Being a Security Generalist

August 3, 2023

I am a security generalist. That’s not something I’ve heard many people describe themselves in the industry. In fact when I got into the industry I was told to specialize. That sort of happened with application security but I continued to get drawn back into more generalized roles. I have a diverse background in the field. I was IT focused for 10 years five with the Navy and five with the State of South Carolina. Then I shifted into security and was one of three people wearing multiple hats. I did eventually get an appsec focused role but then the development team was cut and I now had appsec as well as security engineering and pentesting. Which I was fine with. The company was great and the opportunity was interesting. Plus, I actually wanted to get into management.

I certainly think you can specialize but I think it’s okay to be a generalist too. In fact some people just have that mindset. They enjoy learning a bunch of different things instead of diving into on particularly subject. This website and the podcast are a testament to that. I can certainly specialize. I did it well with application security but I can also shift into other field. I’m now in a incident response role. I’ve never been one to dig to deep. Once I get to a certain level of knowledge with a particular topic I start to get bored. I need a constant challenge.

The downside of course is that there is not generalist role in security unless you consider management. Which has it’s own skillset outside of technical ability. I’ve struggled to prove to people on paper that I can do the job with such a diverse background. This is why networking is so important within the field. My current role came about because I knew several people on the company and they knew me and had no qualms about my ability to contribute to the company.

After 20 years of being in IT and security I’ve seen a lot of roles start to specialize. When I came up we wore many different hats across multiple fields. So, it may become harder to be a generalist. The issue I have with that is if someone goes down a path and then discovers it’s not for them. I do not want to be in a security operations center looking at logs all day. I did the job fine but four months in I was ready to be out because I felt like I was chained to my desk. Some people are fine with that. I’m just not one of them.

I encourage everyone just getting into the field to be okay with not knowing and to explore options. If something clicks then stay if not move onto something else and try that. If you do that (or have done that) enough times and nothing really sticks or you keep getting drawn back to other fields then maybe you’re a security generalist. That’s okay because we need security generalists too.

This blog post first appear on Exploring Information Security

Information security is a journey not a destination

June 2, 2019

It’s actually two journeys or two parts.

Part one: Getting into Infosec

This is where the journey begins. Usually with a desire (or need) to get into the information security. Sometimes you didn’t even know you were on the path. Which was my case. I joined IT because it seemed interesting and did a pretty good job of paying the bills.

I’ve been thinking about this more, because I’m going through the hiring process for a junior level position. I’ve noticed a variety of backgrounds of people trying to get in. Some people are coming from the military, others college, and yet others from working in IT. The junior positions don’t require security experience, it does however require some kind of college or IT experience.

Another observation I have is that, the candidates that are sticking out are involved in the infosec community and taking advantage of the many free resources. There are conferences, forums, slack channels, podcasts, blog posts, capture the flag events, videos, VulnHub, Hack the Box, bug bounty programs, and much more. Being involved in those things is very important because once you get in…

Part two: Being in Infosec

You have to utilize all those resources to keep up with the field. It’s been called a cat and mouse game between attackers and defenders. Technology is in a constant state of advancement and enhancements and with it comes new security challenges. A few weeks ago four vulnerabilities got dropped over a four day period that required me to understand the vulnerability. I had to understand how it is exploited and how we can mitigate it. I used blog posts, podcasts, Twitter, Google, and reached out to some people.

That last one is particularly important. The others are found on Google. Getting to know people requires putting yourself out there. Overcoming nervousness and anxiety to meet some new people. The benefit is two fold: you can ping ideas off people and you’ll increase your chances of finding opportunities within infosec. The perfect first job in infosec is rare. By perfect I mean a place to grow and advance. Even if you find a good organization there may not be a chance to advance or move up.

Below are a some links to help look for conference and other events in the area. I like BSides events because they have a low bar to entry. Usually $10-30 bucks for a day of talks, networking opportunities, and food. If that’s too much volunteer. It’s a great way to help out the community (reflects well on a resume) and be in a position that requires interaction. I only interacted with a few people at my first event as an attendee. As I continued to go to events my interactions with different people and the same people increased. How quickly this happens depends on how many events are attended.

These events also don’t require you to be in the field. You can start building your knowledge and opportunities before you get into the field.

Resources

Meetup.com - Good place to find local user groups in your area

Infose-conferences.com - Pick your state and any adjacent state you’re willing to travel to

This blog post first appear on Exploring Information Security

BSides Nashville 2014. One of the first pictures I took for the security community.

How to increase your chances of breaking into infosec

December 19, 2018

Get involved with the infosec community. That’s it. I’ll elaborate.

