One of the common questions I am asked is, “How do I get a job in information security?”  Infosec continues to be a hot career field with many job opportunities.  Therefore, we continue seeing people who are interested, but don’t know the steps it takes to gain employment in information security.  This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security.  It all started as a computer science major at Michigan State University. I was also in Air Force ROTC.  This combination allowed me to start developing my security mindset.  As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator where I learned how to apply technical controls to protect the systems and its data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity.  Traits to be successful in cybersecurity include:

• Curiosity – A wonder on how and why things work
• Critical Thinking – goes with #1. You need to go beyond the obvious
• Communications skills – you can find the coolest things, but if you can’t effectively let others know, it’s like a tree falling in the forest
• Technical Skills – You need to know your way around a computer
• Maturity – Stuff happens. You need to be able to keep your head when all h311 is breaking lose.

The security community has a vast number of articles on breaking into the security career field.

• This article from the great security blog site Securosis  (@securosis) contains recommendations for starting in security and potential career tracks: “Who to Recruit for Security, How to Get Started, and Career Tracks”.
• “I Am InfoSec, and So Can You” is an article by Ben Tomhave (@falconsview).  In particular see his second paragraph explaining what we really need in security. He also has a number of tips for those who are still crazy enough to enter the field.
• George Hulme (@georgevhulme) wrote in March 2015, “Six entry-level cybersecurity job seeker failings,” http://www.csoonline.com/article/2894193/infosec-staffing/six-entry-level-cybersecurity-job-seeker-failings.html
• Jenifer Noss (A Bellevue University MS Cybersecurity graduate) has a nice piece on “Finding work as an IT Security Specialist.”  She is not only a student, but also a seasoned cybersecurity professional. Check out the links in her blog for where to go tshe provides for increasing your cybersecurity potential.
• Trey Ford (@treyford) currently at Rapid7 has two posts that may help cybersecurity career hunters:
  • Networking- https://community.rapid7.com/community/infosec/blog/2015/07/20/the-black-hat-attendee-guide-part-3–networking-at-black-hat … &
  • Job Hunting https://community.rapid7.com/community/infosec/blog/2015/07/29/the-black-hat-attendee-guide-part-6a-on-job-hunting-recruiting …
• @J4vvD has numerous videos answering this question
  • “How I started in Infosec,” https://www.youtube.com/watch?v=ouO2cdnGFK4
  • “How do I learn more about infosec?,” https://www.youtube.com/watch?v=FdDFUSchMuM
  • “Sharing your knowledge,” https://www.youtube.com/watch?v=RCS-DKfmj38
  • “Finding your niche,” https://www.youtube.com/watch?v=sAnj4ZcM3wk
• The National Initiative for Cybersecurity Careers and Studies has a website (https://niccs.us-cert.gov/education/promoting-education) focused on Promoting Education, Engaging Students, and Fostering Communities.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years.  The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3 ½ minute Ted talk from Richard St. John: 8 secrets of success – http://www.ted.com/talks/richard_st_john_s_8_secrets_of_success.html (Watch for his explanation of CRAP).  It’s great, general information on how to succeed in any career.

[Note: This article was originally posted on the ‘Educating Next-Gen Cybersecurity Leaders‘ blog on CSOOnline.com.]

“It was the best of times. It was the worst of times.” No, I’m not talking about Dickens’ A Tale of Two Cities. I’m talking about the Internet Age where we have powers beyond our ancestor’s imagination literally at our fingertips. We can work, play, and communicate from almost anywhere and anytime. The flip side is the dangers where people, systems, and data are breached on an all-too-frequent basis. Since you’re reading this, none of it is new to you. What may be new is how Education Technology is rapidly evolving to meet the needs of both students and industry, which epitomizes the best of times and the worst of times.

As a security professional, you may not be aware of all that’s happening in the world of Education Technology (#EdTech) and how it affects the security community. Teachers are using a wide variety of tech tools from smartphones and tablets to Internet applications like Google Docs, Twitter, Edmodo, Udemy, etc. Classrooms are being flipped to be student-focused rather than the traditional ‘sage on the stage’ lecture. The cloud has reached the classroom to where students learn from almost anywhere, anytime from any computing platform. Academic institutions at all levels (K-12, colleges, and universities) are scrambling to keep up with the rapid pace of technology.

Study after study shows we’re lacking combatants on the cyber battlefield to take up both offensive and defensive roles. Steve Morgan’s Cybersecurity Business Report validates this need in the posts Cybersecurity job market to suffer severe workforce shortage and Worldwide cybersecurity market continues its upward trend. He offers some solutions such as, “parents sending their kids to cybersecurity school,” and “getting a Master’s Degree in Cybersecurity.” However, there are underlying issues preventing these from being complete solutions.

One is the disconnection between what’s required by the security industry and what’s currently provided in academia. The body of knowledge for cybersecurity professionals requires such a wide berth that covering all of those areas at any depth is nearly impossible in the traditional classroom. Educators are forced to focus on some areas, while dropping others. They usually pick what’s easiest to teach in the classroom or their interest area or specialty, rather than what’s most needed in the ‘real-world.’

Then there’s the issue of developing essential professional skills such as hands-on technical know-how, real-world problem solving, and fundamental collaboration / communications abilities. Standardized, multiple choice (guess) tests only go so far. Creating and then grading assignments to meet these needs is much easier said than done. Educators at all levels need to be connected with industry professionals to understand and meet the burgeoning needs of not only what’s being taught, but also how.

There are many great activities promoting the next generation of security leaders. Conferences are getting kids involved in safe arenas to learn cybersecurity and practice their skills. Examples include the RSA Conference’s Cyber Safety Village, R00tz held in conjunction with BlackHat/DefCon, and the Hak4kidz conferences.

Cyber competitions promoting both offensive and defensive skills are also available to students from elementary school up through graduate studies. Examples of this area include US CyberPatriot, the ISC²/MITRE Cyber Challenge 2015, and National Collegiate Cyber Defense Competition (CCDC).  Dr. Dan Manson from California State Polytechnic University, Pomona, is consolidating information on the Cybersecurity Competition Federation website.

If you have a cybersecurity competition or kids’ event you’d like promoted in this blog, please let me know.  More information on all of these resources will be coming in future posts.

We have many opportunities to work together to solve this problem of developing more and better students with cyber savvy skills. We need you to join us in educating, training, and preparing the next generation of security leaders.