"Buying In" to the Information Security Industry

Sunday, October 23, 2011

Jackie Singh


I'm writing this for all you kids out there; you know who you are. You're probably between ages 12 and 21.

You might be in elementary, middle, or high school. You may be home-schooled or a dropout. You might even be in college. The common element binding you all together is passion.

You're up late into the night, maybe writing scripts to automate scanning subnets with the latest greatest, possibly running some obscure Linux or BSD on old hardware you dug out of someone's trash, maybe digging into core dumps, maybe walking in open doors with your IRC buddies, maybe social engineering your way in and out of systems that give you some real-world advantage you wouldn't otherwise have. You love this stuff. It's so fun!

You know who you are. I used to be you. This guide is intended to seed new ideas; to help prime your mind for the fact that you will, indeed, be forced to "grow up" one day. Society will demand this of you; there is no escape, unless you are prepared to live your life by significantly unconventional means or are already wealthy enough by birth that you don't need to work to survive.

With that out of the way, the burgeoning information security industry needs YOU. It didn't immediately dawn on me that what I'd spent so much of my life dedicated to would become something I could make a living with. It took time and the examples of others around me to determine how to forge a career from what had only been an obsession/intense hobby.

We're lucky; cumulative advantage is on our side. You're coming of age, immersed in new technologies, at a time when "security" is a fairly new concept. Governments and companies are throwing money at these problems in the hopes they will go away, and will be doing so at an increasing pace for quite the foreseeable future.

That's where you come in. There are several options, including:

  • Working in a company's security department;
  • Starting your own business and hiring others;
  • Working for yourself and becoming a consultant;
  • Working for the military or government, contracted or directly.

The best things about a career in infosec:

  • "Making a difference" - clichéd yet generally true;
  • Landscape constantly shifting; new attacks and defenses devised all the time;
  • Doing what you love and enjoying high financial rewards as a result.

How to get started without a lot of industry-related experience on your resume? Well, you can attend university. Do I recommend this? No. Waste of time and big waste of money, unless you're really not that sharp and need to get your party on for a few years. In that case, this guide is not intended for you.

Everything you need to learn about this industry you can pick up by reading and doing, essentially the same activities that brought you to your current skill set. Buy/download books. Watch how-to videos. Download podcasts. Use the university courses that are available online and free. Hang out at your local hackerspace.

Start your local hackerspace. Attend conferences and meetups. Start a local con or meetup. Find any hardware you can, and use it. Install and configure servers and operating systems. Run simulation labs to understand how Cisco networks operate. Create an entire enterprise network with VMware.

Use every and any possible resource at your disposal to learn and become a resource yourself. When you've learned what you enjoy, look for jobs that you're interested in and think you'd fit well with and find out what industry certifications they value for those positions. Take them. Pass them. List them on your resume. Repeat.

Do you want to work defense or offense? You don't have to choose now, or ever, if you don't want to. Infosec professionals enjoy a high degree of flexibility. You may choose to specialize, or not. You may choose to teach at a school, or educate others at security conventions.

Conduct penetration tests for large or small companies. Help organizations figure out how security must mesh into the way they do business. Use your programming skills to evaluate code for flaws. The list of potential infosec-related work/activities is long and will only continue to grow.

However, a word of caution if you choose to dabble in gray/black-hat activities: if you are caught, it will be difficult for society to trust you, and you will find that locating gainful employment with these types of blemishes on your record will become pretty tough, unless you are lucky/smart enough to monetize the situation.

Needless to say, the Kevin Mitnicks of this world are few and far between, so I highly recommend you not tempt fate and keep your nose as clean as possible. We are entering an era of massive and brazen data breaches/theft. If you are (snitched on or discovered) and convicted, be assured that any judge you are unlucky enough to stand in front of will make an example out of you as a deterrent for others. It's not worth it.

There really is an unbelievable amount of room to poke and prod, code, hack, and generally make things better and more interesting than before you arrived. There are so many ways to get your fix without doing something that could get you thrown in jail.

I'm talking to you, Anonymous, LulzSec, AntiSec, and every other young, brilliant mind out there. Don't be the person other inmates ask for email help… or worse. Buy in, don't sell out.

Javvad Malik: Nice post, Jackie. I think you've touched upon a very relevant point in addressing the next generation. They have a lot more to lose by getting caught and the industry does need more people with genuine knowledge as opposed to grads scooped up by big consultancies who simply attain a few certifications and believe they are security experts.