The best way to get hired for a security role is to know someone. The key part of that sentence is the, “know someone” part. That requires getting out there and doing things within the community. That can be a variety of things:

Contributing to open source projects.
Become an active member of a niche community in the field (OMG the slack channels out there). Writing a blog post.
Producing a podcast.
Attend a conference.
Shooting pictures at a conference.
Volunteer at a conference.
Speak at a conference.

These are all the things I’ve done. I also see people doing things like:

Twitch streaming.
Writing a book.
YouTube channels.
Singing.

Find something you’re really passionate about (not infosec) and bring it to the field. For me it started with photography. I’ve always liked taking photography. I have a media arts degree and took some photography courses (so I kind of not what I’m doing). I reached out to a BSides organizer to see if they’d be okay with me coming and shooting some pictures at the conference. That one contribution, eventually led me to my current place of employment (and I absolutely love what I’m doing).

It was BSides Nashville. One of the organizers works at the place I’m currently employed. They were looking for an AppSec guy, so told her AppSec guys. I luckily knew one of those AppSec guys and as a matter of fact had just started an OWASP Chapter with that AppSec guy. You never freaking know when things will connect for an opportunity*.

* I met my wife, because we saw someone we knew on the highway at 80 MPH. A story for another time.

Prior to that I would look for a job via online postings. At one point it took me 15 months to find a new job. I got into security via a job posting, so there is a path that way. It’s just not the most efficient. I got my next security role, because I had helped start a monthly local user group meetup. The CISO was looking for a few good security people. That local user group has gotten several other opportunities. Mostly because of who you know; partly because it looks really good on a resume. It looks like you’re engaged.

Everyone has a different path. What increases the chances is getting out there. Contributing without expecting anything in return. Showing that you can provide value to someone else. What are your strengths and passions? Now bring that to the infosec field.

This blog post first appear on Exploring Information Security

My recommendations for getting started in security

August 28, 2017

I feel like I’ve been asked this question before. “What advice do you have for getting started in infosec?” I swear I’ve been asked this before. I don’t think I have though. At least that I can recall. Usually, the questions are more specific than that.

I believe there are multiple paths to getting into infosec. I’ve talked to a lot of professionals in the field and there are no two paths alike. Everyone’s path is different. First, I would ask you, “What do you want to do?” What are your aspirations in the field. I want context, because I’ll provide someone wanting to go into pen testing with different advice than those going into digital forensics. Both fields have their positives and negatives. Make sure you understand both. I would recommend strongly looking at the negatives more than the positives.

Pen testing is the area I see a lot of people wanting to get into. Did you know that 60% of your time will be writing reports. Yes, you have to have good communication skills to excel as a pentester. You also have to know what actionable advice you can give for an organization. The best pentesters can provide advice with context. “I know you still have to run XP for your business to operate. Have you thought about putting those machines on their own VLAN.” If your advice to a hospital is to upgrade their XP machines, you’ll be frustrated a year later when you find the same issues haven’t been addressed.

For me the “fun” is solving the challenge of securing those vulnerable applications running on a legacy OS. Understanding and responding to the chaos that is the new named vulnerability. One of my most eye opening experiences was discovering that our application running IIS was in fact vulnerable to Heartbleed, because our WAF was Linux based. Then having to report that to leadership and providing guidance on whether to keep the WAF in place and be vulnerable to Heartbleed or turn it off and be vulnerable to other types of attacks. Defense is the more intriguing and challenging side of security.

Don’t get me wrong, I love my hacker buddies and marvel and the things they can do. I just find it more satisfying to build something in security that is lasting and makes a positive impact on an organization. Occasionally I get to break into things and assess an application for security issues (not something to overlook if you want to red team). Most of my time is spent hardening systems and applications.

I recommend working your way up the IT ladder. It’s very important to understand how a help desk works. How a server works. How a network works. My belief is that security is an advanced niche within the IT field. You don’t get into security coming straight out of schooling unless you’ve already worked with computers for several years. Some people can make the jump into security and be successful (remember multiple paths). They usually have several years of experience working with computers on their own.

I think there are benefits to working in other departments before jumping into security. Most security controls are put in place by other departments. Having an understanding of their goals and challenges helps when working with them towards a security solution.

My experience is along those same lines (yes, I’m biased). I joined the NAVY for six years as an Electronics Technician coming out of high school. I got some computer experience along with some other general electronic experiences. The most beneficial thing I learned in the Navy was troubleshooting. I learned how to troubleshoot issues in a circuit boards. Figured out if it was a transistor or a chip that was causing the issue. What an open and closed circuit meant. A lot of those same techniques applied to troubleshooting a computer, server, network issue, and security problem.

