How to Get Started In Information Security, the New School Way

by adam on April 24, 2010

There has been a spate of articles lately with titles like “The First Steps to a Career in Information Security” and “How young upstarts can get their big security break in 6 steps.”

Now, neither Bill Brenner nor Marisa Fagan is dumb, but both of their articles miss the very first step. And it’s important to talk about that first step when talking about first steps in a career:

Do something useful.

Some ideas:

  • Write a new tool
  • Add an awesome UI to an existing tool
  • Break something interesting and responsibly disclose it*
  • Get more data out there
  • Analyze existing data in a new and thought-provoking way

We have enough people in infosec who are famous for being famous, or famous for being controversial. If you want to stand out from the pack, do something to move the field forward. Share useful work.

You’ll stand out a lot better than people adding to the chorus.

* You want to disclose it responsibly because it avoids a whole silly debate which detracts from attention to your work.


Sure, development/research is ONE way to break into security… one of several ways. Many developers that I talk to feel the only way to enter our field is to “hack” something because we, as an industry, have conveyed that hacking is sexy and other aspects of security are not. I’m going to call this the “BH/DC Syndrome” 🙂

Breaking things isn’t the be all and end all of INFOSEC. You mention “adding to the chorus”. It takes many different types of voices, singing in harmony, to create beautiful music.

by Andrew Hay on April 25, 2010 at 12:27 pm.

Any suggestions for a useful tool in need of an awesome UI? I’m looking for a topic for my master’s thesis in HCI, and designing and implementing an advanced UI for a security tool would fit the bill nicely.

by Aapo on April 26, 2010 at 3:10 pm.

That’s just CRAZY talk. We don’t join corporate INFOSEC to be useful. We do it because there is no other place a 24-year-old can set policy and say “You people are Suxorz” and not get fired. And get paid to play video games to boot! Useful … you crack me up!

by Adrian Lane on April 29, 2010 at 7:48 pm.

Happy to see that my blog post crossed your path.

I may have oversimplified things in the post in an attempt to document the speech I gave. Taken out of context, I can see how it comes off as “this is all you need to do” but I did try to stress that this was simply things nobody told me in school (mostly because Twitter is still new). Perhaps I went to a better school than I realized, but “Work on projects” and “Build your portfolio” were definitely covered. I strongly encourage students to work on the open-source projects and to work through the tutorials provided by OWASP.

Any other advice becomes too specific. I wouldn’t tell a would-be analyst the same career advice as a future pen-tester. And most students still don’t know what they want to be.

by Marisa Fagan on April 30, 2010 at 7:16 pm.

Hi Marisa,

Your post was pretty clear that “these are the things no one told me,”

* I was responding to the bullet list
* which is all anyone reads


by Adam on April 30, 2010 at 7:21 pm.

Hi Adam, I’d like to discuss guest blogging for the New School. Please e-mail me for future information.

by RHW on May 16, 2010 at 6:59 am.
