Getting into the Business of IT Security

The IT security field is vastly understaffed, yet at the same time it can be incredibly difficult to break into. It's not that there are necessarily too many people in the field, but there has been a flood of under-qualified college kids into it because it has become so lucrative. Partly because of this, hiring has become a nightmare: companies want people with established track records and college degrees, basically people they feel they can trust to get the job done, and cheaply. That last part is key. Because of the flood of entry-level security people, the average starting salary has dropped drastically in recent years. Reports and ads will always say otherwise, but this is a hard lesson I've learned first hand as I've entered the marketplace. Then again, everything's relative. While my pay isn't where I'd like it to be (whose is?), it's not bad to start a career above the national salary average. Really, I can't complain.

But enough about the situation; what can you do about it? First off, and I know some reading this will hate it: finish college. The IT community is an offshoot of the business community. Plain and simple, we support expensive toys, and the business community is responsible for buying and using those expensive toys. For every server we manage, there's a department, or someone in it, relying on it "just to get their job done." The point is, love it or hate it, we've got to play nice with the suits. Because of that culture, education is paramount. Companies such as Google were founded by brilliant people who believe strongly in higher education, and that means when they're looking to hire you can bet your ass they'll be asking where you graduated from. You might think it's expensive, or a waste of time, or nothing compared to real experience, and you're partially right.
The thing is, college rounds you off. It forces you to study fields and subjects you never would have otherwise, and being well rounded matters when someone is looking you over in an interview.

Secondly, and I know this one hurts, learn how to play dress up. Suits love, well, suits. They value the discipline and prestige associated with getting up every day and putting on an incredibly uncomfortable piece of fabric that burns you up and makes you look like everyone else. But in that conformity comes a familiarity that's invaluable. The suits will feel more comfortable working with you, and with that trust comes your opportunity to assert influence.

So now you've got a college degree and you've got yourself a sharp looking suit; what now? It's difficult to say. You want to be a jack of all trades (Linux, Windows, programming, etc.) but at the same time stay as narrowly focused as possible (do you want to work in vulnerability assessment, forensic analysis, or intrusion prevention?). Simply put, no one can do everything, but you've got to have a skill set that sets you apart. At this point in time Linux is a huge plus. We're on the verge of emerging from a Microsoft world, and in the coming years companies are going to be struggling to find qualified Linux security professionals in a market flooded with A+ and MCP certified technicians.

Speaking of certifications, don't put too much value in them. If your company will pay for them, great, go for it! But realize that no one worth working for will value a certification over real world experience. A business that does that is doomed to fail. But while certifications are of little real world value, continued education is invaluable. A Master's degree may make the difference between $56,000 a year and $65,000 a year. Again, education pays off in the long run.

All that said, prepare for it: just like the business world, it really is who you know. Network, network, network.
And I don't mean Ethernet. Meet, speak with, and befriend as many other technically sound people as you can. Get their email addresses and keep in touch a few times a year, because when their company is hiring, you want to be on their mind. The security community might as well be a fraternity. The first guy hired, now the most senior, will have more impact on who's hired in the future than you could imagine. And if that's a guy you've shared a beer with, you've got a huge lead over everyone else. I got this job for one reason: when a close friend of mine from high school passed it up to take a job with 3G, I was the first name he recommended to get a call. He vouched for my skills, and I was hired within a couple of weeks. Fair? No, but this is how it works. If you've got to play the game, you might as well know what you're getting yourself into.

And while you're at it, touch up your interpersonal skills. Yelling at a user, however much we've all wanted to at one point or another, will never get you anywhere. Take a speech class to help your presentation and vocabulary skills. Take some writing classes to help with your spelling and grammar. Never send out ANYTHING, be it an email or a forum post, without first spell and grammar checking it. Be sure to re-read the entire thing before sending it out as well. It may take a minute more, but it'll give all your work a cleaner and more professional feel. Remember, these items may stay around for years, and many people will take them as a direct reflection of your intelligence. Be polite and well spoken and you'll get further than you ever could have imagined. One last snippet of advice I can give concerning this is to sit on every major report you write for a full day. Finish it, wait 24 hours, then re-read and rewrite it. It takes a little more time, but you'll come up with major revisions. You'll compare what you were trying to say to what you actually wrote, and the clarity and quality of your work will skyrocket.
Finally, prepare to learn some stupid stuff. You'll have to learn the industry talk: for example, the difference between a vulnerability assessment (enumerating weaknesses in a system), a penetration test (actually exploiting them to demonstrate impact), and a risk assessment (weighing the likelihood and business impact of those weaknesses to decide what to fix first). And though you might have been hired as a Linux Security Consultant, don't freak out if you find yourself running a spyware scan on your boss's Windows box; when you're new you will get odd jobs, it's just how things go. This is especially true at small and medium businesses, which might simply not have enough systems or users to keep you busy eight hours every single day on a single task. Again, it's about being well rounded, but only within the scope of your career path. Also, don't fret if you get overridden on a recommendation you made. You recommended SUSE and they went with Red Hat? Live with it, do your job, and one day you'll be the decision maker. Boiling over such issues will only give you an ulcer and degrade your performance. No one wins every fight! Also realize that change takes time. My company's migration to open source and to being open-standards friendly is moving slower than you could imagine, but it's happening. Baby steps are still progress. That's really all I can say: get a well rounded education and learn to play the game. It's more complicated in the long run, but from the 10,000 foot view that's really all there is to it. And in the meantime, hang out with your nerdy buddies and enjoy it, because they might be throwing work your way one day.

Comments


Nice. After finishing

Nice. After finishing education I'll probably be looking for a job in computing somewhere, so this was informative and useful :)

Awesome! I really appreciate

Awesome! I really appreciate the feedback; one of the downsides of running a low traffic site is you're never really sure if your work is doing any good or not, so it's always great to hear it's helped someone!

Nicely done. Lots of good

Nicely done. Lots of good advice for anyone in IT as well as security. The only thing I'd add is that full-time, salaried security professionals are extremely rare. In most cases, you'll either be consulting/contracting or 90+% of your job will be regular IT stuff.

I appreciate the feedback,

I appreciate the feedback; you're absolutely right. As Lineman pointed out, while there are dedicated security companies and staff, the vast majority of those working are in general IT positions and only involve security as one of their many duties. Also, exactly as he said, many of them do a good bit of contractual work for companies as they merge, expand, or perform large projects that require temporary boosts to employees. Getting a full time security-only job is extremely elusive, though they are out there. The point he brought up is exactly what I do. Though I'm a security engineer for my company, I don't spend my time actually working on my company's security. I'm contracted out via them to work with clients and customers. Ironically, the security of our firm is normally a second priority.