I got to patch our machines on the SIPRNET (secret military net). Handled the creation and deactivation of user accounts. Being stationed in San Diego allowed me the opportunity to tag along for a ride to Las Vegas to attend DEFCON. I had no idea what I was doing (the casinos were fun). I did attend a few talks and found them fascinating. It didn’t exactly spark an interest in security at the time (maybe a seed, though). I had a great time serving in the Navy and I learned a lot. I was able to put a lot of my experiences on a resume.

After the Navy, I pulled cable and inventoried electronic equipment. I didn’t apply myself as much as I could have coming out of the Navy. Which is why I ended up working entry level IT jobs. I had the experience for positions higher on the IT ladder. After about six months of that I landed a system analyst II role (advanced help desk) at a manufacturing plant. I got some good computer experience, with a little server and networking experience.

I also got some security experience. Try keeping manufacturer workers from writing the password (in marker) on the floor computer monitor. The computers on the floor needed constant maintenance because they were getting malware on them. I worked with the network team after we were told our phone bill was through the roof. Someone was using our phone system to make long distance calls due to a vulnerability in the phone system (patch your shit).

From there I moved to a network/system administrator position with the state of South Carolina, at the department of Juvenile Justice (the kids knew all the good proxies). This is where I started to learn the ins and outs of network and system administration. The first appliance I got to play with was our SourceFire box (intrusion detection system). It had been setup and never touched (or monitored for that matter). I started getting familiar with it (why are we talking to China?!?) and setup my online SOC for identifying machines that needed to be cleaned or reimaged. I also got introduced to forensics and some other security concepts. My other responsibilities included webfilter, spam filter, load balancer, imaging, and backup administration (sucks!). All of those responsibilities have played into my roles as a security professional.

After that I jumped to my first security role with the Department of Employment and Workforce. Six months into that role our website was defaced. Mind you, this was two to three months after the Department of Revenue announced a breach (we made the local news). My previous experience allowed me to be useful during our response to the incident. At one point, I had two different vendors on the phone (in the wee hours of the morning) asking them to explain how the attack had gotten by our WAF and intrusion prevention system (IPS). My experience from previous roles both in the security field and outside it allowed me to remain calm and collected.

My recommendation for getting into security is to get some information technology experience. I promise you’ll be doing security related activities in those roles.

This blog post first appeared on Exploring Information Security.

To cover letter or not to cover letter

May 30, 2017

TL;DR

Yes, write a cover letter. They will help you standout and express things about you that bullet points can not.

There is one scenario in which I don't write a resume. If I'm working through the process with someone I know or have an acquaintance with. Any other opportunity I am writing a cover letter to go along with a resume.

Why cover letters are important

Cover letters are a great opportunity to stand out from the pile of resumes sitting on a hiring managers desk. I recently heard some chatter that cover letters aren't relevant anymore. I would argue that they're rare. Which is exactly why you should write a cover letter for a job posting.

I used to not write cover letters. Writing a cover letter is hard. It requires inner reflection and an ability to write coherent sentences. For a non-writer that can seem daunting. I'll walk through how I write a cover letter below. I took chances in my cover letter and I was rewarded with at the very least a conversation. That's all we are looking for from a resume and cover letter, a chance for a conversation.

Cover letters are a great opportunity to show what you know and why you would be a good fit. Here are my two most recent cover letters.

Example one

You have to be very careful about pointing out issues in a website. It's like telling someone their baby is ugly. I ended up getting a call anyway. It was a short call. They were looking for someone who would jump in and start writing secure code. I was not that person. We both agreed it wasn't a great fit for them or myself.

Example two

In this example, I went much further in the interview process. I did several interviews and even made it to the sample security assessment on an application phase. This example is a little more standard. It highlights my desire to get into the appsec field and the activities I'm doing to accomplish that goal. I didn't get this role either. They were looking for someone more senior and I was looking for something closer to junior. Going deep into the process, though, was a valuable experience.

How to write a cover letter

Hopefully, those two examples are useful and provide ideas for writing a cover letter. Walking through both examples the first part of the cover letter is all the contact information. Your information and the companies information and the date.

If you have a name for the person who will review the cover letter address it to that person. I recommend not using "To whom it may concern," because there's something about the phrase that can rub people the wrong way. I like "Hiring Authority," because it empowers the person reading the letter. It provides them with a sense of importance that "to whom it may concern" doesn't.

My first paragraph focuses on the role I'm applying for and what makes me a good fit for the role. In the first example, I'm focusing more on recommendations I can make in the role. The second example, I'm trying to say that I have a strong interest in appsec, despite a weak background in development. Re-reading both first paragraphs makes me want to throw up. However, I'm keeping them (and the rest unedited) to show that a cover letter doesn't have to be an amazing thing. Try to provide a little insight into your personality. Take chances.

