Skip to main content

Requirements for Information Security

If you want to get into Information Security you HAVE to be a/have this skill... Why this is total BS.

Almost daily I see someone posting on twitter, trying to be helpful to folks who are looking to get into InfoSec. Often I see "If you want to be in Information Security (Cyber Security) then you HAVE to be a programmer" or "If you want to be successful you have to be a hacker/have a criminal record/have abused systems without permission" etc.

While having technical capabilities (such as programming) and having the ability to compromise a system shows a specific skillset neither are required.

When talking to people who are interested in Information Security I often refer to it as a cake, there are tons of slices, many flavors, many pieces and parts you can sample, choose to focus on, will be expected to know something about, etc. Incident Response and Forensics (my current focus) is not the only part of Information Security, and certainly not the only part that matters.

The most important things to bring to the table are:


  • Curiosity - the desire to answer the "why" question when looking at a technical problem
  • Persistence - often we are on the front lines of research, and ask questions that there aren't easy answers for. Be prepared to not find an easy answer on google. Develop your network of peers, co-workers, and your own skills to be able to figure out how to get the answers.
  • Ability, and desire to learn - this does not mean a university degree (although that level of rigor may help some) this is the thirst for knowledge and willingness to admit you may not know the answer, but you can figure out how to get it, conduct research, and document.
  • Communication skills - especially if you work with people (most of us do) and absolutely if you work FOR people (as a consultant for example) you need to be able to communicate your findings or questions in a way that is understandable and actionable by your audience. If you tell a company executive "you need to rebuild your entire AD forest" expect a blank look. If you explain "Your Active Directory infrastructure, which is where you login to, appears to have been compromised, and we recommend a full rebuild. We have additional technical details if you'd like, or we can share with your tech team". Along with spoken communication I would also include professional acumine and written communication (especially report writing/documentation).
This is in addition to the standard technical capabilities that would be expected, and that depends entirely on your role. As an example if you are in Information Security Risk Management, you don't need to be "in the bits" technical, you need a good understanding of risks, threats, controls, and how your organization handles those. If you are applying for a very technical hand-on role (e.g. DFIR type of consulting) expect to have your technical knowledge questioned heavily.

If your role does actually provide Information Security code review, then you will likely be expected to be able to review and understand code. Likely you will also be expected to use a tool or series of tools to assist with consistently accomplishing your goals.

I hope this helps. Anyone who has the desire, the skills I outlined, and technical knowledge could get into Information Security. Realize you may start "at the bottom" and expect you may have to prove your skills on the job to advance, but that is true with any career. With those key skills you should be ahead of many of your peers and prepared for the unexpected, which is what this job is all about.

Good luck,





Comments

Post a Comment

Popular posts from this blog

Busting the myth of the malicious insider

The Myth of the Insider Threat Too often after the announcement of a new breach, the first reaction from the victim company and the media is "another malicious insider attack".  Case in point, I was catching up on news from various sources and came across the following: http://www.idgconnect.com/abstract/19647/lessons-sage-leak " “We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation,” the Newcastle, England-headquartered firm said in a statement." Of course an internal login was used to access the data, as part of the attack lifecycle, during your reconnaissance phase you identify accounts to target for possible compromise, based on the access/role of the individual.   Phishing attacks or other simply attacks are often successful in gathering login credentials for individual users, which can then of
Post a Comment
Read more
Weekly recap and why you should be concerned about "attackers" even if you have "nothing to hide" Why you should be aware of, defend against, and prevent attackers... even at home: I often hear from future victims "well I don't have anything to hide/anything of value/why would they target me!?" It's really not about you, usually the attackers aren't looking for your data (if they get it, or have easy access to it, they may try to profit from it, but the people doing the compromising aren't usually the same folks that monetize). What the attackers want are compromised systems they can use to do what they want at scale. So if they can compromise 50 systems, they can send 50X the amount of SPAM... 100 systems, 100X, etc. Some operations get paid based on the number of emails they can send per day. Of course the email will likely not just be SPAM, but may also be malicious (ransomware, etc.). http://thehackernews.com/2017/09/linux-ma
Post a Comment
Read more