Students of IT security: Career advice from the masters

Michael Kassner asks two security experts what it takes to become an IT security pro. Here are their opinions on education, certs, hands-on work, and all the preparation needed to become an expert yourself.

Recently, a couple of students asked, "We're majoring in computer science, how do we get experience in IT security?" After making sure they were talking to me, I began: "Well, here's what I think."

My son--when proofing the first draft of this article-immediately red-lined that last sentence, scribbling in the margin: "It might be best if you refrain from offering any advice. Best leave that to the experts." Hey.

Ask the pros

After a bit, I saw his point. So, I contacted Andre' DiMino and Lenny Zeltser, two IT-security pros I have worked with. After catching up, I mentioned the students' question. Both said they were well aware of this issue, having faced similar circumstances earlier in their careers.

They kindly offered to help in any way they could. Before we get to that, I'd like to tell a bit about their accomplishments.

Andre' DiMino

I first learned about Andre' DiMino when writing about Shadowserver Foundation, the company he co-founded, and how Shadowserver helped deconstruct GhostNet. Here's Andre's vision:

"When my good friend Nicholas Albright and I founded Shadowserver almost 7 years ago, we both had a dream of building a diverse group of security experts that would make a difference in how malicious computer activity was detected and reported."

They definitely succeeded. Recently, Andre' decided to start a new chapter in his life:

"I will be continuing my bot net/malware/cybercrime research and efforts, although independently or via my day job. I look forward to remaining part of the community and in continuing to cultivate joint research and collaborative efforts."

Lenny Zeltser

Lenny is another tireless IT security pro. Working as the lead of a security consulting team at Savvis and teaching at the SANS Technology Institute. Lenny also is an incident handler at the Internet Storm Center.

Lenny is a writer/blogger. He also co-authored the book Inside Network Perimeter Security and contributed chapters to Malware: Fighting Malicious Code and CyberForensics.

Last, but by no means least; Lenny has earned the GIAC Security Expert (GSE) designation. For those unfamiliar with GSE, it requires obtaining several subject-specific certifications and passing a 28-hour hands-on and written exam.

The questions

Two well-seasoned IT-security experts are ready to pass along their secrets of success. The questions, please:

You are considered an expert in the field of IT security. What does that mean to you?

DiMino: I never was too comfortable with the term "expert", especially in the field of IT security. It's such a wide field with many talented and brilliant people in their own areas of specialty.

In any case, I feel that if you have knowledge and abilities that are considered "expert", it becomes your responsibility to pass it on to others for wide benefit. That could be via teaching, mentoring, volunteering, writing, etc.

I also believe that you must guard against becoming too insulated in your own cocoon. It's crucial to exchange knowledge and ideas with your industry colleagues and even those brand new to the field. The danger arises when you become satisfied in your own knowledge and experience, and fail to remember that you can always learn much from others.

Zeltser: There's a distinction between receiving recognition of expertise and my own understanding of my capabilities. It's flattering to hear people refer to me as an expert. It encourages me to disregard my insecurities. Moreover, having a strong personal brand is helpful when you're in the business of consulting and educating on security topics.

For myself, I've noticed that I can piece together patterns to solve security challenges even when I don't have in-depth expertise in every single component of the puzzle. Perhaps that's what being an expert means.

What kind of academics-formal and informal-did you pursue?

DiMino: I formally received an electrical engineering degree, emphasis on computer engineering. In addition, I took courses in a variety of network-security topics. Now, I read as many books and journals as I can. And, I have found enjoyment in the self-teaching aspect of learning.

Zeltser: I earned an undergraduate degree in computer science at the University of Pennsylvania. I didn't obtain many practical skills, but that's not the goal of an undergraduate education. Instead, I learned key concepts that I could build upon. So, the program has been very useful.

As my career path focused on IT security, I recognized the need to understand how businesses work. More specifically, what priorities drive non-IT professionals. That led me to complete the MBA program at MIT Sloan.

An informal aspect of academics that has helped me was IT security training at SANS Institute. I learned practical skills that helped me at work and inspired me to keep learning. I also obtained several professional certifications in the process.

Now having considerable real-world experience, what would you have done differently academically?

DiMino: In retrospect, I would have taken more coding and hard core systems classes. Having a strong foundation in those topics would have saved me much post-academic learning time. I also would have spent more time working through the various labs. Not just looking to get the assignments done.