The middle paragraphs I'm focusing on me. What makes me a good candidate. What experience do I have. What activities I'm doing to help improve my skills in the field.

The final paragraph I focus back on the position and highlight what makes me a good fit for the role. Sort of summarizing the whole thing. Then finally sincerely your name. In example two I misspelled sincerely, which simply highlights making sure to re-read your cover letter for mistakes.

Write a cover letter to stand out

When I talk to people trying to fill a particular role, one of my questions is how many cover letters were submitted. The numbers I get from those people are very low. Cover letters give you an opportunity to standout and highlight your strengths as a candidate. Resumes are bullet points of accomplishments and responsibilities. They say very little about you as a person.

Cover letters are frustrating to write. The more you write them, the easier they become to write. I would avoid using a template. For each job you're submitting to, write a fresh cover letter. Cover letters show a willingness to go the extra mile. Which is why you may be surprised to find more calls from potential employers.

This blog post first appeared on Exploring Information Security.

Recommended resources for information security

February 20, 2017

“What are some good materials you would recommend on InfoSec?” -Kenneth Reavis

This is such a great question and one I thought worth a post. My short answer is podcasts, blogs, and videos. These are what I use to help improve and stay relevant in the information security field. I listen to podcasts on my ride into work. I read Feedly to stay up with news events and people in the industry. I watch YouTube and Pluralsight when I need to pick up a complicated concept or technical topic.

Podcasts

I love podcasts. I love them so much that I produce my own. Security Weekly is the first podcast I started to listen to when I got in the field. Each episode contains a news, interview, and demo segment. I found the interview segment to be the most useful. This is a good first podcast to start with. The show has been around for years. It has a lot of good content and it’s a good crash course to the hacker culture of the field.

Risky Business is the best podcast in the infosec field. The production quality and content are top notch. The show starts with a news segment. That leads into two interview segments. The first usually deals with a current topic being discussed in the field. The other is a sponsor interview, which is usually just as useful as the other interview. The show is usually 50-65 minutes long.

Peerlyst has a long list of podcasts. Look for a few that are of interest. Give the podcast about three episodes before making a decision. Podcasters do sometimes have “off” shows. Here are some of the other podcasts with good content.

Down the Security Rabbit Hole - Leadership and business

Defensive Security podcast - Blue team focused

Data Driven Security - Data scientist focused

DevelopSec - Application security focused

On my ride home I listen to hobby and interest focused podcasts. I found that when I listened to infosec podcasts both ways I started to get burned out on podcasts. I now listen to infosec or business related podcast on my drive in. This helps me get focused. On the ride home I listen to hobby podcasts. This helps me transition from work to home much easier.

My last recommendation is to pick up podcasts that don’t have an infosec lean but focus on improving the self. I listen to both Manager and Career Tools for business etiquette guidance. I also listen to the Art of Charm for relationship building and self-improvement guidance. Both have helped tremendously in my day-to-day interactions at work.

Blogs

I use Feedly to collect RSS feeds from the sites and blogs I have an interest in. I follow ars-technica for news. Their articles are both informative and usually a quick read. I also follow Steve Ragan at CSO for news.

I work in the application security field. Troy Hunt is one of the bigger names in the field that produces content regularly. He also runs Have I Been Pwned which is a very useful tool for incidents involving a breach.

Brian Krebs is the man when it comes to reporting on breaches and criminal activities involving digital technology and ATMs.

Bruce Schneier is one of the top names in the cryptography and encryption field. He also tends to focus on the bigger picture and ramifications of security in society.

I add and prune my feed pretty regularly. If I get too far behind on my feed I’ll look to simplify it and get rid of the blogs. I look for blogs that aren’t providing as much value or report on stories I see from other feeds.

Get an RSS reader setup (it doesn’t have to be Feedly). Start adding to it and adjust if necessary. Feeds are also good for keeping up with alerts and vulnerability databases.

Video

I am a visual learner. The two resources I use extensively are YouTube and Pluralsight. I add a lot of conference talks to my Watch Later list. That list has 48 videos as of this writing. I don’t get on YouTube as much as I would like, but it’s still a useful tool for research. And every once and a while I'll create a playlist. It’s a valuable resource for better understanding a technology or infosec technique. Pluralsight requires a subscription. The content is top notch and provides a more indepth look at technology or security topics. It's $300 a year. I've had my place of employment pay for the last few years. It's usually an easy sell.

