The UNSECURITY Podcast – Episode 54 Show Notes

Show notes are almost on time this week! Yay us.

I started writing our show notes on Thursday night in the Salt Lake City airport, and now I’m finishing them on a plane back from LA. Ugh. The life.

This was a crazy week, but what’s new? While Brad’s been bustin’ his tail keeping up with FRSecure’s sales and operations, I’ve been traveling the country on the SecurityStudio Roadshow. My travels this week took me to Rochester (NY), Baltimore (MD – layover), Kansas City (MO), Salt Lake City (UT – layover), Sacramento (CA), and Los Angeles (CA – layover).

I’m supposed to get home late on Friday night. We’ll see. 🙂

If you’d like to follow the SecurityStudio Roadshow, I write a recap every week on my/this site. Keep up with me, and give me some BBQ tips.

I’ve met some amazing people on my travels, and one really cool cat is Kenneth Bechtel. I met Kenneth during week one of the SecurityStudio Roadshow. On week one, John Harmon and I traveled to Harrisburg, Pennsylvania for BSides. I was speaking in a mid-morning session and Kenneth was the keynote speaker.

I have a lot of respect for Kenneth because he’s been at his game for a long time. He’s been doing threat hunting before threat hunting was a thing. Big props to this guy. During our time together at BSides, Kenneth shared his recent troubles finding a job. This bugs me. So, I invited him to be a guest on the podcast.

We’re honored to have him share some of his wisdom. We’ll try to get to the bottom of his job search struggle too.

Special thanks to Brandon Matis for putting together last week’s anniversary show! That couldn’t have been easy.

Pretty sure I’m supposed to lead this episode, so here goes.

My show to lead this week and these are my notes.


SHOW NOTES – Episode 54

Date: Monday, November 18th, 2019

Show Topics:

Our topics this week:

  • What’s up man?
  • Introducing Kenneth Bechtel
    • The earlier days versus today. What’s changed and what’s the same?
    • The (alleged) infosec labor crunch. Kenneth isn’t the first person who’s had trouble finding work. What gives?
  • New show ideas
  • News
Opening

[Evan] Hey UNSECURITY Podcast listeners! This is episode 54, and the date is November 18th, 2019. I’m Evan Francen, and it’s my show this week. Brad’s here with me too. Care to chime in Brad?

[BradYou know he’s got something to say. Probably something good too!

[Evan] Alright, we’ve got another great show planned!

  • Brad and I are going to catchup with our craziness quick.
  • We’re going to get real with a true information security pioneer Kenneth Bechtel. He’s got an incredible amount of wisdom to share and we want to get to the bottom of why people like Kenneth are not getting hired when we have this alleged talent shortage.
  • We’ll talk about an upcoming show idea that we have, then we’ll wrap with some newsy things.

I’m pumped about this show! So, let’s get on with it, eh?

[Brad] Brad’ll agree probably.

[Evan] So, what’s up man?! I’ve been out for the past two weeks preaching to folks everywhere and stuff. I missed you man.

Catchin’ up with Brad (quick)

[Evan] Alright, enough of that. We are excited and honored to have Kenneth Bechtel on the phone, so let’s welcome him. Hi Kenneth.

[Kenneth] He’ll confirm (unless of course we have some tech issue or something).

[Evan] Can’t tell you how grateful and pumped we are to have you on the show! We’re going to get to know each other more, and discuss things. I’d like to start off with you telling us about you, then we can talk about how the industry has evolved, then lastly, let’s discuss this whole infosec talent shortage thing.

I found an old photo of you on your Team Anti-Virus website.

About Kenneth:

I have been actively involved in Anti-Malware defense and research since 1988 at both a corporate and international level, with close ties to the international Anti-Malware efforts and fellow researchers.

In the corporate world, I have worked as both a Virus Laboratory and Field researcher for major organizations, providing expert support for malware outbreaks.

Internationally, I was a Founding Members of AVIEN – Anti-Virus Information Exchange Network, and served as Chairman of its Disciplinary Committee and well as member of the Advisory Board to the Administrator.

I have presented at international conferences, including the Virus Bulletin Conference, at which I am a regular attendee.

My work has been published in trade magazines and specialized websites such as Security Focus.

I have written a handbook on Anti-Virus Security and was one of the co-authors of the AVIEN Malware Defense Guide. 

I am regularly asked to speak at small organization and company conferences and training seminars.

Media requests, Opportunities and general inquiries are welcome at kbechtel@teamanti-virus.org

Discussion with Kenneth Bechtel
  • Introductions
  • The earlier days versus today. What’s changed and what’s the same?
  • The (alleged) infosec labor crunch. Kenneth isn’t the first person who’s had trouble finding work. What gives?
  • Your recent post about your cowboy hat

[Evan] Alright. Let’s see what we can do here to help each other. Kenneth, I sincerely appreciate your tireless work for this industry and for being on our show!

News

[Evan] Some interesting news stories for us to discuss this week. The first one is interesting because we’ve warned about this and sadly things are going to get much worse before they get better.

Closing

[Evan] OK, cool! Episode 54 is a wrap. Thank you again Kenneth for being on our show. I think our discussion will benefit others!

Thank you to our listeners! Keep the questions and feedback coming. We love it, well Brad does, but I don’t. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Kenneth, do you have a way you want people to socialize with you?

Follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies!

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 49 Show Notes

OK, late again. Show notes before the show recording though, so it’s not terrible.

Lately, Brad and I haven’t seen each other much (or at all). I’ve been on the SecurityStudio Roadshow (#S2Roadshow) and Brad’s been swamped running his part of the FRSecure business (solutions development, sales support, innovation, IR support, and Analyst team support, etc.). Brad’s got a lot of stuff!

FRSecure won another award last week, which is super cool! The company was ranked #22 of the 50 fastest growing companies in the Twin Cities! In addition to being the 22nd fastest growing company, FRSecure was also the highest ranked information security consulting company on the list. This is the 3rd consecutive year that FRSecure has made the Fast 50 list, and I AM SUPER PROUD of this team! HUGE CONGRATULATIONS on a great accomplishment! They are all amazing, top to bottom!

When you get out of the way, incredible people to do amazing things. This is how FRSecure works.

Let’s get to some show notes, shall we?


SHOW NOTES – Episode 49

Date: Monday, October 14th, 2019

Show Topics:

Our topics this week:

  • Quick Catch-up/Roadshow Week #2
  • IT Security, Information Security, Cyber Security, and Physical Security
  • Cybersecurity Maturity Model Certification (or “CMMC”)
  • What it takes to do this job
Opening

[Brad] – Hi UNSECURITY Podcast listeners! It’s me, Brad Nigh. This is episode 49 and the date is October 14th. Evan’s here too. Say “hi” Evan.

[Evan] I oblige. I’m nice.

[Brad] It’s been a couple weeks since you and I have been in studio together. Last week, you and John Harmon hosted episode 48 while I was traveling. This week I’m back!

[Evan] It’s good to have you back man! I’m excited to catch-up and record this episode with you!

[Brad] Holy cow, we’ve got a jam-packed show today. Is this what I get for letting you write the show notes?

