I’ve mentioned before that there are all kinds of people who find work in IT security. If you wanted to categorize, you could say that there are business people and technical people. That’s not entirely accurate, but for this topic today, let’s make it simple.

I’d like to talk about the technical career path. A lot of people in infosec find themselves starting on a technical path: as a technician like a firewall engineer, as a software engineer on secure products or software testing, or as an analyst in a security operations centre.

Like before, the list above is non-exhaustive. There are probably dozens of initial technical jobs I did not mention. That fact does not reduce the value in trying to understand typical technical career paths. I am going to walk you through, at a high level, four potential career entry points. Those are active hacking jobs like penetration testing, research jobs like vulnerability research, defence jobs like firewall engineering, and software jobs like software engineering. [link to each of those with websites that teach people how to do them]

Where you might be right now [school, technically minded]

I don’t know exactly where you are right now (but if you sign up for my newsletter and send me an email, then I’ll be able to tailor my understanding of you in these posts), so I will just say that you may be in one of the following positions:

  • You could be a student
  • You could be in early IT employment looking to switch into infosec
  • You could be considering a career shift (this is the path I took!)

I actually took the latter path. After university I worked in business operations and education for 8 years before switching to infosec. I started my infosec career in a technical role (as a defender) before transitioning into consulting. If you are in the same boat, please reach out, because even though it seems daunting, you are needed!

Three potential career entry points [non-exhaustive, but a good start]

Penetration Testing

Pen testers hack. When I applied for my first security job, most of the young people in the assessment centre were asking to become pen testers. If you are a hacker, it would be fun joining this track.

There are all kinds of different hackers, from software reviewers to red team hackers to social engineers. Depending on your company and your focus, you could be doing any number of hacking activities.

As a beginner, it’s likely you’d do some certification, like CEH or Offensive Security, and then start in your role under a strong team leader. Regardless of what type of hacking you are doing, a typical role will require you to hone soft skills like communication. You will not be allowed to just hack away, unless you are elite or the company is special. Most jobs will require you to hack and then communicate with stakeholders (the company, your customers, whatever) via emails, reports, and maybe presentations.

If you have hacking skills, and I mean proper hacking skills, take the time to practice your writing and presentation skills. Those small things, when coupled with elite skills, will push you ahead of the competition. The links below will help you understand a wider picture of pen testing and give you an idea of what a day in the life of a pen tester would be.

Good pen testers for industry or government can make an incredible amount of money, but the career progression is limited if you want to stay a hacker forever. Many do, though, because the work is exciting and fun. If you are career-orientated but want to give this a go, try pen testing for a while and then move into architecture or development.

Make sure you bookmark the links below.

Links for Penetration Testing

A Day in the Life of a Penetration Tester

Vulnerability Research

Security researchers are strong coders. They tend to come from software engineering. I’m not the strongest coder, so I’m including some starting points and will find a research expert to fill this in in the future.

Links for Vulnerability Research

A Day in the Life of a Vulnerability Researcher


Network Security Designer and Engineer

If you love kit, you would find network security engineering exciting. When I started my career I worked in network security engineering, design, and architecture. You build the highways and castles that make information flow work.

A good place to start is with CompTIA’s Network+ and Security+ certifications. These, coupled with practice with customers or in a lab configuring and designing solutions, will get you started on a nice path towards engineering and design. When I started in the graduate scheme, I joined an architecture and design program.

Links for Security Engineering

Potential career paths