Blog: How Tos

How to get into Information Security

consultant-placeholder07 James Mace 13 Nov 2013

However much we might hope otherwise many people are unaccustomed to the importance of information security. However there has been much deliberation recently in the media regarding cyber security and how the demand security is at its highest. The information security sector is experiencing exponential growth and is constantly adapting to the ever changing threat landscape; this makes it an exciting and rewarding place to work.

With this high demand for security experts, you might well ask “how do I get started with a career in information security?”

Due to the often secretive nature of this industry, it is often not clear what the desired experience or qualifications are. The typical route into security normally consists of someone with either a development or technical support background which would provide a base for a seamless transition into security. However if you’ve just left college or are brand new to information security and don’t come with this experience, it can be very unclear as to how to start your journey.

When I first decided I wanted a career in information security, I too was stuck at this same hurdle. My interest in hacking first arose from tinkering with PC’s, phones and games consoles, all back in my younger days, I was fascinated by manipulation and the power that held. Since then, I knew I wanted to pursue a career in security, and at first, I had no clue of how to get into this industry. Luckily, at the time I was applying for university, ‘Ethical Hacking’ courses were just being rolled out across a small number of universities.

Ever since I saw the advertisement for such a course, I knew that any other course was not going to spark my interest like this one was. I put down my choices and was initially accepted at Northumbria University however, a couple of months before the course was due to start, I received a phone call telling me that the course was no longer being ran as they were unsure of the types of individuals the course would attract. This was unfortunate; however the remaining university running the course, Coventry University were going ahead with the course. This was a relief and it was the start of my info sec adventure.

During my studies I managed to get a part time job at the university doing 1st line technical support. One piece of advice I would give, is to checkout any courses beforehand and if you can, speak to the lecturers who will be teaching the content. In my case I had a down to earth and very knowledgeable lecturer, I was fortunate; this may not be the case on all courses. Fast forwarding 3 years after completing my degree, I asked myself two questions upon reflection:
Do I think the course gave me everything I needed to be a 100% expert in information security? No. I don’t think any single course can do this, however it did provide with the foundation knowledge I needed to kick-start my career.

Do I think this course gave me the stepping stone I needed to get my foot into the door of a fascinating industry? Yes. If it wasn’t for having such a course on my CV, my experience alone may have not been enough to get me the interview and opportunity I needed, after all your CV needs to be attractive to potential employers.

I’ve jotted down some tips for newcomers which I believe should be helpful if you have little previous experience:

  • Don’t be afraid to email security companies and well known individuals asking if any internships or volunteering jobs are available, show your interest and you may just get lucky.
  • Any experience is good experience when working in IT, don’t be the person who doesn’t believe a part time tech support job or being involved with volunteering for tech setup at events will not be beneficial to their knowledge and future endeavours.
  • Engage in and complete as many security related courses as you can get your hands on, many employers are looking for key certifications such as CREST, which is largely becoming the standard for UK specialists.
  • I cannot emphasise enough on portraying your passion in front of a potential employer. Do not slouch back in your seat and merely talk about infosec like your reading todays newspaper, look sharp and show them your willingness to learn and thirst for security.
  • Understand that security is based largely on securing assets and therefore many businesses do not understand technical risk. It is essential that you can convert technical jargon into real world business risk, otherwise your advice will fall on deaf ears and the value gained from a penetration test will be insignificant.
  • Participate/network where possible, whether this be in local meetups such as OWASP or national conferences such as 44con or bsides; bsides also now offer a rookie track, allowing up and coming enthusiasts to get a taster of getting up on stage and sharing their research.
  • Other organisations such as the cyber security challenge which are designed to spot talented individuals in the UK can also be a great leg-up, competing will give you chance to meet like-minded people and the companies who are actively hiring security engineers.
  • Get involved in community projects – There are many open source tools/frameworks out there which are in need of contributors help to keep them progressing, let your creatively flow here.
  • And finally, don’t give up! one set back is not the end of your journey in information security, persistence pays off so don’t be upset if one employer fails to see your potential or you’re turned away from the first door you come to, there are plenty of others go at.

I hope this post has been helpful to people, especially those who are sat wondering if you will ever get a chance to showcase your abilities.