How to get started in Information Security

Even my 10 year old has asked me when I will teach her to hack. She even gets excited when Computer Technical Support calls our house because some mysterious tool alerted them about a virus on our computer (we have eight). It is not that she loves hacking or even computers. It is that we all want some insider knowledge on how to do away with the rules.

Information Security is not a field you go to school for. It is something you apprentice in. Every single day. That is a rule that cannot be bypassed. You may start in a school, in a book or in one frustrating moment of losing a password just like I did but your learning must be lifelong.

My customers must be tired of hearing me say, when I speak to them or run into them at conferences, that my skills are degrading before their very eyes. Actually, it is not so much that they degrade but that someone else is honing their craft elsewhere in previously unthinkable ways (e.g. battery BIOS viruses and viruses that propagate through sound).

Everything you learn must be perfected and improved upon lest it be made obsolete by others that are more motivated or by the sheer advancement of technology.

There are at least 100 new virus variants created every day. Not all of these make it to a significant number of computers. Viruses are not the sole or even the best indicator of information insecurity. They are, however, the most public and quantifiable metric that we have. Actual hacking incidents would be a much better indicator but we still do not share such information very well.

As the needle moves in other gauges such as “Records Lost” and as new “sensors” make their way into dashboards such as “Breaches per industry segment”, so must one’s skills.

It is not that a formal education in security, risk management or any other field does not have a place in security. Many useful skills are learned in the journey towards a degree. You never want a white hat to be able to break down your defenses without you being able to articulate how they did it. You never want your infrastructure to get broken into because of a “n00b’s” mistake.

What one must be able to do in the Governance, Risk Management, Compliance and Security (GRCI) fields is translate a real or potential risk into discrete action items that customers are willing and able to act on in order to transform their posture into a tenable one.

“But you did not tell me how to get started!” – Correct. I did not. Whether it is the G, the R, the C, or the I, any specific advice that I give you here will be obsolete by the time these words reach your eye sockets. Find a book; find a mentor; get your hands on something to hack. Take an action that will actually get you closer to the end goal of becoming a G, R, C, or I person.

If you want a better answer than that but are in a position where you cannot learn, send me a direct message and we shall get you on your way.
