Shostack + Friends Blog Archive


How to Get Started In Information Security, the New School Way

There have been a spate of articles lately with titles like “The First Steps to a Career in Information Security” and “How young upstarts can get their big security break in 6 steps.”

Now, neither Bill Brenner nor Marisa Fagan is dumb, but both of their articles miss the very first step. And it’s important to talk about that first step when talking about first steps in a career:

Do something useful.

Some ideas:

  • Write a new tool
  • Add an awesome UI to an existing tool
  • Break something interesting and responsibly disclose it*
  • Get more data out there
  • Analyze existing data in a new and thought-provoking way

We have enough people in infosec who are famous for being famous, or famous for being controversial. If you want to stand out from the pack, do something to move the field forward. Share useful work.

You’ll stand out a lot better than people adding to the chorus.

* You want to disclose it responsibly because it avoids a whole silly debate which detracts from attention to your work.

6 comments on "How to Get Started In Information Security, the New School Way"

  • Andrew Hay says:

    Sure, development/research is ONE way to break into security… one of several ways. Many developers that I talk to feel the only way to enter our field is to “hack” something because we, as an industry, have conveyed that hacking is sexy and other aspects of security are not. I’m going to call this the “BH/DC Syndrome” 🙂

    Breaking things isn’t the be all and end all of INFOSEC. You mention “adding to the chorus”. It takes many different types of voices, singing in harmony, to create beautiful music.

  • Aapo says:

    Any suggestions for a useful tool in need of an awesome UI? I’m looking for a topic for my master’s thesis in HCI, and designing and implementing an advanced UI for a security tool would fit the bill nicely.

  • Adrian Lane says:

    That’s just CRAZY talk. We don’t join corporate INFOSEC to be useful. We do it because there is no other place a 24-year-old can set policy and say “You people are Suxorz” and not get fired! And get paid to play video games to boot! Useful … you crack me up!

  • Marisa Fagan says:

    Happy to see that my blog post crossed your path.

    I may have oversimplified things in the post in an attempt to document the speech I gave. Taken out of context, I can see how it comes off as “this is all you need to do,” but I did try to stress that these were simply things nobody told me in school (mostly because Twitter is still new). Perhaps I went to a better school than I realized, but “Work on projects” and “Build your portfolio” were definitely covered. I strongly encourage students to work on the open-source projects and to work through the tutorials provided by OWASP.

    Any other advice becomes too specific. I wouldn’t tell a would-be analyst the same career advice as a future pen-tester. And most students still don’t know what they want to be.

    • Adam says:

      Hi Marisa,

      Your post was pretty clear that “these are the things no one told me,”

      * I was responding to the bullet list
      * which is all anyone reads
  • RHW says:

    Hi Adam, I’d like to discuss guest blogging for the New School. Please e-mail me for future information.

Comments are closed.