Written by: Joe Moles, Director of Detection Operations, Red Canary
A side note for my fellow geeks who are already in information security: I encourage you to read and share this post. Take the time to spread some bits of wisdom, start a conversation, and encourage those willing to step up. We all know there’s an extreme shortage of talent in our industry. The more skilled professionals we can get to join us on the frontlines, the better.
As the leader of Red Canary’s Security Operations Center (SOC), I’m in charge of finding world-class SOC analysts. I’m frequently asked: “What are you looking for?” or “How do I get my start in InfoSec if I have no experience?” Many thought leaders in the field have written about this before but I want to discuss it from the lens of someone in charge of hiring, and specifically from the view of joining the Red Canary security team.
I’m going to break my thoughts down into a two-part series of recommendations:
- Part One: How to get a job in InfoSec if you’re new to the industry
- Part Two: Preparing for and interviewing for a job
So you want to be a security professional. Good. We need more qualified individuals. Note that I did say “qualified,” which will be a key point to this topic. There seems to be a growing trend in people thinking that because they have security somewhere on their resume, they are immediately qualified and don’t have to work their way up.
One of the most common questions I hear is, “How do I get a job in InfoSec if I haven’t worked in security before?” If you’re just starting out in the industry, here are four steps to help answer that question.
Step 1: Make sure you’re doing it for the right reasons.
Forget every buzzword and hot marketing term that made you think the field was cool. If you are looking at this as a career path because the market is hot, you can make ton of cash doing it, or any other reason besides having a true passion and interest, please look elsewhere. Think of getting into information security like you’re one of the guys trying to join Tyler Durden and Project Mayhem. You cannot just walk in the front door; you have to put in your time and stubbornly try. If you understand that reference, we are at a good starting point.
Step 2: Start with what you know.
Erase any ideas that there is an easy, structured, or direct path. Like anything else worth doing, getting your start in information security usually means you start at the bottom and work your way up. There is no magical shortcut. So the question is: where do you begin that climb? Start by looking at what you already know. Are you a solid developer, a rock star sysadmin, a first year college student, or some other special and unique snowflake? Use the skills you have and build from there. Every security role builds on some other core IT skill set. For example, to be a great exploit developer, you should first have a solid understanding of coding techniques. If you want to focus on forensics, you should already have a deep understanding of operating systems.