[Evan] 😉

[Brad] OK, let’s catch-up quick. Let’s chat about the stuff I’ve been up to, and some of the stuff you’ve been up to.

Quick Catch-up/Roadshow Week #2 Discussion

[Brad] Good things. We receive good questions from our listeners each week, and this past week is no exception. There was one question in particular that I wanted to cover with you. It was nice to here that the listener  has adopted our definition of information security in his policies, but he struggling with the term “IT Security”. He’s not alone I guess, because he also provided a link to a CompTIA article titled “What Is the Difference Between IT Security and Cybersecurity?“.

[Evan] Yeah, this can be confusing for some people. Words really do matter, especially when we struggle with using them correctly.

[Brad] The CompTIA article is sort of confusing, as the author covers different approaches to the definitions of IT Security, Information Security, Cyber Security, and Physical Security.

In one diagram, he arranges information security, cyber security, and physical security inside of IT security. In another diagram he drops IT security altogether and puts cyber security and physical security inside of information security. 

He then poses the question “So, which is best? Who is right?”. His answer leaves us hanging and then he a attempts to address whether terminology even matters. Let’s discuss this and address our listener’s question.

IT Security, Information Security, Cyber Security, and Physical Security Discussion

[Brad] Glad we settled it. Maybe we should make a diagram too. Later.

[Evan] Pretty sure we’ve got one or two of these somewhere.

[Brad] Alright. Another listener emailed us this week and asked us about the new(ish) Cybersecurity Maturity Model Certification (“CMMC”). Should we talk about this quick?

[Evan] I’ll agree because I agree.

Quick Cybersecurity Maturity Model Certification Discussion
  • All companies conducting business with the DoD must be certified, regardless of the use/presence of Controlled Unclassified Information (CUI)
  • Initial implementation of the CMMC will only be within the DoD
  • The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity.
  • CMMC is intended to serve as a verification mechanism.
  • CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.
  • accredited and independent third party commercial certification organization to request and schedule your CMMC assessment
  • Some of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
  • Your certification level will be made public
  • The government will determine the appropriate tier, contained in sections L & M of future Request for Proposals
  • On October 3rd, the DoD posted the RFI for the CMMC Accreditation Body.
  • The draft CMMC v0.4 is posted.
  • The draft CMMC v0.6 is expected for public review in November, 2019.
  • Finalization of CMMC v1.0 is expected by January, 2020.

[Brad] Lots to say about that. Last week, you mentioned me in a Twitter conversation you were engaged in. The tweet that started the conversation was “Lol lots of people whining about empathy in infosec this morning… what, are you all on the same sensitive mailing list or something?”

[Evan] Yeah. The author had a point and I thought it could be a good conversation about what it takes to be good at what we do from a slightly different perspective.

Discussion about what it takes to do this job

The Twitter thread:

Continues…

Good stuff to discuss, and shoutout to @c0Bchik for engaging in a discussion.

[Brad] Alright, let’s wrap this up with a few news stories.

News

[Brad] I’ve got three news stories to discuss this week:

Closing

[Brad] There you go, episode 49 is a wrap! Like many of you listening, we’ve got another busy week ahead.

Thank you to our loyal listeners! Thank you for your tips and feedback. Send us your wisdom, questions, advice, whatever, by email to unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen. Also, follow SecurityStudio (@studiosecurity) and the #S2Roadshow hashtag.

That’s it! Talk to you all again next week!

You Want to Get Into Security? – Part 5

This is a five-part series about getting a job, keeping a job, and staying healthy as you progress in your career as an information security professional. There is no one way to do things, rather there are many. I won’t cover all advice, or THE advice, I will offer my advice. Some of the information covered in this series is also found in my book; Unsecurity, chapter 10.

The series consists of the following articles:

This is the fifth and final installment in the series; Staying Healthy. After this I’ll wrap the  entire series together, do some editing, and make this a short ebook for anyone who’s interested.

Staying Healthy – Introduction

Caveat: This is where I’m a hypocrite. I will give advice that I don’t follow myself. The (sad) fact is I’ve established habits (some good and some bad) over the years that have become very ingrained into the way I do things. Throughout this article I will share more about my experiences because it’s what I know best. From these experiences, I will offer advice that you can take or leave. If you can follow the advice in this article, you’ll be healthier.

So many of us are passionate about what we do. We love information security, we love helping people, and we can easily take things too seriously if we’re not careful.

I’ll speak for myself here for a second. I love my job, I love the people I work with everyday, and I love the people I get to serve. All this love makes my job not a job. Sounds great, doesn’t it? Sure. It would be, if I didn’t need sleep, or friends, or family, or exercise, or everything else that makes for a health lifestyle. If I were left to my own devices, you would find me dead behind a keyboard, doing what I’m always doing… work.

Thank God I’m not left to my own devices. I’ve got loving support and accountability, both of which are important to health and longevity. These things have served me well so far as I’ve survived more than 25 years in this industry. It’s not that I’m completely unhealthy, I’m just not as healthy as I should be.

Obviously, I don’t know everyone in our industry, but I can’t help thinking that I’m not all that unique. I think many of us work more hours than we should. I think many of us don’t exercise enough. I think many of us don’t eat as well as we should. I think most of us could use a little more sleep. Fine, but is this a problem?

The Problem

Our jobs come with stress. I don’t think we know if it’s more or less stress than other jobs, but I’m not all that concerned about other jobs. I’m concerned about information security jobs. Here’s some recent news and studies about our stress and health:

CISOs appear to be stressed.

CISO Burnout is Real, Survey Finds –  Based on interviews with 408 CISOs around the world. 1 in 4 CISOs suffer from physical or mental health issues due to stress. A little less tha 1 in 5 turn to alcohol or medication. More than half have trouble turning off work, meaning they’re not able to completely disconnect from work to focus on other things, healthy things.

It’s not just CISOs either. I think all security professionals struggle with stress.

The stress isn’t even isolated to information security professionals. Even the non-professionals are feeling it.

OK, so it looks like there’s plenty of stress to go around, and I don’t think it’s going to get better anytime soon. Two things would be sad to see, two things that I’m hoping you and I will avoid:

  1. Burning out, or leaving our industry because of it’s unhealthy affects.
  2. Sticking it out, not living a life of joy, then retiring in mental or physical pain.

If there’s anything I can do to help you to avoid these things, I’m committed to that!

Support

Sometimes, working as an information security professional is a lonely job. We get so focused in the tasks and challenges we face some days. The tasks and challenges can start to become a part of who we are.

I don’t know about you, but sometimes it’s difficult to pull myself out of the work that I’m doing and get back into other parts of my life. When I get home some days (or nights) and I need to unwind, I don’t know where to share my thoughts or feelings for/from the day. If I do share, I feel like the person I’m sharing with doesn’t understand what it’s really like.

I wonder if other information security professionals feel the same way.

Family

The best support structure we have in our lives is our family. I’m convinced of this. Invest your time, energy, and soul into your family relationships, starting with your spouse/partner, and then your children, if you have them. No matter what you may think, family must come first. In return, you will likely get support beyond anything you deserve.

