This is a five-part series about getting and keeping a job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.
The series consists of the following articles:
The Right Person – Introduction
In the last article, we concluded that there is plenty of opportunity in the information security industry, especially for jobs. The job market looks good far into the future.
Great, now what? There are two types of people asking this question, maybe three:
- People working in the industry who want a change.
- People not working in the industry who want to explore the possibility.
- People who don’t care one way or the other about #1 or #2.
Type 1: You might find this article interesting, but I’m not writing it specifically for you. You’ll find more benefit in the fourth and fifth articles of this series: “Becoming Good” and “Staying Healthy”.
Type 2: This is your article. I’m writing this for you, giving you the best advice I can.
Type 3: You should care. You’re either missing out on a possible opportunity for you and your family, or you know someone who could use some advice. People who don’t care about things seem like miserable people to me.
There. I’ve explicitly defined the audience and set expectations. Now, let’s get on with it. Back to our question, now what?
The ‘Now What’
If you’re still reading, you must be interested in getting an information security job, or you know someone who is. The first thing you should know is what it takes to be a security person. There are common traits that good security people have. Rather than trying to build specific security skills, first focus on the traits you possess that will translate well into security roles.
Please don’t overlook these traits or take them for granted. They’re very important.
I’ll share the approach we use at FRSecure because it’s what I know best and it’s served us very well over the past 10 years.
We hire for the intangibles, the things we can’t teach. As a business, there are three things that we must establish with each one of our customers before we ever do work with them, and these three things translate directly to our Security Analysts who do all our work:
- Trust – People trust us and we must never betray their trust. Are you trustworthy? Do you consistently do what you say you’re going to do? Can people count on you? Do you put other people’s best interests above your own? (very important for consulting)
- Credibility – Directly related to trust, are you believable? Credible doesn’t mean you know everything, but it does mean that you know what you know and you’re willing to stand by your words and actions.
- Likeability – Nobody wants to work with a jerk, not co-workers and certainly not clients. Are you pleasant, friendly, and easy to like?
You must do well in these three things if you want to work here. Next comes our non-negotiable core values:
- We tell the truth.
- We are collaborative.
- We are supportive and driven to serve.
- We do whatever it takes.
- We are committed to constant improvement.
- We have balance. We work hard and play hard.
- We all buy in to who we are, what we do, and where we’re going.
The non-negotiable traits that make people a good fit here are: truth, collaboration, support, service, doing, commitment, consistency, improvement, balance, and being bought in. These aren’t traits that we negotiate on; we live up to these values always.
Other bonus traits that work:
- Humble – The best information security professionals are humble people who are willing to help others. Ego takes a back seat to building others up. If you’re full of pride and you like to feed your ego, please (for the sake of all of us) don’t become a security professional; you’ll just make everyone’s job more difficult.
- Learner – You will never learn everything there is to learn about information security, and things change very fast. If you don’t like to learn, you’re probably not going to make it far.
- Persistent – I swear I’ve said the same things a million times, and many of the things that I say today, I said 20 years ago. People are slowly getting some of the things we’ve been preaching for years. Persistence will serve you well in all sorts of problem-solving scenarios.
- Aware – Another word for this would be perceptive.
- Logical – There are reasons for just about everything. You’ll need to use logic often. Computers and other digital things are discrete, meaning everything is on or off, a one or a zero. Things can get confusing when there are millions of ones and zeros because what was black and white becomes gray. No matter, there’s logic in all of it. Human beings are a different case altogether, they’re analog.
- Moral – You must be able to discern right from wrong, always. Integrity is a very big deal; do wrong and you could ruin your career.
- Comfortable with discomfort – Most information security experts are always in some degree of discomfort. If you can’t get comfortable being uncomfortable, you’ll be less happy in this business.
My favorite trait in a good security person is their love of people. The best information security professionals know that information security isn’t as much about information or security as it is about people. People from all walks, all faiths, all colors, all genders, etc., etc. Information security doesn’t discriminate, and neither should its professionals.
If you don’t have these traits, we probably don’t want to hire you. If you do, then start researching job roles.
You read previously that there were more than 800 variations of different job titles in our industry. Not to make this any more overwhelming, but there are thousands of variations of job roles and responsibilities to fit these job titles. Start researching the roles that seem interesting to you and take note of educational and skill requirements. Keep researching until you feel comfortable and convinced about where you want to take your security journey. Research entry-level positions and research expert-level positions. See if you can draw out your career path for yourself beyond landing your first security job. Just because you draw it out doesn’t mean you can’t change it later, after you know more.
