Dark Reading is part of the Informa Tech Division of Informa PLC



02:30 PM
Lysa Myers

Lessons from My Strange Journey into InfoSec

Establishing an entree into the security world can be a maddeningly slow process. For those of us already here, it can be an opportunity to help others.

If you looked only at my educational career and résumé, I'm the last person you would expect to go into a career in technology. And yet I'm not unique in this regard; this is a very common situation for people in the infosec industry. You might wonder how we all ended up here and what lessons we can offer to those wishing to start their careers (even via a more traditional path). Here's my story.

People usually assume that because I have a technical job, I must have a degree in computer science. I don't. I dropped out of college and worked as a florist before starting at a security software company. I had never even heard of computer security as a career path.

After leaving my last florist job, my next adventure started with one lucky step: I took a temp job as an office manager's assistant. When I had downtime from my regular duties, I offered to do odd jobs for other departments, including the malware research labs. After my temp job ended, I sought a position working in the labs.

My first position was as the email equivalent of the dreaded auto-attendant: "Your sample is very important to us! Your email will be answered as quickly as possible, in the order in which it was received." To motivate and decrease grumpiness from recipients of this auto-reply, I started adding links to educational resources in my reply templates. Sometimes the resources I needed didn't exist and I ended up having to create them by asking malware analysts what they wanted people to know.

The process of figuring out how to educate the people who were coming to us for help educated me too. Each new thing I learned gave me another idea for how to make my job — and the job of the malware analysts I worked with — easier and more pleasant, and allowed me to take on more of the work of our analysts. Eventually, I had automated much of the process of frontline response and was primarily doing the work of a malware analyst. By the time I left, I was helping to design automation to speed up the malware analysis process.

Much of what I did for the first few years was metaphorically scrubbing latrines for the department, but it was work I thoroughly enjoyed because it gave me a chance to learn new things almost every day. My willingness to do scut work provided me with an amazing opportunity to get a foothold in an industry that is notoriously difficult to break into. Whether you're looking to get into the industry with no official education or experience, or you've got a degree and are still having a hard time getting in, here are two things you can do to improve your odds.

Establish a Good Reputation
Much of what made achieving my first official security job title possible was a matter of establishing my reputation within the research labs as someone who was willing to do even the most onerous tasks quickly, enthusiastically, and effectively. I moderated the impatience of grumpy inquirers so that analysts could focus on malware samples. I created department-wide tool repositories as I learned what the tools did. I created documentation for our whole process so that it was repeatable by new hires as well as by automation.

Even if you don't have the good fortune of working at a company with an established security group, there are plenty of industry-wide groups that you can join and where you can offer your assistance — and learn important skills in the process.

Be Indispensable
A common theme I hear frequently is about how many people get into this industry from surprisingly diverse past careers because they took on a huge problem that no one else had the time or inclination to address. Before their first day in an official security role, they had already created handy tools, or they created much-needed documentation, or they spread information to help people via public blogs or forums. They took time to help others, and thus became indispensable to people who already work in this industry. When a suitable position became available, their lack of technical experience or training was a nonissue because we, collectively, could not afford to be without them.

Establishing a good reputation in this industry is absolutely essential, and it can be a maddeningly slow process. Because of the sensitive nature of the work we do, you must have more than just knowledge and experience to establish your career; someone already in this industry must vouch for you. But this can be an opportunity too, for those of us willing to put ourselves out there to help others.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...

User Rank: Moderator
7/17/2018 | 3:40:32 AM
Re: Glad for the Company
It is rather common for me to see people from different backgrounds going into unrelated fields to work. It is really not that hard to get into the desired positions as long as past experiences have brought us there. However, specific roles might not be able to be performed if no expertise within the field is available at that moment in time. Some companies might even send those said employees for courses to upgrade themselves and adapt well into that new unrelated environment.
User Rank: Ninja
7/12/2018 | 7:44:23 PM
Glad for the Company
Loved your post and your story resonates.  Mine is similar except coffee and not flowers was my mainstay before getting into my first tech gig.  I tested out of High School early due to boredom and started working at coffee shops. I honed UNIX and GNU/Linux skills in my free time.  Got my first tech gig at a start-up doing automated software test programming thanks to a friend who thought I might be good at it and went on to work at several software companies doing similar work.  For me, it was the side-gigs that got me exposed to InfoSec and hardening systems, scripting configuration managed GNU/Linux installs and VMs became my passion.  Few people I knew as a kid would ever have expected to see me where I am now, for sure, and in fact I am sometimes not sure how I even got here with my lack of actual credentials.  But what you said is true - I made myself indispensable at every job and did everything I could to stay cutting edge by reading as many security and tech papers as I could and making solid recommendations based on data and research.  I'm still executing my end-game (I keep a shortlist of companies I'd love to work for), but watching careers like yours definitely keeps the passion and confidence burning. 