So you have decided that you want to pursue a career in information security. Of course, the first thought may be to go to school or study to pass certification exams such as Security+, CISSP, or CEH. However, there is an increasing argument that you can't just walk right into a security job out of school or just by getting a certification.
I spent ten years in Ops, not a dedicated security role. That experience is what made me who I am. Nobody should think your first job should or has to be some security title. Virtually every IT position involves bootstrapping deep security knowledge in that area. https://t.co/46aMnNiDSx
— SwiftOnSecurity (@SwiftOnSecurity) May 21, 2018
The fact of the matter is that there is a significant cybersecurity skills shortage, and there are many reasons for this. For those already in the cybersecurity field, this means endless opportunity and job security. However, those who have no workplace experience, or no experience with business operations such as DevOps or help desk, may find it harder to land an entry-level gig.
Because security and IT teams often have a symbiotic relationship, there is a common argument that the best cybersecurity talent comes from people with years of IT experience on a help desk or as a sysadmin. However, many believe that a basic understanding of how systems and applications work, plus experience exploiting those issues in personal projects without any real IT experience, is enough to make a solid entry-level information security professional. Those who spent years in the IT industry before moving to security think not.
One of the cybersecurity professionals in the latter camp is Logan Hicks, and he has a point. Logan provided the flowchart below to help explain the best way to land a job in cybersecurity.
As you can see from Logan's flowchart, there are a few ways to get into security, but it can't be done without paying your dues, so to speak. Logan's reasons are clear enough. How can you have any inkling of what you are doing if you don't understand the applications, services, and infrastructure you are tasked to protect?
This isn't to say that private study won't increase your skills in security; it's just that you can't learn on your own how IT teams and security teams work together. You need to experience it firsthand. Even as an entry-level cyber professional, or a "junior" as Logan calls it, you need strict guidelines for any given pentest, malware dissection, or employee training exercise. The junior employee's manager will need to make sure that the junior follows those guidelines and does not cause any service failures, because many IT teams, especially in enterprise business, have strict SLAs that must be maintained.
Playing devil's advocate, I argued that you can get some great experience testing your security chops in a test/dev environment that is not connected to any live services. This helps, but it is certainly not an adequate substitute for security training in a live production environment, argues Logan. A dev environment cannot really reproduce what you learn in production, where every test carries the risk of some sort of outage. As we know, once a pentest or exploit affects an end user or client, it becomes a matter of lost money and reputation.
The Counter Argument
There is some controversy over Logan's and @SwiftOnSecurity's logic. Some have stated that working on a help desk or in IT operations is not necessary to be a cybersecurity professional. Simply having cybersecurity chops, whether self-taught by finding exploits in live systems as a hobby or built up by consistently doing bug bounties, is a fine way to land a cybersecurity job.
This approach to getting into cybersecurity is, of course, a little more ad hoc, and some would say shady. Now don't get me wrong, I'm not saying that black hats or grey hats don't make great cybersecurity professionals; I think they would make a great addition to any red team. However, these are the people you hear about on the news who get in trouble with the FBI for taking something down, regardless of whether their intentions were in good faith.
The problem with this pathway into cybersecurity is that there is more risk involved. Anybody can pick up script-kiddie tools, use them against a business, and then go to that business and say, "Hey! I took down your systems. Now hire me so I can show you why more of your systems are unsecured!"
Ethics aside, the problem here is that there is no fundamental understanding of the systems at hand. There are a lot of people out there who want to work in cybersecurity because they are good at creating or dissecting malware, and that is definitely a great skill to have in the information security field. But the argument made by many proud and true cybersecurity professionals is that you can be great at breaking into business infrastructure, but you also need to know how to patch and secure those holes.
What do you think? Was your journey into the world of information security different? Let us know; we'd love to hear your arguments as to what skills and experience make the best cybersecurity professionals.