So you want to enter into Information Security

I have seen the following question come up on a mailing list that I am on: How can I get started in Information Security?

This is a very valid question since there are many people interested in Information Security, but do not have any idea on how to enter into it.  This post is designed to help answer that question and help you determine if you have what is needed now to enter into the field.  The way I answer that is by looking into my background and how I entered into the field and what I have done to stay current and relevant.

First, look at my bio. You will notice that I had some ups and downs in my career. I was a computer/desktop technician and had system administration skills but went “down” to help desk technician. That was actually a good move on my part.  I was at a job that had no forward/upward mobility.  There was a senior person on the team, but we started at the same time and he had no plans to leave (as of this post, he’s still there).  Therefore, I was not moving into his position.  We had an in-house programmer, but it was the same situation.  It was during my time as a computer technician that I got interested in Information Security.  We had a firewall installation that I was interested in learning. I studied the firewall configuration (Check Point) and even passed the CCSA (that has since expired).  However, I got some negative feedback from a co-worker.  Basically he said that you cannot make the jump into Information Security. All of those combined reasons are why I made the downward move to help desk technician.  However, the takeaway up to this point is (1) don’t think that if you are in a certain position you cannot move into Information Security and (2) sometimes you have to move down to move up.

It was while I was a help desk technician that I eventually entered the Information Security field.  The current Information Security administrator took a position at another company.  I really wanted to learn this and enter into this position, so I spoke with the IT director.  That is point number 3: if you are already in a company and know that a position is opening up in Information Security (or any position you are interested in), talk with the manager/director in charge and express this to them.  They may not know anyone internally is interested.  They may also put more effort into training you since you know the inner workings of the company versus someone coming in from outside.  I became the Information Security administrator in a dual role – I should note the outgoing Information Security administrator was in a dual role as well.  I received training from the outgoing administrator and got SANS training by doing self-study.  Within my first year, I got my GIAC GSEC and learned a lot in that position.  Point number 4 is be willing to learn. This is a fundamental point in Information Technology, but needs to be reiterated with Information Security – be willing to learn new things.

I learned new things in each of the Information Security positions I took.  I have SOC (Security Operations Center) experience, specifically reading packets and identifying threats, skills that I still use today.  I have experience with firewalls, IDS/IPS (Intrusion Detection/Prevention Systems), patch management, incident response, and end-user management.  The interesting part of the experience I have relating to Information Security is that some of it is not specific to Information Security and some of it I learned or did while not specifically in an Information Security role.  I did patch management and end-user management as a Linux Administrator.  I also did this as a desktop technician.  You could say I did disaster recovery/business continuity work when I was a computer operator backing up the IBM AS400, but I really did this work as a Linux Administrator.  That is point 5: some of the work that you are doing now is preparing you for the Information Security field.  Some would say that the best Information Security professionals were those who did systems/network administration work.  They know the systems and networks.  Depending on the role, they have the information security foundation.

One thing that helped me in my information security role is going to conferences and training.  Some conferences are better than others; some have insightful material and others are a glorified sales pitch.  If you are paying your own way, pick free or low-cost conferences but skip expo badges.  There is nothing meaningful about expo badges (IMO) unless you are looking for freebies from companies that will call you to no end.  Think about joining different organizations.  I have joined ISACA and ISSA.  Some of these organizations have discounts for attending conferences, so this is a way to attend cheaply.  They also have chapter meetings that are beneficial for learning and networking.  There may be controversy with the following statement, but certificates can help, especially for higher-level positions.  I have GIAC GSEC that was employer paid.  GIAC GISP was self-paid but led to CISSP.  GIAC GCCC was self-paid as well and will probably be the last self-paid SANS training course (good courses, but expensive).  However, look at what you want to do and see what is available.  If you want to be a penetration tester, check out OSCP. If you want to eventually manage or know the business side of information security, check out CISSP or CISM.  If you want to be an IT auditor, check out CISA.  If you want in-depth, hands-on information security skills, check out SANS and specifically SANS work-study (I did this and it was a valuable experience).

This was probably a long post that deviated from the purpose a few times, but I hope you got some valuable information from it.  If anything, take away the following points from this post:

  1. Don’t think that you cannot move into an information security position if you are in a certain position. Desktop technicians and help desk technicians have become information security professionals.
  2. Depending on your position and the company, think about moving down in order to move up. Take a position that might be a level below you if it means that you might get to a position a few levels higher than where you are now.
  3. Keep an eye out for openings in your current company and do not be afraid to express your interest to the manager or director over a certain position. Some would rather hire from within than get someone from outside and get him or her up to speed.
  4. Be willing to learn – go to conferences, join information technology/information security organizations, attend chapter meetings, get certified, and keep learning.
  5. Don’t underestimate the work and experience you are doing now. You might be doing information security work in your everyday job as a desktop technician, systems or network administrator. Those skills will be valuable as you move into information security.

I hope this helps answer the question.  I will also post some valuable tools and sites that can help you along your path.