No Infosec experience? No problem!

A lot of people ask me about how they can get into the wider information security industry from outside, be that as a student or as someone looking to change careers. The first thing I ask them is, “What infosec experience do you have?” Inevitably, the answer is almost always the same.

“Absolutely none, otherwise I’d be in the industry!”

Now here’s the thing. When I ask that question, people interpret it as, “What infosec positions have you held?” – but that isn’t the question I’m asking. Let’s look again at the question I’m actually asking:

“What infosec experience do you have?”

Experience is a wonderful thing. Of the three types of people who can make or break a job application, experience is something that tells them all, “I can do this because I have done this already”. However, it’s a big mistake to assume that experience only comes from your day job. Experience comes from many different places, and how you find and pitch that experience is often more important than the level of experience you have.

Let’s take an example. Say you’re interested in information security, but at whatever stage of your education you’re at, you’re not currently doing anything security-related. Say you’re studying French and have a fairly loose assignment. You need to write 2,000 words in French on any subject you like, but it has to be 2,000 words and it has to be in French. I’m using this as an example because my French lecturer at college used to tell us we could talk about anything we liked as long as it was in French.

Even language studies can be used to demonstrate infosec experience.

Pick a non-technical information security subject that’s been well covered elsewhere and write about it in French. Can you write 2,000 words about what makes a good password? Cool, do it in French. Get your French grade. Job done, right?

So now you’re left with 2,000 words in a second language discussing information security. How can we fit that into your CV? It’s easier than you think. Firstly, we need to get those words on the Internet so someone (preferably someone who also understands French, or at least has Google Translate) can read them. If nothing else, sign up for a GitHub account and put it up on your GitHub blog, with a link to Google Translate at the top for people who don’t speak French. If you’re feeling brave, make an infographic in French to support it.

So now you have 2,000 words about what makes a good password in French on a website. Now what?

On your CV/Resumé, add French to your list of spoken languages and add communication to your keywords. In your opening statement, make sure you mention that you’re able to communicate technical issues in non-technical terms in both English and French. Make sure there’s a link to your GitHub, and if there’s space, link directly to the blog post somewhere on your CV/Resumé.

Do you see what’s just happened? You’ve just developed demonstrable experience. Furthermore, it’s a form of experience that demonstrates your ability in an information security-related area (explaining things), shows the advanced and specific elements of that experience (doing it in French) that others don’t have, and makes it incredibly easy for someone reading your CV to confirm that yes, this experience is in fact real. If anyone who speaks French (or is French) reads it as a result of looking at your CV or Resumé, they’re going to talk about it whether it’s a job requirement or not.

At this point, the smart thing to do is to write an English-language version so people aren’t reliant on Google Translate. Then you can update your CV or Resumé to highlight the fact that you’ve done this in English *and* French. That more than satisfies the “We don’t need French” objection, and it strengthens your position as a good communicator because people can see that you communicate well in English too.

Still not convinced? Let’s try another example. Let’s say you work in general IT support. As part of your job you have to go around building, rebuilding and fixing desktops. Desktops have BIOSes (well, normally UEFI these days, but that’s splitting hairs) that control the initial boot process. What do you do to the BIOS when you build a PC? Do you set a password? Do you enable Secure Boot? Do you lock down disk access?

Write down the process that you follow to configure the BIOS and look through the BIOS settings on your standard build. What other options are available, what are their security implications, and what’s the impact on support operations of enabling them? Work through the settings, taking notes along the way of anything that looks like it’s worth doing. Once you have a pile of notes, turn them into a set of instructions and take it to your line manager, suggesting it as part of the build process to harden new kit when it arrives. If you work in a bigger company, try to get someone from the security department involved if you can.

Now, in all likelihood, if you’re working first-line support this may get brushed off, but that’s fine. If it’s picked up, then great – you’ve just developed an internal hardening guide for new equipment coming in; that’s experience and it belongs on your CV. If you’ve been given the cold shoulder, take your notes and turn them into a more generalised document you can publish on the Internet. When it comes to publishing, take time to explain each security-relevant setting and the impact, on both security and IT support, of leaving it enabled or disabled. Put it up on your GitHub blog and link to it from your CV.

“Highlight experience for the job you want, even if it comes from outside of the job you have.”

You might think that this all seems a little lame, and that employers are only interested in the latest technology or zero-day exploits. That’s simply untrue. In both of the examples above I’ve highlighted ways that you can use your existing experience to show off your ability to communicate solid recommendations for improving security. If you think that’s not an essential skill for anyone in information security, you’re wrong. Most of your time will be spent trying to explain things in terms lay-people can understand. There’s even an entire information security project devoted to analogies.

Not everything you do has to be security-related, but just because security isn’t a core part of your day job doesn’t mean you can’t cherry-pick opportunities to show off your skills in ways that will make you stand out. Just as you dress for the job you want, not the job you have, you should highlight experience for the job you want, even if it comes from outside of the job you have.

Take a look at what you’ve already done and see how you can pitch it in information security terms on your CV. Writing about the security-specific aspects of your experiences, or recording screencasts, gives potential employers an easy way to verify your understanding, even if you think it’s nothing special. Once you’ve found some experiences, written about them and updated your CV, you might want to find out more about how to structure your CV. I cover this on day 3 of my free 30-day online email course. If you’d like to give it a try, sign up using the form below.

Steve is a full-time penetration tester and founder at Mandalorian and co-founded UK Information Security Conference 44CON in 2011. He is also the author of upcoming penetration testing guide Breaking In.