Conclusion

Those are the resources I use on a daily basis to learn and keep up with information security. There are a lot of other great resources out there. I just haven't found them or don't get as much value out of it. There are a lot of great digital forensics and incident response resources. I just don't work in that field. Find what gives the most value. If it's giving very little, ditch it.

Blogs allow me to keep up with daily news and read interesting new content. I have several hobby feeds setup in there so I get a nice mix throughout the day (I sometimes need a break from infosec). I listen to podcasts almost daily. There are general podcasts and more focused podcasts. Some have varying degrees of quality, but most have really good content. Finally, videos provide a visual opportunity to learn and research topics. I don’t use these on a daily basis. Instead I use them when I need to dig deeper into a topic.

There are a lot of great resources out there. Ask around. Find what type of medium you prefer and fits best into your lifestyle. Try something. If it provides value, great! If not, get rid of it. I just realized I didn't even touch on boxes. I may save that for another post.

This post first appeared on Exploring Information Security.

Resources for marketing yourself better

July 20, 2016

I was recently asked for the resources I use to help market myself and alsowhy I chose Squarespace for my website. I use podcasts, books, and the content I produce to help improve my marketability. As for Squarespace, I like the convenience.

Podcasts

I listen to two podcasts with the intent of improving myself. I listen to Career Tools for business and professional etiquette. For personal improvement I listen to the Art of Charm.

I mentioned Career Tools in the EIS podcast on writing an infosec resume. Career Tools covers various topics. It gives advice on Looking for a new job. Email usage and relationship building with peers. As well as other basic business etiquette in a work environment. Having a solid resume and interviewing techniques is great for external marketability, but don't forget about marketing yourself in your current role.

To improve my soft skills I listen to the Art of Charm. The tag line of the site is, "Advanced social skills training for top performers." Every guest has accomplished some form of success. The topics range from improving relationships, getting ahead in business, or improving your lifestyle. The podcasts gives me a different angle to think about how I approach life.

These are two of the podcasts I found the most useful and enjoyable to listen to. They are not for everyone. Give them a try, but recognize that if they don't work there are plenty of others to listen to. Find the podcasts that work for you. Maybe podcasts just isn't your thing. Maybe your thing is reading.

Reading

I’ve always loved reading. Several books have had a huge impact on my life. One that I’m reading right now is How to Wow: Proven Strategies for Presenting Your Ideas, Persuading Your Audience, and Perfecting Your Image by Frances Cole Jones. The other I will recommend is What Color is My Parachute by Richard N. Bolles.

How to Wow covers several different topics in the professional world. Presenting, interviewing, managing, and more are all topics covered in the book. It’s helping me refine my approach to different aspects in my professional career. Self-improvement books are a genre of books that I've been reading for a while. I don't think I'd be where I am now without them (which may make for another post).

A more technical option for job seekers is What Color is My Parachute. The book is updated yearly with job-hunting trends and techniques. I used this book to help with writing a resume, performing a job search, and interview techniques. One of the lasting impressions the book gave me was the idea that there is no perfect resume. All that matters is if it results in an interview opportunity.

There are a lot of self-improvement and marketing books available. Asks friends, family, or colleagues for suggestions. Another book I recommend is the Seven Habits of Highly Effective People by Stephen Covey. The book is a classic that helps recognize and change habits in day-to-day life.

Website

I’ve messed around with Blogger and I’ve helped manage a few WordPress sites. I choose Squarespace because all I have to do to maintain the site is post content and pay a monthly fee. The fee is between $9 and $16 a month, depending on how much content you put up on your site. After 20 pages it bumps up to $16. Which is where I’m at (I actually pay yearly for the discount). There’s a two-week trial available for those looking to test the waters.

I wanted a clean simple look for my site and that’s what they offered. I was able to choose my theme and go. I uploaded my content and setup links to all the external content on my site. The toughest part was writing the about me page. I don’t have to worry about patches or any other maintenance that occurs on other platforms.

WordPress experience isn’t a bad thing for someone looking to get into IT. I’ve had to manage (and cleanup) a few WordPress sites during my time. It’s also a good opportunity for those interested in web development. For me I’d rather pay for the convenience than deal with the hassle. I’ve got several other things going on in my life and website maintenance isn’t one of them.

Conclusion

The resources I rely on to help with that are podcasts, books, and a website. The podcasts I use include the Manager/Career Tools podcasts and the Art of Charm. Manager Tools focuses on business etiquette. Art of Charm focuses on self-improvement. There are a variety of books that have helped me better market myself. I’m currently reading How to Wow by Frances Cole Jones. I’ve used What Color Is Your Parachute by Richard N. Bolles for resume and job search advice.

