Item 2: A Mashable article about the dearth of infosec skills, one of a bumper crop of similar articles: "There’s plenty of jobs, but relatively few qualified applicants."
Item 3: Tad Puckett, commenter on that Mashable article, who claims a list of security certifications and is indicative of an army of frustrated infosec warrior wannabes: "Hogwash!"
What Puckett really said was that in spite of having a few security certifications under his* belt and working toward a CCNA (Cisco Certified Network Associate) certification, and despite the piles of stories about organizations being desperate for scarce security skills, there are zilch entry-level openings to be had.
"Where are all these jobs in IT Security I keep hearing about?" he wrote. "I am looking at QA testing, help desk jobs, and remote tech support. … I contacted the [Department of Defense] well in advance of my graduation looking for information on entry-level job opportunities. They sent me a canned email directing me to apply to job postings on their site. Of which there were no entry-level security positions. But they are desperate for people in the field."
There have been quite a few stories about the dearth of security skills. Among them are quite a few commenters crying, "Bollocks! They won't hire us."
Can both things be true? Can there be a scarcity of infosec skills that coincides with a lack of entry-level jobs?
Oh, yes. Here's the problem: There's nothing whatsoever "entry level" about security.
Think about it. Are there any aspects of security you'd entrust to a fluffy hatchling? A network, say? Infrastructure? Applications? Workstations? Of course not. Nobody can secure those things until he or she thoroughly understands how they work, and that takes time, precious time spent learning how particular things break and how to fix them and then how to secure them.
"I wouldn't say the infosec positions [businesses are trying to fill nowadays] are entry-level jobs," says Jerry Irvine, CIO of Prescient Solutions and a member of the National Cyber Security Task Force. "They're the 5-10 years positions." To get to that level, Irvine says, you need to know security at each individual granular level you're working at. "How do you secure a Microsoft workstation first? How do you secure the architecture behind Active Directory? Those things build up and create a great security professional," he says.
That's right: All these places howling for infosec skills want those skills to come corked up in well-aged vintage bottles. It's a Catch-22. For example, you can't get the hallowed CISSP (Certified Information Systems Security Professional) certification without a minimum of five years of direct full-time security work experience, but there are many security jobs you can't get without a CISSP.
Nonetheless, stop pulling your hair out. If you don't have the experience, you have to get it – and you can. Just make the entry-level job yourself. I checked with security pros, most of whom have CISSPs, to find out how they got their start. They gave me some tips on how you can roll your own entry-level security job.
Do You Want to Be a Dermatologist or a Neurosurgeon?
Infosec pros have this analogy with medicine they roll out, because both medicine and infosec are general terms that cover many specialties.
Richard Bejtlich, a prominent security blogger, chief security officer at security forensics firm Mandiant, and former director of incident response at General Electric, wrote a piece about breaking into security for Brian Krebs' Krebs On Security blog.
In that article, Bejtlich said that you'll get a different take on how to start in security from everybody you ask. "If you ask a neurosurgeon, he or she may propose some sort of experiment with dead frog legs and batteries," he wrote. "If you ask a dermatologist, you might get advice on protection from the sun whenever you go outside. Asking a 'security person' will likewise result in many different responses, depending on the individual’s background and tastes."
I got Bejtlich on the phone. He told me you really do need to figure out where your tech passions lie before you set your cap on being something as nebulously labeled as “infosec expert.” It's your No. 1 task if you want to break into the field.
Bejtlich himself got his start in the military and thinks it's the perfect place for it. You're in your mid-20s, and you're responsible for hundreds of other people—responsible for their lives, mind you, not the bloodless kind of corporate responsibility. That level of responsibility is going to impress most anybody you're trying to talk into giving you an entry-level infosec job.
Bejtlich started as a military intelligence officer and was drawn to the "coolest part of the building," he says: the Air Force's information work center. He worked up from being a junior analyst, to taking over the night shift, to taking over the entire detection operation. That's a perfect beginning for somebody who'd go on to become a computer forensics expert.
Getting Your Hands-On
Prescient's Irvine is another case in point who, actually, sired another case in point. He himself started on the help desk around 1990, went on to network administration with Novell NetWare, got into Microsoft Windows NT when it came around, and was taught the wisdom of limited installed options when Windows NT Server 4.0 came out with "absolutely everything" installed and absolutely everybody suddenly acquiring access to that everything, he says.
Today's default network setting is "least amount of privileges." But in the Windows NT 4.0 era, network administrators like Irvine were forced to learn how to lock down the zombie hordes of people who had too much access. It was yet another appropriate training ground for somebody who'd go on to rack up the experience needed to get a CISSP, which Irvine did, along with a host of other certifications.
"For a new guy getting into [infosec], the way I did it, and the way we look for people, is we don't look for a book technician," he says. "We look for somebody with hands-on." Irvine looks for security staff who grew up in a specific industry. It might be systems and Microsoft certifications, or Citrix and VMware. He hopes that along with those specific focuses a job candidate learns industry best standards, and also security best standards for those apps.
His son, meanwhile, is a junior at DePaul University, working on an infosec degree.
But learning the book way doesn't mean he's not getting hands-on experience. Irvine, having learned in the trenches, asked his son how, exactly, one learns infosec in a regimented college program.
