I think that is the direction I will go with this blog - while I do work on things that are trying to being innovative and bring new concepts into security, this blog will be more about how to implement some of the key security concepts. At least that is what I am trying to do :)
Why me? Why do I think after not being very visible in the security community do I now decide to jump into the fray? That is a good question, let me try to explain.
I have been recently seeing more and more posts, tweets, articles, and presentations on how to get into the security field and at this stage in my career and life, I am wanting to give back - both in knowledge and mentorship. So here it is - how I got into security and some of the things that I think have helped me succeed in the field.
Key take aways for getting into and succeeding in the Information Security field:
- Don't just stick to your job description, be willing to do things that you have never done - just make sure you are still doing what the job dictates
- Always be willing to ask for help
- Create your own systems and network environments - and break them, then fix them, then break them again
- Learn on your own - you were likely hired for your current skill set, although you should be willing to step outside your box at work when everything else is done - you are definitely going to learn more without any of the guard rails that work would have
- If your job provides a training budget, take full advantage of it - go to classes, conferences, lectures, seminars, whatever
- Always bring solutions with you when presenting a problem
- Get out into the security community and meet people, network, share ideas, whatever - having connections who know you and what you can do is probably one of the biggest advantages you can have when looking for new positions.
A long, long time ago I joined the US Navy's Nuclear Power field, eventually becoming one of the chemists of the nuclear plant, maintaining the water chemistry to prevent failure of components and monitoring radiation levels to ensure we were not receiving to much exposure. Did that for 8 years, got out, moved back to the midwest and was going to college for chemistry and that would be that. So I got a job as a bartender and started looking around to schools - but a funny thing happened, I had gotten a computer when I got out of the Navy and I found that when I got home from bartending, I spent the next 6 to 8 hours playing around on the computer. I thought, I really should look to get paid for doing this...
So my first job in the computer field was as a delivery person for a small consulting company. Because of the company's size, there was a lot of other work to be done - building systems, maintaining the office network, troubleshooting systems and networks, and a number of other things that the small staff of techs could not keep up with - so I started chipping in troubleshooting, fixing, building, you name it. That was one of the first things I learned about the computing field - don't just stick inside your preassigned guard rails and job description - make sure you are still doing all of the appropriate tasks for what you got hired for, but don't be scared to dip your toe into deeper water and figure something new out.
Don't worry, this is not just going to be a rehash of my resume - but a couple of positions I have had do have a good story behind them.
Although one of the best things about consulting/external support positions is you get exposed to a lot of different networks, business processes, and strange issues to fix. But I started getting a bit antsy with bouncing from one client to another, so decided to move to a single company and maintain a single environment. This position was pretty routine, but I did learn one very valuable lesson - it just so happened that I was on-call the week I was to give my notice of leaving for another company. On the exact day I was going to give my notice, there appeared to be an issue with the Exchange server - at the time I had far more experience with Groupwise and Lotus Notes (don't laugh...) and those systems were far less temperamental if rebooted, so, you can see where this is going, I ended up rebooting the Exchange server as everyone was coming into the office. So what was the lesson - first, the easiest solution is most likely not even close to the best solution and second, do not be afraid to ask for help if you are in over your head. I was very junior at the time and the more senior folks were only a phone call away...
After that I started on a journey that, I believe, helped me exponentially expand my skills and find that true passion I wanted to have within security. Over the next decade or so I went through a decade or so at a handful of companies - each had their good and bad, each gave me a chance to build security programs and ultimately incident response programs, which has been one of those passions of mine. But, through all of that time, there was one constant, I did a lot of learning, troubleshooting, experimenting, playing around, and breaking things outside of work. Although my wife will disagree, it is far better to break the internet at your home than it is at the office. And break things I did... That is the next thing that I learned - if you really want to expand yourself in the security field, you have to have a home lab (now I guess that would be a few cloud servers) and do not be afraid to break things - you really do learn a heck of a lot more when you have to fix something that breaks than you do just setting something up.
There was one other constant through the first part of my career - I always performed in my position such that my peers and superiors knew they could count on me, trust my judgements, and listen to my recommendations. That does not come easy... Sometimes you just have to sit back and listen, sometimes even if you know the way something is done or architected is not the best or even right way - you have to learn there is a time and a place to question or comment on a solution. If you know someone is wrong, unless it is going to cause significant damage or lead to a compromise, never criticize or question anyone's ideas in a public setting. I am not saying that you cannot have a differing opinion and bring it up in a meeting or other public setting - but just be diplomatic about it - don't degrade the other person's idea and absolutely never think that your way is the only way.
You should never think you are the smartest person in the room - if you are, you really need to surround yourself with people who can challenge you and make you better.
But back to security specifically... if you are really passionate about security, really want to make a difference, even if that difference is just within your organization - you absolutely have to be willing to learn outside of work. You can take class after class, go to conference after conference on the company's dime, but trust me, you will only get better if you create opportunities outside of the office to learn. As I mentioned before, create a home lab or put virtual machines on your system, what ever - then go break them. Even if you could careless about actually troubleshooting and fixing things as a profession - you get a heck of a lot deeper into config files, log files, and learn much more about how something functions than by just viewing the web console.
Never bring just problems, always bring solutions. Ever since I became a manager, I have always told my people to bring me solutions, not problems. Trust me, I have been around the block a few times and while problems happen all the time, don't just come to me with the current problem, bring a solution with you as well. The people I have trusted the most and had done the best in their careers come up with solutions as well. Anyone can detect a problem, heck in today's Machine Learning/Artificial Intelligence buzzword security industry - even the machines can find the problems. Coming up and presenting solutions will get you points in pretty much anyone's book.
Don't feel guilty, if your company offers a training budget, use it! While you can see I am a huge proponent of learning on your own outside of work - there is no reason you cannot learn somethings while on the job as well. Most companies have a training budget set aside for continued improvements - use it to the fullest and perhaps take some course that you perhaps could not afford yourself or attend a conference.
Lastly, I would like to touch on certifications... I have had my share of certifications - my first being Certified Novell Administrator (CNA), then MCSE, CISSP, etc. To be completely honest, I do not know of a single job that I got because I had a certification - I got the job because I knew what I was doing and could provide the company with a distinct set of skills to help protect the company. Did it get me past the HR recruiter because I used to have a CISSP - perhaps, I honestly will never know... However, when I am looking for people to come work for me, I never judge a candidate on his or her certifications. In fact, if I see too many certifications, that tells me that you are too generalized and more learning what is needed to pass a certification test rather than really being good at security. Take that for what it is - I am just one director at one company who is not a huge fan of certifications; however, if my people want to get certifications, as long as I think they are not just taking the course and test for sake of getting the cert, I will support them 100%, because I know they have the background.
Oh, one more lastly, lastly - get out an meet people in the security industry. It is one thing to follow respected security people on Twitter, read their blogs, etc, but it is more to actually meet people in the industry. Go to security related events and groups. ISSA, ISACA, and OWASP are all national level organizations that have chapters in all major cities - even if you are a ways into your career and you think something like ISSA is too high level - do not let that keep you from attending the meetings and meeting people. Heck, if you think the presentations are too simple or high level - propose to speak at an upcoming meeting - just make sure you are presenting on a valuable topic and it will be of interest to the audience.
OK, that's about it. Honestly, if you made it this far, thank you. While it is very easy to write about yourself, knowing that someone read until the end is cool. As I said starting off, I am at a point in my career and life where I want to give back to more than just the company I work for and just to those who work for me and who I work for...
Thank you, I hope this helps someone and please do not hesitate to reach out to me at paul[@]ir4n6[.]com
No comments:
Post a Comment