I started a website because I wanted to collect all my content in one place. It also allows me to control how I am presented on the web. When someone searches my name I want them to be able to find my site and find out who I am and what I’ve done. There are plenty of website options available. I chose Squarespace because it gives me a clean look and convenience.

Marketing yourself is an important aspect of a professional career. It can help highlight experiences but also who you are as a person. It is valuable for getting into infosec, but also for advancing your career.

This post first appeared on Exploring Information Security.

How to build a home lab links

June 17, 2016

This past week I presented on getting started building a home lab at CircleCityCon and ShowMeCon. Below are the resources and content Chris Maddalena and I created around the topic.

Google slides - ShowMeCon

Google slides - CircleCityCon

YouTube - BSides Detroit Talk

YouTube - ShowMeCon talk

YouTube - CircleCityCon training - part 1

YouTube - CircleCityCon training - part 2

How to build a home lab - Exploring Information Security podcast

How to make time for a home lab - Exploring Information Security podcast

What is another home lab use case? - Exploring Information Security podcast

This post first appeared on Exploring Information Security.

Josh Huff presenting at ColaSec - March 2016

How Josh Huff got into information security

May 29, 2016

I've gotten a lot of good feedback form the most recent episode of the Exploring Information Security podcast, "How I got into information security." People seem to like the solo podcast. More importantly a lot of people identify with my story. Some had a similar story. Others appreciated the story as they were in the process of getting into information security.

One such person is Josh Huff. Whom I've gotten to know the several months personally. He's a regular at our ColaSec meetings and recently found his own way into infosec. He shared his story with me.

"I was raised on technology. I was computing on Commodore 64 at the age of 5 and playing Atari 2600 video games. So growing up I saw, used and played with most forms of technology as it developed into what it is today. (Does anybody miss Palm Pilots?) I wasn’t sure what I wanted to study in college. Since I was comfortable with technology and I liked math and science mechanical engineering was my choice.

Although I learned some awesome things about the business and manufacturing world being an engineer was NOT my calling. I changed my major to business. I changed colleges a couple of times. Then at some point in my part time college job, I took a promotion into full time retail management. Now my comfort level with technology was used to teach and sell technology to customers and train my sales staff. Retail management wasn’t perfect as a career by any means, but it was a good fit for my skill set and I was good at my job. I was good at it for about 13 years in fact.

As my son grew older and family time became a much higher priority I had to make a career choice that would get me off the retail work schedule. So in May of 2015 I started studying everything InfoSec related I could find. At this point I also quit my job and enrolled in technical college. I realized all my old college credits weren’t far off from an Associate’s degree. In just under 2 semesters I got my degree and started looking into how I could land a job in information security.

Podcasts, blogs, an InfoSec twitter feed and security books were my source of guidance. The biggest challenge with learning this way was “drinking from the fire hose” which means taking in way too much to learn anything. I was reading about pen testing, malware, lock picking, network sniffing and cryptography. I researched coding, firewalls, forensics, open source intelligence, networking, vulnerabilities and social engineering. Everything I read was interesting, but I didn’t know how I proceed to this magical job in security. I needed to network with real people that were working in security and find out what they do and how they got there.

I looked online for local meetups. There were some community groups like a Linux user group, open hack Columbia and something called ColaSec. ColaSec had a meetup 3 days later. Plus they said it was an open invitation group, so I just decided to show up to the September meeting.

I wouldn't call myself shy, but getting out of your comfort zone and just going out to meet new people can be tough. If you are looking to get into security find your local city ‘Sec’ meetup and go! If the people you meet are half of what I found at ColaSec it will be worth your time.

I walked in, introduced myself as a tech and security enthusiast. People said hi and gave me pizza and beer. They were hanging out talking about random security news then a speaker gave a talk about building a security framework. There was a table in the back with practice locks and lock picks and people were drinking an adult beverage or two. I HAD FOUND MY PEOPLE!

Once the meeting was over everybody was kind of hanging out so I introduced myself to a few of them. I met a few people that worked in a Security Operations Center. There was several help desk managers and a technology course instructor present. There were also people on the job search like me. A conversation about security conferences led to an invitation to one in Kentucky called Derbycon. Tickets sold out, but I managed to snag one last minute and headed out of town to my first security conference.

On the way to Derbycon I checked the speaker list. I found that a few authors of my security books plus people from my twitter feed were going to be at this conference. I decided to meet as many of them as I could. Derbycon itself is worthy of its own write up, but in short it was awesome. I got to keep meeting and talking with real security professionals. They were open to answering questions and connecting on twitter and I continue to stay in touch with many of them today. I learned a lot of other people’s career paths that led to information security.

