I’ve worked in the Information Security field for close to a decade and there are some questions that I get asked a lot. One of these questions is “How do I get into the Information Security field?” and it’s a bit harder to answer than you might think. After having stumbled my way through an ad-lib answer to this question a few times, I thought it would be worthwhile for me to compile a more thoughtful response. So, to that end, this is my response to that question.
As you might guess, the short answer is: it depends.
In general, I wouldn’t recommend following the path that I did to get into security. I sort of fell into a security role early on in my career and skipped a lot of early time spent cutting my teeth doing IT support. You certainly CAN go that route if the chips fall in a way that lets you, but what results is that you wind up spending a lot of time going back and figuring out all the basic ‘how the hell does all this work’ stuff at the same time that you’re supposed to understand enough to be able to secure it. It’s doable, you just have to be willing/able to learn in parallel and be able to pick up new concepts fairly quickly.
The course that I would actually recommend is to not start in Information Security at all. Information Technology as an overarching practice focuses on making a wide range of different technologies work together to accomplish a specific task. A simplistic example would be an environment where servers need to communicate with one another and with end-user devices (eg: workstations) over network infrastructure. A good Information Security practitioner will understand all of those pieces (network devices, servers, end-user devices, etc) well enough to be able to identify ways that an attacker could exploit weaknesses to gain access that they aren’t authorized to have. Whether that’s access to devices, to information, or to anything else, the end goal is ultimately the same: stop attackers from gaining access to <insert sensitive thing here> that they aren’t authorized to have. So on some level, Information Security specialists need to have enough general Information Technology knowledge to be able to speak accurately and efficiently about the environment, and then extensive specialized knowledge about the threat landscape (about the practice of security).
Given that Information Security practitioners need at least a solid foundation in general Information Technology, I would highly recommend that anyone looking to get into Information Security start in a more general Information Technology role. Conceptually, it almost doesn’t matter what specific role is the starting point, the important point is that an Information Security practitioner have had hands-on experience supporting some type of technology that an Information Security practitioner would then have to secure. It gives a very concrete understanding of the real world and solidifies what would otherwise be more of a textbook knowledge of the technology.
In an ideal world, there is some type of technology that really interests you and you should get a job that involves you learning/supporting whatever that piece of technology is. If you’re really interested in whatever that technology is, you’ll be more engaged and consequently learn a lot more about the entire environment as a whole, not just that specific piece of technology.
Failing some insatiable interest that you already know about, I would recommend starting in either a systems or network administration role. Understanding the ins and outs of how server and network infrastructure works (from daily administrative experience) is immensely helpful. Transitioning from one of those two roles into Information Security is really pretty easy. If a systems or network administration role isn’t easily available or achievable, a help/service desk or development (programmer) position would be next on my list of recommended starting points. Help/service desk technicians have the opportunity to learn all about end-user devices and how they work which again, is a foundational component to all Information Technology environments. I’m throwing development into the mix as well because if you have a strong programming background, it’s very easy to transition into application security which is a specialization within the Information Security practice which focuses on (you guessed it) coding security.
So, recommended starting points in order:
- System Administrator (virtually interchangeable with item 2)
- Network Administrator
- Help/Service Desk technician
There are basic ‘entry-level’ certifications which can help you solidify your technical foundation which I would certainly recommend. Specific to Information Security, I would recommend the CompTIA Security+ or ISC2 SSCP certifications as a starting point. These two certifications are very similar and both give a good, broad assessment of a wide range of security practices. Beyond those two, the typical ‘gold standard’ certification is the ISC2 CISSP which will help greatly from a career standpoint. SANS courses are much more specialized and will provide a really good understanding of specific aspects of Information Security. If you’re taking SANS courses though, you’re probably already in the Infosec field and likely aren’t super interested in this.
That’s about the extent of my thoughts on the ‘how do I get into Information Security?’ question. Hopefully it’s helpful.