Nobody wakes up one day and is a fresh Information Security professional. There is an idea you can follow the specific path and get here. There are many paths to becoming an Infosec Pro. This doesn't mean a rockstar or hero. An Infosec Pro is someone who does Infosec for a living. To get here, you will have to face trials. Ask any Infosec Pro, and they will tell you their history is littered with challenges, strife, and undocumented networks. Whereas all Infosec shares the common history of these trials, they are as individual as the people who slogged through them and persevered to be Infosec.
My first job in IT was in a call center that managed the user wireless experience in over 2000 hotels. The call center had no real visibility into the environments, and we had to try to talk the user through their issues on the phone, at the mercy of their ability to describe their problems in a technical fashion. Hotels underfunded their networks and let us be the bad guy when people couldn't connect. These were the hotels and nationwide chains that charged under $100/night. We had a few nicer hotels, but their gear worked and the wireless network was properly signal mapped (this is in the days of G, no G+, and certainly no N - some hotels still had B wifi). I moved from level I to level II support in three months, earning agent of the month and agent of the quarter status more than once. However, there was no difference in treatment or pay between the people who took 30+ calls a night, and those who took 5 calls. Management expected the turnover, but were still whiny as if those leaving for greener pastures had betrayed them. In an environment like this, you either learn to work with people, or to maim people, or you lose faith in humanity and end up working the fry station at a Burger King.
Halfway through my time in Grist Mill Enterprises, I took a second job doing similar support and engineering for a business that did wifi in non major franchise coffee shops. The router/firewall combinations were advanced and capable for such small devices, but the GUI was simply a more visual CLI. You needed to understand the way it handles its rules and routing. This hardware was commonly used by smaller ISPs. The customer support was easier. The engineering challenges harder, and I had no guidance. Like many small businesses, it failed, as sales wasn't selling (reoccurring theme in my career).
This was a stretch where I was putting in 60-80 hours working, and going to school full time. It sounds hard, but with no family or significant other, it wasn't impossible. It was a learning opportunity, and the beginning of understanding how culture affected the ability to get things done. A negative culture someplace pervaded the attitude of everyone. Even the highest performing people would be worn down, or leave for a better, be it money or environment. Irony was always bosses who treated their staff as expendable always got upset as if there was some great betrayal when someone left, as if they should have stayed a beast of burden until it was time to turn them into steaks. The worse they treated people, the bigger the explosion and cries of Judas.
And then 2008 happened.
I spent time bouncing between short term contracts since no one wanted FTEs (full time employees) on the payroll. I did side work, and at times my income was low enough to qualify for unemployment/underemployment benefits. I learned Contract to Hire meant Contract without the contract pay rates (the carrot on the stick is made of wax). I learned that when you are getting started, certifications do matter - anything to differentiate yourself. I learned in a seller's market, any promise of loyalty from a contracting company is worth less than a half-eaten saltine. I kept my nose to the grindstone, working for small to mid-size IT service companies, major retailers both online and brick and mortar, and worked as an independent repair consultant, while doing side work for the coffee shop people.
Then I landed at a major ICS manufacturer, working in the SOC. This was the first job with Security in the title. Working for a worldwide company as a SOC analyst, you get a diverse view of the world. I had to learn to work with not only different people in isolated business units, but with people in cities all over, on nearly every continent, language barriers and all. There were many lessons:
- You speak to people in Brazil versus Argentina very differently, both in tone and attitude (and language, of course).
- Chinese engineers have as much worry about the NSA as Americans do about APT 1 and 3.
- Almost nobody wants more than a minimal presence in Russia.
- Indian IT has a hierarchy that nearly mirrors a caste system.
- Everyone targets offices in Dubai and the UAE. Everyone.
- If you have to deal with foreign tech support, do it very early or very late. If you are lucky you get Malaysia. They speak better English than most Americans, and strive to be helpful.
- Bureaucracy is bureaucracy is bureaucracy. Everyone, everywhere deals with it. It simply differs in type.
- For all business classifications, lots of places deem Israel as European. Hence EMEA (Europe, Middle East, Africa). Lots of land, small quantity of time zones (comparatively).
- In big enough environments, the various security teams are isolated from each other, and especially from other IT teams. This creates tension.
Here I had some great teammates and mentors, and I had people who were all that is wrong with Infosec. You learn to deal. I also learned to deal with people all over, and really started applying my knowledge of culture in IT and Infosec, and how it affects perceptions. I was able to get things cleaned up, and get resolution from groups others merely let sit as a repeat annoyance, because "those guys are just <derogatory comment> and their part of the environment will never be clean." Why do they behave a certain way? What do they have the power to do? How can I help augment that power? If I do more legwork, can I make their job easier?
When you need to use someone in another country whose language you don't speak, and they don't speak English, who has far less technical acumen than you, to hunt down a problem on a system you have never seen, in a location you will never go, in the hands of a user whose culture causes issues, and you succeed, it sends a message of reliability, and that together we can actually fix the issues we face. Suddenly you and this person aren't different. You are a team getting the job done. That is the ultimate foundational building block - the same blood in the same mud, and you succeeded. When you internalize that, everything becomes possible.
In most cities, there's that handful of employers who, once they are on your resume, open every door in the market. Suddenly, companies that wouldn't return my calls had recruiters calling repeatedly. It was a night and day shift. This led to another opportunity at a mid-sized firm, which I eventually left to get to where I am now, coming up on three years. Those lessons of culture, and common successes have been the cornerstone of what I've helped build at my current employer. Difficulties are minimal across teams, and very rarely due to personality issues anymore.
What does all this mean? Despite most major talking heads in the industry who followed nearly identical paths into Infosec (military/3 letter agency into private enterprise), their path isn't the only one. It's great for specialists. We generalists come up very differently. Try everything. Learn your passion. The path isn't supposed to be straight. And above all, learn about how to deal with people, their frustrations and their passions. Your users should be your biggest allies.
Only if you put in the work.