
Threat Intelligence

4/12/2016 07:15 AM
Marilyn Cohodas
Commentary

Dark Reading Radio: Advancing Your Security Career

ICYMI! Join us for a fascinating discussion on key trends and opportunities in the rapidly evolving world of cybersecurity.

Whether you're an experienced security professional in today's skills-starved market or a newbie looking for your first job, you have many options for improving your prospects -- from increasing your salary by improving your credentials, to finding a new position at another company, to becoming an independent bug bounty hunter who searches for security vulnerabilities and responsibly discloses them to a company's security team.

In our next Dark Reading Radio show, Wednesday, April 13 at 1:00 p.m. EDT/10:00 a.m. PDT, we'll take a look at the range of opportunities in today's hot cybersecurity market and discuss the variety of career options to consider based on your individual interests, skills, experience, and industry-specific talents.

Our guests include:

Kymberlee Price, senior director of researcher operations, Bugcrowd, where she pioneered the first security researcher outreach program in the software industry. Prior to that, Kymberlee analyzed APTs at Microsoft, and spent four years investigating product vulnerabilities in BlackBerry's Security Response Team.

Levi Gundert, vice president, threat intelligence, Recorded Future. Before joining the startup Recorded Future, Levi was VP of cyber threat intelligence at Fidelity Investments and technical leader for Cisco's Threat, Research, Analysis and Communications (TRAC) team.

Owanate Bestman, a technical security recruiter in the cyber and information security division of Barclay Simpson, an international corporate governance recruitment firm.

In a broad-based discussion, our panel will share their own career stories, then discuss evolving trends in information security careers, ranging from traditional roles in enterprise security to new titles and concentrations like cyber threat analyst, security software and infrastructure developer, cloud security specialist, and cybersecurity/IT auditor.

Other topics we’ll explore:

  • What are the most in-demand skills? What are the hottest markets?
  • Startup versus established company? Specialist or generalist?
  • How do you choose the best career path for your skills?
  • On the job training, certifications, or college degree?
  • What is the standard career path today, or is there one? How do you develop a road map?
  • What soft skills and management experience will you need to advance in an organization?
  • What impact will new technologies like machine learning and big data have on the security job market?

I hope you'll join our show and bring your insights and opinions to the conversation. You can post your comments and questions below or take them with you to the Dark Reading Radio studio on Wednesday, where you can participate directly through online chat. Please note, you’ll need to register for the broadcast to participate.

I look forward to seeing you there. But if you can't make it, please check out the broadcast and live chat from our Dark Reading Radio archives.


Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...

Comments

AndreGironda1, User Rank: Strategist
4/17/2016 | 4:08:37 PM
Start or Advance?
If you want to start a career in infosec, you need to immediately get a Security+ and find a mentor who will stick with you through multiple jobs in multiple places (perhaps even around the world) that will track you towards a CISSP. These two certifications are proven to get you a job. By maintaining CISSP, you can get your next job.

After you attain these two certs, in order to further advance your career you will need to select one of three paths, a) the Big Enterprise brown-noser, b) the DFIR specialist (defensive security), or, c) the Red Teaming specialist (offensive security).

If you choose Path A, then SANS is a great place to get training and GIAC a wonderful place to start additional certifications, such as GCFA, then GREM, and (ideally) GSE. For this one path, your mentor is someone above your boss but not directly in the chain above your boss. You should stay at that company for 5-15 years. You can go to local meetings or conferences (e.g., ISACA, ISC2, ISSA) but mostly you need to save your time and money for SANS, or writing papers for SANS.

For Path B, get your CCE certification and find multiple mentors (mostly outside of your current job) in this space. You will need to track thousands of blogs and read hundreds of books to be successful enough to change jobs (while constantly increasing your salary) every 2-2.5 years. What matters most here is on-the-job experience, especially coordinated with law enforcement. Go to every local Infragard meeting and some in nearby locales. Both Raytheon and MWR InfoSec offer great courses on Cyber Defense Detection and Response.

Path C is the most difficult, best accomplished through OSCP and OSCE or better certifications, often Corelan or SilentBreakSec training (for the fast-track approach, but these do not guarantee success in this field). You will need to mentor others and be mentored by others week by week for at least 5-10 years before even breaking in (pun) to this space. You will need to go to every conference you possibly can, worldwide, and start speaking about your custom current-running exploits a few times per year -- so research is heavily valued. Try to attend local OWASP chapter events, but connect with like-minded individuals in your locales and build a lab or hackerspace where you can come together at least once or twice a month. I, personally, followed this path, and found it best to work for a very small security boutique or start your own company, such as a partnered LLC/LLP -- but be sure to surround yourself with cyber defenders in addition to offensive security professionals.