Places to review information security job roles, education, and skills:
- LinkedIn – the site (or the app) has really good search filters, so you can look by experience level, location, type, and several other criteria.
- Google – Google has a nice search function, with many filtering options, built right into the search engine. Just Google “information security jobs” and you’ll see what I mean.
- Indeed.com – A solid job site with many options.
- CareerBuilder – Another pretty good site.
Keep researching until you feel like you know what you want, or at least you think you know what you want. If you get it wrong, it’s not a huge deal. Like most things, you can adjust later.
Bonus: A Mentor
Navigating the waters of the information security industry is always better with someone who’s been there, done that. If you know someone who’s been in the industry for a while, ask them if they’d be willing to be a mentor for you. If you don’t know anyone, ask around. If that still doesn’t yield any results, you can try other resources like your local Information Systems Security Association (ISSA) or International Information Systems Security Certification Consortium (ISC2) chapter. There are always good and helpful security pros at the chapter meetings. Another resource that I just ran across recently is MentorCruise. I’ve never used this service before, and I don’t personally know anyone who has. I can’t really recommend it, but I can’t not recommend it either. Worth checking out.
A good mentor makes a big difference. I’ve always had a mentor.
Now you know what traits are important (sort of), you know what role you want (sort of), and you know what skills you need (sort of). You won’t be certain of any of these things until you get going, if ever.
You don’t have to be a technical genius to get a security job. You don’t even need to have strong technical skills. Some people disagree with me on this, but it’s usually because we’re not saying the same thing. Let me explain.
People who are new to our industry, and even some who are already in our industry, are easily confused by the words and terms that we use. Don’t let the confusion lead to intimidation and don’t become too easily discouraged. Take the terms “information security” and “cybersecurity” for instance.
Information Security and Cybersecurity
You will encounter times when the terms information security and cybersecurity are used interchangeably. They are two different things, and this is important to know. Information security deals with administrative (people and process), physical, and technical controls (or safeguards), whereas cybersecurity only deals with technical controls. Further proof of this is the definition of the word “cyber” by itself:
relating to electronic communication networks and virtual reality.
So, when I say you don’t need to be a technical genius, I’m talking about the information security field. Cybersecurity jobs are ones where more technical acumen is required. It’s important for you to understand this. The misconception that you must be a “techie” or a “geek” to get into this industry is false and shuts the door on good people. There are many jobs in our industry that don’t require an in-depth, expert-level understanding of technology. Having said that, you will need to learn basic technical concepts.
The advice I received from my mentor when I first started out in technology (before information security was formally a thing) was to read anything and everything I could get my hands on about the subjects I was interested in. This is good advice.
My advice to you is to follow industry news, read books, take courses, and learn everything you can. Learn, learn, learn, but DON’T RUSH. Rushing yourself creates undue pressure and steals the enjoyment. Everyone has their own healthy pace. Find yours and commit to it.
Here are some resources that I use, or have used in the past. This is not an all-inclusive list, so don’t get bent out of shape if your favorite isn’t listed, OK?
Industry News Sources
- Ars Technica
- CIO (IDG Communications)
- Threat Post
- CSO Online (IDG Communications)
- Dark Reading
- The Guardian
- Homeland Security News Wire
- Infosecurity Magazine
- SC Magazine
- Security Watch/PC Mag
- Wired Magazine
- Cybercrime Magazine
- Security Week
- The Register
Books
- Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry? (My book, of course I’d recommend this one!)
- Beginner’s Guide to Information Security: Kickstart your security career with insight from InfoSec experts
- Cybersecurity for Beginners
- Cybersecurity for Executives: A Practical Guide
- CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide
Training and Courses
- FRSecure CISSP Mentor Program
- SANS Cyber Aces
- ICS-CERT Virtual Learning Portal (VLP)
The order you go in and the specific path you take will be up to you. There is no one way. You’ll notice that I didn’t mention degree programs in this article. This doesn’t mean that I don’t believe in them. Most degree programs have job placement and job assistance services included; therefore, many of these students will get what they need to land a job. Although degree programs are good, you don’t have to have a cybersecurity or information security degree to get a job with us.
If you want to get a job in the information security industry, you can. I hope you have the right traits, and I hope you’ll help fix problems in our industry and won’t add to them. Many of us who work in this industry take our jobs very seriously and we welcome new recruits. Don’t take shortcuts and do the right thing (always), and you’ll do great. If you run into a jerk along the way, ignore them. They’ve got personal problems that you won’t be able to solve anyway.
Good Luck! Next is Landing Your First Job.