At the BSides Boston 2017 Security Conference held at Harvard University’s Science Center, there was an afternoon panel “Breaking Into infosec.” The invited panelists: Tracy Z. Maleeff, Justin Pagano, and myself. The moderator was Keith Hoodlet. The abstract of the panel as written on the schedule:
Are you interested in Information Security, but you don’t know where to start? Are you a professional in another field, wanting to switch into Information Security? Or maybe you’re a Security Professional looking to make a move, and want to know what hiring managers are looking for. In this panel we will cover various topics for shepherding your career in Information Security from three different perspectives. The panelists - including an educator, a recent convert, and a hiring manager - will field a series of questions on topics including:
- What skills are employers looking for?
- What resources are students currently leveraging?
- How can you get involved in Security (even if it’s outside your current role)?
… and any other questions you might have!
We had a fantastic time on the panel. Sadly, the panel was only an hour long and we did not answer all the planned questions or answer any questions from the audience. The panel could have continued for a very long time. Before the conference, panelists were given a list of ten questions to prepare for: Keith wrote the questions (thanks again Keith). Only six of the questions were asked in the panel due to limited time. Here were the ten questions that were planned and my response to each question:
Question 1:
- (To Tracy) What have you found to be the biggest challenge for entering into the industry?
- (To Justin) What have you found to be the biggest challenge in hiring for the industry?
- (To Me) What have you found to be the biggest challenge in preparing students for the industry?
- Working on open-ended problems. I am appalled by how students are generally uncomfortable with working on unstructured and open-ended problems. The problem becomes glaring during students’ first internships, as I constantly see comments in Curricular Practical Training (CPT) reports such as “I wish my supervisors had described the overall structure in a little more detail” or “I was simply freaking out with the fact that I did not have an assignment with a roadmap.” That’s normal, and that’s reality. Generally speaking, in the real world you will not be given detailed specifications as in most academic classes.
- Get students to talk through vague and open-ended problems.
- Getting them to gain experience early and often. There is no substitute for real work experience.
- No hand-holding (I do not do that).
Question 2:
- (To Tracy) What skills have you focused on developing for building your career?
- (To Justin) What skills are you looking to hire for?
- (To Me) What skills are students focusing on learning today?
- Taking responsibility for one’s own learning; college is not an end.
- I did not take a course in web development, mobile development, or security when I was an undergrad (1998-2002).
Question 3:
- (To Tracy) What resources have you found useful in preparing for job interviews?
- (To Justin) What resources does your team leverage on a regular basis?
- (To Me) What resources are students leveraging to develop their skills?
- Hacker News: https://news.ycombinator.com/
- Nick Davis, Rapid7 (he took my Security course in fall 2013, Tufts Class of 2014)
- Sarah Gibson, Veracode (she took my Security course in fall 2016)
- Guest speakers and alumni network
Question 4 (not asked in the panel):
- (To Tracy) As you started your career, what did you do to get involved in Security?
- (To Justin) What are some of the ways internal personnel can help amplify the Security message in the workplace?
- (To Me) What are your students doing to be involved in the Security Community?
- Personal Engagement Project in my Cyber Security and Cyber Warfare course (a joint Computer Science and Political Science course this semester)
- What: Because Cyber Security is a very broad field that encompasses many disciplines and changes rapidly, we expect every student in the class to participate in ways not explicitly defined by the curriculum and syllabus.
- Why: We want our students to be strong in: (1) taking responsibility for one’s own learning, (2) actively engaging with a larger community outside the classroom (e.g., a professional group), (3) being active citizens, and (4) working on an open-ended project. Cyber Security presents many opportunities outside the classroom.
- We can’t teach everything about Cyber Security in this class nor can we show all the opportunities that are out there.
- We want to give students the flexibility and freedom to explore what is out there with regards to Cyber Security.
- We want to grow students’ intellectual curiosity and make them take responsibility for their own learning.
- We want to see students engaged with the community in some capacity outside of the classroom; that’s where the real learning is.
Question 5:
- (To Tracy) Have you pursued certifications as a mechanism for growing your career? Why or why not?
- (To Justin) When reviewing resumes, do you find that you’re more likely to interview someone with a certification? Why or why not?
- (To Me) Do you encourage your students to pursue additional certifications? Why or Why Not?
- Ask yourself: do you need it? (thanks to Peter Sullivan back in 2007). Some jobs (e.g., working at the Department of Defense) require certifications.
- The dubious value of some certifications is well documented.
- @viss: “2 people who know their shit and did ‘real work’ before infosec can do 100x more than 5 cissps with zero experience.” Source: https://twitter.com/Viss/status/851912114008498176
- I advocate for the SANS Institute because I am an alumnus and I am very grateful for what I got out of the SANS SEC504 course (GCIH certified from 2007-2011). I give each student in my Security class a SANS poster before the CTF game.
Question 6: What transferable non-infosec skills have you found to be assets within the security industry?
I worked at Harvard for ten years at the Department of Environmental Health & Safety (EH&S). Looking back, I am now more grateful for working there. The reasons:
- I was the only tech person in the Department. Thus, I had to communicate to mostly non-technical personnel.
- I learned the business context of Environmental Health & Safety (EH&S). I applied my technical knowledge to build tools to support the Department; most of those tools are still in production.
- I was exposed to the importance of industrial hygiene, occupational safety, and public health. As Chris Wysopal once said to me, something along the lines of: “you can’t graduate from a Civil and Environmental Engineering program without learning about health and safety, but you can graduate from a Computer Science program without learning about security, hygiene, and safety.” Alas, we are still facing the same issues we have faced for decades.
Question 7: What standards or practices do you see other fields using that you think infosec could benefit from adopting? (not asked in the panel)
- A standard glossary of terms. There is still a vocabulary problem in this field. The problem is compounded when working with policymakers and non-tech folks. A good read: “Why Offensive Security Needs Engineering Textbooks” by Sergey Bratus, Ivan Arce, and Michael Locasto (USENIX ;login: August 2014)
- Professional Engineers (PE) exam. A good read: “Programmers: Stop Calling Yourselves Engineers” https://www.theatlantic.com/technology/archive/2015/11/programmers-should-not-call-themselves-engineers/414271/
Question 8: How important is it that individuals participate in extra-curricular activities to expand their knowledge and build their resume? (not asked in the panel)
HUGE. Examples: Atlantic Council Cyber 9/12 Student Competition (Josh Corman is the Director), MITRE Embedded Capture The Flag Competition, Build It Break It Fix It. Not only for the open-ended problems but also for the networking alone. Real work experience and projects are paramount. One will learn as much from the competitions, if not more, than in the classroom.
Question 9: In your opinion, what is the most valuable skill to develop or possess to be successful in Information Security? (not asked in the panel)
Communications and empathy. I’ve seen first hand what happens when someone does not communicate well. Problems ripple down and affect others.
Question 10: What parting wisdom do you want to share for those that want to break into infosec?
The same message from BSides Boston 2014: security is a lifestyle. In other words, you have to be passionate. Too many people are in it for the parties and money.