It would sure make things simple if there was one easy and obvious way to get a job or start a successful business in IT security. But it would also cut off a lot of potential career paths. We spoke to a host of different IT security pros and found that indeed there wasn't just one route to that coveted job.
"There are very few formal paths into security," says Justin Collins, an application security engineer at SurveyMonkey. "Everyone has a different story and oftentimes people just 'fall into' it."
Still, we think folks just starting their careers can benefit from seeing the trails blazed before them. We can't provide every detail about the career paths of the security pros we talked to, but we tried to pick out individual anecdotes or details that illuminate how a career can be built.
Tales of teen hacking
Michiel Prins cofounded his security company HackerOne for a very good reason: his parents told him to. "My best friend/cofounder Jobert Abma and I began learning to program together at 11 years old," he says. "We discovered quickly that it was easy to make programming mistakes that could have a security impact. This made us think that other developers could be making those mistakes too, and we were right."
They tested their skills on each other's systems and on the internet. "One day our parents found out the things we were capable of," he says, "and encouraged us to keep learning. I'm still impressed by how they recognized how skill in hacking could be used for good things. They basically 'forced' us to start a business.
Of course, launching a security business when you're still a teenager isn't easy. "We literally walked around the neighborhood trying to find wireless networks to break into and would ask people if they wanted us to fix them," Prins said. But there was an egalitarian way for them to prove their chops. "HackerOne's first user was the Internet Bug Bounty initiative, a non-profit that offers bounties to security researchers that help improve the security of core internet infrastructure and important open source software." Since then they've taken on commercial clients, including Slack, Coinbase, CloudFlare, and Twitter. (Also read: Why you need a bug bounty program.)
Opportunity knocks
Teddy Phillips currently works in cybersecurity at Hewlett Packard Enterprise. He knew from the beginning of his college days at the University of Alabama that he wanted to work in IT, and he quickly smelled an opportunity when it came time to specialize. "We learned about the cloud and how in the future it was where we'd store more and more sensitive information," he says. "I knew the cloud adoption would depend on the level of data protection. I did more research and saw the demand for cybersecurity professionals trending upward."
When it came to actually landing that first job, he connected with an IT recruiter at a campus career fair, and made sure to connect with security hiring managers once he was working inside the company.
A foot in the door
Darran Rolls, current CTO and CISO of SailPoint, studied computer science in college. "It was a good background but I acquired all of my security knowledge through my own interest and research."
He got his first tech job interview via a family friend, and while that shows that "who you know" is important, he had to prove himself from the start. "On my first day, they gave me two RS232 serial port connectors and said 'make a male-to-male converter. Here's a soldering iron. If it doesn't work, you might not either.' Not knowing I only needed to connect pins 2, 3, and 20, I connected everything to everything just in case. This was tricky, but I made a decent job of it. The connector worked out, and so did I."
An intern abroad
"I always wanted to be part of IT, though originally as a video game developer," says Adam Leigh, manager of IT risk operations at MetLife. Instead, his introduction to IT came in the form of a paid internship with PwC.
"I got the internship at the end of university to support a consulting team doing a hospital improvement initiative in Doha, Qatar," he says. "This was during the war in Iraq and Afghanistan and I think I got ahead of other applicants because I was willing to live in the Middle East for six months during that conflict. I was friendly and volunteered to do all sorts of things to keep the team happy, and it earned me a full-time position at the firm. Then Sarbanes-Oxley hit full swing and I ended up an IT auditor."
Leigh wasn't the only one who had this experience. "There were lots of IT-savvy people who ended in IT security through Sarbanes-Oxley," he says, demonstrating how larger regulatory forces can bend IT careers.
"I have always held onto the idea of using technology to tell important stories," he says. "When I was a kid, I envisioned that through video games. Today I help companies understand how technology helps and hinders them though speaking and reporting on IT risk, and my career goals have been to get to a position where I could speak to more people about that."
Design sensibility
Amanda Rousseau, a malware researcher at Endgame, started out pursuing graphic design in college, but after she took a computer science course, she says, "I couldn’t look back." A network security internship led to a first job at the DoD Cyber Crime Center, where she worked her way up the ladder. "My skills weren’t established overnight," she says. "I spent many hours outside of work trying to catch up and understand the technical aspects of my job."
But that early design training definitely wasn't a waste of time. "Having strong visual communication skills helps me translate many technical concepts into layman’s terms," she says. "Computer science books may not seem interesting, but I try to give different perspectives and analogies. And creative thinking helps you think outside the box and solve problems."
Anchors aweigh
Travis Howe, CISO of Conga, got his start in cybersecurity when he enlisted in the U.S. Navy. "I was always interested in military intelligence and technology," he says. He was assigned to work in cryptologic communications, "which at the time this was the closest role that fit the bill."
It was a combination of aptitude, ability, and a clean record that got him on that track, which he tackled immediately after enlistment ("you can make a move after you get in from other specialties, but it requires more effort"). After boot camp, he went to cryptology schooling in Pensacola; "an insane amount of ongoing study" went on through the rest of his Navy career.
Howe ended up working in encrypted communications facilities, which meant routing top-secret communications to U.S. leaders from anywhere in the world. Once he went into the civilian world, his skills were in demand. "There are several government contractors that design and install similar systems for the military, so when I was looking for a job, it was really a choice of where I wanted to live at the time."
