Security, Programming, Pentesting
by averagesecurityguy
I received an e-mail from a recent college graduate asking me for career advice. I thought he asked some good questions and that it would be a good idea to share them. I will share my answers as well, but I would love to hear answers from some of my readers.
As my degree is in business/information management, most of the coding that I know is self-taught aside from 1 year in computer science. Is there really even such a thing as a security job that does not require a lot of coding? I don't mind coding, but there are other guys I have talked to that are head over heels for it. Do you think that would be a big prerequisite for security?
There are many facets of information security and only a few of them require a lot of coding. If you want to do application security or exploit development then you need to do a lot of coding, but otherwise you can get by using shell scripting in Windows and Linux and by picking up another scripting language like Ruby or Python. I don't do much development; I usually use other people's scripts and modify them if necessary. I rarely write my own tools.
I also realise that security is not something that most people just step into right out of school. I also realise that people get into security from all kinds of paths and backgrounds, but what kind of jobs would you recommend I try and get to develop a solid foundation for what a security job requires?
The best way to get into information security is to learn the general principles and start applying them in whatever work you are doing. A lot of people start out as system administrators and move over to security from there. The key is to determine the kind of work you love and then figure out how to apply information security to that work.
What is the worst thing about a pen testing/security job in your opinion?
For me the worst thing is seeing the same flaws over and over. It makes you feel like nobody cares or listens to you. I also don't like the way companies choose cheap security assessments over thorough security assessments. The security industry catered to the companies' wants and we ended up with a bunch of charlatans doing sorry work. There are folks working to change this, so maybe things will get better over the next few years.
Of the certifications that you have, which did you feel like you learned the most from? Which ones would you recommend for someone starting out?
I have a CISSP, GSEC, GPEN, and OSCP. Of those four the OSCP was by far the best certification. I am good at taking standardized tests, so the other certs were relatively easy. The OSCP kicked my butt the first time I took it. I passed it on the second try, but it took a lot of work. If you want to be a pentester, the OSCP is the test to take.
What do you think as far as employment for security jobs goes? Do you think there are enough companies/consulting/whatever firms that I would be able to eventually snag a job here if I was good enough? Or do you think moving to another city would probably give me the best opportunity? I know there is a lot going on as far as security jobs go in the DC/Maryland/Virginia area.
The best advice I can give you is to find a city you love and an area of IT you love and start pursuing those two things. If you want to be a pentester, then find a company that needs an intern and start learning what you can. If sysadmin-type work is what you like, then get a help desk job and move up from there. The trick is to find work you love and then figure out how security can be applied to the job.
Looking back at what you studied in college and on your own, what did you find the most interesting? What classes did you take that you thought were fun? What is your passion? After you determine your passion, then you determine your path.
For more career advice visit Lenny Zeltser's blog. This article from Lenny Zeltser is the reason I started this blog and became more involved on LinkedIn and Twitter.
If you have any other advice for those starting out in an information security career, then put it in the comments.
tags: information security careers - infosec careers