Silicon Shecky

Infosec Practitioner


Infosec: You are probably already doing it

December 28, 2015 By Michael Kavka

Recently on Twitter, a bunch of people in the Infosec community have been talking about getting new people involved more. Helping the next round of professionals get up to speed or keeping them interested and getting them in the field. So what is the problem here? Why aren’t they coming in and switching over? Using the path I’ve taken to become a “professional” Infosec guy, I figured I’d talk a bit about how daunting a task it can seem.

I WANT TO BREAK INTO INFOSEC!

This was my mantra for a long time. I did what I thought I could. I started going to the Burbsec meetings in Chicago so I could meet the professionals and ask advice. Still, even going to them, I felt like a schmuck. I had nowhere near their level of experience. When they talked tech at these get-togethers, so much went over my head and I didn’t want to seem like I knew nothing. After time (and some encouragement from my SO to keep going to these meetings), I started feeling comfortable around the people. I didn’t have a ton more knowledge, but I was welcomed and talked to as an equal, and if I had a question, it wasn’t looked at like I was some pariah. People like @j0hnnyxm4s, @Hacks4pancakes, @Ben0xA and many others not only encouraged me, but gave me tips on how to move forward in the industry.

I was doing Network Engineering, Administration and Design work for a living. Not what I would consider being an Infosec professional by any means. Still, I went to BSides Chicago, and even got up the gumption to give a talk about the Small Businesses and their security needs at the 2014 one. Even with all of that, being an Infosec professional seemed as far away as ever. Why? Well…

I DON’T HAVE THE TRAINING/CERTIFICATIONS TO GET INTO THE FIELD

Working in the wonderful world of IT you hear a ton about certifications. Look at the alphabet soup out there: A+, Network+, Security+, CCNA, CCNE, MCSE, CISSP, CEH, GIAC and the list goes on and on. Classes alone for some of these can be in the thousands of dollars, and if you aren’t getting work to pay for them, can be unaffordable. Now, I am not trying to start a debate on certifications. The thing about them is they are a way in, by means of getting past the HR people, and in some instances are required for the job due to, say, Government involvement. They also are a way of learning some of the basics.

Speaking of learning, one thing I think is lacking is a repository of VMs that can be used for learning. Most people who want/are involved in Infosec tend to have their own labs. Today, with Virtual Machines, the cost of labs has gone drastically down. Sharing a VM or two with someone wanting to be involved can be extremely helpful, but so can helping that person set up their own lab.

RISK VERSUS REWARD

This is one of the biggest things in any form of security, so why should it not be brought up as part of the path? Sometimes, more often than you might think, you need to take that risk to get into the field. Maybe it is doing a talk at a con or local group meetup. Maybe it is applying for that job you think you have no chance in hell at. The rewards for taking those risks can be great, as long as you understand that rejection is nothing more than another learning experience. In most cases you can talk to the organizers or people you interviewed with and get some feedback so the next time you have a better shot. When I applied for my current position I took a risk, as I felt I was not what they wanted based on the job description and requirements. I was wrong because to my surprise I was told…

YOU ARE ALREADY DOING INFOSEC AT LEAST PART TIME

My boss leveled that on me when I was going through the interview process. His statement to me was since I was dealing with Firewalls and Firewall Rules, dealing with antivirus and antimalware, removing malware and dealing with PCI requirements for some, that I already had years of experience in the field. This floored me, because, like a lot of people trying to break into the field, I think of Pentesting, DFIR, Reverse Engineering, and finding zero days as the things Infosec Professionals do. That and speak at a ton of conferences if you want to be well known. Reality set in that security is so much more than that. I had no idea that I was thought of in that fashion, but I came to understand it. Infosec is such a broad area that people, especially those new to it, need to learn that they already took the first steps into the field by wanting to learn and doing day-to-day stuff. Going over logs to find an issue, opening up a pinhole in a firewall, taking care of VLANs, patching systems, all of that is part of Infosec. To get into the “well known” items listed before it just takes a little bit more.

DON’T BE AFRAID

Talk to people out there. I have a Twitter feed on the side of this page with a list of Infosec Twitter accounts I follow. Use that if you have to as a starting point to talk to people, or at least follow them. Do some research, find out if there is a local Infosec meeting near you that you can go to. Get to cons, and talk to people in the hallways, besides seeing the talks/panels. Also, I recommend this post from @hacks4pancakes: Starting an InfoSec Career – The Megamix – Chapters 1-3. It is the start of a 2-part post that really will help.

Filed Under: Rants, Security Tagged With: General Thoughts, InfoSec, starting points
