So you’re starting out in InfoSec and don’t know where to start. I don’t mean the trainings, or the fields of study, the webinars, or the cons. We aren’t talking about doing your research to publish, or diving in on bug bounty research, or how to conquer your first CTF (capture the flag). Nor are we worrying about creating your first phishing campaign, getting into social engineering or OSINT (open source intelligence), or submitting your first CFP (call for papers). There are plenty of folks out there that can help guide you on how to get started in all the various areas. Which trainings, which accounts, which tutorial videos, write-ups, and blog postings. The overarching question for all of these, is how do I know where to start? Put yourself out there and get involved.
I’m a latecomer to the field. By that, I mean that I wasn’t trolling the message boards, or learning how to hack my PC games to make them better, or writing code to make things work the way I wanted them to. I also didn’t go to school for this or even computers. My background comes from technical theatre, improv/sketch comedy, and stand-up comedy. I made a decision to give those up to pursue a job (surprise, there was a relationship involved in the decision), which landed me in the world of college retail. What I did have, was an interest in computers since I was a child and an enjoyment of solving puzzles. The CSI TV franchise got big and opened up the world of forensics. I had always loved Sherlock Holmes stories, his ability to deduce information from data, and it had never dawned on me that there were attributes of that that could be applied to a career. And I had seen “Sneakers” and “Hackers” growing up, so I should have put two and two together. I realized I could pursue a career in something I had always had an interest in, but I thought that would be the DFIR world (digital forensics and incident response).
Part of the issue I had was no network. Since I didn’t go to school for it, I didn’t have a professor that grew to be a mentor. I didn’t have classmates to start building a network with, to venture out together and support each other. I was basically going it alone. I was able to get my first job as the sole IT help desk/sysadmin at a small professional services company. It was the IT Director and me. Great exposure, I could learn systems and connections in a real-world setting, as well as securing them. But still no one to help guide me along the path.
That continued for a while, ten years at least. I was given more and more security responsibilities thanks to bosses who knew I was interested, trusted me, and fostered my advancement with their support. They weren’t security people though, so they could only let me know what they had heard from security folks they had worked with in the past. Offered me an introduction. But there’s only so much I felt I could do through email, with someone who was talking with me as a favor to someone else. So I took a leap and signed up to volunteer at a BSides.
That experience opened up a world of people in my area and introduced me to Slack groups and local meetups that they all were a part of. It didn’t matter that they worked at different companies, in different areas of the field, or even for competitors. They were a community. I had started to find what podcasts to listen to, which periodicals were good reads, and which people from the industry were good accounts to follow on Twitter. So I was connected to community but I wasn’t really a part of it.
You’ll hear a lot about imposter syndrome in this business and how everyone experiences it. The biggest issue is, you’re not aware of imposter syndrome, nor how it affects everyone, when you’re first starting out. Some are lucky and learn about it early on, others, like myself, go years before learning what it is and that it exists. So you’re not aware of that lens to view yourself through. All you’re doing is comparing yourself to the people who seem to be known and a member of the community. They’ve all written books, or created processes and programs used universally around the world. They’ve developed new techniques, have been writing code or hacking since they were 10 years old (or younger). They have inside jokes, shared memories from a laundry list of conferences that they’ve all attended together. And while all that is true, to some extent, it is not exclusionary.
If you reach out, if you share ideas, show an interest in learning what’s correct or why things are viewed a certain way, many of the people are happy to share their knowledge and thoughts. It is a community. A community of many self-professed geeks and nerds, who just love talking about it. And they love talking about non-security things too. Movies, music, sneakers, biking, hiking, baking (very big since the pandemic), and crafts. They’re all just people. And they want to help. And if you’re not sure who may be the best person or best resource for the area that you’re interested in, just ask. They know each other and their specialties. More importantly, they know the helpers. The ones that look to share, pass on knowledge, and encourage people in the field.
All it takes is one leap of faith on your part to get involved. “Hi, I’m new here and I’m looking to learn.” The output of love and support you’ll get will surprise you.