Advice for breaking into InfoSec

In studying for the OSCP, I have had the great pleasure to virtually meet and build relationships with a number of individuals pursuing a career in Information Security. Until now I’ve been offering career advice and reviewing CVs on an individual basis to help where I can, but through many conversations - as well as recent discussions on InfoSec Mastodon - I’ve realized it might be worthwhile to consolidate the advice I find myself repeating.

That said, please understand that this advice is shaped by my own experience - and as a white man in America, I receive a certain amount of privilege that I did not have to ask (or fight) for. What works best for your situation may require some variation on this advice - but overall, I believe that pursuing each of these five areas in some capacity will lead to successfully breaking into the industry.

And - should you ever feel disheartened - remember this graph:

A line graph split down the middle, where the left side shows a bunch of black squiggly lines with one green line indicating your life's path up until this moment. The middle vertical line indicates where you are today, ending all of the other black lines from the left side. The right side of the graph is a collection of green squiggly lines, indicating the paths available to you in the future.

Build your Brand

In today’s job market, I cannot stress enough how valuable it is to build and maintain your brand. Your brand will act as a sword to cut through the resume review process and quickly move past the velvet rope of Talent and HR personnel; it will also serve as a shield in the face of layoffs. And what’s more - when receiving an offer, a solid brand provides a lot of power in negotiating compensation and defining your working conditions. Not to mention that you’ll also find more opportunities available to you as people become increasingly aware of your brand.

For example, over a decade ago Troy Hunt published a blog post called Why Online Identities are Smart Career Moves - and while it mostly relates to the world of software development, the brand advice still resonates today. By continuing to build and maintain his brand since publishing the post, Troy has accomplished a great deal of freedom in his career - some of which he shares in his 2017 NDC Oslo talk titled Hacking your Career. Your brand gives you control over your career.

My Advice - Build and maintain your brand through a medium that you have complete control over. Daniel Miessler’s Advice on Building your Brand through your own domain is a critical starting point, as your domain serves as a central hub for the content you generate. From there - whether you choose to write a blog, contribute to open source, start a podcast, record videos, or stream content - share links to all of the content you’re working on through your domain. In doing so, your domain becomes both a living resume and a way to continue building a following as you grow your brand.

Engage with the Community

For me personally, I can trace my success for breaking into the industry directly back to volunteering at the BSides Boston conference in 2016. It was because of this experience that I met several mentors, went on to become an organizer for the conference in 2017, built relationships with industry influencers, and eventually went on to become a podcast personality myself. All of the things I’ve done since then happened because I spent a day checking in conference attendees, handing out swag, and working with organizers to run a smooth event.

Now - in the midst of the COVID-19 pandemic I wouldn’t necessarily suggest doing this sort of thing if the necessary protections aren’t in place (like masking and air filtration), but I still believe there are opportunities to meaningfully engage with the community virtually. Many security professionals are on InfoSec Mastodon, and there are a great deal of open Discord and Slack communities available to join and engage with.

That said, if you are able to safely engage with the community in-person, then local meetups and conferences are a great way to build relationships with others of similar interest. If you go a step further and volunteer to help organize such events, you’ll likely find that speakers and other influential members of your local community are willing to spend a little extra time talking with you and sharing their own advice. This is a great way to leverage others’ networks for introductions - and to find out about job opportunities.

My Advice - Be frequently engaged with the community in whatever ways are safe for you to do so. The relationships you build through your engagement with others will help you find job opportunities, identify mentors and career advisors, and even make friends who you can share war stories with. There are a number of online communities that I’d recommend starting with, such as InfoSec Mastodon as well as various Discord servers like HackTheBox, TryHackMe and many more. Find a place you feel comfortable being yourself, then engage with others and share your content!