Note to those who don’t have a family or those with unhealthy family relationships. I have an extra amount of respect for you because I think your road is a little (or a lot) more difficult, and I admire your strength.

I’m not a family or marriage counselor. I only write from my own experiences on this matter. Without the support of my wife and my family, I wouldn’t be close to where I am today. My wife is my greatest cheerleader, and she make’s the stresses of my job melt away (on most days).

I can’t overemphasize the importance of family support.

Mentor

Here’s mention of a mentor again. I’ve mentioned mentorship in at least three of the articles in this series. Mentors are helpful in so many ways, and getting one is well worth your investment of time and energy. I suggest you find one.

Associations and Trade Groups

Advice from someone who has been there before comes with credibility like no other advice can. There’s something that feels good about being with your own kind too. People in good information security associations (or chapters of associations) are a valuable asset and support structure for you as you rise through the ranks. Initially, you may consume more than you give, but in time the tides will shift and it will be your time to give.

Here’s a list of information security associations from Cybersecurity Ventures. Try a couple groups out, if you don’t feel like you’re getting the support you need, try a different one.

Co-workers and Friends

My experiences have varied with confiding in co-workers and friends, and in seeking advice from them about my career. Mileage varies, and the advice falls somewhere between healthy and destructive. Sharing things with co-workers can sometimes lead to gossip and political crap that makes things worse (at least for someone). Friends sometimes just want to have fun, and will have trouble relating to my work life. Use discernment here.

No matter how tough, or how cool you think you are. You need support. Everyone does. The earlier you setup your support structure, the better.

Accountability

Supporting us doesn’t mean cheering us on and making us feel better all the time. The right type of support comes from someone who loves us. It comes from someone who wants what’s best for us. If someone really supports you, or loves you, they’ll always tell you the truth. Sometimes the truth doesn’t feel good, and neither does accountability.

Find support that will tell you the truth and hold you accountable. For me, this starts with my wife. I also have amazing management teams at FRSecure and SecurityStudio who won’t let me stray too far off the path.

Balance

Personally, this is my hardest fight. I am not a person who understands balance very well, if at all. You see, I have an addictive personality. People with addictive personalities struggle with finding balance more than other people do. This was part of what I alluding to when I mentioned earlier that I would work myself into the grave if I was left to my own devices. I am a work addict, and that’s not good. I have my other additions too which just complicates matters. This is another reason why a health support structure (or system) is critical.

Why is balance so important, if it’s not obvious?

There are (at least) two truths here:

  1. Everything in our lives requires some semblance of balance, otherwise everything falls apart.
  2. Everyone has a different balance, so be careful thinking what works for someone else will work for you.

Balance in your life between family, friends, work, play, etc. is healthy. The sooner you find your balance, the better off you will be. Make adjustments here and there, change your schedule until you get it right. Use your support structure to help you along the way.

The fact that your balance isn’t the same as someone else’s balance should come as no surprise to you. Some people are in balance working 40 hours a week, some are in balance working 60. Some people are in balance when they spend entire weekends with their family, while others work some on weekends. Be careful judging others, and be careful not to think that their balance should be yours. Your balance is your balance.

Find balance and stick to it. Don’t let someone else, even your job, disrupt your balance.

Health

Healthy habits do wonders for how you feel and perform. Your mood, your relationships, and your work all benefit greatly. Maintaining your health is important for life, let alone to your job performance and career longevity. For me this is also hard, it’s hard to find time for church, exercise, and rest. Between work, family, friends, and everything else in life, I don’t have any hours left in my week.

There are people who can live a balanced life, accomplish much, and still create the necessary margin to focus on their health. These people are to be admired and emulated to some extent, just not copied. You and I should create margin and make healthy living part of our lives too.

Spiritual

I rely on my faith every day. The name Jesus offends some people, and I’m certainly not out to offend anyone. I’m here to tell you the truth though. Jesus is the CEO of our business, and He has been since the beginning. Without faith, I think I’d be lost. There’s a long story here, but for now, just know that my faith is critical to my sanity and any of the success I enjoy (it’s a gift). When the day has gone to crap and I don’t know where to turn, I can turn to Jesus.

Now you know my faith, but there are many faiths in this world. People who have faith in something or someone larger than themselves, have something special. Genuine faith has a tendency to bring strength beyond your own, peace beyond your understanding, and courage to face battles you never thought possible. Faith also brings you into a family of other believers of the same faith, whatever faith it is you believe in. So, an added benefit to faith often includes a new support group.

Don’t neglect your spiritual health. If you have, make margin and find it (maybe again).

Physical

There are two parts to physical health, diet and exercise. Diet trumps exercise. If you don’t eat well, exercise won’t really matter as much. Slow down, eat healthy. If you need help eating healthy, get help.

Many, or most of us work in an office environment where we sit at a desk all day. This, without the countering effects of physical exercise, comes with some very negative consequences. According to the Mayo Clinic, the consequences “include obesity and a cluster of conditions — increased blood pressure, high blood sugar, excess body fat around the waist and abnormal cholesterol levels — that make up metabolic syndrome. Too much sitting overall and prolonged periods of sitting also seem to increase the risk of death from cardiovascular disease and cancer.”

Sounds pretty serious. There’s good news though. One study of more than one million people found that an hour to an hour and a half of moderately intense physical activity per day can counter the effects of too much sitting. That’s great, but this is another 60+ minutes that we have to find. More balance, and more margin.

If you have the option of working at a standing desk, this will help with the sitting problem . The point is that you and I need exercise to live a healthy life.

Mental

Mental health often comes with a stigma, and that’s very sad. This one hit close to home for me last year, when we lost someone dear to us. His suicide cast a dark cloud on all of us, and we still struggle with it sometimes. He was a good guy with so many good traits and gobs of untapped potential. On the outside, nobody could have guessed there was anything wrong. On the inside, he must have been living a hell that few of us will ever know. We will miss him, and we’ll always live with this feeling that we could have helped if only we would have known.

Here’s the deal. Mental health issues can be complex, and there is no stigma. Even if there were a stigma, who gives a crap?

If you struggle with any mental health issue, there’s a whole army of people who will run to your side and fight alongside you, for you.

If you’re not suffering with any mental health issues yourself, recognize that there are people in your circle who are. Invest in your relationships and get to know the people in your circle. When you see an opportunity to help someone, help someone. Give them love.

Don’t neglect mental health issues. They don’t just go away, and you don’t just buck up. Mental health issues can be treated, but only with treatment. If you’re struggling with your own mental health issues, please get help!

At Work

Work can be healthy or it can be unhealthy. The decision is up to you.

People falsely believe that they work for someone else, when the truth is that you work for you. You make the decision on what your profession will be, where you will work, and who you will work for. Your employer doesn’t do that. If you feel trapped, get yourself out.

I’ve witnessed two ways that work has negatively affected health in employees. One is stress and the other is a toxic work environment. You can do everything right to live a healthy life, but if your work is killing you, it’s killing you. It doesn’t matter what else you do, if you drink poison, you’re going to die.

