I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc.) and thought I'd share a few points with those of you starting out in the security industry.
Things are worse than you expect
The reality is that companies, even large ones, are typically worse off than you'd expect. That's one of the reasons you're hired: to make things better. Things such as patch management, monitoring, incident handling, integration with dev, having contacts in other teams, other teams knowing how to engage the security department, threat modeling/security questionnaires, regular security testing, using security tools, system hardening, etc., are all likely not implemented as they should be (or at all). I remember starting out and joining a large company only to find a lot of the basics weren't being done. The first few months were me saying 'Are you fucking kidding me?' and 'What do you mean we don't know anyone in this department to reach out to for this incident?'. After some time cursing about, I reached the acceptance phase: a lot wasn't yet being done and it was my job to do everything I could to make things better, even if it wasn't in my security department. This lack of basics wasn't because people didn't care; they did care. It was more that it took a while to get the funding/buy-in to get more serious about addressing their gaps. This leads me to the next item.
Companies all generally start in the same space
Joining a company that's just starting to get serious about its security posture will be great for learning and growing. Personally, I don't think I'd ever want to join an extremely mature company; I'd be bored. Organizations that haven't taken security seriously will likely:
- Not have management buy-in, or have not yet approached them to make it a company priority
- Have basic vulns everywhere and no good security in place
- Be inconsistent about finding problems/have poor coverage (it will likely be very ad hoc)
- Have poor patching, system hardening, and vuln remediation processes
- Lack an inventory of what is out there that could be risky
- Not know what 'risk' is exactly
- Be inconsistent about ranking the importance of a problem
- Have difficulties finding the right people to address a problem
If you're considering joining a company, try to get answers on some of the issues above to see if it's the right fit for you.
The community is small
The security industry is a small place, particularly as you branch out to more niche sub-fields. It's important to network at conferences and local security gatherings, and to know who's around and who shares similar interests with you.
It's important to understand that:
- You don't talk shit about people in the industry (especially if you don't know what they look like)
- You will work with people again
- You may work with people from one of those 'vendors' that keep annoying you
- Your reputation WILL follow you in unexpected ways
- You don't act cocky even if you're a bad-ass
- You don't oversell yourself. Acknowledge your weaknesses.
While some of these are common sense and apply to other fields as well, they definitely apply to infosec.
Compare yourself against others in a similar position
Networking is important, period. While a lot of companies won't admit to chatting with competitors and other large companies, the reality is a lot of the security folks do. Once you've established a good relationship with a few folks, you can begin to talk openly (as much as is possible anyway) about how they are staffed, how they operate, challenges they've had, tools they've used, etc.
Having these conversations can open opportunities for material sharing, knowledge exchange, and comparing your company against others.
Understand Dev/IT/Operations culture, priorities, and processes
Without understanding how the teams you're supporting operate (security IS a supporting function), you will find it extremely difficult to get reactive and proactive measures to move forward. If you have ideas for how to improve things, investigate how they would fit into the various groups in your company.
Identify whose priority it should be, and:
- Don't go against the grain (this includes culture and process)
- Integrate with other teams' processes (Dev, siteops, IT, QA, product management, etc.)
- Convince them to own certain security activities where it makes sense (provide a supporting role/point of escalation)
- Meet with the leaders in each space, establish good rapport with them. Find ways to communicate the effectiveness of these activities (actual meaningful metrics).