Develop your Knowledge

One of the most controversial topics in the field of Information Security is whether to pursue a degree, certification(s) - or both - in order to break into the industry. While I personally believe that people only need the right Attitude, Aptitude, and Engagement to break in, Alyssa Miller wrote a great post on Mastodon where she calls out the frustrating experience people have when asking for guidance on this topic - and she’s absolutely right with the points she makes.

An important thing to note is that I have heard people from underrepresented groups say certifications and/or collegiate degrees are helpful (and sometimes necessary) in order for them to break into the industry. I believe them, and so I do not want to dissuade anyone from pursuing such credentials if it will be helpful. That said, Daniel Miessler has a great blog post called How to Build a Cybersecurity Career which goes into a lot more depth on the Certifications and/or Education piece (along with everything else I discuss in this post).

My Advice - I have yet to meet someone with a solid brand who is present and engaged in the community and who absolutely needed a certification or degree in order to break in. My degree is in Psychology, for example. There are a lot of people in the industry with a similar “lack of credentials” who have been (and continue to be) wildly successful.

Anyway - if you spend time gaining practical experience (see next section) and both generate and share content that highlights this practical experience intelligently, you’re likely not going to need that certification or degree to break in. I would recommend focusing on these elements first - and then having your employer pay for certifications and/or higher education if those things are interesting (and beneficial) to you.

Gain Practical Experience

I’m sure you’re probably asking - but how do I gain practical experience if I’m not employed in a role where I gain said experience? Well, for better or worse you’re going to need to allocate some of your personal time to this endeavor until you manage to break in. How you spend that time - and how you use that experience to generate content in order to further build your brand - will vary based on the area of Information Security you want to break into.

For example - if you’re interested in going down the path of penetration testing, then spending time practicing with Kali Linux on platforms like TryHackMe and/or HackTheBox will prove beneficial to you. On the other hand, if you’re interested in topics like network defense and security operations, then taking a course from Chris Sanders’ Applied Network Defense might be the best path for you.

My Advice - Regardless of how you choose to gain practical experience, there are three things you can do to consistently add value to your brand. The first thing you need is some sort of home lab - or at least a set of tools you’re working with. The second thing you need to do is practice regularly in that lab, or with those tools. No matter how much reading you do, none of that will matter during a technical interview if you don’t have hands-on experience.

The third thing you need to do is generate content based on what you’re practicing - and then share that content publicly. There’s no better way to show potential employers you know what you’re talking about than by proving it with your content. It’ll make the process of getting an interview that much easier - and you’ll feel a lot more comfortable talking about your experience in an interview if you’ve already published content about related topics.

Stay Informed

One of the most impressive skills candidates can bring to an interview is the ability to talk about recent trends in a relevant topic, and then relate those trends back to their practical experience(s). If you’re engaging with the community on social media, it should be pretty easy to stay informed of breaking news and industry trends; but many people experience social media as a negative influence on their attention and mental well-being - in which case it’s important to find other ways to stay informed.

Thankfully there’s an abundance of content available in nearly every topic the industry has to offer. Whether you’re into podcasts, blogs, newsletters, conference talks (usually on YouTube), or research papers - you’re pretty much guaranteed to find something interesting and informative. That said, here’s some of the content I personally enjoy:

My Advice - Stay informed without forgetting to spend time gaining practical experience and generating content of your own to share! Form strong opinions, held loosely; test them in your lab, in the content you publish, and in your engagement with others. Most importantly - be willing to change those opinions when you learn new (and possibly conflicting) information. Use the things you are informed about to build questions for interviews - and to generate experiments to test in your lab.

Good luck - and remember, there are dozens of paths available to you. Which one are you pursuing?

Thanks again for stopping by to read my pseudo-random musings 😊 While I work on writing my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or read through my series on the DevSecOps Essentials as you consider the challenging market dynamics we’re likely to experience this year.

Until next time, remember to git commit && stay classy!


Keith // securingdev

If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who already support this content! 😊

This post is licensed under CC BY 4.0 by the author.