Stress

The number one unhealthy factor at work for security professionals is stress. Our jobs already come with inherent stress. It’s just the nature of our work. Like I stated earlier, regardless of whether it feels like we live with more stress than other people, this is hard to say. It’s hard to say if our jobs come with any more stress than other peoples’ jobs, say like an accountant or janitor. It depends on the person. I know that I would absolutely stress out if I had to do accounting or clean some of the things janitors do.

I can’t help but wonder how much stress is caused by the person who’s stressed or by a person’s ability to cope with it.

Stressful situations affect different people in different ways. What makes one person stressed out can have little or no effect on others. It doesn’t mean that there’s something wrong with one person, it just means that they’re different people. If you’re stressed at work, don’t let it continue. Look for the source and talk to someone about it. If you find the source, and it’s addressable, address it. If you can’t find the source, or can’t find relief, give serious consideration to getting out of the environment you’re in and finding a new job or a new profession.

Maybe the environment you work in doesn’t jibe with you. Maybe the culture is counter to what you believe it, even if it’s not overtly expressed, you can feel it. Maybe you’re not made for the job you do. Maybe this career isn’t the right career for you. Nobody will know the answers like you can. Tap into your support structure for help. Living through a long career, laden with stress, will take it’s toll on you and your family, and I don’t think it’s worth it.

Pro tip: Slow down.

Toxic Work Environment

Studies have shown that working in a toxic environment will negatively affect your mental health. I had a job like this once. Thank God I was able to leave after ten months, even though it felt like an eternity. These were ten of the hardest months of my life, and I wasn’t the only one who noticed. My wife could tell that I was depressed and she knew the source. I’m grateful that I had good support and other options. You can have these things too with a good support, a little creativity and some work.

If you can’t change toxic work environment you’re in, which is unlikely, then leave. Staying, even for a boatload of money, isn’t worth it. Especially when you consider that many of us possess skills that are in high demand elsewhere.

Summary

The information security industry is like no other, but it’s a great industry. Sure it’s a broken industry, but it will become more functional over time. Despite our brokenness, this is a wonderful industry filled with AMAZING people. The good people in our industry are my brothers and sisters. We fight every day to make the world a little better that it was the day before. I’m grateful for the men and women in this industry.

If you want to get into this industry, do it. If you’ve got the intangibles, we welcome you with open arms. I hope you found use in this series, and I’d love to hear your thoughts. Comment below or use the contact page to get in touch.

My best wishes for you!

You Want to Get Into Security? – Part 4

This is a five-part series about getting a job, keeping a job, and staying healthy as you progress in your career as an information security professional. There is no one way to do things, rather there are many. I won’t cover all advice, or THE advice, I will offer my advice. Some of the information covered in this series is also found in my book; Unsecurity, chapter 10.

The series consists of the following articles:

This is the fourth installment in the aforementioned series; Becoming Good.

Becoming Good – Introduction

Assuming that we’re progressing through this series in order, maybe you’ve landed your first job! Your first gig! Good for you!

If you’re like most* of us, you’re going to progress in your career. Some will progress because it’s just the natural thing as a function of time and opportunity. Some will progress because they deserve it, because they’re damn good at what they do!

It’s one thing to be an information security professional, it’s an entirely different thing to be a good information security professional. I say “professional” because we get paid, and I also use it as a generic term to apply to all the various types of jobs we do in this industry. Here’s a small sampling:

  • Chief Information Security Officer
  • Chief Risk Officer
  • Penetration Tester
  • Security Researcher
  • IT Security Engineer
  • Information Assurance Analyst
  • Security Systems Administrator
  • Senior IT Security Consultant

Every position in our industry, plays a specific role in an organization and comes with specific responsibilities. The specific responsibilities may not be documented (different issue), but that doesn’t mean they don’t exist. They exist, and they’re not the same from position to position. Each role in information security requires the mastery of certain skills.

Is skills all it takes to be “good” though? The answer is NO. There’s more to it than that. Read on.

*NOTE – I use the word “most” because it’s generic. This means there are exceptions. Some (the leftovers from most) people have no desire to take on additional responsibilities in their career, they’re content right where they are. Perhaps they’ve reached the top, maybe they’re just OK with their place in the middle, or at the bottom somewhere. If you haven’t reached your potential, it’s sad to leave so much more untapped potential.

Not Good? – You’re A Problem

When you’re not good at your job, there’s a good chance someone else, or many someone elses, pay the price to compensate for your lack of goodness. Sure, information security is about managing risk, not eliminating it, but your lack of “good” leads to poor risk management, and that costs someone something.

You see, information security isn’t as much about information or security as it is about people. It’s always been about people and it will always be about people. The more you and I suck at our jobs, the more people suffer for it. Sure, we can’t eliminate suffering, but we can do our best we can to make it less likely and less impactful*. If nobody suffered, there wouldn’t ever be a need for what we do.

The less good you are, the more people will suffer (in general).

*Less likely and less impactful ring a bell? That’s risk. The likelihood of something bad happening and the impact if it did. That’s the layman’s definition of risk.

If you’ve been around long enough, you can thinks of dozens, even hundreds of examples where bad advice was given, and an organization suffered for it, and through that, customers also suffered (eventually). If you haven’t been around long enough, here’s a quick example off the top of my head:

You advise an organization to buy an SIEM solution because monitoring and alerting is a good thing to do. They spend $100K+ on the SIEM and struggle over the next 6-12 months to get it working right (operationally). Great. They don’t patch and they have no asset inventory. Two questions then, 1) was SIEM the best place to spend the $100K+, meaning was it the most significant risk, and 2) how effective do you think the SIEM is going to be when the company doesn’t even know what assets they need to protect?

Was there more harm done than good? The devil’s in the details, but yes. There was more harm than good. Money is a limited resource and constraint; therefore, it must be spent wisely. The money spent on SIEM should have been better spent on the organization’s most significant risk(s), not on a technology because it’s “a good thing to do”. The most significant risk still exists, and customers are still more likely to suffer for it.

Simplified example, but you get the gist. Good intentioned security professionals aren’t aware of the harm they cause sometimes, and this might be most obvious in the rapid growth in consulting.

Dangerous Consultants

We see them all the time, and they come in all shapes. Some are really good people with great intentions to make a difference. Some consultants are people a little less virtuous, wanting to make as much money as possible, regardless of who they help or harm. Both types of consultants can be dangerous if they’re not good. That’s the simple truth.

Read some books, passed some tests, bought a laptop, and setup a Web site. You are now an information security consultant! You’re smart. You have the best intentions. You’re likeable, and you’re inexpensive. You’re ready to advise organizations on what they should do to secure their livelihoods, right?

Mmmm. Maybe, but God I hope not.

There’s more to being good, than that. It takes more than skills and more than good intentions. More than reading books, and more than passing tests. Smart helps, but there’s still something missing.

If you’re going to be a consultant, get good first. Please.

It’s easy to convince someone who’s more ignorant than yourself that you’re an expert. Use buzzwords, look confident, talk fast, and you’re well on your way. But you’re not good (yet).

