If you looked only at my educational career and résumé, I’m the last person you would expect to go into a career in technology. And yet I’m not unique in this regard; this is a very common situation for people in the infosec industry. You might wonder how we all ended up here and what lessons we can offer to those wishing to start their careers (even via a more traditional path). Here’s my story.
People usually assume that because I have a technical job, I must have a degree in computer science. I don’t. I dropped out of college and worked as a florist before starting at a security software company. I had never even heard of computer security as a career path.
After leaving my last florist job, my next adventure started with one lucky step: I took a temp job as an office manager’s assistant. When I had downtime from my regular duties, I offered to do odd jobs for other departments, including the malware research labs. After my temp job ended, I sought a position working in the labs.
My first position was as the email equivalent of the dreaded auto-attendant: “Your sample is very important to us! Your email will be answered as quickly as possible, in the order in which it was received.” To motivate and decrease grumpiness from recipients of this auto-reply, I started adding links to educational resources in my reply templates. Sometimes the resources I needed didn’t exist and I ended up having to create them by asking malware analysts what they wanted people to know.
The process of figuring out how to educate the people who were coming to us for help educated me too. Each new thing I learned gave me another idea for how to make my job — and the job of the malware analysts I worked with — easier and more pleasant, and allowed me to take on more of the work of our analysts. Eventually, I had automated much of the process of frontline response and was primarily doing the work of a malware analyst. By the time I left, I was helping to design automation to speed up the malware analysis process.
Much of what I did for the first few years was metaphorically scrubbing latrines for the department, but it was work I thoroughly enjoyed because it gave me a chance to learn new things almost every day. My willingness to do scut work provided me with an amazing opportunity to get a foothold in an industry that is notoriously difficult to break into. Whether you’re looking to get into the industry with no official education or experience, or you’ve got a degree and are still having a hard time getting in, here are two things you can do to improve your odds.
Establish a Good Reputation
Much of what made achieving my first official security job title possible was a matter of establishing my reputation within the research labs as someone who was willing to do even the most onerous tasks quickly, enthusiastically, and effectively. I moderated the impatience of grumpy inquirers so that analysts could focus on malware samples. I created department-wide tool repositories as I learned what the tools did. I created documentation for our whole process so that it was repeatable by new hires as well as by automation.
Even if you don’t have the good fortune of working at a company with an established security group, there are plenty of industry-wide groups that you can join and where you can offer your assistance — and learn important skills in the process.
A common theme I hear frequently is about how many people get into this industry from surprisingly diverse past careers because they took on a huge problem that no one else had the time or inclination to address. Before their first day in an official security role, they had already created handy tools, or they created much-needed documentation, or they spread information to help people via public blogs or forums. They took time to help others, and thus became indispensable to people who already work in this industry. When a suitable position became available, their lack of technical experience or training was a nonissue because we, collectively, could not afford to be without them.
Establishing a good reputation in this industry is absolutely essential, and it can be a maddeningly slow process. Because of the sensitive nature of the work we do, you must have more than just knowledge and experience to establish your career; someone already in this industry must vouch for you. But this can be an opportunity too, for those of us willing to put ourselves out there to help others.
Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all … View Full Bio