We Need More Roads Into Infosec
I Think I’ve Heard This One Before…
News of the information security skills gap is no news at all; anyone in the industry at best is aware of it, and at worst is suffering because of it, whether by being overworked, being stressed to the gills, or (likely in addition to the first two) struggling to maintain the security posture they strive for. We don’t have enough smart, motivated folks in this fight.
At the same time, you also don’t have to look too deeply into infosec Twitter or other gathering places to see would-be new practitioners screened out of the game by unrealistic requirements in job descriptions for entry-level positions in the industry. As long as both of these things are true—the skills gap, and the unrealistic entry requirements—we’re going to be on the back foot security-wise.
It was encouraging, therefore, to see SANS and Jen Easterly, head of CISA, addressing this directly in a Twitter thread earlier this year.
Tale of an On-Ramp
My own entry into infosec was one that I encourage anyone interested in joining the field to consider: technical support for a security vendor. Tech support can certainly be a thankless job, but, maybe because of that, it’s often open to relatively green job-seekers. A major key to success for a technical support representative is found in the “soft skills” that sometimes get short shrift in technical fields: communication, empathy, grit, curiosity, a “can-do” attitude, etc. (A sense of humor sure helps, too.) Tech support reps in infosec, or infosec-adjacent fields such as networking, gain exposure not just to the products they are supporting, but also to the customer environments in which these products sit, the customers themselves and their roles and functions, the technology stack with which the product interoperates, the (ab)uses the customer subjects the product to, protocols and standards (such as RFCs), and much more.
Moreover, tech support folks are often sought out within a company for their insights on customers, the product itself, bugs and feature requests, and more. This means that teams such as QA, product management, marketing, technical writing, sales, and others are potential conduits to further career progress for someone in technical support. A lot of doors can open to support personnel who seek out those intra-company relationships.
I write from direct experience: this was my own avenue into what has become a very rewarding career of over two decades in the industry. I did not have a technical background when I applied for that first Level 1 technical support position, but I did have some technical aptitude, some book-smarts on TCP/IP and firewalling, and a variety of those other soft skills that do tend to get at least some emphasis in tech support roles. I also happened to be good at dealing with angry, frustrated customers, which helped a lot; but the key was that the job provided an environment where, by learning what I needed to learn to excel in supporting a complicated set of technologies, I gained a lot of crucial background knowledge to help me advance through the technical support ranks and then into other roles such as product management, product marketing, and general security evangelism.
A Well-Rounded Candidate
I also like to emphasize that skills learned in other professions or backgrounds can be incredibly valuable in technology, even if they seem unrelated. How did I get good at handling fuming customers on the phone? My first job out of college, teaching inner-city middle school students, gave me both experience and perspective in dealing with humans going through difficult things. How did I get comfortable speaking publicly to large audiences, or the media, about security issues? Perhaps my decades on stage as a professional musician had something to do with that. It’s so easy for these kinds of skills to be deemed irrelevant in technical roles, but to dismiss them is to potentially dismiss very strong candidates who can contribute to world-class security teams.
A major challenge to entering this field is an old logic trap that we, as a society, need to change: in order to get a job you need experience, but in order to get experience you need a job. Opening roles such as first-level technical support to candidates who have the right non-technical ingredients and just need a chance to put their talents to work is a step toward making the Internet more secure for everyone.