Welcome to securityCRUSH

Welcome to the securityCRUSH blog, a place where you can find random musings as well as postings relevant to information security, penetration testing, and my latest projects - Daniel Wood.

Friday, February 17, 2012

Separating yourself from the herd

Perhaps this could also be entitled: How to specialize and carve a niche for yourself while becoming a subject matter expert (SME).  

If you’re just getting started, or thinking about jumping into Information Security as a career, you may not know where to begin.  From my experience, a lot of professionals get started by conducting security assessments; whether it’s FISMA SA&A’s (formerly C&A’s) within the government realm, or Security Impact Assessments as Jr. Analysts.

SANS has put together a great list of the Top 20 Coolest Jobs in Information Security that provides a ‘How to be Successful’ blurb for each role.  Below is the list; however, I’ve struck out the roles in the list that I don’t agree with:

  1. Information Security Crime Investigator/Forensics Expert
  2. System, Network, and/or Web Penetration Tester
  3. Forensic Analyst (this can be lumped into #1)
  4. Incident Responder
  5. Security Architect
  6. Malware Analyst
  7. Network Security Engineer
  8. Security Analyst
  9. Computer Crime Investigator (again this can be lumped into #1)
  10. CISO/ISO or Director of Security (this doesn’t happen until you’ve already shown your expertise…usually)
  11. Application Penetration Tester
  12. Security Operations Center Analyst (this is more of a hybrid of #7/#8 and only applies if you’re in a SOC)
  13. Prosecutor Specializing in Information Security Crime
  14. Technical Director and Deputy CISO
  15. Intrusion Analyst (see #4)
  16. Vulnerability Researcher/ Exploit Developer
  17. Security Auditor (being an auditor does not require specialization, generally speaking)
  18. Security-savvy Software Developer
  19. Security Maven in an Application Developer Organization
  20. Disaster Recovery/Business Continuity Analyst/Manager (related to #4)

Don’t get me wrong, SANS’s list is great and extremely helpful, however, I view it as a bit too high level.  If you really want to get into the weeds and deeper in security, I suggest following these few principles:

  1. Choose a technical area that interests you and start learning more about it; either through online articles, technical reference books, or free tutorials.  For example, if you want to get into penetration testing, I highly suggest picking up several introductory books (see my reading list post) and if you don’t know a programming language, start learning basic HTML, Perl, ASP, Javascript, Database (SQL), PHP, and XML.  These are just primers to get you started.  It helps to use multiple references for learning and pick what works best for you.  Don’t forget to practice, practice, practice!
  2. Learn a new technology; whether it’s firewalls, intrusion detection, or log analysis.  If you’re stuck in an analyst position and are looking for a way to carve that niche, knowing Cisco routing and firewall configuration principles will definitely help with transitioning over to a position as a Network Security Engineer (#7 on the list).
  3. Don’t be afraid to ask your project manager for added responsibility, or volunteer for it.  Showing that you are eager to contribute will increase your added value to the team or company, thus making you more indispensable than, say, poor Billy, who only does what he’s done a million times before and is essentially a paper pusher with no drive.
  4. Contribute to the security community.  Showing that you know your stuff and are willing to share it with others will help make a good name for yourself.  Perhaps start off by tutoring your coworkers, or when there’s a company training event, volunteer to conduct a training workshop for the company.
  5. Lastly, being a lifelong student is key.  Learning something new on a regular basis is what keeps our minds sharp.  If you are constantly learning and practicing, you will only get better and your knowledge base will only continue to grow.  This can only help your career.  When hiring someone, I take a look at what they’ve done and what they’re currently doing.  I’m not satisfied with a snapshot in time.  I want a dynamic candidate, not someone who is stagnant and happy just doing their job.

With all this being said, remember to choose what interests you and what excites you.  Don’t be satisfied with the status quo - get out there and challenge yourself!

-sC
