Things I wish I knew before coming to infosec.
Over the last 12 years, I’ve worked in multiple roles in information security, from pentester to analyst, from leading the infosec team of a multi-million dollar company to running my own infosec company, and there are a couple of learnings that I believe, had I known them before coming to infosec, would have led to two important outcomes:
1 - An easier life in infosec for me, and an easier life for the people I was working with or for.
2 - Acting differently in my career, and picking up much earlier the skills I only picked up later.
I thought that by making these learnings public I could help someone who is early in their career and thinking about either coming to infosec, or making the jump to infosec.
If you work in infosec you are well paid and will never lack a job
Like much of the tech market, there is indeed a big shortage of skilled people, and therefore a huge number of openings; however, much like with any other job, you may have specific requirements of your own that are not trivially met.
Maybe you like working from home, or maybe you live in a small village and aren’t willing to relocate (many jobs in infosec are in consultancy, so you need to be in a bigger town to be able to sit at clients’ offices). In general it should be fairly easy to find a job, but it may not happen in less than 24 hours, as lots of people make it seem.
Salaries are indeed aligned with the rest of tech, so you will be well compensated, but we often hear about offers over $1 million/year and it’s important to be aware that this is not common, even within offsec. Some CISO-level executives will get offers at this level, but again, it won’t be common and you can probably count on your fingers the number of people who get offers like these.
InfoSec is fun, you break a ton of stuff
I’d argue this sentence is correct, but incomplete. Infosec is a lot of fun: getting your first shell, finding your first 0day, getting that first CVE with your name on it are a ton of fun, and I can guarantee that these are moments you will remember for the rest of your life.
But then, what would we have to add to the sentence to make it complete?
I’d argue the complete sentence would look like this: “InfoSec is fun, you break a ton of stuff, but it is also your responsibility to help fix it”.
We talk about the “breaking” side of things very often: we have entire presentations and conferences about vulnerabilities, red teaming and offensive security, but what about the output of those topics? What happens when you find a vulnerability?
That’s when the “blue team” side of the coin comes out, and it is your responsibility to act as a shepherd to developers, sysadmins and business owners, and guide them to understand the risk your brand new shiny vulnerability brings, which systems are affected, and how the code can be correctly fixed.
Infosec, when done right, isn’t an individual in a corner breaking things; it’s a collaboration to improve the overall security of an organization or an individual, and honestly I don’t think this is emphasized enough while people are at university, or early in their careers.
Infosec Rockstars
Since before I even decided to come to infosec, I have met in this field some of the smartest people I have ever had the pleasure of talking with.
There are people I dare say I’ve long admired and consider some of my best friends. However, like everything else in life, there are good things and bad things in infosec.
You have two types of people.
The “twitter infosec”, which I’d compare to “instagram influencers”, and then the infosec people who put out good content and push others forward by helping them, but who don’t try to push their persona and brand a la “twitter infosec”.
The truly authentic rockstars you will never hear say they are “rockstars”, or even see act like it. They will simply help you, teach you, chat with you.
There is a popular saying, “Don’t meet your heroes”. In infosec I’d argue it should be “Meet your heroes, but do take them with a grain of salt until you’ve spent some actual time with them”.
FOMO on DefCon, BlackHat, <insert super expensive, well known security conference here>
You won’t be able to attend every conference. You will see tweets, you will see photos of the parties, but guess what? You will be fine. These conferences are useful, don’t get me wrong, but by not attending them you will not lose progress in your career. The real value of these conferences is the networking: meeting people, and that can be done at much cheaper, lower-profile conferences. Plan properly and you will meet all the interesting people. Can’t go to conferences? Send them a tweet. The presentations are typically shared on twitter or on the conferences’ youtube channels, so you will be able to see them anyway.
If you really want to go to DefCon or BlackHat, then set presenting there as a goal. It will drive you to work harder on your craft, which actually improves your career.
Burnout and repetition
You will work hard schedules every now and then. If you work in forensics you will see things that will keep you up at night. The pressure is intense when you have a network under your responsibility and there is a constant stream of new vulnerabilities coming out that you might need to keep track of. You will do month-long security tests and produce a beautiful, well put together report, only to watch a client say “thanks, we will take a look at it”, and when you come back the year after, things look exactly the same.
You will go to the conferences from the previous point and hear stories of how a “rockstar” jumped into a garbage bin, found a name in a document, produced a badge, got access into a building and deployed a raspberry pi as a backdoor, only for you to go back to your day-to-day job, where you test web and mobile apps and find the exact same set of vulnerabilities in all of them. On some engagements you may get a larger scope that gets you into a network and lets you play with a little more freedom, but in the real world, actual red team engagements that involve those “fun scenarios” are not all that common, because clients aren’t prepared for them and would not be able to extract full value from them.
Your soft skills and business skills will take you very far
You need to learn how to speak to C-levels.
Infosec is no longer a simple game where you can come in and break stuff.
It’s much more than that.
You need to know how to present a vulnerability to a board, and they won’t care about the technical part. What they will ask is:
- What impact will this have on us? Of what type? Financial? Reputation?
- Which assets will be affected?
- Ok, you want to buy an item that costs X; how many millions, Y, of potential damage will it save us from?
- What is our business interruption plan in case we do get hacked?
- One of our vendors just got hacked, which dependencies do we have on them?
Business decisions will often override security decisions, and hey, guess what?
Sometimes that will be OK.
Understanding how your business works, where revenue comes from and which clients are critical to you is essential, so that you can properly align the requirements of security with the necessities of running the business.
Also, you need to know how to have a proper discussion with your peers and colleagues.
Just having the technical knowledge and going “I was right and you were wrong” isn’t going to cut it. Be respectful and help others understand how to do things right, and when you were wrong, say thanks and let the other person know you learned something new (hint: it’s infosec, you won’t ever know everything!).
Be clear in your explanations, in your reports, in your presentations.
Infosec is still an inefficient and young industry
We keep hearing how there is a lack of resources, and it is true. But it is also true that, as of this moment, we as an industry are not applying our money in the right places. There are plenty of things we do manually that could successfully be automated and sped up. We still chase IoCs and signatures even though our past experience with AVs has shown us that it’s a bad investment.
We mock machine learning and cyber insurance, when I’d argue a lot of infosec people don’t even understand how those things work or how they could be of use to us.
But I also don’t fully blame infosec.
We have had a ton of snake oil pushed on us, so we became sceptics. But if you are new and coming in, don’t fully buy our scepticism; there are enough sceptics out there already. Bring us new ways of doing things, of automating parts of our work; help us scale and be better at what we do.
We still make pew pew maps, even though we all agree IP geolocation is bull**.
We all still do attribution based on weak sources, even though we all agree attribution is extremely hard to do correctly.
We lack formalization, consistency, useful metrics and scientific methodology in our work in many ways. You can see it by asking specific questions of 10 different people in the industry; you might get 10 different answers.
Conclusion
Even after all this, there still isn’t another industry I would have chosen for the beginning of my career. You get to learn about lots of different topics, there is a large spectrum of positions you can take, and with a field this young, there is plenty of impact to be made.