A recent poster in an information security forum asked what it takes to succeed in the information security field. Having met with moderate success in the field myself, I decided to offer a few of my own thoughts on the matter:
- Be Passionate About It: You can’t get to the top if you don’t truly love what you do. You can do decently well by grinding through, of course, but you won’t ever see the upper levels. This is especially true in infosec, where it takes so much continual effort to stay current. I’ve seen dozens of “security professionals” in the field because they heard “there’s money in security”. That’s simply not good enough.
- Be An Engineer, Not A Technician: If you don’t understand how things work, then you will stay at the bottom of the ladder in this field. Knowing how to operate things isn’t going to cut it. Problem-solving, which is ultimately what good consultants and other infosec professionals do, requires an understanding of the problem at hand, as well as of how any proposed solution functions. You can’t be a button-pusher and get to the top.
- Don’t Be Intimidated By Anything: Many people in I.T. are pretty solid with a few technologies but have areas that they’ll never get into because they view them as scary. I often hear, “Oh, that’s programming, I’m not touching that,” or “I don’t mess with that Unix stuff.” That kind of approach will keep you limited for life, and for a security professional it’s pretty much a sign you aren’t going anywhere. The top security pros approach the unknown very similarly, i.e. by saying, “That can’t be too hard…” That’s the attitude you need to have.
- Combine Book Knowledge with Hands-On: Many screw this up in one direction or the other, and it’s not something you can get away with easily in information security. In this field you need to not only study theory but also know how to implement that knowledge in real-world situations. If you study diligently but can’t apply it, you’re dead. Alternatively, if you can implement but don’t understand the underlying concepts, you’re dead there too (see above). I strongly recommend that beginners invest in a serious lab environment and implement what they find interesting during their studies. Nothing is more effective as a learning tool (for me, anyway) than studying something academic/theoretical and then seeing it come to life in your lab.
- Sharpen Your Communication Skills: Few things are as important as the ability to communicate well. This includes both verbal and written communication. It’s not enough to know lots of things; you have to be able to get that knowledge to your clients/users/management in a way that is useful to them.
Imagine you have two ratings on a scale of 1-10 — message and interface — and that the overall impact of your communication is the product of the two. So if your message is a 10, but your interface to the client (how well you communicated it) was only a 2, your overall score is just a 20. But if your message is a 9 and your interface is an 8 then your score is a 72. You need both solid content and the ability to convey it to others.
- Keep In Mind That There Are People Out There Who Make You Look Silly: Staying humble is another key attribute. If you think too much of yourself, you’ll relax and stop growing. It’s important to realize that there are others who completely dwarf your skills in many areas. Check out some different newsgroups, browse different IRC channels for security-related content, etc. Seek out those you can learn from.