A lot of ink has been spilt about the shortage
of people trained in information security – especially about the
shortage of women in tech and in this industry in particular. I was
recently interviewed by Matthew J. Schwartz
for a podcast in which we discussed this topic, and it seems to have
struck a chord with a lot of people. I’ve received quite a few requests
for information about how to get into this industry, especially for
those who don’t yet have a lot of technical experience.
Since this seems to be such a popular topic, I
thought I’d devote a blog post to exploring it, so that more people can
make use of this information (and please add your own experiences in the
comments!).
The first thing I would recommend to folks
looking to get into this industry is to take some classes on Information
Security. You can do that in a school setting, or you can get education
in the form of a training program, or as part of a conference depending
on how comfortable you are with wading into this subject. Starting a
college or university degree program could be considered jumping in
headfirst as it can be rather a costly and time-consuming endeavor if
you’re not yet sure, but there are plenty of short-term and low-cost
options if you would like to just dip your toes into the waters of
computer security.
The next thing, but no less important, would be
to join industry groups or attend events so that you can meet
security practitioners. Getting to know people who are in the security
industry is not just a great way to find out what it’s like on a
day-to-day basis in your potential new career; it can be an essential
part of gaining trust and recommendations when it comes time to find a
position.
Conferences, Meetups and Online Resources
If you’re an absolute beginner in InfoSec,
you’re starting at the right place – by reading security blogs and
magazines. Many of these webpages (ours included) also have webinars and videos where you can learn more about different aspects of security.
If you want to get a better view into what it’s like to work in this industry, you can seek out Security Meetup groups and professional conferences in your area. There are annual Security BSides conferences
in most major cities, and these are free to attend. They are an
excellent way to meet local people in this field, and they can be a
great way to dip your toe into presenting your research once you’ve got
some InfoSec experience under your belt.
There are countless other security-specific conferences
throughout the year, many of them generally about offensive or
defensive security. A growing number of the conferences focus on more
specific aspects of security or the security community. These
conferences vary in cost from a few hundred dollars to a few thousand
dollars for some of the year’s largest events.
If you’re already in your chosen career and
looking to add to your InfoSec chops, a lot of IT conferences that are
specific to industries such as Health, Education and Finance are adding
security sessions or even content tracks devoted to security
information. For example, this year’s Health Information Management Systems Society (HIMSS) conference added a Cybersecurity Command Center that had a special area devoted to security sessions and vendor kiosks.
More in-depth training
Whether you’ve just completed your college or
university degree program, or you’re looking for a way to ease into more
in-depth training in InfoSec, the SANS Institute trainings
offer a wide variety of security topics at a wide variety of levels.
I’ve taken their Reverse Engineering course myself and found it was a
fantastic refresher course for me, on the tools and techniques used to
analyze malware. My classmates who were new to malware analysis found it
to be a very approachable introduction to a fairly technical subject.
The Black Hat Executive Summits will be happening in the US in a few months’ time. This conference includes several days of training sessions
before the Briefings sessions begin. (Though if you’re interested in
attending this year, act quickly, as the sessions are already beginning
to sell out.) Both Black Hat and SANS Institute training sessions cost
several thousand dollars, so while this is a far smaller investment than a
degree program, it may not be the best first step for absolute
beginners.
Trust, but verify
It’s worth noting that while networking is a
good idea whenever you decide to switch careers, this is doubly true in
Security. Trust relationships are vital when dealing with sensitive and
potentially harmful materials, as we do in this industry. My emphasis on
joining security groups or attending security events may seem strange –
but in this industry more than most, it is not enough just to know your
craft well. You can be exceptionally proficient at either offensive or
defensive security skills, but if people within the industry don’t know
you or trust you well enough to recommend you, you will have a very
difficult time finding the job you seek. On the other hand, if people
know you well enough to trust you and see that you are eager and able to
learn quickly, you may be given the chance to prove yourself.