Breaking into Information Security Takes Knowledge and Curiosity

What does it take to succeed in information security? Certifications and education help, but your natural sense of curiosity is also a major career-driver, propelling you to focus on new (and vulnerable) things. Two information security experts explain how they broke into the field and what keeps them interested.

“The most fascinating aspect of information security is the amount of curiosity that one is permitted to use to do their job,” said Nicholas J. Percoco, Chief Security Officer at Uptake, who has worked in security for more than two decades. “Many other professions don’t allow people to go off and find problems; in certain roles in the information security industry, that is your full-time job.”

Percoco’s tech career started early. “By the time I was in middle school I was navigating the Chicago-area Bulletin Board Systems (BBSs),” he said. “These systems were almost like self-contained ‘internets’ with email, message boards, areas to download software and required some basic security and online safety to explore and navigate successfully.” He majored in computer science and, by the late 1990s, was working as an ethical hacker for a security company, testing the vulnerabilities of banks, corporations, and consumer businesses.

In his chief security officer role, he’s responsible for not only information security, but the company’s physical security, as well. “Stakes are very high when poor security decisions are made: systems gets hacked, data gets stolen or people get hurt,” he said. “I also spend time thinking about the future and planning 6, 12 and 24 months out to anticipate where the business will be and what the security needs will be when we are there.” He must organize his team to meet those longer-term plans.

On his personal time, he’s interested in how to hack Internet of Things (IoT) and home-automation devices. He’s in the process of automating his own home in a secure way, which means carefully selecting vendors (“not buying $25 IoT cameras”), practicing good security hygiene, and “making sure the integrations between products and other systems that have access to them are also secure.”

The cyber-security industry needs as many passionate, hard-working people as possible. Fortunately, there’s no one path to success, according to Percoco: “A degree in computer science helps but isn’t required, certifications help but are not required either.” His advice? If you’re new to the field, “volunteer and contribute to security events and open-source projects.” The contacts you meet will give you vital advice on climbing the career ladder.

Like Percoco, Matt Jakubowski has always been interested in solving technical problems, which drew him to information security. As Director of Hackers and Hunters at Uptake, he leads a team that envisions (and tries to emulate) upcoming threats.

“We don’t just buy security products and wait for them to alert,” he said. “We are constantly testing our environment and tools to ensure that they are working and catching whatever we can throw at them.”

And like Percoco, Jakubowski is also fascinated by the Internet of Things and the resulting security implications, especially as consumers weave more of these devices into their homes. “The companies selling these devices almost always put security last in terms of priority,” he said. “So while people might be making their lives easier with these Internet of Things, it’s also making an attacker’s life easier. Consumers should start demanding companies take action and ensure they are following best practices for security.”

Jakubowski believes the best way to break into information security is through networking the old-fashioned way: getting out and meeting people who are passionate about it.

“Of course, just going to the events won’t get you a job; you actually have to know what you’re talking about, too,” he added. “’Information security’ is a broad term that covers a large range of disciplines. So start by finding out what you’re most interested in, whether it be reverse engineering, penetration testing, incident response, etc.”

Those new to the security industry, and interested in a particular sub-discipline, should also read as much about it as possible; setting up a home lab that replicates a real-life environment will also help with the climb up the learning curve. “Don’t be afraid to reach out to people for help; just be sure you’re not asking them a question that the first result of Google has,” Jakubowski said. “Once you start doing that, you’ll start to find what certifications or degrees matter for the field.”

Remember: the security community is small and passionate, and connections count for quite a bit. Make an effort to network and keep learning, and you’ll find your place.

Related Posts

Post a Comment

Your email address will not be published.