
Five pieces of advice for those new to the infosec industry

I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc.) and thought I'd share a few points with those of you starting out in the security industry.


Things are worse than you expect

The reality is that companies, even large ones, are typically worse off than you'd expect. That's one of the reasons you're hired: to make things better. Things such as patch management, monitoring, incident handling, integration with dev, having contacts in other teams, other teams knowing how to engage the security department, threat modeling/security questionnaires, regular security testing, using security tools, system hardening, etc. are all likely not implemented as they should be (or at all). I remember starting out and joining a large company only to find a lot of the basics weren't being done. The first few months were me saying 'Are you fucking kidding me?' and 'What do you mean we don't know anyone in this department to reach out to for this incident?'. After some time cursing about it, I reached the acceptance phase: a lot wasn't yet being done, and it was my job to do everything I could to make things better, even if it wasn't within my security department. This lack of basics wasn't because people didn't care; they did care. It was more that it took a while to get the funding/buy-in to get more serious about addressing their gaps. This leads me to the next item.


Companies all generally start in the same space

Joining a company that's just starting to get serious about its security posture will be great for learning and growing. Personally, I don't think I'd ever want to join an extremely mature company; I'd be bored. Organizations that haven't taken security seriously likely:

  • Not have management buy-in, or have not yet approached management to make security a company priority
  • Have basic vulns everywhere and no good security
  • Be inconsistent about finding problems/have poor coverage (it will likely be very ad hoc)
  • Have poor patching, system hardening, and vuln remediation processes
  • Lack an inventory of what is out there that could be risky
  • Not know what 'risk' is exactly
  • Be inconsistent about ranking the importance of a problem
  • Have difficulties finding the right people to address a problem

If you're considering joining a company, try to get answers on some of the issues above to see if it's the right fit for you.


The community is small

The security industry is a small place, particularly as you branch out into more niche sub-fields. It's important to network at conferences and local security gatherings, and to know who's around and shares your interests.

It's important to understand that:

  • You don't talk shit about people in the industry (especially if you don't know what they look like)
  • You will work with people again
  • You may work with people from one of those 'vendors' that keep annoying you
  • Your reputation WILL follow you in unexpected ways
  • You don't act cocky even if you're a bad-ass
  • You don't oversell yourself. Acknowledge your weaknesses.

While some of these are common sense and apply to other fields as well, they definitely apply to infosec. 


Compare yourself against others in a similar position

Networking is important, period. While a lot of companies won't admit to chatting with competitors and other large companies, the reality is that a lot of the security folks do. Once you've established a good relationship with a few folks, you can begin to talk openly (as much as is possible, anyway) about how they are staffed, how they operate, challenges they've had, tools they've used, etc.

Having these conversations can open opportunities for material sharing, knowledge exchange, and comparing your company against others.


Understand Dev/IT/Operations culture, priorities, and processes

Without understanding how the teams you're supporting operate (security IS a supporting function), you will find it extremely difficult to get reactive and proactive measures to move forward. If you have ideas for how to improve things, investigate how they would fit into the various groups in your company.

Identify whose priority it should be, and:

  • Don't go against the grain (this includes culture and process)
  • Integrate with other teams' processes (Dev, siteops, IT, QA, product management, etc.)
  • Convince them to own certain security activities where it makes sense (provide a supporting role/point of escalation)
  • Meet with the leaders in each space and establish good rapport with them. Find ways to communicate the effectiveness of these activities (actual meaningful metrics).



True, good stuff! Only one thing: security nowadays IS NOT a supporting function.

I'm going to disagree with you there. While security can impact how business is done, it doesn't typically drive revenue. I'm not saying it can't impact the user experience; it often does.

The security department/s are there to make the business safer, assist them with understanding potential risk/impact, and support them in doing so.


Not only do I agree with your statement about the community being small, it is the core problem. I have found something very interesting. I worked in the defense sector for a while and was at a round table with some core people recently; the biggest problem is that we really need to get out of the community and into the mainstream market. The hacks happening are one thing, but the general public has absolutely no idea about what's going on. This is why the security industry is so small. The worst part is that we spend more time competing against one another for contracts, deals, etc., or end up having to prove the importance of security so often that it's almost absurd.

Take renderman: does it really take someone exposing that level of a security flaw for people to wake up? This is also where I agree with what Jeremiah from White Hat said, that we should hack ourselves, and with Tyler from Cenzic, who said we need to be more proactive about security. This is the problem: the community is small, and this community has for many years been stuck in the world of compliance. It's about time the rest of the commercial market and the consumer market realize that it's no longer just an add-on, but a necessity.

Once this happens, the community won't be that small anymore. As security folks, this is the direction we should all be talking about...

Teach the kids...