As someone who has been deeply involved in the Information Security profession, or better known today as a cybersecurity professional, I am frequently asked, “Where do I start?” or “How do I get into the profession?” The answer to that simple question is complex, and there is no easy or singular response.
The next question I am asked is, “How did you get your start?” In answering this question recently, I went through a self-discovery that really gets to a nagging question I’ve always had: “Is a cybersecurity professional the product of nature or nurture?”
My security career started out at Digital Equipment Corporation, working in a Learning Center. (Hint: Having a strong desire to continuously learn and to “do good” for others is common among security folks.) I was asked to learn and teach a new security tool developed in house that would “lock down” VAX/VMS and report on compliance. I agreed and quickly became the go-to instructor for this program, flying around the country offering classes. This began my fast track as a security professional.
I am also frequently asked, “How did you pick up the knowledge necessary to perform your jobs?” Odd thing is, thinking back, there weren’t any classes or university programs at the time. It was the school of hard knocks, and trial and error. Knowledge was picked up from talking with others and piecing things together. (Hint: Determination to solve problems and uncover solutions by thinking outside the box is also a common trait of cybersecurity professionals.) Back then, I was a “young pup” and looked up to engineers and really smart people who developed the basic methodologies for security – such as the CIA triad of confidentiality, integrity and availability. (Hint: Identify mentors to politely and respectfully learn as much as you can from them.)
Knowing that I had a good deal of experience with locking down computer systems and the like, I was approached by the manager of the data center to apply for a job as a systems manager or administrator. Seeing this as a new opportunity to learn and grow, I applied and was offered the job. I often joke saying that since I was the only woman in the group, they gave me all the jobs the guys didn’t want – security and print servers. Print servers didn’t work out as a career, but security seems to have. I also must say that working for a high tech company had its benefits – as new technologies came out, I was fortunate to get early access to them. (Hint: “Just in time learning” is critical in order to stay on top of technology and risks.)
The next major wave of growth for me was when Digital decided to send all of their information security staff through the ISC2 training program to become CISSPs. This was a relatively new program and we had brought instructors in house to instruct the team of 20 or so staff members brought in from around the world. In my opinion, this was an example of how much Digital was ahead of its time by having full time security people on staff and sending them through the certification program. (Hint: Be sure to work for organizations that invest in and support security efforts.) Thanks to that class, I am proud to say that I have a very low 4-digit certification number. That was one of the most fun and memorable times I had working there. (Hint: There is tremendous value in sharing information with groups of like-minded people.)
From that point forward I was committed to my new work as an information security professional. I learned as much as I could, talking to as many like-minded people as I could find.
As a new CISSP, I decided to join the Information Systems Security Association (ISSA). By attending regular meetings, I would be able to maintain my Continuing Professional Education (CPE) credits that were necessary for my certification. This offered much of what my particular learning style craved: ISSA chapter meetings provided networking opportunities, a forum to discuss challenges, and hands-on training.
If you have an innate passion for learning, solving problems, thinking outside the box and sharing with like-minded people, I offer these tips/suggestions to get started in a career in InfoSec:
- Get a base education through college or university if you can.
- If you have no formal technology training, start with the basics of technology, such as networking and computer systems. Believe it or not, there are plenty of YouTube videos that offer a decent knowledge base for you. If you don’t quite “get it” with one video, keep trying. There are many styles of learning – just find one that resonates with you.
- As a beginner, consider the CompTIA Security+ certification; there are many programs that will provide you with the knowledge you will need for this certification that range from free to pay-to-attend. One of my favorites at the moment is Cybrary. It’s free until you need to take the certification exam, and there are lots of courses in Cybrary for everyone.
- The next level is the Associate of ISC2. Although they have it poised as a beginner’s certification, it’s a little bit more than that. It is essentially the CISSP, minus the years of experience that certification requires.
- Get involved in a professional association. Of course, I’m rather partial to the ISSA, having been a member for 25+ years, but any one of those that are dedicated to the cyber profession will do. The important thing is to network with other cybersecurity professionals. From this experience you will get training, education, socializing and guidance, which brings me to the next tip…
- Find a mentor or multiple mentors to help guide you through your career path. Know that your mentors will change as your needs for specific knowledge and skills change. There are no written rules of engagement with mentoring. It’s kind of like dating. If it’s too structured, it’s awkward and unnatural. It comes down to connecting with someone you get along with personally, someone you respect and feel comfortable asking questions to. There are professionals out there who have experience and are willing to help – you just need to ask.
- Check out CyberSeek to gain some knowledge of the overall profession. This is a pretty cool website that has been created in partnership with BurningGlass, CompTIA and NICE. It offers a heatmap showing where the hot jobs are for cybersecurity and a “Career Pathway” section exploring some common job titles, along with expected salaries and top skills needed.
Never stop learning. We live in a wondrous time in which technology is bountiful and there is something new always to be learned. That is both a good thing and a bad thing. In many of my presentations I speak to the challenge that we have as technologists: Technology seems to move at the speed of light, and as technologists, we must not only keep up, but stay ahead of the curve or we will get lost. It is our job to be informed about evolving technology and then understand the risks inherent in its use. That is the challenge we face.
As the beer commercial used to say, “Stay thirsty, my friends” – so must you with your thirst for knowledge to be successful in InfoSec.
About Candy Alexander
Candy has nearly 30 years of experience in the security industry working for companies such as Digital Equipment, Compaq Computer Corporation, and Symantec. She has held several positions as CISO (Chief Information Security Officer) for which she developed and managed Corporate Security Programs.