D-List", interview with Andrew Hay (@andrewsmhay). At Security B-Sides, infosec author Andrew Hay explains the four pillars for moving from the bottom of the IT security shop to a place of respect, and why getting to the A-list isn't all it's cracked up to be.

"Interviewing for Information Security Internships" by Ted at