Zeltser: I'm not one to dwell on regrets, and I'm happy with the balance of academics and practical experience I've been exposed to. Even before I thought of my interest in IT as a career-when I was in an undergraduate program-I was fortunate to find a job as a system administrator. This apprenticeship-like experience infused me with practical skills.

Students want to know what IT-security certifications are important. Do you have any suggestions?

DiMino: I have a love/hate relationship with certifications. On one hand, they are great by insuring the subject matter is understood. On the other hand, they can be a crutch to those that feel a cert demonstrates knowledge or experience in a certain area.

You also need to choose your certs wisely. Select topics and areas of interest and where you wish to specialize. In my opinion, it's better to have a few good certs where you know your stuff, than to have many certificates with only superficial knowledge.

Zeltser: Which cert is important depends on the person's objectives and interests. Some people focus on certifications as a way of building up their resume. Others like certifications because they provide concrete milestones and a structure for learning new concepts and skills.

Before pursuing an IT security certification, the person needs to understand what he or she is seeking to achieve, making sure the certification takes them towards that goal.

Personally, I am associated (teach security classes) with the SANS Institute. I think the knowledge it provides and the certifications (specifically GIAC) it offers are important.

Students see how fast IT security evolves. It has them nervous about being obsolete before they graduate. Having been in that situation, is there any advice you can offer?

DiMino: It does evolve very fast. The first step is in recognizing that fact and committing yourself to staying current. Before graduating, start determining your areas of particular interest and specialty. Do the research now on what it will take to jump into those areas and get involved.

Students should get on mailing lists and become involved in various outside projects and initiatives. They should also remember that IT security requires a strong commitment to continued learning and in the practical application of what was learned. Without that commitment, they should be nervous!

Zeltser: I view undergraduate work as essential knowledge that creates the foundation for future learning and skill-building. A well-structured program will focus on fundamental concepts that are unlikely to change in the near future.

The program should also teach practical skills, reinforcing the core concepts. With a strong foundation in IT concepts, a student will pick up additional skills when the need arises. And, more importantly, know how to adapt as IT security evolves.

Peiter "Mudge" Zatko, another IT security expert, mentioned: IT-security skills should be developed through "hands-on" apprenticeships rather than classroom education. What are your thoughts?

DiMino: I completely agree. To really cement any classroom theory, you must have the practical application of those theories in a working environment. There is also great benefit to working alongside folks that do this every day and can share experiences and guidance.

Info-sec is one of those fields that can't be simply learned out of a book, or just from a classroom experience. If you truly want to stand out in this field, a student must seek various ways to get lots of "hands-on" practical experience.

For the students who don't have a formal apprenticeship program, I'd recommend volunteering with outside info-sec groups, or look to build a program within your school.

Zeltser: I agree that apprenticeships are an excellent way to develop IT-related skills. At the same time, people benefit from a strong foundation learned in the classroom. And, such a background will help them get much more out of apprenticeships.

If you were speaking to a room full of first-year university students, all excited about IT security, what would you want them to remember from your talk?

DiMino: I've rarely met anyone in the info-sec field that doesn't truly love it. It is not a 9 to 5 job. It becomes part of your life. Dedicate your time and effort to really learning, and not just meeting the minimum requirements.

There are tremendous opportunities in info-sec, and they continue to grow. However, don't feel a degree or a cert will guarantee your place. Info-sec is also very demanding and posers are quickly weeded out.

Don't ever think that you've arrived and have nothing left to learn. Conversely, you yourself will have much to offer and should share it willingly. The whole info-sec community thrives on shared knowledge and experiences.

Zeltser: The field of IT security is pretty broad, and incorporates disciplines such as application security, network defense, penetration testing, and digital forensics. Even within these areas, there are specializations that require unique skills and experiences.

I would encourage students to pick one area of IT security and become really good at it. It's important to understand the overall IT security landscape and how the field's disciplines fit together. But it's hard to be good at all of them-concentrating on a set of skills that appeals to you and that you are good at will help you stand out.

Understand what you want, find your talent, focus, and get to work.

Allowed one opinion

My son must have felt sorry for me. He sent me a text the next day. Mentioning, that with 40 years of experience, I might have at least one good opinion (but don't embarrass myself).

How do I follow these guys? Here's my advice:

Never grow tired of learning. If you do, it's time to try something else.

That's it.

Final thoughts

I told my son that I was concerned about how long the piece was getting. "I can't cut anything. It's all good." He retorted, "Sure you can: Edit your stuff out." Ouch.

Seriously, the two gentlemen offered a lot of good advice. For that, I am grateful.