Getting into the Security Field
Many people ask me for career advice on how to “get into security”. I have a couple of high-level ideas for all of you, and I hope this article helps.
Once you have gotten to know some people, try to find a professional mentor. This is a person who can help you steer your career, and has your best interests at heart.
Remember when you ask someone, you are asking them for a gigantic gift — their knowledge, time, trust, resources and kindness, and you should not take asking them lightly.
Also, if you do take someone on as a mentor, remember to appreciate what they do for you. And if they ask you to do something like “read this book” or a blog post, or something else reasonable, actually do it. They can’t teach you if you don’t follow any of their advice.
Join the community (or communities) that you want to be a part of. For example, if you want to learn about the security of software and applications, join OWASP. If you want to “hack all the things”, join OWASP and also join your local DefCon chapter. If you want to learn about Risk Analysis, join ISSA or ISACA. And if you’re not sure, go to all of them. 🙂
Meet people and network, but don’t just ask for jobs. That’s not networking, and it’s really unattractive if the first time someone meets you they immediately ask you to be their reference, or recommend them, when you are in fact, a stranger. Meet people, know them, talk to them, then tell them you are looking. People help their friends.
Open Source Contributions
If possible, contribute to an open source project, so that you have work to show off. If you are learning how to use security tools, write to a project owner on GitHub and ask if you can scan their app and report some vulnerabilities. Or just spin up your own copy of it, scan that, and then add what you find to their bug list. It’s a great way to learn, and then your username is all over their project. 🙂
Try to contribute back to the community and field. If you figure out a cool new thing, write a blog post about it. If you made your own script to do something that makes your life easier, open source it. If someone asks if anyone can review their talk or post or whatever, offer to help. Give back.
Bug Bounty Programs
Participate in bug bounty programs, like the one for my employer. This is a chance for you to try to hone your skills, and perhaps make some money while you’re at it.
Offer to do security tasks at your office (assuming you are currently employed in IT). When I wanted to switch over from Dev to Sec, I just kept reporting security problems I found, offering to remediate all the security bugs, and offering to be on the security projects. And one day they gave me a job. 😀
Never Stop Learning
The last idea on this list, and something we should all be doing, is to teach yourself. All the time, not just when you are trying to get into the field. There are quite a few amazing free resources on the internet, as I previously blogged about.
Thank you for reading!
And now for some shameless self-promotion: please follow me. My YouTube channel and Twitch show, when I speak live, my blog, my Twitter, LinkedIn, and anything else I do. I’m trying to give back by releasing all of my security research, for free. Feel free to comment, contribute, and share your own thoughts.