  • Good consultants don’t need buzzwords, they can explain things in plain English so that others can learn and apply concepts.
  • Good consultants are confident when they’re doing what they’re good at. A good consultant will admit when they’re not good at something, but they usually know someone who is.
  • Good consultants talk at the pace of their audience. They’re not only good information security professionals, they’re also good communicators.

I could write all day about good versus bad consultants. Probably gone too far already.

What about you? Are you already good? We’ll see. Let’s explore how to get good!

How to Get Good

One more thing before we dig in. Are you a sports person? If you are, you’ll get this a little better than those who aren’t. In sports (depending on the sport), there are players, coaches, and player/coaches. Players perform on the field, or behind the keyboard, or wherever the game is being played. Coaches mentor, teach, lead, and prepare their players for the game. Player/coaches do both; they’re typically really good coaches, but they don’t play as much as they used to.

I say these things because I’m a player/coach. I don’t play nearly as much or as well as I used to. It’s important for you to know that as you consider my advice.

I assume you’re here because you want to get good. So what does it take to be a good information security professional, or good at anything really? Like most things in information security, the concept is simple, but the application is hard. There are three simple ingredients; intangibles, education, and experience. Anything else is icing on the cake.

F26C0863-3086-48F9-AD47-8810E3EAD0B7

These things (or ingredients) are in the book, they were in a recent tweet (above), and they’re also here. Consistent message from me because it’s truth.

Words of caution…

It’s important that you don’t rush things. There’s enough stress in most information security jobs, and I highly recommend that you refrain from adding the stress of trying to outperform yourself. Take your time, keep moving forward, don’t take shortcuts, and you’ll be fine. I know there’s lots of opportunity out there, and I know there’s a ton of money to be made, but my best advice is DON’T RUSH. The opportunity and money will come, and you’ll be healthier for it, if you do things the right way.

Intangibles

You might recall that I also covered intangibles in the second article of this series (The Right Person). Intangibles are things that can’t be taught. You either have them or you don’t. There are moral intangibles, like the ones covered in the previous article, and their are gifts (sometimes called natural talent).

Some people are just gifted for certain things while others are not. Do what you can to find your gifts or strengths early and often. The sooner you understand what you’re gifted for, the sooner you’ll find what you’ve been built for. The information security field is broad enough to accommodate a wide variety of gifts, so don’t fret about that.

Get honest with yourself and discover what you’ve been built for, but how?

I don’t think that there is any one way that works best for everyone. Meditation works great for some, but not others. Faith works well for some, but not others. Therapy and/or counseling works well for some, but not others. I’ll share what works for me, but let me remind you that you may not get the same results. I find my honesty and gifts through faith, and I found good value in a book called StrengthsFinder. My faith provided a foundation, while StengthsFinder led me to what I’m naturally good at.

Find what your gifts are and keep seeking. No matter how good you get at knowing yourself and your gifts, you’ll still need to engage in some gotrial and error. You will learn what your gifted for over time (if you focus on it), but you’ll need to find the courage to act.

Education

I include skills with, or under, education. There are millions of opportunities to educate yourself. Some people prefer a formal college degree, some don’t. Some people prefer certifications, some don’t. Some like books, some like instructor-led courses, some prefer video. Whatever method of education works best for you, do it. Then keep doing it. You will never learn everything there is to know. Learning is awesome. DON’T EVER STOP LEARNING.

If you stop learning, you die. At least your career does.

Find the learning resources that work best for you. If you recall, I shared some learning resources in a previous article too. One learning opportunity that I invite you to personally is the FRSecure CISSP Mentor Program. It’s free, and it’s a great opportunity to  learn (and share).

Experience

This is the one ingredient that I see new information security professionals struggle with the most. It’s because this is the one ingredient that takes the most patience. People who de-emphasize the value of experience are some of the most dangerous information security people in our industry. Without experience, we lack the street smarts to know how things will really (or actually) work. Education and skills will teach us how to do stuff, but we won’t learn all the circumstances, context, and oops’ unless we’ve done it before (or been with/witnessed someone else who did).

The experience catch-22. You need experience to do something (or progress in your career), but the only way you’ll get experience is by doing the something. The experience catch-22 sucks, doesn’t it? Here are some suggestions to overcome:

  • You might need a mentor to take you under his/her wings a little.
  • Sometimes we have to take calculated risks, like doing something that we’ve never done before, but doing it in a way that will be calculated and not reckless.
  • Hate to admit it, but sometimes we (hopefully slightly) fake it until we make it too.

Combatting the experience catch-22 isn’t easy, but you can find your way over it (or around it) if your focused and determined.

Wrapping This Up

That’s it. Want to get good? Focus on you. Work on what you’re gifted at, get educated, get out there and take your lumps in the real-world. If you lack experience in something that you need experience in, go get the experience, even if it means a different job. At the end of the day, you work for you (ahead of your company).

Whatever you do, don’t ever try to be someone you’re not. You will fail, and you will fail those who believed in you.

We’ll wrap up this series in our next article. Once that article is complete, we’ll compile this series into a small ebook for you and anyone else who liked it.

You Want to Get Into Security? – Part 3

This is a five-part series about getting and keeping job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.

The series consists of the following articles:

This is the third installment in the aforementioned series; Landing Your First Job.

Landing Your First Job – Introduction

I have to admit, it’s been a very long time since I landed my first information security job, and it’s been more than 10 years since I’ve hunted for any job at all. This means that my advice will come from somebody who hires more than it will as someone who’s looking for a job. I think the advice is still valid, but you can judge for yourself.

My first information security job came in the early 1990s. I had the pleasure of cleaning boot sector viruses off thousands of Windows 3.0 and 3.1 computers. Back then, information security wasn’t really a thing like it is today. Even though there are more information security jobs today then there were then, I think it’s harder to get jobs now for some reason. Probably unrealistic expectations. Anyway, it’s not easy for most people to land their first information security job.

In this article I’ll give you some tips that I hope will help you get your first information security job.

Matchmaking

Getting a job is like finding a girlfriend or boyfriend on a matchmaking site. People post a profile of themselves and all the things they’re looking for in a mate. Then there’s other people who also post a profile, but they’re more active in looking for a date. These people browse profiles, sometimes for hours, looking for the right person to contact. In our analogy, the first person is the company or recruiter, and the second person is the one looking for a job.

The first objective is to get a date with someone. The ultimate objective is to go steady, or enter into a committed relationship. Dates are interviews and going steady is landing the job.

A match isn’t likely to happen if either party has unrealistic expectations. Not all jobs are like an exceptionally attractive European noble with billions of dollars and a love for puppies. You might want a unicorn job, and the hiring organization might want a unicorn to work for them, but these things are extremely rare for someone who’s new to this industry. Keep your expectations in check.

The matchmaking analogy applies best to using job sites like Google, Indeed, Monster and others. As we’ll see, this is only one way you can go about finding a date, and it might not be the best.

Getting a Date

When you’re trying to get a date, you don’t want a date with just anyone do you? Hopefully not. We want to find the right person, the right job. Hopefully, you’ve done some research and prepared yourself for the job market as we outlined in our previous article. If you did the research, you’ve probably found some good job sites .

