How to find your niche
Relax. It can take time to figure out what really engages you. Appreciate some of the skills you learn along the way. Ignore the advice to follow your passion. You may find work in security that you enjoy doing but aren't exactly passionate about. That is okay. You can be passionate about other things and still be happy in the work you do.
Explore. Try all the things. If your role allows it, take on security projects or initiatives in different areas. Research different areas. Go to security conferences and checkout various talks. Some of the best ones for exploring are single track conferences like BSides. Find a local security meetup. Follow a bunch of people on social media in the infosec field. Listen to security podcasts. There are a ton of them.
Play. Build a home lab. One of the great things about our industry is that there are a ton of free tools that do some amazing things. Some of my favorites are:
Redline a memory forensics tool
Zed Attack Proxy a dynamic analyzer for applications
EMET a windows hardening tool
PDQ Deploy third-party patch management and software deployment tool
Ask questions. Talk to people in various fields. Do this at work and at conferences and local meetups. Social media is also a great place to ask questions.
Evaluate your strengths. If you love math or a good puzzle, cryptography might be your thing. Do you love solving mysteries like a detective? Then maybe incident response or forensics might be your thing. Liking a little bit of everything may lead down a generalist path and into a management or CISO role. Whatever the strength try to match it to a different field in information security.
My story
I didn't really have a plan for what I wanted to do coming out of high school. The one thing I was sure of was that I was heading into the military. I didn't want to head to college not knowing what I wanted to do and put myself in debt. The military would give me an opportunity to figure that out and earn money for college when I did.
Prior to graduating I had looked at a number opportunities in the Army. Helicopter mechanic was one I remember. The other one I remember is paralegal, because that's what I ended up signing to do. That plan ended up falling through and I ended up working at Blockbuster for six months. I eventually signed on with the Navy and tested into the electronics technician role.
As an electronics technician I dealt with anything that had a circuit. Computers, phone lines, printers, communication equipment, and so on. I learned a lot about troubleshooting. I honorably discharged from the Navy after six years still without an idea of what I wanted to do. This lead to contract jobs pulling cable on and off for six months. Eventually, I landed an IT role as a tier two technician. The IT field was alright. I was good at it, but it wasn't exactly inspiring me.
At this point I started going to college part-time as a media arts undergraduate. Why media arts? I enjoyed movies and video games. I had an interest in possibly building websites. The biggest factor, however, was that the offered night classes. The computer science department did not. Plus, I had worked as an electronics technician for the past several years. I would only be gaining a little benefit in going back to school for that.
A year into my tier two technician role I got hired as a network/system administrator for a small state agency. This is where my interest in security really started to manifest. The first appliance I touched was the Sourcefire intrusion prevention system (IPS). I started tuning it and setup a process where I reported computers that needed to be grabbed because they were talking to places like China. This was a juvenile detention facility, there is no reason to talk to China. Despite starting to gain an interest in security, I had aspirations to move into the media arts field for a few years. I was blogging and podcasting about baseball and enjoying that opportunity. I even started making a little money from it. I didn't know what I wanted to do, but I started looking at opportunities in the field.
The problem with the media arts field is that it doesn't pay well and it's highly competitive. The money I started making wasn't anywhere close to feeding myself, wife, and child. I was also putting in a lot of hours after work just to maintain that extra source of income. After a few years of exploring the possibility of a career in media arts, I nixed it for practical reasons. This is when I started to gain clarity on the information security field.
After gaining some network and system, as well as security, administration experience, I was hired into my first security role. This role had me wearing several different hats in the security field. I managed AV, the webfilter, email spam filter, incident response, web application firewall, and much more. All these different areas intrigued me more than network or server administration had ever.
I thought I was good. Security was my niche. Done.
Then I found out I was supposed to find a niche within my niche. I had to pick a field in security. Really? I was enjoying doing it all in security. Can't I be a generalist. Well depending on who you talk to you can or you can not be a generalist. I think you can be a generalist and I was heading down that path as my niche. I had a wide range of experience in not only security but IT in general. I could walk into a network or server discussion and talk basics.
One day my manager came to me and said, "We need to setup an application security program." Off I went to figure out what I need to do. What I discovered in my research was that I had a strong interest in application security. Reading about the field was keeping my interest more than the other fields. Some of my strengths started to show themselves. I've also had an interest in web design. I know HTML and XML pretty well. Plus, I was wrapping up a degree in media arts that gave me more experience with websites. I also started to discover that I had a knack for working with other departments. Which came in handy when setting up security programs that involved other departments. I had found my niche.
Nearly, three years later I am working as senior software security engineer. I work with the development team to get security in the software development life cycle and I am loving absolutely every minute of it. I know I wouldn't be happy as a security operations center (SOC) analyst, because I was in that role for eight months and disliked it a lot. I think I would be happy working as a generalist in information security. For a time I thought I would have to be generalist. The "requirement" to get into application security is to have a programming and development background, which I don't have. That didn't stop me from perusing those types of roles and should probably be left to another blog post.
I shared this story, because I want to show people that it can take time to figure out what you want to do. I didn't know I wanted to be in security until my late 20s. I didn't get into security until after my 30th birthday. It was another two years from that point that I figured out what I wanted to do. Relax, explore, play, ask questions, and evaluate your strengths. Then you'll find your niche.
This post first appeared on Exploring Information Security.