Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

2/11/2009
02:32 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Path To Becoming An Infosec Pro

Last Friday, my blog entry discussed how many companies out there are disrespecting IT security by inundating infosec professionals with system administration and network management tasks to the point that security is put on the back burner. I've received some excellent feedback from readers, including an e-mail asking what route someone should take to become an infosec professional.

Last Friday, my blog entry discussed how many companies out there are disrespecting IT security by inundating infosec professionals with system administration and network management tasks to the point that security is put on the back burner. I've received some excellent feedback from readers, including an e-mail asking what route someone should take to become an infosec professional.That's not an easy question considering the reader's comment made later in his message. He stated that he started off immediately in an infosec position and has found his lack of having a solid background in IT has been a bit of a hindrance. Excellent point. IT security is a very complex field with numerous specialization options -- like intrusion detection, pen testing, and forensics -- that all require detailed knowledge of IT and networking concepts.

Everyone I know in security has a slightly different story about how they began, but the common thread is almost no one went straight into the field. Infosec was something they were always interested in, but not as their main area of focus. Eventually, they gravitated toward infosec with focuses on things like vulnerability research and digital forensics.

My story is similar. I started off as a lowly tech in college while dreaming of one day becoming a Secret Service agent like my uncle. Somehow I ended up working my way from system administration to infosec because that's what I enjoyed. Others saw that, too, which led to new job opportunities. Having the background in IT is certainly important, but what I've discovered to be the most valuable assets an infosec pro can possess are a deep passion for security and the desire to learn.

Experimenting with new technologies and tools is also critically important, along with good training. What I didn't learn as a sysadmin I picked up while experimenting on my own time. I then took that knowledge to the next level by volunteering in what is now called the Work Study Program for SANS. I took courses 502 and 503 in perimeter protection and intrusion detection. After that, I spent a lot more time experimenting and breaking things, but was able to learn from my mistakes.

So what's the takeaway here? There is no single correct path to becoming an infosec professional. There isn't a Dummies book that will get you from point A to point B. If you don't have a passion for it and love what you do, then it might not be for you. And keep in mind that if you don't have an IT background, no problem. Just know that you'll have to try and make up for it through experimentation and training.

But, most important, have fun. Infosec is a fascinating industry with many facets to explore, so be sure to find an area you enjoy and go for it.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25250
PUBLISHED: 2021-04-13
An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privil...
CVE-2021-25253
PUBLISHED: 2021-04-13
An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to exec...
CVE-2021-28645
PUBLISHED: 2021-04-13
An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target ...
CVE-2021-28646
PUBLISHED: 2021-04-13
An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations.
CVE-2021-28647
PUBLISHED: 2021-04-13
Trend Micro Password Manager version 5 (Consumer) is vulnerable to a DLL Hijacking vulnerability which could allow an attacker to inject a malicious DLL file during the installation progress and could execute a malicious program each time a user installs a program.