Breaking into Infosec

Annually, at the FBI/Infragard Cyber Camp in Charlotte, NC, I stand up in front of around 30 aspiring high school students who have an interest in getting into information security. When I stand up on the podium and talk about what I did to get from their seat to mine, I feel as if I talk too much because there’s a lot I’ve done since high school to get where I am today, but that’s what the information security field is in a nutshell – a lot of hard work, determination and passion.

Breaking into infosec is not something easy; it’s one of the hottest fields out there and has a very high learning curve, with the addition of a need to know how everything in IT works. I’m not saying you need to know how to write in every programming language and know how to break into a Windows 2008 R2 server without using Metasploit, but you need to know how everything comes together, both on the networking side and system administrative side.

I would even argue you need end-user support experience as well, because at the end of the day infosec is all about protecting people, property and assets in both the digital and physical world. So, the question is how do I get from knowing nothing to knowing everything? The answer is the same four words I used to describe the infosec field – hard work, determination and passion. 

I started as an intern for an enterprise company and dealt with managing servers that ran the security systems on hydro plants, coal plants, power plants, etc. From there I was promoted to system administrator where I got a lot of networking and system administrative experience. From there I moved to a security engineer role for a short while until I moved into a security analyst role with a focus on penetration testing.

Through all that I went to school majoring in cybersecurity, but I can say without a doubt that my experience throughout my IT career has taught me 100 times more than my degree did (and it’s a darn good school!). I have no certifications (OSCP is on the radar, though).

The typical path to infosec is a long one. It’s rare anyone actually breaks into the field right out of college, let alone high school, but before breaking into infosec you have to break into IT. Generally, people start at the bottom of the IT totem pole, which is tech support/end user support (EUS). This isn’t discounting EUS at all, they do a job I never could and I respect them so much, but that’s generally the entry level role for people getting into IT.

An alternative is an internship (like what I did) in any IT role. From there people will make a jump to desktop support or even leap to a system administrator role. After a few years of learning how to be the administrator of a computer network or server domain, that is when people jump into infosec, often in the fashion of a security operations center (SOC) analyst. From there, the infosec world is your oyster because after the initial breakthrough, you have a ton of options on where to go.

The common misconception is that infosec is a small field when in reality, it’s huge. You can jump into audit review, network security, penetration testing, general analyst, application security, web security development, cryptography, and the list goes on and on. Information security is a very large field and one of the hottest, but with that brings a lot of competition. 

To differentiate yourself from the competition you must demonstrate a passion. When I speak with hiring managers on what they want to see, passion and experience are the two most common things.

Demonstrating that passion is even bigger, because saying is one thing - but showing is another. I have a personal blog set up to document my learnings, and I do pen testing write-ups because it’s a hobby of mine.

At home, I have a homelab set up to sandbox and play around with any software, configuration, or setup I please. I read a ton of articles and have a Twitter account where I follow some of the best infosec professionals around. By demonstrating a passion for the industry, you will set yourself apart from the competition and not seem like a person just gunning for the paychecks.

By hard work you will break into the IT field and build up your experience and resume. Finally, determination will eventually land you a job in the information security field and from there you can go where you want, but only if you show that you want it.

Ryan Hausknecht is a 24-year-old information security analyst and penetration tester from Charlotte, NC. Ryan has been in IT for over eight years with experience as a computer forensic consultant, system administrator, security engineer, and security analyst & penetration tester. Ryan has a passion for learning and teaching as well as writing about information security. Ryan graduates with honors from Norwich University at the end of 2017 with a Bachelor's Degree in Cyber Security.
