02:30 PM
Lysa Myers
Lysa Myers
Connect Directly
E-Mail vvv

Lessons from My Strange Journey into InfoSec

Establishing an entree into the security world can be a maddeningly slow process. For those of us already here, it can be an opportunity to help others.

If you looked only at my educational career and résumé, I'm the last person you would expect to go into a career in technology. And yet I'm not unique in this regard; this is a very common situation for people in the infosec industry. You might wonder how we all ended up here and what lessons we can offer to those wishing to start their careers (even via a more traditional path). Here's my story.

People usually assume that because I have a technical job, I must have a degree in computer science. I don't. I dropped out of college and worked as a florist before starting at a security software company. I had never even heard of computer security as a career path.

After leaving my last florist job, my next adventure started with one lucky step: I took a temp job as an office manager's assistant. When I had downtime from my regular duties, I offered to do odd jobs for other departments, including the malware research labs. After my temp job ended, I sought a position working in the labs.

My first position was as the email equivalent of the dreaded auto-attendant: "Your sample is very important to us! Your email will be answered as quickly as possible, in the order in which it was received." To motivate and decrease grumpiness from recipients of this auto-reply, I started adding links to educational resources in my reply templates. Sometimes the resources I needed didn't exist and I ended up having to create them by asking malware analysts what they wanted people to know.

The process of figuring out how to educate the people who were coming to us for help educated me too. Each new thing I learned gave me another idea for how to make my job — and the job of the malware analysts I worked with — easier and more pleasant, and allowed me to take on more of the work of our analysts. Eventually, I had automated much of the process of frontline response and was primarily doing the work of a malware analyst. By the time I left, I was helping to design automation to speed up the malware analysis process.

Much of what I did for the first few years was metaphorically scrubbing latrines for the department, but it was work I thoroughly enjoyed because it gave me a chance to learn new things almost every day. My willingness to do scut work provided me with an amazing opportunity to get a foothold in an industry that is notoriously difficult to break into. Whether you're looking to get into the industry with no official education or experience, or you've got a degree and are still having a hard time getting in, here are two things you can do to improve your odds.

Establish a Good Reputation
Much of what made achieving my first official security job title possible was a matter of establishing my reputation within the research labs as someone who was willing to do even the most onerous tasks quickly, enthusiastically, and effectively. I moderated the impatience of grumpy inquirers so that analysts could focus on malware samples. I created department-wide tool repositories as I learned what the tools did. I created documentation for our whole process so that it was repeatable by new hires as well as by automation.

Even if you don't have the good fortune of working at a company with an established security group, there are plenty of industry-wide groups that you can join and where you can offer your assistance — and learn important skills in the process.

Be Indispensable
A common theme I hear frequently is about how many people get into this industry from surprisingly diverse past careers because they took on a huge problem that no one else had the time or inclination to address. Before their first day in an official security role, they had already created handy tools, or they created much-needed documentation, or they spread information to help people via public blogs or forums. They took time to help others, and thus became indispensable to people who already work in this industry. When a suitable position became available, their lack of technical experience or training was a nonissue because we, collectively, could not afford to be without them.

Establishing a good reputation in this industry is absolutely essential, and it can be a maddeningly slow process. Because of the sensitive nature of the work we do, you must have more than just knowledge and experience to establish your career; someone already in this industry must vouch for you. But this can be an opportunity too, for those of us willing to put ourselves out there to help others.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/17/2018 | 3:40:32 AM
Re: Glad for the Company
It is rather common to me seeing people from different backgrounds going into unrelated fields to work. It is really not that hard to get into the desired positions as long as past experiences have brought us there. However, specific roles might not be able to be performed if no expertise within the field is available at that moment in time. Some companies might even send those said employees for courses to upgrade themselves and adapt well into that new unrelated environment.
User Rank: Ninja
7/12/2018 | 7:44:23 PM
Glad for the Company
Loved your post and your story resonates.  Mine is similar except coffee and not flowers was my mainstay before getting into my first tech gig.  I tested out of High School early due to boredom and started working at coffee shops. I honed UNIX and GNU/Linux skills in my free time.  Got my first tech gig at a start-up doing automated software test programming thanks to a friend who thought I might be good at it and went on to work at several software companies doing similar work.  For me, it was the side-gigs that got me exposed to InfoSec and hardening systems, scripting configuration managed GNU/Linux installs and VMs became my passion.  Few people I knew as a kid would ever have expected to see me where I am now, for sure, and in fact I am sometimes not sure how I even got here with my lack of actual credentials.  But what you said is true - I made myself indispensable at every job and did everything I could to stay cutting edge by reading as many security and tech papers as I could and making solid recommendations based on data and research.  I'm still executing my end-game (I keep a shortlist of companies I'd love to work for), but watching careers like yours definitely keeps the passion and confidence burning. 
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Privacy Ops: The New Nexus for CISOs & DPOs
Amit Ashbel, Security Evangelist, Cognigo,  2/18/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-21
A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External E...
PUBLISHED: 2019-02-21
A vulnerability in field-programmable gate array (FPGA) ingress buffer management for the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module (PID: FPR9K-DNM-2X100G) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) conditio...
PUBLISHED: 2019-02-21
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RE...
PUBLISHED: 2019-02-21
In Signiant Manager+Agents before 13.5, the implementation of the set command has a Buffer Overflow.
PUBLISHED: 2019-02-21
A vulnerability in the TFTP service of Cisco Network Convergence System 1000 Series software could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device, possibly resulting in information disclosure. The vulnerability is due to improper validation of user-sup...