Monday, January 2, 2012

Breaking In

It's a new year and with it comes new challenges and opportunities for growth - hopefully the Mayans were wrong and it won't be that kind of challenge. You may thinking of switching over into Infosec. So I thought I would share my own experience of how I made that transition in hopes that someone may find it useful.

I started out as an application developer and held that position for a number of years - don't go trying to guess my age now. During that period I always had an interest in Information Security. In fact, the reason for getting into application development was because I loved the field so much. During my research on how to be an Infosec professional, I saw mention of the fact that being able to code would put me at an advantage. So off I went to college to do just that.

Be Passionate
During my time as a developer, I would always find stories related to Infosec and would often have several water-cooler discussions on the topic. In my first job I made friends with the Infosec guy at the time and we had some interesting discussions. I remember when I bought a copy of Hacking Exposed and shared it with him. After that I "was on the radar". When I switched jobs I made sure to keep this up. I would always be talking about some interesting news item that dealt with a security related issues. Especially if it related to our environment. You need to demonstrate passion.

Be Prepared
As time went by I decided that it was time to pursue this option. So I started looking for security related courses that I could do. I ended up picking the Certified Ethical Hacker(CEH) - an entire post could be written on this certification not all of it positive. At the time this course seemed like the best option to get my feet wet and in the end it served as a good introduction into the field. There was one small issue though, it required overseas travel. But I decided that Infosec was what I really wanted and I closed my eyes and made the necessary arrangements - travel/hotel etc.

Whats important to note here is that I did not wait on the company to make the first move. Too often a lot us would like to pursue other career paths but believe that somehow the business owes us something. If we want to do a course - the contents of which will be beneficial to the the business - we feel that the business should cover the costs. My advice to you is to drop that line of thinking for the new year. It was after I had made all the arrangements that my company came onboard. And they didn't cover everything either. You have to take the initiative and prepare yourself for the role. Note also that I had already been sharing my passion so when it came to getting support it wasn't a hard sell.

Once I had completed that course, I was convinced that that was what I wanted to do. When I got back from training I immediately started sharing the information I had learned with just about anybody I could find. Eventually I became the "unofficial security guy".

At the time there was no Infosec role in the company. However that soon changed and suddenly the skillset was required. Opportunity they say favors the prepared mind. And so when time came for that post to filled I had already positioned my self to at least be considered for it.Suffice to say when the dust cleared I got the post. The post at the time was for an Application Security Specialist(ASS).

I continued to sharpen my skills and went on to do a number of other certifications. The most notable would probably have been the Offensive Security Certified Professional(OSCP). Again, some of those certifications were paid for out of pocket.

Perform At The Highest Level
I held that post for a couple years and during that time I ensured that I kept up to date and performed at the highest level. I started a blog and got more involved in the Infosec community. I also created my own little hack lab and tried new things. I bought several books and just immersed myself in the content. It's a lot of content, but it's FUN.

A position soon opened up for a Information Systems Security Officer. I was again considered for the post and in the end I got it.

The lesson here is that whatever it is that you are currently doing, do it well. Make sure you stand out, so that when you decide to move to another area your track record will speak for you.

The Infosec Community
It is awesome and is filled with some really talented people. Get involved. Even before you get the position you are after make sure to get involved.
Start your own blog, listen to podcast, join twitter and follow the guys who are masters of the stuff you are interested in, join an online security board - is a great place to start. The point is, start contributing. Don't fall into the trap of thinking that you have nothing to say. I will be the first to admit that the Infosec community is filled with rockstar types. And it is very easy to become intimidated. Don't be.

Infosec Supply Chain
Have you checked out the job boards recently?  If you not, do so now and you will see there are tons of positions waiting to be filled. However, there doesn't seem to be enough skilled professionals to go around. This means that some businesses might be forced to look inside. Start positioning your self, display the passion, take the initiative and get prepared, make sure to perform at the highest level so that when the opportunity presents itself it will be almost feel natural for the business to promote you to that position.

I am still a far way off from reaching my goals but the journey has begun.

Hope this helps......

All the best for 2012.


  1. Thanks. I am a beginner and this kind of stories keep me motivated!

  2. really empowering...... i totally agree with your philosophy all in or nothing "passion" thanks for the post btw