<disclaimer> The story I’m sharing is but one of many. None of us got here the same way. Some of us had common stumbling blocks and successes. All of us had to put in work. This likely applies to many disciplines.</disclaimer>
As of the time this article was posted I have worked in Information Security professionally for a little over a year. It has been quite the fun and challenging ride with its fair share of ups and downs, but much like those ups and downs in weightlifting a little bit of pain resulted in some degree of gains.
In other posts I talked about I talked about how I got started, interests, and what led me towards pursuing a career in Information Security. The odds are if you are the audience I am trying to reach, you are currently where I was within the last three to five years, or you are on your own “year one”. The difference between this and many other “getting your foot in the door” stories is what happens afterward and some of my experiences.
Despite my attempt or even assumption of telling an original story, I can say there are two consistent threads anyone reading this article can gather: The first is how my story varies from others in the sense of finding my own path. The second and probably most common of all is maintaining persistence.
The phrase “its a tough nut to crack” is rather disingenuous. When I use metaphors for penetration testing to describe my journey, it definitely applies. In fact, the tactics used can be applied to many life situations with a little imagination.
Information Gathering
This was where I first started gaining an interest in working in security and doing more than just being a casual observer or hobbyist if you will. This involved tons of conferences, and doing stuff to become a more active participant in the community which would consist of volunteering for more events, participating in CTFs, a bit of mentoring for those that are a few steps behind….(more on this later)
Threat Modeling
So here’s where things get interesting. At first, people look for ways to start working in information security and get into the community, etc but fail to do one thing earlier in the game: Apply for positions. When starting off, its easy to say “I want to be on a red team” or “I want to be a Security Engineer” but without having a good understanding of what that means, how would you know you can or cant do it. Rather than waiting until you’re good enough, get out there and apply. Go in for interviews, but make a conscious effort to apply rather than telling yourself “I’m just ‘playing the field'” I had serious intentions when I applied, but quite a few people don’t take it too seriously (which they admitted). Take it from some one who has spent a lot of time on both sides of the interview table, after interviewing many candidates that becomes transparent and a huge annoyance.
Gaining a Foothold
I prefer using the word “luck” sparingly, as I prefer preparation and discipline; however, I do believe in seizing opportunities when they arise, and as I found out, something that didn’t seem so significant in your past come to benefit you in the future in ways you wont understand in the moment. Years ago, when I was a sysadmin, I also took on a role of doing some work on Ironport, which is an anti-spam appliance. This was at least a few years before I started going back to DEFCON, let alone working in Security full time.
Mid last year, I received a message on LinkedIn from a recruiter with a title “could you have protected Hillary’s email server”. When I first saw this I ignored it thinking ‘is this guy trolling me?’ A couple weeks later, an announcement at work was made referring to my current position being moved to Texas with less than favorable options . This wouldn’t be so bad if I was already working in Security as their community is pretty legit, or already knew enough about Texas to move there, but neither was the case, (not to mention that BBQ). It was at that moment I figured, things seem to be falling into place, and sure enough, I called that recruiter which turned out to be legit, and lead into my first role in security, working as a consultant at a local hospital handling spam and anti-phishing efforts, which at the time was needed as the ransomware attacks on hospitals were increasing. While I was there I took on whatever I could so I also started helping with vulnerability management, running scans on servers and applications whenever needed.
Privilege Escalation
At this point I was happy with the role I was in, but as it was a short term contract, I needed to do something to either get hired permanently (a situation which is mostly out of my control and in many cases also out of control of the hiring manager), or find a full time/contract position somewhere else. With only four months at that job, I was looking for and applying for positions from the moment I started. “There’s a possibility we’ll hire you full-time” is no guarantee and things happen outside of everyone’s control including your hiring manager. On top of this, even if a company wanted to hire me right away, that “right away” often no less than three months….and a lot longer for some sectors.
Maintaining Persistence
So if you’ve made it this far in my blog you might notice I mention the community more than occasionally. In the simplest of terms I doubt I would be where I am without the community. It wasn’t just the words of encouragement, but it was also a way I could focus on a path, independent of my day job. I didn’t want to settle for working on stuff I was merely told to through either an occupation or academic institution.