Review: Breaking into Information Security
Breaking into Information Security is a practical guide for people outside and inside the information security industry. The former can find out how to put their foot in the door, and the latter can learn how to climb the ladder to a higher position within the company/industry.
About the authors
Josh More has ten years of experience working in security. Today he primarily works as a security consultant, he has also worked in roles ranging from user to developer to system administrator.
Anthony J. Stieber has over 18 years of experience in the information technology industry working in academia, banks, retail, and insurance; designing enterprise security architectures, installing military and commercial firewalls, and much more.
Chris Liu has over 15 years of information technology experience and has been a help desk technician, network administrator, quality assurance engineer, release manager, IT manager, instructor, developer, consultant, and product development manager, and is currently an information security professional.
Inside Breaking into Information Security
The three authors have gone through many job changes within the industry, and many of the advice they offer has been learned first hand. But they have also recruited a dozen security professionals to tell their personal story. The authors call this a “community book”, as it has been influenced by everyone with whom they have ever worked.
The introductory chapter is very important for understanding how the book is structured, which models the authors use, and why, but after it readers can skip back and forth to discover what interests them the most. It is also great for those who want to enter the infosec field, as it touches upon what’s important for getting hired – degrees, projects, experience, certifications – and how to make the right choices for yourself. Here the reader will discover which barriers (corporate culture, HR, racism, sexism, etc.) he or she can expect and how to push through them.
The next three chapters address specific jobs in the infosec industry, divided into tiers. Tier 1 includes jobs like log reviewer, help desk, coder, system and network administrator. Tier 2: pent tester, auditor, incident responder, policy administrator, legal expert, law enforcement, etc. Tier 3: pen test lead, security architect, Red Team lead, security consultant, security management, entrepreneur, and so on.
For each of these jobs, the authors explain what is expected, how to break into them, what skills are required and what skill should and will be learned, tips on recognising when you’re stuck, some rules of thumb, etc.
The forth chapter deals with “boosting” – the process by which one can gain skills outside of their regular job, and which can definitely come in hand. Advantages and disadvantages of boosting are explained, and then several boosting paths are addressed (writing books and blogs, open source development, entrepreneurship, evangelism, research, public speaking, conference support, and so on). For each of these paths the reader will discover how to get started, why they should do it and what it might cost them, what skills they’ll gain, and when it’s a good time to stop.
Throughout the book, the authors use a Learn/Do/Teach model, and explain each of the three stages as they feature in all those different jobs.
The book is an extremely interesting read, and would still be without the occasional tongue-in-cheek jokes.
The personal stories for some of the jobs are a great way to see how a specific career path looks from the inside: what opportunities can come up to push one along, what one can learn, what knowledge is good to have, and recommendations by real-life infosec practitioners.
Everyone within the infosec industry can find some value in this book. Individuals who look to break into it – either after school or by switching from another industry altogether – will find it most interesting, especially if they can’t find people to advise them about which road to take and how to decide what is that interests them the most.
Infosec and IT majors thinking about a career in information security should definitely read this book. But they shouldn’t expect advice that’s too specific – instead, they should look at this book as a way to peek in the various parts of the infosec big picture, which will helpfully be enough to make an informed choice of what can be interesting and what they should definitely avoid. Perhaps they will realize that a career in information security is not for them, after all.