As existing security pros we should engage more.
Krypt3ia: Jackie, I think the next post should be about how to deal with the companies (respective) you work for and how they will ignore much of what you tell them. I think the kids need to know how to deal with managing their elephants.

Jackie Singh: @Krypt3ia Good idea. Javvad helped me with this recently - Managing your own expectations is as important as managing the client's.

Thanks Lance!
the first last: Great post, Jackie,

I think you captured the ideology that most of us who made the leap from youthful hacker to professional computer nerd are thinking.

Most of us started off the same way, as you mentioned. Late nights, dark room, lots of caffeine and techno music in front of a neon green font CLI. Exploring places where we shouldn't, reading manuals, messing with OSes, apps and hardware we found laying around the digital landscape. We met others like us, shared information and found others like us all around the world. I had fun, learned a lot, developed my love and passion for figuring stuff out.

I don't believe there is anything wrong with youthful hacking, it's a good way to learn and use of one's time. We all did bad things in the digital world back then, never anything super bad.

Just because I got into someone's system, network or router didn't mean I needed to trash the joint, getting in was good enough, leave a msg saying "secure ur box" and was out, onto learning new stuff.

Youthful hacking and all that entails provides the skillset, drive and passion that school taught "hackers" and "security professionals" cannot compete against. They don't have the drive, the love, the passion for what it takes to do real security and troubleshooting work, they give up too easy.

Out in the grown up world, us hackers can smoke any school taught expert any day. Most companies and organizations know this and YOU the "street taught" hackers have a place out here making good money, solving problems, having fun and not selling out. I know, 'cause I am doing it. I still dress the same, act the same, think the same as I did when I was younger. After you get your job, learn it, show the organization that hired you that you can do the job. Once they just trust you. You can then figure out how to make things better, more efficient, more cool.

Out in the real world, I break warranties not laws, I fix the unfixable. Organizations know this and trust me and the best part, they know that if they want you to work your magic, they let you do it the way you want. Working night times, techno music, alone in your own little world figuring stuff out and solving problems, pushing existing technologies to do more and making them better than the manufacturers intended.

I agree with Jackie, there's a place for you all out here. Just don't screw it all up with some jail time. Have fun hacking and learning.
Andrew Auernheimer: Great article Jackie! It's good to see African-American women represented in the IT industry. We need more like you! :)

Jackie Singh: Thanks, Andrew. While I am not African-American, I'm glad you took the time to read and comment.

Andrew Auernheimer: Oh my bad. I presumed the woman in your profile picture was you.

Jay R: Although your writing is good and I suppose you somehow convey a legitimate point. However Jackie, there are vast amounts of reasons for hacking these days. I just barely fall into your 12 to 21 bracket. I assure you my entire goal, throughout my life has been to find and disclose the truth. The only thing that even allows me to close my eyes is that someone out in the world knows the truth. I don't buy into conspiracy theories, I don't think the governments of the world are as intelligent as they appear, rather, the people who they have, are. The l33t will carry on as they always have, clearing the way and setting "good guy" guidelines. A hacker's motive may be many, but I surely would never work for profit. I would never code if I didn't love it, if I didn't want to do something amazing, then take it away. Just to show that the hardline establishment everyone finds so much safety in, is a house of straw on the web (and to certain minds). That nothing lasts forever, or is permanent. Not even our universe.

So long as questions exist, the thirst for knowledge prevails and the abilities to retrieve/find it evolve. Some wonder why they call it rEvolution. First comes the revolt, then we evolve.

Justice, the law of the land, the law of life, always comes to fruition. What would they do if we all were to be hacktivists? The saying holds true that there are strengths in numbers. Governments are toppled, empires fall, and the 1% are currently enemy #1.

Why are people upset hacking is on the rise? I see it in the brightest of lights, WikiLeaks is a God-send for those who have been proclaiming the lies of government for years. Capitalism and politics are in bed, like an oil company and lobbyists. When Exxon builds infrastructure like they're supposed to be doing, in Africa, then I'll be amazed. Instead of building the infrastructure for the African inhabitants of the boast Exxon gets oil from to have natural gas, they burn it, because it's cheaper. You want hackers gone, expose everything, lay everything on the table. Come clean, and then, and only then would someone like myself ever come clear. Until then, all is fair in love and war. And you can't kill all of us, without killing yourselves/themselves. Greed and injustice are in our cross-hairs.

<3 Thought promotes value, value isn't justified without representation, justification is only held hostage by logic, I represent the truth and am a lifetime dedicated seeker of it.