His son outlined a learning path that's basically the mirror image of what his father went through. First, his son said, you learn the PC: the network and systems. Then you learn how they interact, and then you learn how to secure them. As you learn how to secure the computers, you also learn that part of security isn't just giving people access and protecting against viruses and other nastiness. It's recognizing that the mere interaction of networks and PCs and anything else can do undesirable things to your systems. Then the question becomes, “How do I get it back?”
This is the type of entry-level person whom infosec companies hire: those who've experienced security at every level at which they've encountered it.
"That's the type of individual we want," Irvine says. "Those with on-the-job training. When we look for pros, we're not necessarily looking for somebody who picked up a book and said, 'I want to be a security guy.' [We're looking for people] who looked at [security] and learned it at each individual layer: workstations, apps, network infrastructure, access controls. Those are individuals who become strong infosec personnel."
If you already know something in IT, learn the security component of what you already know, Irvine advises. Then go from there.
To Hades With the “5 Years Experience”—Just Pass the CISSP Exam
Case in point is Jason Yakencheck, who has one of those vaunted CISSPs. Now, he's a managing consultant in a cybersecurity and privacy practice; he’s also a member of the Young Professionals Committee at ISACA, a professional association that deals with IT governance and grants various infosec certifications.
Yakencheck was hustling before he got to this point, though. Back when he was new in the field, he passed the certification exam just to show he knew his stuff. Just passing the exam, after all, is street cred.
"Successfully passing the exam demonstrates your level of knowledge, and once you reach the required years of experience, you can earn the credential through an application process," he says. "I took this approach when getting my CISSP and I found it to be very beneficial, since it gave me added credibility at an early stage of my career."
Then again, other infosec certifications don't require five years of experience, such as ISACA's CRISC, he points out. That one requires only three years of experience.
There are, actually, scads of infosec certifications: CSSLP for software, CISA for auditing, CISM for managers, CEH for ethical hacking, CWSP for wireless, GCWN for Windows admins, and a host of other vendor-specific ones. (See also: The Top IT Certifications.)
Why is CISSP seen as the crème de la crème? For one thing, given the years of experience required to get it, the certification is shorthand for "been around the block."
Also, lest we forget, as Bejtlich points out, security job descriptions aren't necessarily written by people with any knowledge of infosec. Human Resources people have recently started to realize (translation: are being emphatically made to realize by security breach-leery upper management) that security matters. But that doesn't mean their understanding of the field is particularly sophisticated. "HR departments, and hiring managers, well, if they're hiring their first security people, they write unrealistic job descriptions," Bejtlich says. They want to hire a multitalented specialist. They're all looking for a single person who can do several things, all at the expert level, he says, though that's not true of anyone.
Network With the InfoSec Warriors
It certainly doesn't hurt to become a member of a professional association like ISACA. "It's a great way for individuals newer to the industry to network with experienced professionals and executives in order to learn about new opportunities," Yakencheck says.
ISACA's Young Professionals Committee would be good for those with an interest in infosec and auditing. Don't limit yourself to using these associations just to find a job, though; professional associations are also a good place to pick up mentors.
Bejtlich says that if he were junior level, looking to break into infosec, he'd pick something he's interested in, get out there, and get involved. He'd have a blog, he'd tweet, and he'd contribute to open-source software. You don't have to be a programmer. There are other things you can do. Software testing, for example. He downloaded and installed FreeBSD. He had a problem. He fixed it. Now he's part of the open-source world.
"Get out there and establish a presence, so if somebody's looking for [what you're involved in], that's your CV," he says. "That's a track record of all the things you're working on and that you like. That's how you find junior talent that's a cut above everybody else."
Do Not Worry About Age Apartheid if You Want to Get Into InfoSec
"Junior" doesn't equate to "young" in infosec. Bejtlich has hired both young people and mid-career people. He likes to get them working together, so the older infosec trainee can keep an eye on the younger, potentially video game-playing, possibly tardy, infosec stripling.
When Bejtlich was at GE, he hired a 35-year GE veteran out of another center. The man could read punch cards upside down, but he came in as a junior infosec pro.
From the get-go, that guy had deep knowledge about how the network was built and about how the company worked, Bejtlich says.
"Security sounds like a young person's game," he says. "As if you have to start when you're 12, then when you're 22 you can put 10 years of experience on your resume even though you can barely drink. I don't believe in that. I did some as a kid, but I didn't get back into it until I was 26. In some circles, that's close to washed out. You don't have to be that 15-year-old wunderkind to get into security."
So Go Get an InfoSec Job
Have you already figured out your passion so you can carve out a specialty in infosec? Have you gotten your hands dirty? Have you soaked up all the knowledge about your particular technology niche, including how to secure your corner of the cyber world?
Recruiters have a succinct phrase for the job candidate with an impossibly perfect combination of skills and/or experience: the Purple Squirrel.
Security skills hunger is breeding many job listings for Purple Squirrels.
Are you ready for an entry-level infosec job?
If you're looking, Bejtlich says Mandiant just opened a new security operations center in San Francisco.
Go get your hands even dirtier.
*The male gender is a guess, given that the quote was taken from a Mashable comments section.