Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Bootstrapping the next generation.

DISCLAIMER:  I am old.  Old enough to be older than most people I meet on the security side of the ‘net; old enough to have people wonder what I’m doing at a conference of a Certain Stripe.  But I’m not one of these people who sits back in wonderment at the brave new world of 2.0 or attends classes on How to Talk to Millennials, as if they were a separate species.

@jsokoly gave a great talk at B-Sides Austin on the problems that younger people have breaking into the security field.  And I’m not saying “it was a great talk for a youngster,” either; it was a great talk, period.  He pointed out the ridiculousness of requiring a CISSP for an entry-level security position, when the CISSP itself requires five years of experience.  That’s certainly a sign of a clueless employer, right there; but he only touched on a much larger problem, which is How do you bootstrap ANYONE into the security field?

I got my opportunities in my career because someone took a chance on me—many “someones,” many times.  I’m a great believer in paying that forward, and I try to mentor people where I can.  But I do run into a big stumbling block when I try to help someone who doesn’t have IT experience, but who wants to break into security.  I don’t want to encourage paper tigerdom, which is what I think happens when people come into security through the policy-writing door. 

In a way, people like @jsokoly are at a disadvantage today, precisely because we have actual academic tracks, programs and certifications for IT security.  Back when a computer science program involved learning FORTRAN, it was easy to move on into security because it was uncommoditized territory.  This is how thought leaders came into security from fields as diverse as biology (marine or otherwise), mathematics, liberal arts and Chinese philosophy.  These days, though, if you’re not a minted Cybersecurity Graduate, you’d better have an alternative pedigree that’s equally compelling.

So how do you get one, especially if you’re lacking in experience (I’m not saying “young”) and can’t afford to go to school?  (The price of those five little letters goes up yearly, and if you’re not already making high five figures as a security professional, you can’t afford to waste hundreds of dollars to get them.)  I make no secret of the fact that I believe you need a solid background in IT operations—preferably system administration, because if you work in a small enough shop you’ll end up learning network admin and you’ll have to troubleshoot applications as part of your job.  I *think* that if you get five years of experience doing that, you can argue to anyone who asks that you spent time doing security as well, especially if you’re well-read on the issues and can discuss them with the right mindset.

But this sort of implies that security is not an entry-level field.  And I may get arguments about that, and that’s okay.  I know people in entry-level jobs who are “doing security”:  they’re doing account administration, publishing “cybertips,” updating antivirus software, and maybe “administering” self-supporting firewall appliances.  But with the exception of the last activity, I don’t know of many people who have been successful in breaking out of that entry-level status (and those that have, without the technical experience I mentioned earlier, only got as far as they did because the people who hired them didn’t know any better). 

This would further imply that “security” is a specialization, and in order to get experience in it without getting the certification that specialization requires, you need to work in an area where they don’t treat security as a separate function.  You may need to go for jobs that smell security-like but don’t actually have the word “security” in the title. 

I’m not completely happy with this conclusion, because it means that when I start a promising candidate in an entry-level position in my organization, I have to send him or her out on a journeyman basis to get the next level of work experience somewhere else—somewhere outside of my specialized group.  But I think it’s the best avenue for their success in the field.  In the spirit of paying it forward, I think that it benefits us all to get new professionals up and running, no matter what tricks we might use to accomplish it.

Note that I still haven’t explicitly said that this is about “the next generation”—in fact, some of the entry-level people I’ve worked with have been older than I am.  I still believe that the requirements for a security professional are experience, talent, speed, and personality; you don’t need to be a certain age to have the winning combination of those.  Being young is a strong predictor of not having experience, but considering that I started hacking around at age 12,* it’s by no means a certainty.  So if an individual who is chronologically challenged doesn’t make an issue of the fact, I don’t either.

One more thing:  I don’t see how bringing new people into the field will cause me to lose my own position.  Because of my background, I bring a different contribution to the table from what they would, and there’s room at the table for everyone.  Just don’t laugh at me when I shoot tequila out my nose, please.

* I was pushed.
Posted by shrdlu on Saturday, March 20, 2010