Where to find dates

There are many ways and places to land a date, and there are many places you can go to try to find an interview. Depending upon your specific circumstances and your specific preferences, choose the right path or paths for you. Here are ways people find us at FRSecure and where we might find you too:

Internships

Internships aren’t for everyone because they don’t usually pay well, if at all. Internships come in all forms. Some are paid, some are not, some require experience, some do not. Paid internships can be a challenge to find, but they’re out there. Unpaid internships are a little easier to find. A simple Google search for “where to find information security internships” will produce many leads for you; however, the best way to find an internship is through someone you know. Ask around.

‘Most large organizations with security teams and information security companies offer internships. Contact them directly and inquire. This will give you more control and might land you an opportunity with a company you like more.

Job Sites

Using a job site is fast and easy. It should be included in your strategy, but I caution against using job sites as your sole source for dates/interviews. These are some of the job sites you might want to check out:

  • Google – Google integrated with ZipRecruiter in 2017 and produces pretty good results. Just type a job title and the word “jobs” into Google search.
  • LinkedIn Jobs – There are plenty of jobs and some good job seeking advice on LinkedIn. You will probably want to use LinkedIn for yourself anyway as you build your career, it’s a well known and heavily used networking tool.
  • Indeed – A clean, quality job site.
  • Monster – A job site that has been around for a long time (1994). It’s still a quality site, even though it’s not as dominant as it used to be.
  • ZipRecruiter – A very popular job site, and probably one of the fastest growing.
  • CareerBuilding – A popular job site, but not one of my favorites. I have no objective reason for this site not being one of my favorites though, it just isn’t.

These are the major job sites that I know of. Whatever site(s) you use, be sure to document what jobs you’ve applied to and keep track of any/all responses. It probably doesn’t reflect very well if you apply to the same job multiple times through multiple sites.

Networking

Networking is difficult for some people because they don’t feel confident or comfortable in groups or crowds. I get it. I’m one of those people. Go to local information security events, meetups, chapter meetings, etc. to meet new people. You can network with anybody, and they don’t have to be security people. If you get good at networking, you’ll find that most people know a security person that they can put you in touch with. Getting referrals or door openers is a differentiator that could work in your favor.

Mentor

Mentors are great for many things, helping you land a job is just one of those things. Mentors will help you prep for interviews and offer wisdom throughout your career too. Everyone should have a mentor, no matter where you’re at in your career. My mentor and I met in 1995. He was my boss when I worked for Jasc Software (known for Paint Shop Pro). We’ve both moved on in our careers, but we still have a standing coffee meeting every Friday, and his support has been instrumental in my success.

Finding a mentor isn’t easy. You’ll have to take a risk and ask someone, and they might say no. A mentor could be a teacher you had in school, a boss you admire (like my mentor), a friend you respect, a family member, someone from church, or anyone in between. I suggest that you write down the names of five to ten people you respect and admire, then go ask them if they’d be willing to be your mentor. If you strike out, do some online searches for mentorship programs. They come and go all the time.

Once you feel you’re ready, be sure to return the favor by becoming a mentor for someone else.

Local Community Events

There are groups of information security people meeting all over the place, all the time. Chances are very good that there are information security groups meeting regularly in your area. These are great places to meet and learn from other information security professionals. Building relationships with others will create a wonderful support group for yourself and open doors to all sorts of opportunities, including jobs.

Where I live, in Minneapolis, there are more than fifteen information security-related groups that meet regularly. This means that I could conceivably attend fifteen or more events every month, and meet hundreds of other security professionals. Pure gold!

92A2F78B-DF88-4665-BD99-F7758134AB53

A simple search on meetup.com, will probably produce some good leads for you. The Information Systems Security Association (ISSA) has local chapters all over the world, and they welcome new visitors. Other organizations that have local chapters all over the United States (and maybe the world) include the Information Systems Audit and Control Association (ISACA), InfraGard, and the International Information Systems Security Certification Consortium (ISC2). Check them out, it’s worth it.

Prep for Dating

Alright, hopefully you’ve got some good leads now. You have a solid resume, right? If you don’t, get one.

Need help? Start with a sample resume. You can ask for one from a friend or see if you like one of these free online samples:

Now you need to plug your information into the sample/template resume. If you don’t have any experience, you might not have much to put down. Don’t let that discourage you. There are companies who put a high price on intangibles. Take where I work for example, we always hire for the intangibles first. Intangibles are the things that align with our core values, which were covered previously in Part 2.

Think we’re the only company who does this? Think again. Just last week (2/21/19) I had the honor of moderating a panel of amazing female security experts for an AnitaB.org event at the University of Minnesota. AnitaB.org is a great organization supporting women in technology. One of the questions for the panel was “What skill sets would you look for in your team?” Each of the panelists gave their answer, but none of the answers had anything to do with technology skills. All the answers were about the intangibles! Good validation for what we already knew.

Fill your resume with information about you, focusing on how you will help your employer. Include your community work (if you have any) and be sure to list these groups you’ve been attending (see above). I used to customize my resume for each job that I applied for. This would ensure that my tangible and intangible skills would align perfectly with what they were looking for

Additional tips for writing a good resume can be found online:

Above all, be sure that the resume is true to who you are. We want a company to like you for you.

Your Best Face

Alright, you got a date?!

You want to be you, but you also want to be a good fit for the culture of the organization. If you haven’t already, now’s the time to do some research. Find out everything you can about the organization and about their culture. Find out how they dress, because you don’t want to overdress or underdress for the interview. Find out what they believe in, because you’ll want to validate and compliment their mission. Find out about their successes, because you’ll want to acknowledge them and verbalize your commitment to helping them get more similar successes.

Put the address for the interview into a mapping application days before your interview. Figure out your route and how long it will take you to get there. If you don’t feel comfortable with the drive, make the drive yourself a day or two before your interview.

Get to the interview at least 15 minutes early.

Eat something reasonable before you go to the interview. Pee before you get there.

The best advice I can give you in preparing for an interview is to be you. Don’t try to BS or be somebody you’re not. The person your interviewing with will probably see through your ruse, and if they don’t, you can’t feel good about starting your relationship being somebody you’re not.

Making a Commitment

You had an interview or two, or twenty. Now you get an actual job offer! Somebody wants to go steady. Yay you! Now you need to make a choice, do you take it or not? This is gut check time. My suggestion is to not take any job that you can’t commit to for at least two years, and ideally five years. Ask yourself if you could see yourself with this organization for two years or more. If the answer is no, I would say no to the offer. This takes a certain amount of discipline, and your circumstances may not permit any choosiness. Most people would take the offer anyway

The reason why I suggest staying with an organization for two years or more is because it validates your intangibles. It shows that you take commitment seriously, you are loyal, and you understand that you can’t rush experience.

You may decide to negotiate your offer, but if you’re new to the industry, you probably don’t have much to negotiate with. I’d advise against much, if any negotiation.

CONGRATS on the offer and the new job (hopefully)!

