Landing that infosec job: These experts share their best career advice

(Image: Zack Whittaker/Twitter)

"Hey there! You found us," read the first five words of a hidden Apple job listing.

The job listing was posted on one of the company's publicly accessible but hidden servers, hosting data on millions of Apple customers across the US east coast.

In fairness, Apple is not looking for me, but someone who's far smarter and more qualified, and someone who has better office etiquette.

But it did get us thinking: You never know when you're going to need work, let alone find work. Sometimes you have to rely on skill, and in other cases, it's entirely down to chance.

How do people trying to get into the security space know where to start?

ZDNet asked several well-known security professionals what advice they would give to their younger selves starting out in the infosec world.

"I would say a four-year college degree helps. It's becoming increasingly popular in some infosec circles to downplay it, but I think it opens doors," said White. "Also, a broad range to study -- university or otherwise -- is crucial: politics, history, linguistics, and, of course, computer science. It's important to stay curious and follow passions. At least for me anyway, I'm vastly more productive drilling into complex topics that genuinely interest me than those that don't."

He added that early exposure to basic electronics provides the foundation blocks for learning. "It's amazing how many insights you pick up on performance, data flow and logic by understanding simple (and maybe not so simple) circuits," he said. Or, in other words, "break things, tear them down, figure out the 'how'," he said.

"My advice for older pros is much the same as people starting out: build things, stay hands on, learn new languages, frameworks, gadgets -- whatever," he said. "But keep hacking things."

"The first factor is self-motivation and passion to learn," said Carhart, in an email.

"In my career, I have never seen a university, technical school, or certification program that will fully prepare a student to excel in either offensive or defensive security. Certainly there are outstanding programs out there that teach specific skill sets, but technical skills are quickly obsolete and involve depth beyond the material that can be taught in a semester or a year," she said.

"What divides an 'okay' information security candidate from a great one is the motivation to learn more about the field outside work, every week," she said. "What this looks like depends on niche -- perhaps working in a home lab, or reading new computer legislation."

"Regardless, people who have no interest in the field outside of business hours will quickly find themselves at a disadvantage in the market," she said.

"The second factor is (human) networking." When Carhart isn't doing her day job of digital forensics and incident response, she can usually be found at a security conference. "It seems odd to call out soft skills in a highly technical field, but the community of practice is still small enough that networking (preferably in person) is a big leg up for job seekers," she said. "Nearly every information security professional I have met has obtained at least one job through participating in meetups, social media, hacking conferences, or collaborative research. Often, that job was their entry-level segue into the increasingly competitive field or their niche of choice."

"While commercial conferences like Black Hat may be out of reach for some job seekers, we have an extremely active community with BSides security conferences in cities around the globe and even more expansive networks of meetups," she said. "I highly recommend job seekers seek them out and take advantage."

Vickery, a relative newcomer to the infosec space, has years of experience under his belt, thanks to carving out his own niche of discovering breached and exposed data in what is already an ever-crowded security space.

In an email, Vickery offered a list of points for anyone wanting to make a name for themselves in the infosec world.

  • "Disrupt the status quo!"
  • "Successful people make enemies."
  • "Drawing people in is more powerful than reaching out."
  • "Doing something extremely well is not enough if no one recognizes you are good at it," he said, adding that, "who you know is equally important as what you know."
  • "Take an intro to paralegal studies class at a local community college. If the professor is decent, you'll gain some valuable insight. (yes, I'm recommending this to the infosec crowd)."
  • "Most of the time, good deeds are not rewarded. Don't expect rewards. Be grateful when they come."
  • "If you are indispensable to a powerful person, they will not tell you so."
  • "Good people are easy to recognize after a short time. Be wary if you have any doubts at all of someone's character."

And, lastly, he said: "Sunshine is the best disinfectant," referring to the famous Louis Brandeis adage.

"My two biggest pieces of career advice are to put some serious time into your resume and interviewing skills, and to network," said Williams.

Networking can include professional meetings and heading to conferences as time and budget allow, he said. "When you are at a conference, networking means more than walking around saying 'I'm looking for a job' and partying. Strike up conversations with people. Ask where they work, what they do, the challenges they face, how they solve problems, etc. and actually listen -- you're likely to learn something."

"But more importantly, these people can let you know when positions open up at their organizations, help you get in the door to get an interview, and make a recommendation to hire on your behalf," he said. "Always be networking."

"If your organization doesn't print business cards for you, print some of your own. It's worth every penny," he said.

Networking will only get you so far. "Your resume must be top notch to actually get a job," said Williams. "If your resume looks like it could have been written in crayon, then you're probably not getting an interview."

"Infosec requires good communication skills -- as do many technology jobs. If you can't write your resume, there's little likelihood that you'll be able to communicate effectively when it comes time to write a critical report. Your resume is the first example of your writing that a potential employer sees," said Williams. "Communication during the interview is also important, so brush up on your interview skills. Do some mock interviews with friends. If you can't interview with friends, you are unlikely to do well in the actual interview."

"Your ability to communicate clearly, confidently, and professionally during the interview is actually more important than knowing all the answers to interview questions," he said.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