His military background has helped him through his subsequent career as well. "There are a large number of folks in similar military roles that have landed in the cybersecurity field. I have had jobs or job offers in which the hiring team knew about what I did in the military and how it aligned."
The data's not going to secure itself
Chris Bowen, CSO of ClearDATA, began his career as a political staffer in the Arizona state legislature, where he worked on, among other things, internet and voter privacy issues. After getting an MBA, he founded DirectClarity, a content management firm, in 2004. And since the company’s biggest client was in healthcare, that meant interacting with patient data, and quickly getting up to speed on HIPAA law and infosec regulations. This was, it turned out, a huge market; in 2009, he founded ClearDATA, focused entirely on securing healthcare data in the cloud. His move from content management to security was complete.
“We won new clients with over-the-top customer service and in-depth knowledge of HIPAA, security, and privacy, and our ability to help customers be agile and quick yet secure and compliant," says Bowen. "Healthcare is a relatively intimate industry, and a good reputation will precede you."
When it came to making that shift to a security and compliance shop, Bowen had some help from his friends. "What I know about privacy and security I learned from great HIPAA lawyers, privacy officers, and security engineers in the real world," he says. "Certifications are simply there to put the exclamation point on the experience, and to help me stay disciplined in continuous learning."
The security frontier
Dave Cox, CEO of LiquidVPN, got his first job in 1998, working in Y2K compliance job at a large chain of banks. "When I was hired, it was because I had experience with Novell and Windows NT. It was not a traditional cybersecurity position—back then, cybersecurity was an afterthought."
But in the trenches, he could see a whole professional discipline being born. "Most of my friends and I knew cybersecurity was going to be a big industry because of how vulnerable the networks we were coming into contact with were. So I always displayed my security experience at the top of my technical resume. I had four or five years of network administration experience before getting my first dedicated cyber security contract."
When in doubt, be the first
In the 1980s, Kris Lovejoy, currently CEO of BluVector, volunteered to help set up a computer system that would allow her fellow military spouses to communicate with loved ones deployed overseas, which got her some hard-won skills. Flash-forward a bit and she was hired as a consultant in Washington, D.C., "where I found myself literally laying the lines for the internet and installing Microsoft products into three-letter governmental agencies."
"I became the in-house security specialist after having figured out how to write blacklists using Cisco ACLs and becoming one of the few people to pass the Microsoft Proxy server certification test," she says. "To be completely frank, the reason I ended up in security was because I was the only person in a three-state radius who could install Microsoft Proxy server."
Today, Lovejoy says, "I’m a CEO without MBA, and that lack of academic qualification won’t help me gain leadership of a Fortune 100 company."
But she believes there's a difference between academic qualifications and technical certifications. "I worry that in the security world we have over-emphasized academic credentials. Frankly, we have too many CISOs-in-training today, and not enough people to run pen tests, network forensic analysis, and ACL reviews. My bias has always been to promote from within, and teach the people who have the raw materials to grow into a new role. I have always found that it’s the employees who stretch themselves who provide the most value. My advice to those who are hungry for more is to make themselves known to their peers and management."
How hard could it be?
Justin Collins is an application security engineer at SurveyMonkey, but he's more famous as the primary developer of Brakeman, an open source security tool that's shaped his career. "I actually proposed the tool during my internship interview at AT&T Interactive," he says. "The interviewers became very excited and asked if I knew of a similar tool that worked with Ruby on Rails. I said I didn't know of any, but it couldn't be that hard to build."
"Brakeman really was built out of a need at that particular job," he says. For a while, "I barely worked on Brakeman. I've always been a fan of open source, though, so I was happy to open source it with the hope others would find it useful." And that's where things got interesting.
"I presented Brakeman at AppSec USA in 2011," Collins says. "At the conference, I met someone who worked at Twitter and they told me Twitter was using Brakeman. I was pretty thrilled! That introduction led to me working there: I was recruited due to my work on Brakeman."
"I do think the path of 'build a useful tool, open source it, and present on it' is a good way to start a career if you can," he says. "Of course, I've sunk countless hours into maintaining and improving Brakeman over the last seven years; you can't just fling something at the world and wait for job offers to roll in. But it is a great way to get your foot in the door in the field."
Say yes
"I started in the U.K. public sector as a benefit fraud investigator with no interest in IT whatsoever," says Mark Wilson, director of partner enablement at STEALTHbits Technologies. "This gave me a great foundation for troubleshooting and a methodology for sifting out the useful details."
The shift tech came because he was willing to volunteer. "I kept getting asked to do simple things like format templates in WordPerfect. I had no idea how to do it, so I got the manual and figured it out. It beat the day-to-day boredom you get in normal office jobs. In 1999, IT was outsourced and there was a requirement for a local admin. My management recommended me for the role and I jumped at the chance. Head-first into tech support with zero experience!"
Much of Wilson's subsequent career followed a similar head-first pattern that led him to security. "Every role I took for the following 10 years involved support in and around directory and mail migrations and compliance," he explains. "I wrote the IT security policies at a U.K. NHS trust purely through research, trial, and error. This all led to working for Quest as a migration specialist, but also with their security products."
"The biggest piece of advice I can give," he says, "is to take a chance. Take the jobs other people are scared of. Try something new. Stay on the edge and outside of your comfort zone. Do that and you learn so many new skills and work with different people. That willingness is more often than not recognized."
How else should you jumpstart your career? Head to Facebook to let us know.