Conclusion

Getting your first job in this industry isn’t as easy as some people think. You need to work at it and you need to be creative. Make friends, make connections, and earn a good reputation. Take a pragmatic and formal approach to the process, after all, you are working for you!

Now that you landed your first information security job, how are you going to become a good (and ever-improving) information security expert?

BONUS: What is an “expert” anyway? This was a question that Brad Nigh (co-host of the UNSECURITY Podcast) asked me today during our recording of episode 16 (available 2/25). Comment below. No Googling or official definitions allowed. 😉

You Want to Get Into Security? – Part 2

This is a five-part series about getting and keeping job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.

The series consists of the following articles:

The Right Person – Introduction

In the last article, we concluded that there is plenty of opportunity in the information security industry, especially for jobs. The job market looks good far into the future.

Great, now what? There are two types of people asking this question, maybe three:

  • People working in the industry who want a change.
  • People not working the industry who want to explore the possibility.
  • People who don’t care one way of the other about #1 or #2.

Type 1: You might find this article interesting, but I’m not writing it specifically for you. You’ll find more benefit in the fourth and fifth articles of this series; “Becoming Good” and “Staying Healthy”.

Type 2: This is your article. I’m writing this for you, giving you the best advice I can.

Type 3: You should care. You’re either missing out on a possible opportunity for you and your family, or you know someone who could use some advice. People who don’t care about things seem like miserable people to me.

There. I’ve explicitly defined the audience and set expectations. Now, let’s get on with it. Back to our question, now what?

The ‘Now What’

If you’re still reading, you must be interested in getting an information security job, or you know someone who is. The first thing you should know is what it takes to be a security person. There are common traits that good security people have.  Rather than trying to build specific security skills, first focus on the traits you possess that will translate well into security roles.

Please don’t overlook these traits or take them for granted. They’re very important.

I’ll share the approach we use at FRSecure because it’s what I know best and it’s served us very well over the past 10 years.

FRSecure’s Approach

We hire for the intangibles, the things we can’t teach. As a business, there are three things that we must establish with each one our customers before we ever do work with them, and these three things translate directly to our Security Analysts who do all our work:

  1. Trust – People trust us and we must never betray their trust. Are you trustworthy? Do you consistently do what you say you’re going to do? Can people count on you? Do you put other people’s best interests above your own? (very important for consulting)
  2. Credibility – Directly related to trust, are you believable? Credible doesn’t mean you know everything, but it does mean that you know what you know and you’re willing to stand by your words and actions.
  3. Likeability – Nobody wants to work with a jerk, not co-workers and certainly not clients. Are you pleasant, friendly, and easy to like?

You must do well in these three things if you want to work here. Next comes our non-negotiable core values:

  • We tell the truth.
  • We are collaborative.
  • We are supportive and driven to serve.
  • We do whatever it takes.
  • We are committed to constant improvement.
  • We have balance. We work hard and play hard.
  • We all buy in to who we are, what we do, and where we’re going.

The non-negotiable traits that make people a good fit here are; truth, collaboration, support, service, doing, commitment, consistency, improvement, balance, and being bought in. These aren’t traits that we negotiate on, we live up to these values always.

Other bonus traits that work:

  • Humble – The best information security professionals are humble people who are willing to help others. Ego takes a back seat to building others up. If you’re full of pride and you like to feed your ego, please (for the sake of all of us) don’t become a security professional, you’ll just make everyone’s job more difficult.
  • Learner – You will never learn everything there is to learn about information security, and things change very fast. If you don’t like to learn, you’re probably not going to make it far.
  • Persistent – I swear I’ve said the same things a million times, and many of the things that I say today, I said 20 years ago. People are slowly getting some of the things we’ve been preaching for years. Persistence will serve you well in all sorts of problem-solving scenarios.
  • Aware – Another word for this would be perceptive.
  • Logical – There are reasons for just about everything. You’ll need to use logic often. Computers and other digital things are discrete, meaning everything is on or off, a one or a zero. Things can get confusing when there are millions of ones and zeros because what was black and white becomes gray. No matter, there’s logic in all of it. Human beings are a different case altogether, they’re analog.
  • Moral – You must be able to discern right from wrong, always. Integrity is a very big deal, do wrong, and you could ruin your career.
  • Comfortable with discomfort – Most information security experts are always in some degree of discomfort. If you can’t get comfortable being uncomfortable, you’ll be less happy in this business.

Love People

My favorite trait in a good security person is their love of people. The best information security professionals know that information security isn’t as much about information or security as it is about people. People from all walks, all faiths, all colors, all genders, etc., etc. Information security doesn’t discriminate, neither should it’s professionals.

If you don’t have these traits, we probably don’t want to hire you. If you do, then start researching job roles.

Job Roles

You read previously that there were more than 800 variations of different job titles in our industry. Not to make this any more overwhelming, but there are 1,000s of variations of job roles and responsibilities to fit these job titles. Start researching the roles that seem interesting to you and take note of educational and skill requirements. Keep researching until you feel comfortable and convinced about where you want to take your security journey. Research entry-level positions and research expert-level positions. See if you can draw out your career path for yourself beyond landing your first security job. Just because you draw it out doesn’t mean you can’t change it later, after you know more.

Places to review information security job roles, education, and skills:

  • LinkedIn – the site (or the app) has really good search filters, so you can look by experience level, location, type, and several other criteria.
  • Google – Google has a nice search function, with many filtering options, built right into the search engine. Just Google “information security jobs’ and you’ll see what I mean.
  • Indeed.com – A solid job site with many options.
  • CareerBuilder – Another pretty good site.

Keep researching until you feel like you know what want, or at least you think you know what you want. If you get it wrong, not a huge deal. Like most things, you can adjust later.

Bonus: A Mentor

Navigating the waters of the information security industry is always better with someone who’s been there, done that. If you know someone who’s been in the industry for a while, ask them if they’d be willing to be a mentor for you. If you don’t know anyone, ask around. If that still doesn’t yield any results, you can try other resources like your local Information Systems Security Association (ISSA) or International Information Systems Security Certification Consortium (ISC2) chapter. There are always good and helpful security pros at the chapter meetings. Another resource that I just ran across recently is MentorCruise. I’ve never used this service before, and I don’t personally know anyone who has. I can’t really recommend it, but I can’t not recommend it either. Worth checking out.

A good mentor makes a big difference. I’ve always had a mentor.

Skills

Now you know what traits are important (sort of), you know what role you want (sort of), and you know what skills you need (sort of). You won’t be certain of any of these things until you get going, if ever.

You don’t have to be a technical genius to get a security job. You don’t even need have strong technical skills. Some people disagree with me on this, but it’s usually because we’re not saying the same thing. Let me explain.

People who are new to our industry, and even some who are already in our industry, are easily confused by the words and terms that we use. Don’t let the confusion lead to intimidation and don’t become too easily discouraged. Take the terms “information security” and “cybersecurity” for instance.

Information Security and Cybersecurity

You will encounter times when the term information security and the word cybersecurity are used interchangeably. They are two different things, and this is important to know. Information security deals with administrative (people and process), physical and technical controls (or safeguards), whereas cybersecurity only deals with technical controls. Further proof of this is the definition of the word “cyber” by itself:

relating to electronic communication networks and virtual reality.

