Attacks/Breaches

7/12/2018
02:30 PM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Lessons from My Strange Journey into InfoSec

Establishing an entree into the security world can be a maddeningly slow process. For those of us already here, it can be an opportunity to help others.

If you looked only at my educational career and résumé, I'm the last person you would expect to go into a career in technology. And yet I'm not unique in this regard; this is a very common situation for people in the infosec industry. You might wonder how we all ended up here and what lessons we can offer to those wishing to start their careers (even via a more traditional path). Here's my story.

People usually assume that because I have a technical job, I must have a degree in computer science. I don't. I dropped out of college and worked as a florist before starting at a security software company. I had never even heard of computer security as a career path.

After leaving my last florist job, my next adventure started with one lucky step: I took a temp job as an office manager's assistant. When I had downtime from my regular duties, I offered to do odd jobs for other departments, including the malware research labs. After my temp job ended, I sought a position working in the labs.

My first position was as the email equivalent of the dreaded auto-attendant: "Your sample is very important to us! Your email will be answered as quickly as possible, in the order in which it was received." To motivate and decrease grumpiness from recipients of this auto-reply, I started adding links to educational resources in my reply templates. Sometimes the resources I needed didn't exist and I ended up having to create them by asking malware analysts what they wanted people to know.

The process of figuring out how to educate the people who were coming to us for help educated me too. Each new thing I learned gave me another idea for how to make my job — and the job of the malware analysts I worked with — easier and more pleasant, and allowed me to take on more of the work of our analysts. Eventually, I had automated much of the process of frontline response and was primarily doing the work of a malware analyst. By the time I left, I was helping to design automation to speed up the malware analysis process.

Much of what I did for the first few years was metaphorically scrubbing latrines for the department, but it was work I thoroughly enjoyed because it gave me a chance to learn new things almost every day. My willingness to do scut work provided me with an amazing opportunity to get a foothold in an industry that is notoriously difficult to break into. Whether you're looking to get into the industry with no official education or experience, or you've got a degree and are still having a hard time getting in, here are two things you can do to improve your odds.

Establish a Good Reputation
Much of what made achieving my first official security job title possible was a matter of establishing my reputation within the research labs as someone who was willing to do even the most onerous tasks quickly, enthusiastically, and effectively. I moderated the impatience of grumpy inquirers so that analysts could focus on malware samples. I created department-wide tool repositories as I learned what the tools did. I created documentation for our whole process so that it was repeatable by new hires as well as by automation.

Even if you don't have the good fortune of working at a company with an established security group, there are plenty of industry-wide groups that you can join and where you can offer your assistance — and learn important skills in the process.

Be Indispensable
A common theme I hear frequently is about how many people get into this industry from surprisingly diverse past careers because they took on a huge problem that no one else had the time or inclination to address. Before their first day in an official security role, they had already created handy tools, or they created much-needed documentation, or they spread information to help people via public blogs or forums. They took time to help others, and thus became indispensable to people who already work in this industry. When a suitable position became available, their lack of technical experience or training was a nonissue because we, collectively, could not afford to be without them.

Establishing a good reputation in this industry is absolutely essential, and it can be a maddeningly slow process. Because of the sensitive nature of the work we do, you must have more than just knowledge and experience to establish your career; someone already in this industry must vouch for you. But this can be an opportunity too, for those of us willing to put ourselves out there to help others.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarkSindone
50%
50%
MarkSindone,
User Rank: Apprentice
7/17/2018 | 3:40:32 AM
Re: Glad for the Company
It is rather common to me seeing people from different backgrounds going into unrelated fields to work. It is really not that hard to get into the desired positions as long as past experiences have brought us there. However, specific roles might not be able to be performed if no expertise within the field is available at that moment in time. Some companies might even send those said employees for courses to upgrade themselves and adapt well into that new unrelated environment.
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
7/12/2018 | 7:44:23 PM
Glad for the Company
Loved your post and your story resonates.  Mine is similar except coffee and not flowers was my mainstay before getting into my first tech gig.  I tested out of High School early due to boredom and started working at coffee shops. I honed UNIX and GNU/Linux skills in my free time.  Got my first tech gig at a start-up doing automated software test programming thanks to a friend who thought I might be good at it and went on to work at several software companies doing similar work.  For me, it was the side-gigs that got me exposed to InfoSec and hardening systems, scripting configuration managed GNU/Linux installs and VMs became my passion.  Few people I knew as a kid would ever have expected to see me where I am now, for sure, and in fact I am sometimes not sure how I even got here with my lack of actual credentials.  But what you said is true - I made myself indispensable at every job and did everything I could to stay cutting edge by reading as many security and tech papers as I could and making solid recommendations based on data and research.  I'm still executing my end-game (I keep a shortlist of companies I'd love to work for), but watching careers like yours definitely keeps the passion and confidence burning. 
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-5067
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Heap Overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.