How I Got Started

Every journey has a beginning. Let me start by telling you about mine.

The world of infosec is a challenging and rewarding career. I know of few other industries where you have to spend significant portions of your free time dedicated to growing and honing your skills. One of my favorite things to ask about when talking to other people in the industry is how they got their start. Universities didn’t always have infosec programs, so many of the current older workforce got into infosec in some other way, meaning they didn’t grow up wanting to defend organizations against hackers. As a matter of fact, I didn’t even know IT was a career choice until later on in life. This post will be a (relatively) brief overview of how I got my start.

Community College

I got my start into formal education of ones and zeroes in high school, but it wasn’t much more than HTML or something super basic (pun intended) like a screen saver or math function in QBasic. I think I still have the textbook somewhere. I remember writing a program using the Pythagorean theorem without even knowing what it was. After high school I had to go to college and the only thing I was interested in was computers. I took another HTML class, an intro to programming class (more QBasic…) and worked towards an Information Systems degree. Of course I had to take plenty of gen eds, so I wasn’t exactly immersed in technology.

And then came the classes where they separated the dedicated from the lazy: C, C++, and Java. Holy crap did that come as a surprise! I thought computers were fun and interesting yet here I am staring at a screen for hours trying to figure out why if I remove this set of quotes this part works but not that part, but if I leave the quotes the whole thing crashes.

I immediately knew I didn’t want to be a programmer, beating my head on my desk 8 hours a day in a room with no windows, eventually descending into madness. A glimmer of hope appeared in a business class I had to take: Accounting 101. The adjunct professor would assign homework at the start of class and I immediately did the homework during the lesson since it wasn’t hard to grasp. WAIT, THIS IS EASY I’LL CHANGE MAJORS!!! MWAHAHAA. And so I did when I transferred to a 4-year university.

Accounting, it turns out, is probably similar in difficulty compared to programming in terms of the effort needed. Accounting 101 was easy but tax accounting suddenly made no sense. And for some reason I took 2 tax accounting classes. One class that was tough but made sense was auditing. Auditors’ work is solely based off of what can be proven and not what someone says, feels, etc.

Eventually I graduate and find that an accounting degree without an internship under your belt is like trying to convince a black belt that you know karate because you have a karate certificate. Ultimately they have no idea what you are capable of, so you have to look for basic jobs like accounts receivable, which don’t pay well. I had a spreadsheet going and had 25 applications out, but still no offers despite graduating in a couple of months.

My First Job

I interviewed for an IT audit position with state government but didn’t get the job. Another month goes by, no accounting interviews… I’m getting nervous and guess who calls? The audit position! Someone went out on maternity leave and never came back. Somewhere there is a kid that I owe my career to because if their mom went back to work, I’d probably be doing a trial balance instead of writing this blog.

Auditing sucked. Really sucked. Just when I started to learn how something worked, we had to leave and audit a new client. After about 6 months I finally hit a stride, but I’m still not getting great feedback from my seniors… it turns out you’re not supposed to help the audit client, just find bad stuff, nail them to the wall, write a report and walk away. I used to sit down with sysadmins, identify bad stuff, ask how they would fix it, watch them fix it, then write up how we fixed it. Apparently that is not what auditors do and makes for boring audit reports. Little did I know at the time, fixing bad things is exactly what security people do!

Other Jobs

I had a senior auditor who recognized my intelligence and generally liked me. We worked together a few times but as a junior auditor you bounce around a lot. He was on a separate engagement that mentioned they were looking for security people. It turns out they had no security people. I hated auditing so much at the time that I jumped at the chance. I remember getting the phone call and the feeling of all the blood leaving my face when they told me the position would be a $20k raise.

This job was where I learned the importance of good leaders and leaders who will help you grow. To this day that guy is my favorite boss. He let me run with any idea I had, even if he knew I was going to fail. It let me begin to develop the skillsets I have today. Letting me branch out on my own, I quickly began using a muscle I’d never used before: the analyst part of my brain. I recognized patterns and quickly identified anomalies in logs, finding little bad things.

My boss encouraged me to get a cert to demonstrate that I was learning, so I started a study group for CompTIA’s Security+. To this day I think I’m the only one that got the cert, but the boss let me use work time. One thing that quickly started happening was me explaining the concepts to my study buddies, most of the time using a white board. They loved to poke fun at me, calling me professor.

Little did I know that a year or two later I would be teaching a Security+ class. Teaching something requires a whole new level of understanding than simply passing a test. If you ever get an opportunity to teach, you should do it, but don’t plan on doing it for long. Teaching is exhausting and I truly feel it is the most underpaid profession.

Lessons Learned

With a few years of teaching under my belt and about a decade of experience under my belt, one of the things I have noticed is that infosec requires a certain kind of person. If you are the type that likes to punch a clock - e.g. arrive at work at 9, punch out at 4 - then infosec is most definitely not for you. To be good in this field, you have to be constantly learning. You have to spend weekends at BSides conferences, take a Cybrary/Udemy/Codecademy class, stay up-to-date with infosec news like the Verizon Data Breach Investigations Report (DBIR), new bad guy techniques, new technologies, etc.

Another trend I’ve noticed is that infosec people have a certain mindset. I like to tell my class when they first start Security+ that infosec is a mindset and that they probably don’t have that mindset now. You need to always think that the glass is half empty. For example, when someone asks that a firewall port be opened, infosec people immediately think of what a bad guy can do with that port. Oh yeah, and what kind of crazy person wants a job where despite all of their efforts, they know they are going to eventually lose to the bad guys?!?! Infosec people, that’s who!

So the next time you sit down with someone in infosec, ask them how they got their start. Their answer might surprise you. Maybe they were an accounting major turned blue teamer.

Written on October 1, 2020