When I got back from Derbycon I felt like I had direction. I started applying to some help desk and technology jobs to try and get my foot in the door. I revised my resume and evaluated my past skills into how they could help me in a security related position. This started a roller coaster process. As applications and interviews started to pile up frustration started to settle in. Repeat… wait… apply… repeat. I had one interview that I thought went well and a few pings on my resume that had placed me into consideration. I felt things were looking up again. The promising job lead fell through. Then the 'under consideration' jobs decided not to fill the position.

This is the point in the story where desperation may have kicked in. I took a hard look at what I wanted from a security job and it wasn’t a help desk spot that I could work my way up from. Open source intelligence (OSINT) was my favorite subject so I decided to find people I could talk to again. It seemed that military or law enforcement background was a prerequisite for a job in OSINT. I thought about who I could talk to about this and I looked up private investigation firms in Columbia, SC. Through the ‘contact us’ part of the PI websites I shot a quick introduction email. I gave a brief description of who I was. I described what I was studying and asked if they were hiring. I also said if they weren't hiring I would be happy to just talk OSINT and find out how they used it as investigators. I got a phone call from a private investigator 1 day later.

I chatted with the investigator for a few minutes and he asked for my resume. It turns out the background in law enforcement or military wasn’t an issue. So a few hours later I was called for an interview. The position wasn’t exactly OSINT, but they had need of a digital forensic analyst. My technical background led me through the interview with ease. 1st interview led to a 2nd interview which led to a tryout in their computer forensics lab. The tryout went well and I am now over 3 months into my role as a digital forensics analyst. I get to work in a forensic lab doing cool stuff with all types of technology and in between cases I talk OSINT with the other investigators.

I’ve listened to a lot of stories about how people got their InfoSec job. There doesn’t seem to be a defined path or perfect guide out there, but this is my path. I hope by sharing my path that somebody finds some facet of my story that they can apply to their own career path. If I could re-iterate just once point of my story it is to go out and talk to people. Information security is about the people that drive the technology. If you don’t know how to apply information security it in real world scenarios go talk to the people that do. It will likely be a fun journey."

This post first appeared on Exploring Information Security.

Getting into information security via military service

May 21, 2016

I see a lot of self-study and going to college advice for those looking to get into information security. I would like to recommend another option. Join the military. People joining the military get training, real world experience, and money for continued education.

Now, the military isn’t for everyone. Yes, there is a chain of command filled with people who give out orders. And yes, those orders need to be complied with. The thing about that is that most people know what they’re doing in the military. It's usually not an issue. And that's because the quality of people in the military is top notch.

Joining the military is no small decision and it shows in the people that serve. I had several really good mentors in the military that helped shape who I am as a person. Not only did I enjoy the benefits below, but I learned a lot from those mentors. I gained a strong work ethic. Learned communication and leadership skills. And I had a lot of fun doing it.

The lifestyle is a lot different. The first couple of years involved moving around quite a bit. Moving from a barracks to a dorm to another dorm to a different base. Then off-base to an apartment. I spent a year in the midwest, three years one the west coast. Then two years on the east coast. If you like traveling there’s plenty to be had in the military.

Then there's the uniform. Sure, I couldn't pick my close, but that made things easier. Each day I woke up and new what I had to wear. I also saved quite a bit of money on doing laundry, because I could wear the same uniform for a few days. Usually, I was just changing my undergarments.

Training

My first military contract had me set to be a paralegal in the Army. That fell through and I ended up joining the Navy as an electronics technician. That contract came with a $7,000 signing bonus. I had two months of basic training. Two months of basic electronics training. Four months of communication electronics training. Three weeks of miniature/microminiature board repair training (2M). All that in my first year. I was also sent to radio, aircraft load out, instructor, Humvee driver and forklift operator training. When it comes to training the military is one of the best.

I joined in early 2001 and IT (let alone infosec) positions weren't as well defined. Now that the digital age has matured, there's a much stronger focus on information security. That means the programs are much more prominent in today's military.

Real world experience

During my time in the Navy I did a little bit of everything. I pulled cable. Moved phone lines. Setup computers. Troubleshooted computer issues. Setup communications for field exercises. Inventoried and maintained radio equipment. Setup switches. Created user accounts. And that was all at my first command.

My second command involved a lot more IT work. I learned how to rebuild a server after it crashed and no backups were available. I trained personnel on email usage. Took part in my first workstation refresh, swapping out old computers with new ones. Patched systems. Updated anti-virus. Troubleshooted more computer issues. I leaned on a lot of that experience when I got out and started looking for a job.

I also got the opportunity to do a lot of fun stuff. Train with Navy SEALS. Face-off against the Canadian Army in multi-nation exercise. Jump waves on the Pacific Ocean in a Zodiac Hurricane. Just to name a few.