So, when I say you don’t need to be a technical genius, I’m talking about for the information security field. Cybersecurity jobs are ones where more technical acumen is required. It’s important for you to understand this. The misconception that you must be a “techie” or a “geek” to get into this industry is false and shuts the door on good people. There are many jobs in our industry that don’t require an in depth, expert-level understanding of technology. Having said that, you will need to learn basic technical concepts.

The advice I received from my mentor when I first started out in technology (before information security was formally a thing) was to read anything and everything I could get my hands on about the subjects I was interested in. This is good advice.

My advice to you is to follow industry news, read books, take courses, and learn everything you can. Learn, learn, learn, but DON’T RUSH. Rushing yourself creates undue pressure and steals the enjoyment. Everyone has their own healthy pace. Find yours and commit to it.

Resources

Here are some resources that I use, or have used in the past. This is not an all-inclusive list, so don’t get bent out of shape if your favorite isn’t listed, OK?

Industry News Sources

Books

Courses (FREE)

Conclusion

The order you go in, and the specific path you take will be up to you. There is no one way. You’ll notice that I didn’t mention degree programs in this article. This doesn’t mean that I don’t believe in them. Most degree programs have job placement and job assistance services included; therefore, many of these students will get what they need to land a job. Although degree programs are good, you don’t have to have a cybersecurity or information security degree to get a job with us.

If you want to get a job in the information security industry, you can. I hope you have the right traits, and I hope you’ll help fix problems in our industry and won’t add to them. Many of us who work in this industry take our jobs very seriously and we welcome new recruits. Don’t take shortcuts and do the right thing (always), and you’ll do great. If you run into a jerk along the way, ignore them. They’ve got personal problems that you won’t be able to solve anyway.

Good Luck! Next is Landing Your First Job.

You Want to Get Into Security? – Part 1

This is a five-part series about getting and keeping job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.

The series consists of the following articles:

Abundance of Opportunity – Introduction

First, a little background.

1992. That was the year I started my career in information security. We didn’t really call it information security back then, but it’s (mostly) what it was. There didn’t seem to be much specialization then. Most of us just did what had to be done to keep the business running. Certifications weren’t very popular yet, and there wasn’t a call for security-certified personnel. The first Microsoft Certified Systems Engineers (MCSEs) were named in 1993, and so were the first Certified Information Systems Security Professional’s (CISSPs). The information security industry was just starting to become a mainstream thing.

Today the information security industry is still young and relatively immature. This is especially true when we compare it with other service-related industries. For instance, the American Institute of Certified Public Accountants (AICPA) traces its roots back to 1887, and the American Bar Association was founded in 1878.

The information security industry is also complex. With each passing day, the industry seems to grow in it’s complexity, which is sad because I’m a firm believer that complexity is the enemy of security. The complexity leads to confusion. In fact, confusion reigns. It reigns despite the fact that some among us are too proud to admit it. The confusion creates chaos, and out of the chaos comes opportunity. Opportunities for investors, security product peddlers, consulting companies, and many others.

One opportunity in particular, and the one that we’re most interested in here, is the abundance of well-paying jobs. Like, lots of jobs.

Information security professionals, people like me, are in very high demand. Jobs are everywhere (for certain disciplines), the money is good, and future employment prospects are sky-high. A very frequent question that I get is, “How can I get an information security job?”. I could just tell you what I think, but I would be remiss if I didn’t put things into context for you.

Before you start enrolling in classes, updating your resume, and applying for jobs, you should know more about what you could be getting yourself into. One central theme throughout this series is to slow down. Don’t rush things.

Abundance of Opportunity.

When some people hear the word “opportunity”, they rush head on. They’ll rush without even knowing what the opportunity is. If you’re considering a new career in information security, or a career change, you should know more about the opportunities. If I were you, I’d be asking a few questions.first.

How much opportunity is there?

Do some research! Wait a second. Did you want me to do this for you?!

Fine. Here’s what I’ve found.

There’s a general consensus that the informations security industry is very talent poor, meaning that we’re hurting for more information security professionals. There are thousands of information security positions open right now. In fact, Cyber Seek estimates that there are 315,735 open positions in the United States alone. Here are some additional details about our talent shortage:

Seems like there are plenty of job openings, so that shouldn’t be a problem. Basic supply and demand would indicate that the pay must be pretty good then. It is.

*NOTE: The CISO position is the top of the corporate ladder for information security professionals. Two things to think about. First, you may choose a path of specialization in our industry and never become a CISO. This is not necessarily a career-limiting decision. There are non-CISOs that I know personally who have a tremendous impact and make more salary than the range cited above. Second, it takes a while (or should) to become a CISO. If you’re newly employed in this industry, it may take you more than 10 years to earn such a role. Keyword is “earn”. Please don’t take a role that you haven’t earned. Doing so hurts your career, your employer, and the rest of us in this industry. Wishful thinking…

Here’s another thing that I’ve learned about jobs in our industry, job titles matter. Not only do titles matter, there are a ton of them to choose from. In 2015, Lenny Zeltser identified 822 variations of information security job titles. This is probably a function of the industry’s immaturity and complexity. The job title you target or obtain will likely matter though. According to Nate Swanner at Dice.com, “If you want a decent cyber security salary, presenting yourself as an ‘engineer’ is your best bet: It’s a title that tends to pay on the higher end of the tech pro salary spectrum.”

If salary is your thing, there’s another factor to consider. Location. Some metro areas have a higher demand for security talent and some metro areas have a higher cost of living. Two important factors to consider. The metro areas with the highest paying information security jobs are Charlotte, North Carolina, Chicago, Illinois, and San Francisco, California. 

The graphic below is taken from the Cyber Seek website, and it shows the talent demand on a state-by-state basis.

6C3B2611-D130-486B-B236-49339BC3C684

To summarize, there are opportunities just about everywhere. More experience will mean more pay. Physical location and job titles should be taken into consideration too because certain locations and certain titles might mean more opportunity and/or salary.

If you have no experience, you might not have much choice in job title, location or pay. You will probably have to take what you can get. The information that I’ve presented to you thus far should be considered as you decide what path you’ll take in your information security career journey. It’s exciting to be someone who’s just starting out because you’ll have so many options along the way!

What’s the starting salary, and can I afford it?

This will depend on some additional factors such as how much (if any) experience you have, your education level, the type of organization that you choose to work for, and the industry your potential employer operates within. In general, the entry-level salary range is $38,000 – $68,000 for someone with no experience and without a degree. That’s a wide range because there are a wide range of different opportunities available.

The entry-level salary range for someone who has a few security skills (but not much) and a Bachelors degree is $49,214 – $92,285, with a median of $65,338. Again, this is a wide range for the same reason that I cited previously.  If you have more experience and/or education, you might expect more salary.

Now that you know more about the abundance of opportunity, we’ll get honest with ourselves and see if you’re the right person for the job. We’ll tackle this in the next article. Coming soon!