Money for continuing education

The GI Bill is one of the best benefits received from joining the military. I paid for school and a Network+ certification with it. Last year I graduated from the University of South Carolina with a degree in media arts. All paid for by the GI Bill. I knew coming out of high school that if I went to college I would be wasting my time and my parents money. I wanted to get some real experience and get college paid for when I was ready to go.

The GI-Bill is even better now then when I first started going to school. A year or two after I started taking classes, the GI-Bill changed. Not only was school paid for, but I was making a little money on the side. As long as I was taking more than half a load of classes I got basic allowance for housing (BAH). Which is a significant amount of money. This really helped when we started expanding our family.

Final thoughts

The military is a great option for people looking to start a career. The military does a great job of training and giving it’s members real world experience. A lot of that training and experience translates to the real world. For those looking to get into information security, the military has some good programs. When I joined, I had no idea of the career I wanted to be in. That was okay, because when I knew what I wanted to do I could lean on a lot of my experience.

Serving the military is a massive commitment. Again, it’s not for everyone. It is a viable option though and one that I recommend exploring.

This post first appeared on Exploring Information Security.

Success doesn't require following your passion

February 15, 2016

“Follow your passion” is a phrase often given as career advice to people getting into a field. I don’t like the this advice. It sets high expectations for someone trying to break into a field and it has the potential to lead to burnout. Note the second definition about in the image above.

There’s nothing wrong with using passion as motivation, but that same emotion has a dark side. Instead of following a passion, bring it to your daily work. Look for value and unique skill sets that will provide a positive impact.

Following your passion isn't helpful advice

I first started to question “follow your passion” early in 2015. It was while listening to an episode of the NPR TED Radio Hour titled success. In that episode there was plenty of talk about following your passion for success. Well, except for Mike Rowe. For those unfamiliar with Rowe, he had a TV show titled Dirty Jobs. Rowe would go with a film crew to various locations to work for a day doing a less than glamorous job.

In his TED talk he described the people doing these dirty jobs day-to-day as happy. No one follows their passion to be septic tank cleaner or a road kill highway picker upper or a bait seller. Yet, that's what these people did and they were successful. 40-50 of the 200 people he followed around were multi-millionaires. He suggests that instead of following a passion, bring passion to the work.

A recent Art of Charm podcast featured Cal Newport and he has another angle. In the episode he debunks the “follow your passion” advice. The people that give the advice usually give it because they can't explicitly explain why they've been successful. He says, instead of following your passion you should let your passion follow you. He talks about finding the unique skill and valuable skills in your daily work that makes you stick out. What creative solutions can make systems and processes run more efficiently. That's what these successful people have found in the work they do or the content they create.

Reflecting on my career

Coming out of high school I was set to go into the Army as a paralegal. Instead I ended up in the Navy as an electronics technician, after my contract fell through. Would I be more or less happy in that role? I don't know. I'd like to think I would be just as happy in a legal career as I am in my IT career. I've seen people passionate about computers and I can safely say I am not one of them. What I've enjoyed is solving problems. Building new programs and systems and optimizing ones already in place.

In my daily work I've looked for ways to make the most impact and make things run better:

I’ve implemented a remote access and software deployment solution for the help desk. They had to manage computers all over the state. Before the solution they had to travel for the simplest problem.

I also took our unused IDS solution and setup a one-man security operations center (SOC). Computers I found talking to countries outside of the US I had a technician investigate for malware.

I’ve cleaned up content filtering rules and rebuilt servers to interfere with operations less. That led to management tasking me with important projects. Implementing security in the software development life cycle (SDLC) process. Hardening our computers and securing our websites. I didn't follow my passion to any of those areas, I brought it with me. What's allowed me to be successful is following through on tasks and improving what's already in place.

Of all the work I've done, I found that I really enjoyed working in application security. If there’s one area I would love to move into it would be application security. Yet, I also enjoy building new programs and making a positive impact. I currently work in a SOC. It’s not the most exciting experience for me, but I’m learning what I can and trying to improve or build out new processes. I’m trying to learn the nuance of a SIEM and the challenges of being a SOC analyst. I’m bringing my passion with me and learning the skills that provide value to the organization.

Conclusion

It’s okay to be in a field and not be passionate. Success isn't found by following your passion. It's by bringing it with you. If you’re among those that are passionate about a particular field, that's awesome. I know a couple people like that and they live and breath the work day and night. I contest that’s a rare thing.

For the rest of us look for enjoyment and fulfillment in everyday work. Try to identify what can make the most impact in your organization and your career. Bring the passion or let it follow you. Success will be sure to follow.

This post first appeared on Exploring Information Security.